fix(iast): improve overhead control logic #8452

gnufede · 2024-02-19T14:26:31Z

IAST: Improve overhead control logic so the decision to analyze a request is done at span start and is saved at the span level using the core API. This should fix issues where requests were analyzed when they shouldn't be and viceversa.

Checklist

Change(s) are motivated and described in the PR description
Testing strategy is described if automated tests are not included in the PR
Risks are described (performance impact, potential for breakage, maintainability)
Change is maintainable (easy to change, telemetry, documentation)
Library release note guidelines are followed or label changelog/no-changelog is set
Documentation is included (in-code, generated user docs, public corp docs)
Backport labels are set (if applicable)
If this PR changes the public interface, I've notified @DataDog/apm-tees.
If change touches code that signs or publishes builds or packages, or handles credentials of any kind, I've requested a review from @DataDog/security-design-and-guidance.

Reviewer Checklist

Title is accurate
All changes are related to the pull request's stated goal
Description motivates each change
Avoids breaking API changes
Testing strategy adequately addresses listed risks
Change is maintainable (easy to change, telemetry, documentation)
Release note makes sense to a user of the library
Author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
Backport labels are set in a manner that is consistent with the release branch maintenance policy

datadog-dd-trace-py-rkomorn · 2024-02-19T14:42:01Z

Datadog Report

Branch report: gnufede/iast-refactor-oce
Commit report: e850fde
Test service: dd-trace-py

✅ 0 Failed, 103587 Passed, 7686 Skipped, 28m 59.41s Total duration (1h 30m 35.03s time saved)

ITR:NoSkip

IAST: Improve overhead control logic so the decision to analyze a request is done at span start and is saved at the span level using the core API. This should fix issues where requests were analyzed when they shouldn't be and viceversa. - [x] Change(s) are motivated and described in the PR description - [x] Testing strategy is described if automated tests are not included in the PR - [x] Risks are described (performance impact, potential for breakage, maintainability) - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] [Library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) are followed or label `changelog/no-changelog` is set - [x] Documentation is included (in-code, generated user docs, [public corp docs](https://github.com/DataDog/documentation/)) - [x] Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) - [x] If this PR changes the public interface, I've notified `@DataDog/apm-tees`. - [x] If change touches code that signs or publishes builds or packages, or handles credentials of any kind, I've requested a review from `@DataDog/security-design-and-guidance`. - [x] Title is accurate - [x] All changes are related to the pull request's stated goal - [x] Description motivates each change - [x] Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - [x] Testing strategy adequately addresses listed risks - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] Release note makes sense to a user of the library - [x] Author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - [x] Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) (cherry picked from commit 7e8aaac)

IAST: Ensure context is created in the current span, as some tainting operations occur regardless of `oce.acquire_request`. Note: The bug was introduce in this PR: #8452 ## Checklist - [x] Change(s) are motivated and described in the PR description - [x] Testing strategy is described if automated tests are not included in the PR - [x] Risks are described (performance impact, potential for breakage, maintainability) - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] [Library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) are followed or label `changelog/no-changelog` is set - [x] Documentation is included (in-code, generated user docs, [public corp docs](https://github.com/DataDog/documentation/)) - [x] Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) - [x] If this PR changes the public interface, I've notified `@DataDog/apm-tees`. - [x] If change touches code that signs or publishes builds or packages, or handles credentials of any kind, I've requested a review from `@DataDog/security-design-and-guidance`. ## Reviewer Checklist - [x] Title is accurate - [x] All changes are related to the pull request's stated goal - [x] Description motivates each change - [x] Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - [x] Testing strategy adequately addresses listed risks - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] Release note makes sense to a user of the library - [x] Author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - [x] Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

