fix(asm): make sure iast is not loaded by exploit prevention if disabled [backport 2.20] (#12271)

Co-authored-by: Christophe Papazian <[email protected]>

Author: github-actions[bot]

ddtrace/appsec/_common_module_patches.py

@@ -1,5 +1,4 @@
-# This module must not import other modules inconditionnaly that
-# require iast, ddwaf or any native optional module.
+# This module must not import other modules unconditionally that require iast
 
 import ctypes
 import os
@@ -17,9 +16,6 @@
 from ddtrace.appsec._asm_request_context import get_blocked
 from ddtrace.appsec._constants import EXPLOIT_PREVENTION
 from ddtrace.appsec._constants import WAF_ACTIONS
-from ddtrace.appsec._iast._iast_request_context import is_iast_request_enabled
-from ddtrace.appsec._iast._metrics import _set_metric_iast_instrumented_sink
-from ddtrace.appsec._iast.constants import VULN_PATH_TRAVERSAL
 import ddtrace.contrib.internal.subprocess.patch as subprocess_patch
 from ddtrace.internal import core
 from ddtrace.internal._exceptions import BlockingException
@@ -29,6 +25,14 @@
 from ddtrace.settings.asm import config as asm_config
 
 
+if asm_config._iast_enabled:
+    from ddtrace.appsec._iast._iast_request_context import is_iast_request_enabled
+else:
+
+    def is_iast_request_enabled() -> bool:
+        return False
+
+
 log = get_logger(__name__)
 _DD_ORIGINAL_ATTRIBUTES: Dict[Any, Any] = {}
 
@@ -42,6 +46,16 @@ def patch_common_modules():
     global _is_patched
     if _is_patched:
         return
+    # for testing purposes, we need to update is_iast_request_enabled
+    if asm_config._iast_enabled:
+        global is_iast_request_enabled
+        from ddtrace.appsec._iast._iast_request_context import is_iast_request_enabled
+    else:
+        global is_iast_request_enabled
+
+        def is_iast_request_enabled() -> bool:
+            return False
+
     try_wrap_function_wrapper("builtins", "open", wrapped_open_CFDDB7ABBA9081B6)
     try_wrap_function_wrapper("urllib.request", "OpenerDirector.open", wrapped_open_ED4CF71136E15EBF)
     try_wrap_function_wrapper("_io", "BytesIO.read", wrapped_read_F3E51D71B4EC16EF)
@@ -52,6 +66,9 @@ def patch_common_modules():
     subprocess_patch.add_lst_callback(_RASP_POPEN, popen_FD233052260D8B4D)
     core.on("asm.block.dbapi.execute", execute_4C9BAC8E228EB347)
     if asm_config._iast_enabled:
+        from ddtrace.appsec._iast._metrics import _set_metric_iast_instrumented_sink
+        from ddtrace.appsec._iast.constants import VULN_PATH_TRAVERSAL
+
         _set_metric_iast_instrumented_sink(VULN_PATH_TRAVERSAL)
     _is_patched = True
 

ddtrace/appsec/_iast/_iast_request_context.py

@@ -104,7 +104,7 @@ def set_iast_request_enabled(request_enabled) -> None:
         log.debug("[IAST] Trying to set IAST reporter but no context is present")
 
 
-def is_iast_request_enabled():
+def is_iast_request_enabled() -> bool:
     env = _get_iast_context()
     if env:
         return env.request_enabled

releasenotes/notes/no_IAST_unguarded_loading_in_common_module_patches-123cf6d3f8844823.yaml

@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    ASM: This fix resolves an issue where IAST modules could be loaded, even if disabled, 
+         which could create an ImportError exception on Windows.