Merge branch 'main' into taegyunkim/build_base_venv_jobs

DataDog · Feb 14, 2025 · 54e4375 · 54e4375
2 parents cb3b1b0 + a87b4f7
commit 54e4375
Show file tree

Hide file tree

Showing 62 changed files with 1,137 additions and 732 deletions.
diff --git a/.github/workflows/requirements-locks.yml b/.github/workflows/requirements-locks.yml
@@ -31,5 +31,14 @@ jobs:
       - name: Generate riot locks
         run: scripts/compile-and-prune-test-requirements
 
-      - name: Check git diff
+      - name: Check locks diff
         run: scripts/check-diff '.riot/requirements/' 'Mismatches found between .riot/requirements/*.txt and riotfile.py. Run scripts/compile-and-prune-test-requirements and commit the result.'
+
+      - name: Generate min_compatible_versions
+        run: python scripts/min_compatible_versions.py
+
+      - name: Check min_compatible_versions diff
+        run: scripts/check-diff 'min_compatible_versions.csv' 'Mismatches found between min_compatible_versions.csv and riotfile.py. Run `python scripts/min_compatible_versions.py` and commit the result.'
+
+      - name: Check lib-injection min_compatible_versions diff
+        run: scripts/check-diff 'lib-injection/sources/min_compatible_versions.csv' 'Mismatches found between min_compatible_versions.csv and riotfile.py. Run `python scripts/min_compatible_versions.py` and commit the result.'
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -1,8 +1,6 @@
 stages:
   - package
-  - tests-gen
-  - tests-trigger
-  - quality-gate
+  - tests
   - shared-pipeline
   - benchmarks
   - macrobenchmarks
@@ -26,7 +24,7 @@ include:
   - local: ".gitlab/testrunner.yml"
 
 tests-gen:
-  stage: tests-gen
+  stage: tests
   extends: .testrunner
   script:
     - pip install riot==0.20.1
@@ -38,14 +36,28 @@ tests-gen:
       - .gitlab/tests-gen.yml
 
 run-tests-trigger:
- stage: tests-trigger
+ stage: tests
  needs: [ tests-gen ]
  trigger:
    include:
      - artifact: .gitlab/tests-gen.yml
        job: tests-gen
    strategy: depend
 
+check_new_flaky_tests:
+  stage: tests
+  needs: ["run-tests-trigger"]
+  extends: .testrunner
+  script:
+    - export DD_SITE=datadoghq.com
+    - export DD_API_KEY=$(aws ssm get-parameter --region us-east-1 --name ci.${CI_PROJECT_NAME}.dd-api-key-qualitygate --with-decryption --query "Parameter.Value" --out text)
+    - export DD_APP_KEY=$(aws ssm get-parameter --region us-east-1 --name ci.${CI_PROJECT_NAME}.dd-app-key-qualitygate --with-decryption --query "Parameter.Value" --out text)
+    - datadog-ci gate evaluate
+  except:
+    - main
+    - '[0-9].[0-9]*'
+    - 'mq-working-branch**'
+
 requirements_json_test:
   rules:
     - when: on_success
@@ -93,15 +105,3 @@ deploy_to_di_backend:manual:
     UPSTREAM_TAG: $CI_COMMIT_TAG
     UPSTREAM_PACKAGE_JOB: build
 