IAST: Ensure context is created in the current span, as some tainting operations occur regardless of `oce.acquire_request`. Note: The bug was introduce in this PR: #8452 ## Checklist - [x] Change(s) are motivated and described in the PR description - [x] Testing strategy is described if automated tests are not included in the PR - [x] Risks are described (performance impact, potential for breakage, maintainability) - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] [Library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) are followed or label `changelog/no-changelog` is set - [x] Documentation is included (in-code, generated user docs, [public corp docs](https://github.com/DataDog/documentation/)) - [x] Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) - [x] If this PR changes the public interface, I've notified `@DataDog/apm-tees`. - [x] If change touches code that signs or publishes builds or packages, or handles credentials of any kind, I've requested a review from `@DataDog/security-design-and-guidance`. ## Reviewer Checklist - [x] Title is accurate - [x] All changes are related to the pull request's stated goal - [x] Description motivates each change - [x] Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - [x] Testing strategy adequately addresses listed risks - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] Release note makes sense to a user of the library - [x] Author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - [x] Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) (cherry picked from commit fedf88e)

…8785) Backport fedf88e from #8772 to 2.6. IAST: Ensure context is created in the current span, as some tainting operations occur regardless of `oce.acquire_request`. Note: The bug was introduce in this PR: #8452 ## Checklist - [x] Change(s) are motivated and described in the PR description - [x] Testing strategy is described if automated tests are not included in the PR - [x] Risks are described (performance impact, potential for breakage, maintainability) - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] [Library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) are followed or label `changelog/no-changelog` is set - [x] Documentation is included (in-code, generated user docs, [public corp docs](https://github.com/DataDog/documentation/)) - [x] Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) - [x] If this PR changes the public interface, I've notified `@DataDog/apm-tees`. - [x] If change touches code that signs or publishes builds or packages, or handles credentials of any kind, I've requested a review from `@DataDog/security-design-and-guidance`. ## Reviewer Checklist - [x] Title is accurate - [x] All changes are related to the pull request's stated goal - [x] Description motivates each change - [x] Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - [x] Testing strategy adequately addresses listed risks - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] Release note makes sense to a user of the library - [x] Author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - [x] Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) Co-authored-by: Federico Mon <federico.mon@datadoghq.com>

…8784) Backport fedf88e from #8772 to 2.5. IAST: Ensure context is created in the current span, as some tainting operations occur regardless of `oce.acquire_request`. Note: The bug was introduce in this PR: #8452 ## Checklist - [x] Change(s) are motivated and described in the PR description - [x] Testing strategy is described if automated tests are not included in the PR - [x] Risks are described (performance impact, potential for breakage, maintainability) - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] [Library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) are followed or label `changelog/no-changelog` is set - [x] Documentation is included (in-code, generated user docs, [public corp docs](https://github.com/DataDog/documentation/)) - [x] Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) - [x] If this PR changes the public interface, I've notified `@DataDog/apm-tees`. - [x] If change touches code that signs or publishes builds or packages, or handles credentials of any kind, I've requested a review from `@DataDog/security-design-and-guidance`. ## Reviewer Checklist - [x] Title is accurate - [x] All changes are related to the pull request's stated goal - [x] Description motivates each change - [x] Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - [x] Testing strategy adequately addresses listed risks - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] Release note makes sense to a user of the library - [x] Author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - [x] Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) Co-authored-by: Federico Mon <federico.mon@datadoghq.com>

…8786) Backport fedf88e from #8772 to 2.7. IAST: Ensure context is created in the current span, as some tainting operations occur regardless of `oce.acquire_request`. Note: The bug was introduce in this PR: #8452 ## Checklist - [x] Change(s) are motivated and described in the PR description - [x] Testing strategy is described if automated tests are not included in the PR - [x] Risks are described (performance impact, potential for breakage, maintainability) - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] [Library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) are followed or label `changelog/no-changelog` is set - [x] Documentation is included (in-code, generated user docs, [public corp docs](https://github.com/DataDog/documentation/)) - [x] Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) - [x] If this PR changes the public interface, I've notified `@DataDog/apm-tees`. - [x] If change touches code that signs or publishes builds or packages, or handles credentials of any kind, I've requested a review from `@DataDog/security-design-and-guidance`. ## Reviewer Checklist - [x] Title is accurate - [x] All changes are related to the pull request's stated goal - [x] Description motivates each change - [x] Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - [x] Testing strategy adequately addresses listed risks - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] Release note makes sense to a user of the library - [x] Author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - [x] Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) Co-authored-by: Federico Mon <federico.mon@datadoghq.com>

