Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(iast): header source in werkzeug 3.1 #12213

Merged
merged 5 commits into from
Feb 5, 2025
Merged

chore(iast): header source in werkzeug 3.1 #12213

merged 5 commits into from
Feb 5, 2025

Conversation

avara1986
Copy link
Member

@avara1986 avara1986 commented Feb 4, 2025
edited
Loading

IAST taint source Header wouldn't work correctly in werkzeug>=3.1.0

We're tainting EnvironHeaders.__getitem__ due to get method calls to __getitem__
https://github.com/pallets/werkzeug/blob/2.3.8/src/werkzeug/datastructures/headers.py
but now the __getitem__ and get methods of EnvironHeaders are completely differents:
https://github.com/pallets/werkzeug/blob/main/src/werkzeug/datastructures/headers.py

Checklist

  • PR author has checked that all the criteria below are met
  • The PR description includes an overview of the change
  • The PR description articulates the motivation for the change
  • The change includes tests OR the PR description describes a testing strategy
  • The PR description notes risks associated with the change, if any
  • Newly-added code is easy to change
  • The change follows the library release note guidelines
  • The change includes or references documentation updates if necessary
  • Backport labels are set (if applicable)

Reviewer Checklist

  • Reviewer has checked that all the criteria below are met
  • Title is accurate
  • All changes are related to the pull request's stated goal
  • Avoids breaking API changes
  • Testing strategy adequately addresses listed risks
  • Newly-added code is easy to change
  • Release note makes sense to a user of the library
  • If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
  • Backport labels are set in a manner that is consistent with the release branch maintenance policy

@avara1986 avara1986 added changelog/no-changelog A changelog entry is not required for this PR. ASM Application Security Monitoring labels Feb 4, 2025
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Feb 4, 2025

CODEOWNERS have been resolved as:

ddtrace/appsec/_iast/_handlers.py                                       @DataDog/asm-python
hatch.toml                                                              @DataDog/python-guild
tests/appsec/integrations/flask_tests/test_iast_flask.py                @DataDog/asm-python

@datadog-dd-trace-py-rkomorn
Copy link

datadog-dd-trace-py-rkomorn bot commented Feb 4, 2025
edited
Loading

Datadog Report

Branch report: avara1986/APPSEC-56329-werkzeug_header_source
Commit report: 0ffc9b1
Test service: dd-trace-py

✅ 0 Failed, 130 Passed, 1184 Skipped, 3m 49.52s Total duration (24m 51.05s time saved)

@avara1986 avara1986 changed the title chore(iast): Header source in werkzeug 3.1 chore(iast): deader source in werkzeug 3.1 Feb 4, 2025
@pr-commenter
Copy link

pr-commenter bot commented Feb 4, 2025
edited
Loading

Benchmarks

Benchmark execution time: 2025-02-05 08:35:27

Comparing candidate commit 0ffc9b1 in PR branch avara1986/APPSEC-56329-werkzeug_header_source with baseline commit a54a55d in branch 3.x-staging.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 394 metrics, 2 unstable metrics.

@avara1986 avara1986 changed the title chore(iast): deader source in werkzeug 3.1 chore(iast): Header source in werkzeug 3.1 Feb 4, 2025
@avara1986 avara1986 changed the title chore(iast): Header source in werkzeug 3.1 chore(iast): header source in werkzeug 3.1 Feb 4, 2025
@avara1986 avara1986 marked this pull request as ready for review February 5, 2025 07:53
@avara1986 avara1986 requested review from a team as code owners February 5, 2025 07:53
@avara1986 avara1986 requested a review from taegyunkim February 5, 2025 07:53
@avara1986 avara1986 merged commit e5055b7 into 3.x-staging Feb 5, 2025
736 checks passed
@avara1986 avara1986 deleted the avara1986/APPSEC-56329-werkzeug_header_source branch February 5, 2025 09:02
ZStriker19 pushed a commit that referenced this pull request Feb 6, 2025
@avara1986 @ZStriker19
chore(iast): header source in werkzeug 3.1 (#12213)
91ef4ee 
IAST taint source Header wouldn't work correctly in `werkzeug>=3.1.0`

We're tainting `EnvironHeaders.__getitem__` due to get method calls to
`__getitem__`

https://github.com/pallets/werkzeug/blob/2.3.8/src/werkzeug/datastructures/headers.py
but now the `__getitem__` and `get` methods of `EnvironHeaders` are
completely differents:

https://github.com/pallets/werkzeug/blob/main/src/werkzeug/datastructures/headers.py

## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met 
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gnufede gnufede gnufede approved these changes

@taegyunkim taegyunkim Awaiting requested review from taegyunkim taegyunkim is a code owner automatically assigned from DataDog/python-guild

Assignees
No one assigned
Labels
ASM Application Security Monitoring changelog/no-changelog A changelog entry is not required for this PR.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@avara1986 @gnufede