-check_new_flaky_tests:
-  stage: quality-gate
-  extends: .testrunner
-  script:
-    - export DD_SITE=datadoghq.com
-    - export DD_API_KEY=$(aws ssm get-parameter --region us-east-1 --name ci.${CI_PROJECT_NAME}.dd-api-key-qualitygate --with-decryption --query "Parameter.Value" --out text)
-    - export DD_APP_KEY=$(aws ssm get-parameter --region us-east-1 --name ci.${CI_PROJECT_NAME}.dd-app-key-qualitygate --with-decryption --query "Parameter.Value" --out text)
-    - datadog-ci gate evaluate
-  except:
-    - main
-    - '[0-9].[0-9]*'
-    - 'mq-working-branch**'
diff --git a/.riot/requirements/1993410.txt b/.riot/requirements/1993410.txt
@@ -0,0 +1,31 @@
+#
+# This file is autogenerated by pip-compile with Python 3.13
+# by the following command:
+#
+#    pip-compile --no-annotate .riot/requirements/1993410.in
+#
+attrs==25.1.0
+coverage[toml]==7.6.12
+gevent==24.11.1
+greenlet==3.1.1
+gunicorn[gevent]==23.0.0
+hypothesis==6.45.0
+iniconfig==2.0.0
+mock==5.1.0
+opentracing==2.4.0
+packaging==24.2
+pluggy==1.5.0
+py-cpuinfo==8.0.0
+pytest==8.3.4
+pytest-asyncio==0.21.1
+pytest-benchmark==5.1.0
+pytest-cov==6.0.0
+pytest-mock==3.14.0
+pytest-randomly==3.16.0
+sortedcontainers==2.4.0
+uwsgi==2.0.28
+zope-event==5.0
+zope-interface==7.2
+
+# The following packages are considered to be unsafe in a requirements file:
+# setuptools
diff --git a/.riot/requirements/1ccff62.txt b/.riot/requirements/1ccff62.txt
@@ -0,0 +1,25 @@
+#
+# This file is autogenerated by pip-compile with Python 3.13
+# by the following command:
+#
+#    pip-compile --no-annotate .riot/requirements/1ccff62.in
+#
+attrs==25.1.0
+coverage[toml]==7.6.12
+gunicorn==23.0.0
+hypothesis==6.45.0
+iniconfig==2.0.0
+mock==5.1.0
+opentracing==2.4.0
+packaging==24.2
+pluggy==1.5.0
+protobuf==5.29.3
+py-cpuinfo==8.0.0
+pytest==8.3.4
+pytest-asyncio==0.21.1
+pytest-benchmark==5.1.0
+pytest-cov==6.0.0
+pytest-mock==3.14.0
+pytest-randomly==3.16.0
+sortedcontainers==2.4.0
+uwsgi==2.0.28
diff --git a/.riot/requirements/1d21cf3.txt b/.riot/requirements/1d21cf3.txt
diff --git a/.riot/requirements/4e93dc8.txt b/.riot/requirements/4e93dc8.txt
@@ -0,0 +1,29 @@
+#
+# This file is autogenerated by pip-compile with Python 3.8
+# by the following command:
+#
+#    pip-compile --no-annotate .riot/requirements/4e93dc8.in
+#
+attrs==25.1.0
+certifi==2025.1.31
+chardet==3.0.4
+coverage[toml]==7.6.1
+exceptiongroup==1.2.2
+hypothesis==6.45.0
+idna==2.8
+importlib-metadata==8.5.0
+iniconfig==2.0.0
+mock==5.1.0
+opentracing==2.4.0
+packaging==24.2
+pluggy==1.5.0
+pytest==8.3.4
+pytest-cov==5.0.0
+pytest-mock==3.14.0
+pytest-randomly==3.15.0
+requests==2.22.0
+requests-mock==1.12.1
+sortedcontainers==2.4.0
+tomli==2.2.1
+urllib3==1.25.11
+zipp==3.20.2
diff --git a/.riot/requirements/518c01e.txt b/.riot/requirements/518c01e.txt
@@ -0,0 +1,25 @@
+#
+# This file is autogenerated by pip-compile with Python 3.13
+# by the following command:
+#
+#    pip-compile --no-annotate .riot/requirements/518c01e.in
+#
+attrs==25.1.0
+coverage[toml]==7.6.12
+gunicorn==23.0.0
+hypothesis==6.45.0
+iniconfig==2.0.0
+mock==5.1.0
+opentracing==2.4.0
+packaging==24.2
+pluggy==1.5.0
+protobuf==4.22.0
+py-cpuinfo==8.0.0
+pytest==8.3.4
+pytest-asyncio==0.21.1
+pytest-benchmark==5.1.0
+pytest-cov==6.0.0
+pytest-mock==3.14.0
+pytest-randomly==3.16.0
+sortedcontainers==2.4.0
+uwsgi==2.0.28
diff --git a/ddtrace/appsec/_asm_request_context.py b/ddtrace/appsec/_asm_request_context.py
@@ -26,13 +26,8 @@
 