Ensure that when tainting the headers of a Flask application, iterating over the headers (i.e., with `headers.items()`) does not duplicate them. ``` >> list(request.headers.items()) ``` Now: ``` [['Host', '0.0.0.0:8000'], ['User-Agent', 'python-requests/2.31.0'], ['Accept-Encoding', 'gzip, deflate, br'], ['Accept', '*/*'], ['Connection', 'keep-alive'], ['Host', '0.0.0.0:8000'], ['User-Agent', 'python-requests/2.31.0'], ['Accept-Encoding', 'gzip, deflate, br'], ['Accept', '*/*'], ['Connection', 'keep-alive']] != [['Host', '0.0.0.0:8000'], ['User-Agent', 'python-requests/2.31.0'], ['Accept-Encoding', 'gzip, deflate, br'], ['Accept', '*/*'], ['Connection', 'keep-alive'] ] ``` With this fix: ``` [ ["Host", "0.0.0.0:8000"], ["User-Agent", "python-requests/2.31.0"], ["Accept-Encoding", "gzip, deflate, br"], ["Accept", "*/*"], ["Connection", "keep-alive"], ] ``` Introduced in: #8452 ## Checklist - [x] Change(s) are motivated and described in the PR description - [x] Testing strategy is described if automated tests are not included in the PR - [x] Risks are described (performance impact, potential for breakage, maintainability) - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] [Library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) are followed or label `changelog/no-changelog` is set - [x] Documentation is included (in-code, generated user docs, [public corp docs](https://github.com/DataDog/documentation/)) - [x] Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) - [x] If this PR changes the public interface, I've notified `@DataDog/apm-tees`. - [x] If change touches code that signs or publishes builds or packages, or handles credentials of any kind, I've requested a review from `@DataDog/security-design-and-guidance`. ## Reviewer Checklist - [x] Title is accurate - [x] All changes are related to the pull request's stated goal - [x] Description motivates each change - [x] Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - [x] Testing strategy adequately addresses listed risks - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] Release note makes sense to a user of the library - [x] Author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - [x] Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

Ensure that when tainting the headers of a Flask application, iterating over the headers (i.e., with `headers.items()`) does not duplicate them. ``` >> list(request.headers.items()) ``` Now: ``` [['Host', '0.0.0.0:8000'], ['User-Agent', 'python-requests/2.31.0'], ['Accept-Encoding', 'gzip, deflate, br'], ['Accept', '*/*'], ['Connection', 'keep-alive'], ['Host', '0.0.0.0:8000'], ['User-Agent', 'python-requests/2.31.0'], ['Accept-Encoding', 'gzip, deflate, br'], ['Accept', '*/*'], ['Connection', 'keep-alive']] != [['Host', '0.0.0.0:8000'], ['User-Agent', 'python-requests/2.31.0'], ['Accept-Encoding', 'gzip, deflate, br'], ['Accept', '*/*'], ['Connection', 'keep-alive'] ] ``` With this fix: ``` [ ["Host", "0.0.0.0:8000"], ["User-Agent", "python-requests/2.31.0"], ["Accept-Encoding", "gzip, deflate, br"], ["Accept", "*/*"], ["Connection", "keep-alive"], ] ``` Introduced in: #8452 ## Checklist - [x] Change(s) are motivated and described in the PR description - [x] Testing strategy is described if automated tests are not included in the PR - [x] Risks are described (performance impact, potential for breakage, maintainability) - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] [Library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) are followed or label `changelog/no-changelog` is set - [x] Documentation is included (in-code, generated user docs, [public corp docs](https://github.com/DataDog/documentation/)) - [x] Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) - [x] If this PR changes the public interface, I've notified `@DataDog/apm-tees`. - [x] If change touches code that signs or publishes builds or packages, or handles credentials of any kind, I've requested a review from `@DataDog/security-design-and-guidance`. ## Reviewer Checklist - [x] Title is accurate - [x] All changes are related to the pull request's stated goal - [x] Description motivates each change - [x] Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - [x] Testing strategy adequately addresses listed risks - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] Release note makes sense to a user of the library - [x] Author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - [x] Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) (cherry picked from commit ad6ac08)

