diff --git a/ddtrace/appsec/_iast/_ast/visitor.py b/ddtrace/appsec/_iast/_ast/visitor.py
index 4394ff0b6d2..b898c2cb84d 100644
--- a/ddtrace/appsec/_iast/_ast/visitor.py
+++ b/ddtrace/appsec/_iast/_ast/visitor.py
@@ -261,7 +261,7 @@ def _should_replace_with_taint_sink(self, call_node: ast.Call, is_function: bool
 if function_name in self._taint_sink_replace_disabled:
 return False
- return any(allowed in function_name for allowed in self._taint_sink_replace_any)
+ return function_name in self._taint_sink_replace_any
 def _add_original_function_as_arg(self, call_node: ast.Call, is_function: bool) -> Any:
 """
diff --git a/releasenotes/notes/iast-aspects-partial-matches-f43dc04584ca6788.yaml b/releasenotes/notes/iast-aspects-partial-matches-f43dc04584ca6788.yaml
new file mode 100644
index 00000000000..d20f910ba30
--- /dev/null
+++ b/releasenotes/notes/iast-aspects-partial-matches-f43dc04584ca6788.yaml
@@ -0,0 +1,3 @@
+fixes:
+ - |
+ Code security: This fix resolves an issue where partial matches on function names we aimed to patch were being patched instead of full matches on them.
diff --git a/tests/appsec/iast/_ast/test_ast_patching.py b/tests/appsec/iast/_ast/test_ast_patching.py
index e0fd4960c72..19f05b4e192 100644
--- a/tests/appsec/iast/_ast/test_ast_patching.py
+++ b/tests/appsec/iast/_ast/test_ast_patching.py
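Review bot: The exact membership test `function_name in self._taint_sink_replace_any` is only correct if `function_name` is normalized to the same form as the entries in that collection; `function_name` is computed above the hunk, so if it can carry a dotted prefix (an attribute call such as `mod.func`) while the collection holds bare names, sinks the substring test used to catch would now be skipped silently. A positive regression test asserting that a listed sink is still replaced after this change would guard that side of the fix, since the new test only covers the `globals()` non-match. If `_taint_sink_replace_any` is a list rather than a set, this check is O(n) for every visited `ast.Call`; building it as a `frozenset` where it is initialized keeps the lookup constant-time. `_should_replace_with_taint_sink` starts outside the hunk.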
@@ -155,3 +155,18 @@ def test_module_path_none(caplog):
 with caplog.at_level(logging.DEBUG), mock.patch("ddtrace.internal.module.Path.resolve", side_effect=AttributeError):
 assert ("", "") == astpatch_module(__import__("tests.appsec.iast.fixtures.ast.str.class_str", fromlist=[None]))
 assert "astpatch_source couldn't find the module: tests.appsec.iast.fixtures.ast.str.class_str" in caplog.text
+
+
+@pytest.mark.parametrize(
+ "module_name",
+ [
+ ("tests.appsec.iast.fixtures.ast.other.globals_builtin"),
+ ],
+)
+def test_astpatch_globals_module_unchanged(module_name):
+ """
+ This is a regression test for partially matching function names:
+ ``globals()`` was being incorrectly patched with the aspect for ``glob()``
+ """
+ module_path, new_source = astpatch_module(__import__(module_name, fromlist=[None]))
+ assert ("", "") == (module_path, new_source)
diff --git a/tests/appsec/iast/fixtures/ast/other/globals_builtin.py b/tests/appsec/iast/fixtures/ast/other/globals_builtin.py
new file mode 100644
index 00000000000..411f0643843
--- /dev/null
+++ b/tests/appsec/iast/fixtures/ast/other/globals_builtin.py
@@ -0,0 +1,3 @@
+#!/usr/bin/env python3
+
+_globals = globals()
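Review bot: The parametrize value `("tests.appsec.iast.fixtures.ast.other.globals_builtin")` is a parenthesized string, not a one-element tuple, so the parentheses suggest a structure that is not there; `"tests.appsec.iast.fixtures.ast.other.globals_builtin",` reads as intended. The test pins only the negative case (a module calling `globals()` comes back as `("", "")`); a companion fixture that calls `glob()` and asserts a non-empty patched source would catch the exact-match check becoming too strict, unless an existing test in this module already covers that. The docstring could also name the fixture it relies on, e.g. `Uses fixtures/ast/other/globals_builtin.py, whose only call is globals().`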