 
 if asm_config._iast_enabled:
-    from ddtrace.appsec._iast._iast_request_context import is_iast_request_enabled
     from ddtrace.appsec._iast._taint_tracking import OriginType
     from ddtrace.appsec._iast._taint_tracking._taint_objects import taint_pyobject
-else:
-
-    def is_iast_request_enabled() -> bool:
-        return False
 
 
 if TYPE_CHECKING:
@@ -500,7 +495,7 @@ def _on_wrapped_view(kwargs):
     # If IAST is enabled, taint the Flask function kwargs (path parameters)
 
     if asm_config._iast_enabled and kwargs:
-        if not is_iast_request_enabled():
+        if not asm_config.is_iast_request_enabled:
             return return_value
 
         _kwargs = {}

diff --git a/ddtrace/appsec/_common_module_patches.py b/ddtrace/appsec/_common_module_patches.py
@@ -25,14 +25,6 @@
 from ddtrace.settings.asm import config as asm_config
 
 
-if asm_config._iast_enabled:
-    from ddtrace.appsec._iast._iast_request_context import is_iast_request_enabled
-else:
-
-    def is_iast_request_enabled() -> bool:
-        return False
-
-
 log = get_logger(__name__)
 _DD_ORIGINAL_ATTRIBUTES: Dict[Any, Any] = {}
 
@@ -50,15 +42,6 @@ def patch_common_modules():
     subprocess_patch.add_lst_callback(_RASP_POPEN, popen_FD233052260D8B4D)
     if _is_patched:
         return
-    # for testing purposes, we need to update is_iast_request_enabled
-    if asm_config._iast_enabled:
-        global is_iast_request_enabled
-        from ddtrace.appsec._iast._iast_request_context import is_iast_request_enabled
-    else:
-        global is_iast_request_enabled
-
-        def is_iast_request_enabled() -> bool:
-            return False
 
     try_wrap_function_wrapper("builtins", "open", wrapped_open_CFDDB7ABBA9081B6)
     try_wrap_function_wrapper("urllib.request", "OpenerDirector.open", wrapped_open_ED4CF71136E15EBF)
@@ -91,7 +74,7 @@ def wrapped_read_F3E51D71B4EC16EF(original_read_callable, instance, args, kwargs
     wrapper for _io.BytesIO and _io.StringIO read function
     """
     result = original_read_callable(*args, **kwargs)
-    if asm_config._iast_enabled and is_iast_request_enabled():
+    if asm_config._iast_enabled and asm_config.is_iast_request_enabled:
         from ddtrace.appsec._iast._taint_tracking import OriginType
         from ddtrace.appsec._iast._taint_tracking import Source
         from ddtrace.appsec._iast._taint_tracking._taint_objects import get_tainted_ranges
@@ -117,7 +100,7 @@ def wrapped_open_CFDDB7ABBA9081B6(original_open_callable, instance, args, kwargs
     """
     wrapper for open file function
     """
-    if asm_config._iast_enabled and is_iast_request_enabled():
+    if asm_config._iast_enabled and asm_config.is_iast_request_enabled:
         try:
             from ddtrace.appsec._iast.taint_sinks.path_traversal import check_and_report_path_traversal
 
@@ -208,7 +191,7 @@ def wrapped_request_D8CB81E472AF98A2(original_request_callable, instance, args,
     wrapper for third party requests.request function
     https://requests.readthedocs.io
     """
-    if asm_config._iast_enabled and is_iast_request_enabled():
+    if asm_config._iast_enabled and asm_config.is_iast_request_enabled:
         from ddtrace.appsec._iast.taint_sinks.ssrf import _iast_report_ssrf
 
         _iast_report_ssrf(original_request_callable, *args, **kwargs)

diff --git a/ddtrace/appsec/_constants.py b/ddtrace/appsec/_constants.py
@@ -159,6 +159,7 @@ class IAST(metaclass=Constant_Class):
 
     TEXT_TYPES = (str, bytes, bytearray)
     TAINTEABLE_TYPES = (str, bytes, bytearray, Match, BytesIO, StringIO)
+    REQUEST_CONTEXT_KEY: Literal["_iast_env"] = "_iast_env"
 
 
 class IAST_SPAN_TAGS(metaclass=Constant_Class):