Backport ad6ac08 from #9014 to 2.8. Ensure that when tainting the headers of a Flask application, iterating over the headers (i.e., with `headers.items()`) does not duplicate them. ``` >> list(request.headers.items()) ``` Now: ``` [['Host', '0.0.0.0:8000'], ['User-Agent', 'python-requests/2.31.0'], ['Accept-Encoding', 'gzip, deflate, br'], ['Accept', '*/*'], ['Connection', 'keep-alive'], ['Host', '0.0.0.0:8000'], ['User-Agent', 'python-requests/2.31.0'], ['Accept-Encoding', 'gzip, deflate, br'], ['Accept', '*/*'], ['Connection', 'keep-alive']] != [['Host', '0.0.0.0:8000'], ['User-Agent', 'python-requests/2.31.0'], ['Accept-Encoding', 'gzip, deflate, br'], ['Accept', '*/*'], ['Connection', 'keep-alive'] ] ``` With this fix: ``` [ ["Host", "0.0.0.0:8000"], ["User-Agent", "python-requests/2.31.0"], ["Accept-Encoding", "gzip, deflate, br"], ["Accept", "*/*"], ["Connection", "keep-alive"], ] ``` Introduced in: #8452 ## Checklist - [x] Change(s) are motivated and described in the PR description - [x] Testing strategy is described if automated tests are not included in the PR - [x] Risks are described (performance impact, potential for breakage, maintainability) - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] [Library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) are followed or label `changelog/no-changelog` is set - [x] Documentation is included (in-code, generated user docs, [public corp docs](https://github.com/DataDog/documentation/)) - [x] Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) - [x] If this PR changes the public interface, I've notified `@DataDog/apm-tees`. - [x] If change touches code that signs or publishes builds or packages, or handles credentials of any kind, I've requested a review from `@DataDog/security-design-and-guidance`. ## Reviewer Checklist - [x] Title is accurate - [x] All changes are related to the pull request's stated goal - [x] Description motivates each change - [x] Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - [x] Testing strategy adequately addresses listed risks - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] Release note makes sense to a user of the library - [x] Author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - [x] Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) Co-authored-by: Alberto Vara <alberto.vara@datadoghq.com>

Backport ad6ac08 from #9014 to 2.6. Ensure that when tainting the headers of a Flask application, iterating over the headers (i.e., with `headers.items()`) does not duplicate them. ``` >> list(request.headers.items()) ``` Now: ``` [['Host', '0.0.0.0:8000'], ['User-Agent', 'python-requests/2.31.0'], ['Accept-Encoding', 'gzip, deflate, br'], ['Accept', '*/*'], ['Connection', 'keep-alive'], ['Host', '0.0.0.0:8000'], ['User-Agent', 'python-requests/2.31.0'], ['Accept-Encoding', 'gzip, deflate, br'], ['Accept', '*/*'], ['Connection', 'keep-alive']] != [['Host', '0.0.0.0:8000'], ['User-Agent', 'python-requests/2.31.0'], ['Accept-Encoding', 'gzip, deflate, br'], ['Accept', '*/*'], ['Connection', 'keep-alive'] ] ``` With this fix: ``` [ ["Host", "0.0.0.0:8000"], ["User-Agent", "python-requests/2.31.0"], ["Accept-Encoding", "gzip, deflate, br"], ["Accept", "*/*"], ["Connection", "keep-alive"], ] ``` Introduced in: #8452 ## Checklist - [x] Change(s) are motivated and described in the PR description - [x] Testing strategy is described if automated tests are not included in the PR - [x] Risks are described (performance impact, potential for breakage, maintainability) - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] [Library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) are followed or label `changelog/no-changelog` is set - [x] Documentation is included (in-code, generated user docs, [public corp docs](https://github.com/DataDog/documentation/)) - [x] Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) - [x] If this PR changes the public interface, I've notified `@DataDog/apm-tees`. - [x] If change touches code that signs or publishes builds or packages, or handles credentials of any kind, I've requested a review from `@DataDog/security-design-and-guidance`. ## Reviewer Checklist - [x] Title is accurate - [x] All changes are related to the pull request's stated goal - [x] Description motivates each change - [x] Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - [x] Testing strategy adequately addresses listed risks - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] Release note makes sense to a user of the library - [x] Author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - [x] Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) --------- Co-authored-by: Alberto Vara <alberto.vara@datadoghq.com>

