
fix(iast): duplicated Flask headers [backport 2.8] #9021

Merged (1 commit), Apr 17, 2024

Commits on Apr 17, 2024

  1. fix(iast): duplicated Flask headers (#9014)

    Ensure that when tainting the headers of a Flask application, iterating
    over the headers (i.e., with `headers.items()`) does not duplicate them.
    
    ```
    >>> list(request.headers.items())
    ```
    
    Now:
    ```
    [['Host', '0.0.0.0:8000'],
     ['User-Agent', 'python-requests/2.31.0'],
     ['Accept-Encoding', 'gzip, deflate, br'],
     ['Accept', '*/*'],
     ['Connection', 'keep-alive'],
     ['Host', '0.0.0.0:8000'],
     ['User-Agent', 'python-requests/2.31.0'],
     ['Accept-Encoding', 'gzip, deflate, br'],
     ['Accept', '*/*'],
     ['Connection', 'keep-alive']] != [['Host', '0.0.0.0:8000'],
     ['User-Agent', 'python-requests/2.31.0'],
     ['Accept-Encoding', 'gzip, deflate, br'],
     ['Accept', '*/*'],
     ['Connection', 'keep-alive']
    ]
    ```
    
    With this fix:
    ```
    [
                ["Host", "0.0.0.0:8000"],
                ["User-Agent", "python-requests/2.31.0"],
                ["Accept-Encoding", "gzip, deflate, br"],
                ["Accept", "*/*"],
                ["Connection", "keep-alive"],
    ]
    ```
    
    Introduced in: #8452
    
    ## Checklist
    
    - [x] Change(s) are motivated and described in the PR description
    - [x] Testing strategy is described if automated tests are not included
    in the PR
    - [x] Risks are described (performance impact, potential for breakage,
    maintainability)
    - [x] Change is maintainable (easy to change, telemetry, documentation)
    - [x] [Library release note
    guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
    are followed or label `changelog/no-changelog` is set
    - [x] Documentation is included (in-code, generated user docs, [public
    corp docs](https://github.com/DataDog/documentation/))
    - [x] Backport labels are set (if
    [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))
    - [x] If this PR changes the public interface, I've notified
    `@DataDog/apm-tees`.
    - [x] If change touches code that signs or publishes builds or packages,
    or handles credentials of any kind, I've requested a review from
    `@DataDog/security-design-and-guidance`.
    
    ## Reviewer Checklist
    
    - [x] Title is accurate
    - [x] All changes are related to the pull request's stated goal
    - [x] Description motivates each change
    - [x] Avoids breaking
    [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
    changes
    - [x] Testing strategy adequately addresses listed risks
    - [x] Change is maintainable (easy to change, telemetry, documentation)
    - [x] Release note makes sense to a user of the library
    - [x] Author has acknowledged and discussed the performance implications
    of this PR as reported in the benchmarks PR comment
    - [x] Backport labels are set in a manner that is consistent with the
    [release branch maintenance
    policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)
    
    (cherry picked from commit ad6ac08)
    avara1986 authored and github-actions[bot] committed Apr 17, 2024
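As an added example that is not part of this PR or of dd-trace-py, the failure mode the commit describes (a taint wrapper that makes `headers.items()` yield every header twice) next to a wrapper that preserves the pair sequence, plus a regression check that would catch the duplication. It runs over a minimal stand-in for Werkzeug's `Headers`; the class names, the `Tainted` string type, the `http.request.header.<name>` source label and the sample request headers are assumptions constructed for illustration:

```python
"""Constructed illustration (not dd-trace-py code): tainting request headers
must attach taint to each value without changing the (name, value) sequence."""
from typing import Iterable, Iterator, List, Tuple


class Headers:
    """Minimal stand-in for werkzeug.datastructures.Headers: an ordered list of
    (name, value) pairs in which a name may repeat (e.g. several Cookie headers)."""

    def __init__(self, pairs: Iterable[Tuple[str, str]] = ()):
        self._list: List[Tuple[str, str]] = list(pairs)

    def items(self) -> List[Tuple[str, str]]:
        return list(self._list)

    def __iter__(self) -> Iterator[Tuple[str, str]]:
        return iter(self._list)

    def getlist(self, name: str) -> List[str]:
        return [v for k, v in self._list if k.lower() == name.lower()]


class Tainted(str):
    """Hypothetical taint-tracked string; `source` records where the value came from."""
    source: str = ""


def taint(value: str, source: str) -> Tainted:
    tainted = Tainted(value)
    tainted.source = source
    return tainted


class TaintedHeadersBuggy:
    """Hypothetical buggy wrapper: the result list is seeded with the raw pairs
    and the tainted pairs are appended, so every header shows up twice."""

    def __init__(self, headers: Headers):
        self._h = headers

    def items(self) -> List[Tuple[str, str]]:
        out: List[Tuple[str, str]] = list(self._h)  # mistake: starts with the raw pairs
        for name, value in self._h.items():
            out.append((name, taint(value, f"http.request.header.{name}")))
        return out


class TaintedHeaders:
    """Corrected wrapper: exactly one tainted pair per original pair, same order,
    repeated names preserved."""

    def __init__(self, headers: Headers):
        self._h = headers

    def items(self) -> List[Tuple[str, str]]:
        return [(name, taint(value, f"http.request.header.{name}"))
                for name, value in self._h.items()]

    def __iter__(self) -> Iterator[Tuple[str, str]]:
        return iter(self.items())


def check_multiplicity(raw: Headers, wrapped) -> bool:
    """Regression check: the wrapped view must expose the same (name, value)
    sequence as the raw headers, and every value must carry taint."""
    raw_pairs = [(k, str(v)) for k, v in raw.items()]
    wrapped_pairs = [(k, str(v)) for k, v in wrapped.items()]
    return raw_pairs == wrapped_pairs and all(
        isinstance(v, Tainted) for _, v in wrapped.items())


# Constructed sample request; the repeated Cookie name is the case a
# de-duplicating "fix" would get wrong, so the check compares sequences, not sets.
SAMPLE = Headers([
    ("Host", "0.0.0.0:8000"),
    ("User-Agent", "python-requests/2.31.0"),
    ("Cookie", "a=1"),
    ("Cookie", "b=2"),
])

if __name__ == "__main__":
    print("buggy wrapper passes check:", check_multiplicity(SAMPLE, TaintedHeadersBuggy(SAMPLE)))
    print("fixed wrapper passes check:", check_multiplicity(SAMPLE, TaintedHeaders(SAMPLE)))
```

The check compares the full pair sequence rather than a set of names on purpose: a wrapper that duplicated headers would double every taint source (and every sink report downstream), while one that collapsed repeated names would silently drop a second `Cookie` value, and only a sequence comparison catches both.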
Commit cb5c59d