From 5ba16abf851cc91504467021169d3f7505b240ce Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 27 Mar 2024 08:49:22 +0000
Subject: [PATCH] fix(iast): ensure context is created for current span [backport 2.6] (#8785)

Backport fedf88e7161e7eff19038231c2b2fa8f8f75ddec from #8772 to 2.6.

IAST: Ensure context is created in the current span, as some tainting operations occur regardless of `oce.acquire_request`.

Note: The bug was introduced in this PR: https://github.com/DataDog/dd-trace-py/pull/8452

## Checklist
- [x] Change(s) are motivated and described in the PR description
- [x] Testing strategy is described if automated tests are not included in the PR
- [x] Risks are described (performance impact, potential for breakage, maintainability)
- [x] Change is maintainable (easy to change, telemetry, documentation)
- [x] [Library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) are followed or label `changelog/no-changelog` is set
- [x] Documentation is included (in-code, generated user docs, [public corp docs](https://github.com/DataDog/documentation/))
- [x] Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))
- [x] If this PR changes the public interface, I've notified `@DataDog/apm-tees`.
- [x] If change touches code that signs or publishes builds or packages, or handles credentials of any kind, I've requested a review from `@DataDog/security-design-and-guidance`.
## Reviewer Checklist - [x] Title is accurate - [x] All changes are related to the pull request's stated goal - [x] Description motivates each change - [x] Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - [x] Testing strategy adequately addresses listed risks - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] Release note makes sense to a user of the library - [x] Author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - [x] Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) Co-authored-by: Federico Mon --- ddtrace/appsec/_iast/processor.py | 7 ++++--- .../notes/iast-fix-context-creation-2d0dee033723514c.yaml | 4 ++++ 2 files changed, 8 insertions(+), 3 deletions(-) create mode 100644 releasenotes/notes/iast-fix-context-creation-2d0dee033723514c.yaml diff --git a/ddtrace/appsec/_iast/processor.py b/ddtrace/appsec/_iast/processor.py index 0fb8d0f7cbc..7462e62ff76 100644 --- a/ddtrace/appsec/_iast/processor.py +++ b/ddtrace/appsec/_iast/processor.py @@ -48,12 +48,13 @@ def on_span_start(self, span): if not _is_iast_enabled(): return + from ._taint_tracking import create_context + + create_context() + request_iast_enabled = False if oce.acquire_request(span): - from ._taint_tracking import create_context - request_iast_enabled = True - create_context() core.set_item(IAST.REQUEST_IAST_ENABLED, request_iast_enabled, span=span) diff --git a/releasenotes/notes/iast-fix-context-creation-2d0dee033723514c.yaml b/releasenotes/notes/iast-fix-context-creation-2d0dee033723514c.yaml new file mode 100644 index 00000000000..9e798d7cf71 --- /dev/null +++ b/releasenotes/notes/iast-fix-context-creation-2d0dee033723514c.yaml 
@@ -0,0 +1,4 @@ +--- +fixes: + - | + Vulnerability Management for Code-level (IAST): This fix addresses an issue where tainting objects may fail due to context not being created in the current span.
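Review bot: In the `processor.py` hunk, `create_context()` is now called on every `on_span_start` once `_is_iast_enabled()` passes, not only when `oce.acquire_request(span)` succeeds, but the diff shows no matching change on the teardown side: if the counterpart reset (in `on_span_finish`, not part of this patch) is still gated on `IAST.REQUEST_IAST_ENABLED` being true for the span, contexts created for spans that fail `acquire_request` are never released, so please confirm the release path was made unconditional in the same way. A second, smaller point: the lazy `from ._taint_tracking import create_context` is kept local to the function but now executes on every span start; if that is deliberate (deferring the native `_taint_tracking` load until IAST is actually enabled), a one-line comment saying so would stop the next reader from hoisting it to module level.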