
fix(iast): duplicated Flask headers [backport 2.8] #9021

Merged: 1 commit merged into 2.8 from backport-9014-to-2.8 on Apr 17, 2024

Conversation


@github-actions github-actions bot commented Apr 17, 2024

Backport ad6ac08 from #9014 to 2.8.

Ensure that when tainting the headers of a Flask application, iterating over the headers (i.e., with `headers.items()`) does not duplicate them.

```
>> list(request.headers.items())
```

Now:

```
[['Host', '0.0.0.0:8000'],
 ['User-Agent', 'python-requests/2.31.0'],
 ['Accept-Encoding', 'gzip, deflate, br'],
 ['Accept', '*/*'],
 ['Connection', 'keep-alive'],
 ['Host', '0.0.0.0:8000'],
 ['User-Agent', 'python-requests/2.31.0'],
 ['Accept-Encoding', 'gzip, deflate, br'],
 ['Accept', '*/*'],
 ['Connection', 'keep-alive']] != [['Host', '0.0.0.0:8000'],
 ['User-Agent', 'python-requests/2.31.0'],
 ['Accept-Encoding', 'gzip, deflate, br'],
 ['Accept', '*/*'],
 ['Connection', 'keep-alive']
]
```

With this fix:

```
[
    ["Host", "0.0.0.0:8000"],
    ["User-Agent", "python-requests/2.31.0"],
    ["Accept-Encoding", "gzip, deflate, br"],
    ["Accept", "*/*"],
    ["Connection", "keep-alive"],
]
```

Introduced in: #8452

Checklist

- [x] Change(s) are motivated and described in the PR description
- [x] Testing strategy is described if automated tests are not included in the PR
- [x] Risks are described (performance impact, potential for breakage, maintainability)
- [x] Change is maintainable (easy to change, telemetry, documentation)
- [x] [Library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) are followed or label `changelog/no-changelog` is set
- [x] Documentation is included (in-code, generated user docs, [public corp docs](https://github.com/DataDog/documentation/))
- [x] Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))
- [x] If this PR changes the public interface, I've notified `@DataDog/apm-tees`.
- [x] If change touches code that signs or publishes builds or packages, or handles credentials of any kind, I've requested a review from `@DataDog/security-design-and-guidance`.

Reviewer Checklist

- [x] Title is accurate
- [x] All changes are related to the pull request's stated goal
- [x] Description motivates each change
- [x] Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes
- [x] Testing strategy adequately addresses listed risks
- [x] Change is maintainable (easy to change, telemetry, documentation)
- [x] Release note makes sense to a user of the library
- [x] Author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
- [x] Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

(cherry picked from commit ad6ac08)
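The description above shows the symptom (every header appearing twice after `headers.items()`) but not the code behind it. The following is an added, self-contained illustration, not dd-trace-py's, Flask's or werkzeug's code: a constructed list-backed header multidict standing in for werkzeug's `Headers`, a `str` subclass standing in for an IAST taint tag, one plausible way a taint wrapper ends up duplicating entries (copying the originals through the base constructor and then adding a tainted copy of each instead of replacing them), the corrected wrapper that taints each value exactly once, and a regression check of the same shape as the assertion in the description. The real cause fixed in #9014 is not visible on this page, so `BuggyTaintedHeaders` is a reconstruction of the failure pattern, not the original bug.

```python
# Added example, not ddtrace/Flask/werkzeug code. All classes below are
# constructed stand-ins; the taint "source" string is an assumed label.


class TaintedStr(str):
    """A str that remembers where its value came from (stand-in for an
    IAST taint tag)."""

    def __new__(cls, value, source):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj


def taint(value, source="http.request.header"):
    return TaintedStr(value, source)


class Headers:
    """Stand-in for a werkzeug-style Headers: an ordered list of
    (name, value) pairs in which a name may repeat."""

    def __init__(self, defaults=()):
        self._list = []
        for key, value in defaults:
            self.add(key, value)

    def add(self, key, value):
        self._list.append((key, value))

    def __iter__(self):
        return iter(self._list)

    def items(self):
        return list(self._list)

    def get(self, key, default=None):
        for k, v in self._list:
            if k.lower() == key.lower():
                return v
        return default


class BuggyTaintedHeaders(Headers):
    """Copies the original entries via the base constructor and then ADDS a
    tainted copy of each one, so items() yields every header twice."""

    def __init__(self, original):
        super().__init__(original)           # the 5 plain entries
        for key, value in original.items():
            self.add(key, taint(value))      # 5 more, tainted: 10 in total


class TaintedHeaders(Headers):
    """Builds the list once, tainting each value on the way in."""

    def __init__(self, original):
        super().__init__((key, taint(value)) for key, value in original.items())


# Constructed sample request headers, mirroring those in the PR description.
SAMPLE_HEADERS = [
    ("Host", "0.0.0.0:8000"),
    ("User-Agent", "python-requests/2.31.0"),
    ("Accept-Encoding", "gzip, deflate, br"),
    ("Accept", "*/*"),
    ("Connection", "keep-alive"),
]


def iteration_preserved(original, tainted):
    """Regression check in the spirit of the PR's assertion: iterating the
    tainted view must yield exactly the original pairs (compared as plain
    strings), in the same order, with nothing added or dropped."""
    plain = [(k, str(v)) for k, v in tainted.items()]
    return plain == list(original.items())


def all_values_tainted(tainted):
    """True when every header value carries a taint tag."""
    return all(isinstance(v, TaintedStr) for _, v in tainted.items())


if __name__ == "__main__":
    original = Headers(SAMPLE_HEADERS)
    buggy = BuggyTaintedHeaders(original)
    fixed = TaintedHeaders(original)
    print(len(buggy.items()), iteration_preserved(original, buggy))  # 10 False
    print(len(fixed.items()), iteration_preserved(original, fixed))  # 5 True
    print(all_values_tainted(fixed), fixed.get("Host").source)
```

The check compares the tainted view against the untouched headers as plain strings, which is the property a test for this fix should pin down: taint tracking must annotate values without changing what the application sees when it iterates them, since a duplicated header list can change application logic (and any detection built on it) in ways unrelated to the vulnerability being tracked.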
@github-actions github-actions bot requested a review from a team as a code owner April 17, 2024 14:03
@github-actions github-actions bot added the bug label Apr 17, 2024
@github-actions github-actions bot requested a review from a team as a code owner April 17, 2024 14:03
@github-actions github-actions bot added the ASM Application Security Monitoring label Apr 17, 2024
@datadog-dd-trace-py-rkomorn

Datadog Report

Branch report: backport-9014-to-2.8
Commit report: cb5c59d
Test service: dd-trace-py

✅ 0 Failed, 110963 Passed, 592 Skipped, 2h 7m 29.31s Total duration (3m 53.45s time saved)

@avara1986 avara1986 closed this Apr 17, 2024
@avara1986 avara1986 reopened this Apr 17, 2024
@avara1986 avara1986 enabled auto-merge (squash) April 17, 2024 14:42
@avara1986 avara1986 merged commit 26f8759 into 2.8 Apr 17, 2024
77 of 78 checks passed
@avara1986 avara1986 deleted the backport-9014-to-2.8 branch April 17, 2024 15:04