fix(iast): duplicated Flask headers [backport 2.5] (#9018)
Backport ad6ac08 from #9014 to 2.5.

Ensure that when tainting the headers of a Flask application, iterating over the headers (i.e., with `headers.items()`) does not duplicate them.

```
>> list(request.headers.items())
```

Now:

```
[['Host', '0.0.0.0:8000'], ['User-Agent', 'python-requests/2.31.0'], ['Accept-Encoding', 'gzip, deflate, br'], ['Accept', '*/*'], ['Connection', 'keep-alive'], ['Host', '0.0.0.0:8000'], ['User-Agent', 'python-requests/2.31.0'], ['Accept-Encoding', 'gzip, deflate, br'], ['Accept', '*/*'], ['Connection', 'keep-alive']]
!=
[['Host', '0.0.0.0:8000'], ['User-Agent', 'python-requests/2.31.0'], ['Accept-Encoding', 'gzip, deflate, br'], ['Accept', '*/*'], ['Connection', 'keep-alive']]
```

With this fix:

```
[
    ["Host", "0.0.0.0:8000"],
    ["User-Agent", "python-requests/2.31.0"],
    ["Accept-Encoding", "gzip, deflate, br"],
    ["Accept", "*/*"],
    ["Connection", "keep-alive"],
]
```

Introduced in: #8452

## Checklist

- [x] Change(s) are motivated and described in the PR description
- [x] Testing strategy is described if automated tests are not included in the PR
- [x] Risks are described (performance impact, potential for breakage, maintainability)
- [x] Change is maintainable (easy to change, telemetry, documentation)
- [x] [Library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) are followed or label `changelog/no-changelog` is set
- [x] Documentation is included (in-code, generated user docs, [public corp docs](https://github.com/DataDog/documentation/))
- [x] Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))
- [x] If this PR changes the public interface, I've notified `@DataDog/apm-tees`.
- [x] If change touches code that signs or publishes builds or packages, or handles credentials of any kind, I've requested a review from `@DataDog/security-design-and-guidance`.
## Reviewer Checklist

- [x] Title is accurate
- [x] All changes are related to the pull request's stated goal
- [x] Description motivates each change
- [x] Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes
- [x] Testing strategy adequately addresses listed risks
- [x] Change is maintainable (easy to change, telemetry, documentation)
- [x] Release note makes sense to a user of the library
- [x] Author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
- [x] Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

---------

Co-authored-by: Alberto Vara <alberto.vara@datadoghq.com>
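The commit message shows the symptom (the whole header block yielded twice by `headers.items()` once IAST tainting is active) but not a test for it. The following is an added regression check, not dd-trace-py's own code: it takes the `(name, value)` pairs produced by iterating any Flask/Werkzeug `Headers` object and reports both whole-block repetition (the pattern above) and exact duplicate pairs. The two sample lists are the "Now" and "With this fix" outputs quoted in the commit message; everything else is stdlib only, so it runs without Flask or ddtrace installed.

```python
"""Regression check for duplicated header iteration under IAST tainting.

Added example (not dd-trace-py code). Feed it ``list(request.headers.items())``
from a Flask request; it flags the instrumentation bug described in the commit.
"""
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Tuple

Header = Tuple[str, str]

# Sample data copied from the commit message: output before and after the fix.
BEFORE_FIX = [
    ["Host", "0.0.0.0:8000"], ["User-Agent", "python-requests/2.31.0"],
    ["Accept-Encoding", "gzip, deflate, br"], ["Accept", "*/*"], ["Connection", "keep-alive"],
    ["Host", "0.0.0.0:8000"], ["User-Agent", "python-requests/2.31.0"],
    ["Accept-Encoding", "gzip, deflate, br"], ["Accept", "*/*"], ["Connection", "keep-alive"],
]
AFTER_FIX = [
    ["Host", "0.0.0.0:8000"], ["User-Agent", "python-requests/2.31.0"],
    ["Accept-Encoding", "gzip, deflate, br"], ["Accept", "*/*"], ["Connection", "keep-alive"],
]


def normalize(pairs: Iterable[Sequence[str]]) -> List[Header]:
    """Accept the [name, value] lists from the commit message or (name, value) tuples.

    str() is applied so tainted string subclasses compare like plain strings.
    """
    return [(str(name), str(value)) for name, value in pairs]


def repeated_block_period(pairs: Sequence[Header]) -> int:
    """Length of the shortest prefix whose repetition reproduces the whole sequence.

    Returns 0 when the sequence is not a repetition of a shorter block. For the
    buggy output above this is 5: the five real headers yielded twice.
    """
    n = len(pairs)
    for period in range(1, n // 2 + 1):
        if n % period == 0 and all(pairs[i] == pairs[i % period] for i in range(n)):
            return period
    return 0


def duplicated_pairs(pairs: Sequence[Header]) -> Dict[Header, int]:
    """Exact (name, value) pairs seen more than once, with their counts.

    Keyed on the full pair, not the name: several distinct values for one name
    (e.g. repeated Accept or Set-Cookie lines) are legitimate HTTP, not a bug.
    """
    return {pair: count for pair, count in Counter(pairs).items() if count > 1}


def check_headers(raw: Iterable[Sequence[str]]) -> Dict[str, object]:
    """Summarize whether an items() listing looks duplicated by instrumentation."""
    pairs = normalize(raw)
    period = repeated_block_period(pairs)
    return {
        "block_repeated": period > 0,
        "period": period,
        "duplicates": duplicated_pairs(pairs),
    }


def assert_no_duplicated_headers(raw: Iterable[Sequence[str]]) -> None:
    """Drop-in assertion for a pytest regression test against a Flask test client."""
    result = check_headers(raw)
    assert not result["block_repeated"], "header block repeated %d times" % (
        len(normalize(raw)) // int(result["period"])
    )
    assert not result["duplicates"], "duplicated header pairs: %r" % (result["duplicates"],)


if __name__ == "__main__":
    print("before fix:", check_headers(BEFORE_FIX))
    print("after fix: ", check_headers(AFTER_FIX))
    assert_no_duplicated_headers(AFTER_FIX)
```

In a real regression test you would call `assert_no_duplicated_headers(list(request.headers.items()))` inside a Flask view exercised through `app.test_client()` with IAST enabled. One caveat: a client that genuinely sends the same header line twice with an identical value will also be reported as a duplicate pair, so the whole-block `period` check is the stronger signal for the instrumentation bug.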