Backport ad6ac08 from #9014 to 2.7. Ensure that when tainting the headers of a Flask application, iterating over the headers (i.e., with `headers.items()`) does not duplicate them. ``` >> list(request.headers.items()) ``` Now: ``` [['Host', '0.0.0.0:8000'], ['User-Agent', 'python-requests/2.31.0'], ['Accept-Encoding', 'gzip, deflate, br'], ['Accept', '*/*'], ['Connection', 'keep-alive'], ['Host', '0.0.0.0:8000'], ['User-Agent', 'python-requests/2.31.0'], ['Accept-Encoding', 'gzip, deflate, br'], ['Accept', '*/*'], ['Connection', 'keep-alive']] != [['Host', '0.0.0.0:8000'], ['User-Agent', 'python-requests/2.31.0'], ['Accept-Encoding', 'gzip, deflate, br'], ['Accept', '*/*'], ['Connection', 'keep-alive'] ] ``` With this fix: ``` [ ["Host", "0.0.0.0:8000"], ["User-Agent", "python-requests/2.31.0"], ["Accept-Encoding", "gzip, deflate, br"], ["Accept", "*/*"], ["Connection", "keep-alive"], ] ``` Introduced in: #8452 ## Checklist - [x] Change(s) are motivated and described in the PR description - [x] Testing strategy is described if automated tests are not included in the PR - [x] Risks are described (performance impact, potential for breakage, maintainability) - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] [Library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) are followed or label `changelog/no-changelog` is set - [x] Documentation is included (in-code, generated user docs, [public corp docs](https://github.com/DataDog/documentation/)) - [x] Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) - [x] If this PR changes the public interface, I've notified `@DataDog/apm-tees`. - [x] If change touches code that signs or publishes builds or packages, or handles credentials of any kind, I've requested a review from `@DataDog/security-design-and-guidance`. ## Reviewer Checklist - [x] Title is accurate - [x] All changes are related to the pull request's stated goal - [x] Description motivates each change - [x] Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - [x] Testing strategy adequately addresses listed risks - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] Release note makes sense to a user of the library - [x] Author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - [x] Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) Co-authored-by: Alberto Vara <alberto.vara@datadoghq.com>

Backport ad6ac08 from #9014 to 2.5. Ensure that when tainting the headers of a Flask application, iterating over the headers (i.e., with `headers.items()`) does not duplicate them. ``` >> list(request.headers.items()) ``` Now: ``` [['Host', '0.0.0.0:8000'], ['User-Agent', 'python-requests/2.31.0'], ['Accept-Encoding', 'gzip, deflate, br'], ['Accept', '*/*'], ['Connection', 'keep-alive'], ['Host', '0.0.0.0:8000'], ['User-Agent', 'python-requests/2.31.0'], ['Accept-Encoding', 'gzip, deflate, br'], ['Accept', '*/*'], ['Connection', 'keep-alive']] != [['Host', '0.0.0.0:8000'], ['User-Agent', 'python-requests/2.31.0'], ['Accept-Encoding', 'gzip, deflate, br'], ['Accept', '*/*'], ['Connection', 'keep-alive'] ] ``` With this fix: ``` [ ["Host", "0.0.0.0:8000"], ["User-Agent", "python-requests/2.31.0"], ["Accept-Encoding", "gzip, deflate, br"], ["Accept", "*/*"], ["Connection", "keep-alive"], ] ``` Introduced in: #8452 ## Checklist - [x] Change(s) are motivated and described in the PR description - [x] Testing strategy is described if automated tests are not included in the PR - [x] Risks are described (performance impact, potential for breakage, maintainability) - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] [Library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) are followed or label `changelog/no-changelog` is set - [x] Documentation is included (in-code, generated user docs, [public corp docs](https://github.com/DataDog/documentation/)) - [x] Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) - [x] If this PR changes the public interface, I've notified `@DataDog/apm-tees`. - [x] If change touches code that signs or publishes builds or packages, or handles credentials of any kind, I've requested a review from `@DataDog/security-design-and-guidance`. ## Reviewer Checklist - [x] Title is accurate - [x] All changes are related to the pull request's stated goal - [x] Description motivates each change - [x] Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - [x] Testing strategy adequately addresses listed risks - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] Release note makes sense to a user of the library - [x] Author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - [x] Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) --------- Co-authored-by: Alberto Vara <alberto.vara@datadoghq.com>

