Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(asm): cmdi patch refactor + rasp support #11870

Merged
merged 15 commits into from
Jan 9, 2025
Merged

feat(asm): cmdi patch refactor + rasp support #11870

merged 15 commits into from
Jan 9, 2025

Conversation

christophe-papazian
Copy link
Contributor

@christophe-papazian christophe-papazian commented Jan 7, 2025
edited
Loading

  • Add suport for CMDI for Exploit Prevention on subprocess module and system.spawn* functions
  • Increase support for SHI for Exploit Prevention on subprocess module (with shell=True)
  • Refactor patching process for subprocess and os related to those functions. Use only one patching process for both asm attacks and IAST.
  • Update Codeowners file
  • Add Exploit Prevention unit tests for CMDI on all supported frameworks
  • Add rule_variant tags for exploit prevention telemetry

once merged this will also be tested with DataDog/system-tests#3791

APPSEC-56275

Checklist

  • PR author has checked that all the criteria below are met
  • The PR description includes an overview of the change
  • The PR description articulates the motivation for the change
  • The change includes tests OR the PR description describes a testing strategy
  • The PR description notes risks associated with the change, if any
  • Newly-added code is easy to change
  • The change follows the library release note guidelines
  • The change includes or references documentation updates if necessary
  • Backport labels are set (if applicable)

Reviewer Checklist

  • Reviewer has checked that all the criteria below are met
  • Title is accurate
  • All changes are related to the pull request's stated goal
  • Avoids breaking API changes
  • Testing strategy adequately addresses listed risks
  • Newly-added code is easy to change
  • Release note makes sense to a user of the library
  • If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
  • Backport labels are set in a manner that is consistent with the release branch maintenance policy

@christophe-papazian christophe-papazian added the ASM Application Security Monitoring label Jan 7, 2025
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 7, 2025
edited
Loading

CODEOWNERS have been resolved as:

releasenotes/notes/rasp_cmdi-3c7819ee9e33e447.yaml                      @DataDog/apm-python
.github/CODEOWNERS                                                      @DataDog/python-guild @DataDog/apm-core-python
ddtrace/appsec/_capabilities.py                                         @DataDog/asm-python
ddtrace/appsec/_common_module_patches.py                                @DataDog/asm-python
ddtrace/appsec/_constants.py                                            @DataDog/asm-python
ddtrace/appsec/_iast/_pytest_plugin.py                                  @DataDog/asm-python
ddtrace/appsec/_iast/taint_sinks/command_injection.py                   @DataDog/asm-python
ddtrace/appsec/_metrics.py                                              @DataDog/asm-python
ddtrace/appsec/_processor.py                                            @DataDog/asm-python
ddtrace/contrib/internal/subprocess/patch.py                            @DataDog/asm-python
tests/appsec/appsec/rules-rasp-blocking.json                            @DataDog/asm-python
tests/appsec/appsec/rules-rasp-disabled.json                            @DataDog/asm-python
tests/appsec/appsec/rules-rasp-redirecting.json                         @DataDog/asm-python
tests/appsec/appsec/rules-rasp.json                                     @DataDog/asm-python
tests/appsec/appsec/test_remoteconfiguration.py                         @DataDog/asm-python
tests/appsec/contrib_appsec/django_app/urls.py                          @DataDog/asm-python
tests/appsec/contrib_appsec/fastapi_app/app.py                          @DataDog/asm-python
tests/appsec/contrib_appsec/flask_app/app.py                            @DataDog/asm-python
tests/appsec/contrib_appsec/utils.py                                    @DataDog/asm-python
tests/appsec/iast/taint_sinks/test_command_injection.py                 @DataDog/asm-python

github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 7, 2025
View reviewed changes
tests/appsec/contrib_appsec/django_app/urls.py Dismissed Show dismissed Hide dismissed
tests/appsec/contrib_appsec/flask_app/app.py Dismissed Show dismissed Hide dismissed
@datadog-dd-trace-py-rkomorn
Copy link

datadog-dd-trace-py-rkomorn bot commented Jan 7, 2025
edited
Loading

Datadog Report

Branch report: christophe-papazian/cmdi_support
Commit report: 1e3c3bf
Test service: dd-trace-py

✅ 0 Failed, 87 Passed, 1468 Skipped, 3m 56.06s Total duration (35m 33.79s time saved)

@pr-commenter
Copy link

pr-commenter bot commented Jan 7, 2025
edited
Loading

Benchmarks

Benchmark execution time: 2025-01-09 14:27:42

Comparing candidate commit 1e3c3bf in PR branch christophe-papazian/cmdi_support with baseline commit 75bed24 in branch main.

Found 0 performance improvements and 3 performance regressions! Performance is the same for 391 metrics, 2 unstable metrics.

scenario:iast_aspects-ospathdirname_aspect

  • 🟥 execution_time [+381.039ns; +444.966ns] or [+10.348%; +12.084%]

scenario:iast_aspects-ospathjoin_aspect

  • 🟥 execution_time [+385.215ns; +445.063ns] or [+7.361%; +8.505%]

scenario:iast_aspects-ospathsplitext_aspect

  • 🟥 execution_time [+330.747ns; +387.286ns] or [+9.116%; +10.674%]

@christophe-papazian christophe-papazian marked this pull request as ready for review January 8, 2025 12:24
@christophe-papazian christophe-papazian requested review from a team as code owners January 8, 2025 12:24
gnufede
gnufede approved these changes Jan 8, 2025
View reviewed changes
Copy link
Member

@gnufede gnufede left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work!

@christophe-papazian christophe-papazian enabled auto-merge (squash) January 8, 2025 16:26
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 9, 2025
View reviewed changes
tests/appsec/contrib_appsec/django_app/urls.py Dismissed Show dismissed Hide dismissed
tests/appsec/contrib_appsec/django_app/urls.py Dismissed Show dismissed Hide dismissed
tests/appsec/contrib_appsec/django_app/urls.py Dismissed Show dismissed Hide dismissed
tests/appsec/contrib_appsec/flask_app/app.py Dismissed Show dismissed Hide dismissed
tests/appsec/contrib_appsec/flask_app/app.py Dismissed Show dismissed Hide dismissed
tests/appsec/contrib_appsec/flask_app/app.py Dismissed Show dismissed Hide dismissed
@christophe-papazian christophe-papazian enabled auto-merge (squash) January 9, 2025 13:53
@christophe-papazian christophe-papazian mentioned this pull request Jan 9, 2025
Merged
7 tasks
@christophe-papazian christophe-papazian merged commit 5581f73 into main Jan 9, 2025
637 checks passed
@christophe-papazian christophe-papazian deleted the christophe-papazian/cmdi_support branch January 9, 2025 14:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@emmettbutler emmettbutler emmettbutler approved these changes

@gnufede gnufede gnufede approved these changes

@juanjux juanjux juanjux approved these changes

@wconti27 wconti27 Awaiting requested review from wconti27 wconti27 was automatically assigned from DataDog/apm-idm-python

Assignees
No one assigned
Labels
ASM Application Security Monitoring
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@christophe-papazian @juanjux @gnufede @emmettbutler