diff --git a/ddtrace/appsec/_common_module_patches.py b/ddtrace/appsec/_common_module_patches.py
index 0b455dbba6b..8c834b80e6f 100644
--- a/ddtrace/appsec/_common_module_patches.py
+++ b/ddtrace/appsec/_common_module_patches.py
@@ -1,5 +1,4 @@
-# This module must not import other modules inconditionnaly that
-# require iast, ddwaf or any native optional module.
+# This module must not import other modules unconditionally that require iast
 import ctypes
 import os
@@ -17,9 +16,6 @@ from ddtrace.appsec._asm_request_context import get_blocked
 from ddtrace.appsec._constants import EXPLOIT_PREVENTION
 from ddtrace.appsec._constants import WAF_ACTIONS
-from ddtrace.appsec._iast._iast_request_context import is_iast_request_enabled
-from ddtrace.appsec._iast._metrics import _set_metric_iast_instrumented_sink
-from ddtrace.appsec._iast.constants import VULN_PATH_TRAVERSAL
 import ddtrace.contrib.internal.subprocess.patch as subprocess_patch
 from ddtrace.internal import core
 from ddtrace.internal._exceptions import BlockingException
@@ -29,6 +25,14 @@ from ddtrace.settings.asm import config as asm_config
+if asm_config._iast_enabled:
+ from ddtrace.appsec._iast._iast_request_context import is_iast_request_enabled
+else:
+
+ def is_iast_request_enabled() -> bool:
+ return False
+
+
 log = get_logger(__name__)
 _DD_ORIGINAL_ATTRIBUTES: Dict[Any, Any] = {}
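Review bot: The reworded header comment in the first hunk drops the `ddwaf or any native optional module` clause, yet that rule still applies: the release note in this same commit describes an ImportError caused by loading a native module, which is exactly what the old wording guarded against. Keeping the broader scope avoids a later change re-adding an unconditional `ddwaf` import on the strength of this comment. Suggested wording: `# This module must not unconditionally import modules that require iast, ddwaf or any native optional module.`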
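Review bot: The import-time fallback `is_iast_request_enabled` in the last hunk has no comment saying that it is deliberately re-bound later, so a reader will assume the module-level choice is final. Since `patch_common_modules()` (in a later hunk of this file) re-evaluates `asm_config._iast_enabled` and re-binds the same name, the two definitions must stay in sync, and a comment at this site should say so. Suggested: `# Stub used when IAST is disabled at import time; patch_common_modules() re-binds this name if the flag changes afterwards, so keep both definitions in sync.`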
@@ -42,6 +46,16 @@ def patch_common_modules():
 global _is_patched
 if _is_patched:
 return
+ # for testing purposes, we need to update is_iast_request_enabled
+ if asm_config._iast_enabled:
+ global is_iast_request_enabled
+ from ddtrace.appsec._iast._iast_request_context import is_iast_request_enabled
+ else:
+ global is_iast_request_enabled
+
+ def is_iast_request_enabled() -> bool:
+ return False
+
 try_wrap_function_wrapper("builtins", "open", wrapped_open_CFDDB7ABBA9081B6)
 try_wrap_function_wrapper("urllib.request", "OpenerDirector.open", wrapped_open_ED4CF71136E15EBF)
 try_wrap_function_wrapper("_io", "BytesIO.read", wrapped_read_F3E51D71B4EC16EF)
@@ -52,6 +66,9 @@ def patch_common_modules():
 subprocess_patch.add_lst_callback(_RASP_POPEN, popen_FD233052260D8B4D)
 core.on("asm.block.dbapi.execute", execute_4C9BAC8E228EB347)
 if asm_config._iast_enabled:
+ from ddtrace.appsec._iast._metrics import _set_metric_iast_instrumented_sink
+ from ddtrace.appsec._iast.constants import VULN_PATH_TRAVERSAL
+
 _set_metric_iast_instrumented_sink(VULN_PATH_TRAVERSAL)
 _is_patched = True
diff --git a/ddtrace/appsec/_iast/_iast_request_context.py b/ddtrace/appsec/_iast/_iast_request_context.py
index d2b809c252c..1ac3d6d6387 100644
--- a/ddtrace/appsec/_iast/_iast_request_context.py
+++ b/ddtrace/appsec/_iast/_iast_request_context.py
@@ -104,7 +104,7 @@ def set_iast_request_enabled(request_enabled) -> None:
 log.debug("[IAST] Trying to set IAST reporter but no context is present")
-def is_iast_request_enabled():
+def is_iast_request_enabled() -> bool:
 env = _get_iast_context()
 if env:
 return env.request_enabled
diff --git a/releasenotes/notes/no_IAST_unguarded_loading_in_common_module_patches-123cf6d3f8844823.yaml b/releasenotes/notes/no_IAST_unguarded_loading_in_common_module_patches-123cf6d3f8844823.yaml
new file mode 100644
index 00000000000..c88f0e042e5
--- /dev/null
+++ b/releasenotes/notes/no_IAST_unguarded_loading_in_common_module_patches-123cf6d3f8844823.yaml
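Review bot: `global is_iast_request_enabled` is declared separately in both branches of the new `if`/`else` in the first hunk, and the comment `for testing purposes` does not say what is being fixed up or why the module-level binding is not enough. One declaration ahead of the `if` is sufficient and clearer: place `global is_iast_request_enabled` before `if asm_config._iast_enabled:`, drop the two inner declarations, and reword the comment to `# Re-bind is_iast_request_enabled here: the module-level binding was fixed at import time, and tests toggle asm_config._iast_enabled afterwards.` Note that this re-binding only runs when `_is_patched` is False, so a test that toggles the flag after a patch must also reset `_is_patched`, which I assume is already how the existing wrappers are tested. `patch_common_modules` continues past this hunk.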
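Review bot: In the second hunk, the lazy import of `_set_metric_iast_instrumented_sink` and `VULN_PATH_TRAVERSAL` runs after every `try_wrap_function_wrapper` call but before `_is_patched = True`, so if it raises the ImportError this commit describes (now only when IAST is enabled), the wrappers stay installed while the function reports itself unpatched; a later call would re-run the wrap calls, and whether `try_wrap_function_wrapper` tolerates double wrapping is not visible here. Catching ImportError around just the import keeps the patch state consistent and records the degraded instrumentation; the call appears to be metric bookkeeping only, so skipping it when the module is unavailable looks safe, but please confirm. `log` is the module logger defined earlier in this file.
```python
    if asm_config._iast_enabled:
        try:
            from ddtrace.appsec._iast._metrics import _set_metric_iast_instrumented_sink
            from ddtrace.appsec._iast.constants import VULN_PATH_TRAVERSAL
        except ImportError:
            # IAST pieces unavailable on this platform; do not leave the module half-patched
            log.debug("IAST metrics module unavailable, skipping instrumented-sink metric", exc_info=True)
        else:
            _set_metric_iast_instrumented_sink(VULN_PATH_TRAVERSAL)
    _is_patched = True
```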
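Review bot: The new `-> bool` annotation on `is_iast_request_enabled` in `_iast_request_context.py` is not backed by the body: it returns `env.request_enabled` directly, and nothing in this hunk shows that attribute is a bool rather than `None` or some other value. Either coerce it, `return bool(env.request_enabled)`, or document the attribute's type where it is set. The fallback stub added in `_common_module_patches.py` carries the same annotation, so the two should agree on the contract; a one-line docstring here, `"""Return whether IAST reporting is enabled for the current request context."""`, would state it. The function's remaining lines are outside this hunk.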
@@ -0,0 +1,5 @@
+---
+fixes:
+ - |
+ ASM: This fix resolves an issue where IAST modules could be loaded, even if disabled,
+ which could create an ImportError exception on Windows.
\ No newline at end of file