gnufede added 2 commits February 19, 2024 15:25

refactor(iast): improve oce

9bfd252

Merge branch 'main' into gnufede/iast-refactor-oce

b083696

gnufede added 15 commits February 19, 2024 17:33

refactor(iast): wip

a2d0ab2

ITR:NoSkip

empty commit

4cfd9a3

ITR:NoSkip

refactor(iast): remove request_has_quota function

76e289e

chore(iast): sort imports

0c5cd89

typing

ef68748

imports sort

072449c

fix import

35dcb55

sort import

3900306

fix import

77225b0

refactor(iast): avoid tainting if not analyzing request

b231aac

fix(iast): import loop

53da1ad

remove outdated tests

8411a74

fix import

d1ff2ed

add release note

4ee3603

Merge branch 'main' into gnufede/iast-refactor-oce

ed48163

gnufede changed the title ~~refactor(iast): improve oce~~ fix(iast): improve oce logic Feb 21, 2024

gnufede added bug ASM Application Security Monitoring backport 2.4 labels Feb 21, 2024

empty commit

96d7989

ITR:NoSkip

gnufede changed the title ~~fix(iast): improve oce logic~~ fix(iast): improve overhead control logic Feb 21, 2024

gnufede force-pushed the gnufede/iast-refactor-oce branch from 6df5d70 to f5ad1b1 Compare February 21, 2024 15:16

fix instrumented metrics

78843a3

gnufede force-pushed the gnufede/iast-refactor-oce branch from f5ad1b1 to 78843a3 Compare February 21, 2024 15:17

chore(iast): add tests, code improvement

fbceea3

gnufede mentioned this pull request Mar 26, 2024

fix(iast): ensure context is created for current span #8772

Merged

18 tasks

github-actions bot mentioned this pull request Mar 26, 2024

fix(iast): ensure context is created for current span [backport 2.5] #8784

Merged

18 tasks

github-actions bot mentioned this pull request Mar 26, 2024

fix(iast): ensure context is created for current span [backport 2.6] #8785

Merged

18 tasks

github-actions bot mentioned this pull request Mar 26, 2024

fix(iast): ensure context is created for current span [backport 2.7] #8786

Merged

18 tasks

avara1986 mentioned this pull request Apr 17, 2024

fix(iast): duplicated Flask headers #9014

Merged

18 tasks

github-actions bot mentioned this pull request Apr 17, 2024

fix(iast): duplicated Flask headers [backport 2.5] #9018

Merged

18 tasks

github-actions bot mentioned this pull request Apr 17, 2024

fix(iast): duplicated Flask headers [backport 2.6] #9019

Merged

18 tasks

github-actions bot mentioned this pull request Apr 17, 2024

fix(iast): duplicated Flask headers [backport 2.7] #9020

Merged

18 tasks

github-actions bot mentioned this pull request Apr 17, 2024

fix(iast): duplicated Flask headers [backport 2.8] #9021

Merged

18 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(iast): improve overhead control logic #8452

fix(iast): improve overhead control logic #8452

gnufede commented Feb 19, 2024 •

edited by juanjux

Loading

datadog-dd-trace-py-rkomorn bot commented Feb 19, 2024 •

edited

Loading

fix(iast): improve overhead control logic #8452

fix(iast): improve overhead control logic #8452

Conversation

gnufede commented Feb 19, 2024 • edited by juanjux Loading

Checklist

Reviewer Checklist

datadog-dd-trace-py-rkomorn bot commented Feb 19, 2024 • edited Loading

Datadog Report

gnufede commented Feb 19, 2024 •

edited by juanjux

Loading

datadog-dd-trace-py-rkomorn bot commented Feb 19, 2024 •

edited

Loading