chore(iast): taint parameter name and header name in fastapi #12009

avara1986 · 2025-01-21T14:32:31Z

Code security: Taint FastAPI parameter name and header name in each request.

Checklist

PR author has checked that all the criteria below are met
The PR description includes an overview of the change
The PR description articulates the motivation for the change
The change includes tests OR the PR description describes a testing strategy
The PR description notes risks associated with the change, if any
Newly-added code is easy to change
The change follows the library release note guidelines
The change includes or references documentation updates if necessary
Backport labels are set (if applicable)

Reviewer Checklist

Reviewer has checked that all the criteria below are met
Title is accurate
All changes are related to the pull request's stated goal
Avoids breaking API changes
Testing strategy adequately addresses listed risks
Newly-added code is easy to change
Release note makes sense to a user of the library
If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
Backport labels are set in a manner that is consistent with the release branch maintenance policy

github-actions · 2025-01-21T14:33:11Z

CODEOWNERS have been resolved as:

ddtrace/appsec/_iast/_handlers.py                                       @DataDog/asm-python
tests/contrib/fastapi/test_fastapi_appsec_iast.py                       @DataDog/asm-python

datadog-dd-trace-py-rkomorn · 2025-01-21T14:46:53Z

Datadog Report

Branch report: avara1986/APPSEC-56447-taint-fastapi-http-request-parameter-name
Commit report: df37d9a
Test service: dd-trace-py

✅ 0 Failed, 130 Passed, 1468 Skipped, 4m 33.97s Total duration (35m 31.54s time saved)

ddtrace/appsec/_iast/_handlers.py

pr-commenter · 2025-01-21T15:14:00Z

Benchmarks

Benchmark execution time: 2025-01-22 09:01:52

Comparing candidate commit 3f4261e in PR branch avara1986/APPSEC-56447-taint-fastapi-http-request-parameter-name with baseline commit 922c71b in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 394 metrics, 2 unstable metrics.

…quest-parameter-name

Code security: Taint FastAPI parameter name and header name in each request. ## Checklist - [x] PR author has checked that all the criteria below are met - The PR description includes an overview of the change - The PR description articulates the motivation for the change - The change includes tests OR the PR description describes a testing strategy - The PR description notes risks associated with the change, if any - Newly-added code is easy to change - The change follows the [library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) - The change includes or references documentation updates if necessary - Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) ## Reviewer Checklist - [x] Reviewer has checked that all the criteria below are met - Title is accurate - All changes are related to the pull request's stated goal - Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - Testing strategy adequately addresses listed risks - Newly-added code is easy to change - Release note makes sense to a user of the library - If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) (cherry picked from commit 6a10743)

Continuation of #12009 ## Checklist - [x] PR author has checked that all the criteria below are met - The PR description includes an overview of the change - The PR description articulates the motivation for the change - The change includes tests OR the PR description describes a testing strategy - The PR description notes risks associated with the change, if any - Newly-added code is easy to change - The change follows the [library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) - The change includes or references documentation updates if necessary - Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) ## Reviewer Checklist - [x] Reviewer has checked that all the criteria below are met - Title is accurate - All changes are related to the pull request's stated goal - Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - Testing strategy adequately addresses listed risks - Newly-added code is easy to change - Release note makes sense to a user of the library - If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

…t 2.20] (#12037) Backport 6a10743 from #12009 to 2.20. Code security: Taint FastAPI parameter name and header name in each request. ## Checklist - [x] PR author has checked that all the criteria below are met - The PR description includes an overview of the change - The PR description articulates the motivation for the change - The change includes tests OR the PR description describes a testing strategy - The PR description notes risks associated with the change, if any - Newly-added code is easy to change - The change follows the [library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) - The change includes or references documentation updates if necessary - Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) ## Reviewer Checklist - [x] Reviewer has checked that all the criteria below are met - Title is accurate - All changes are related to the pull request's stated goal - Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - Testing strategy adequately addresses listed risks - Newly-added code is easy to change - Release note makes sense to a user of the library - If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) Co-authored-by: Alberto Vara <[email protected]>

Continuation of #12009 ## Checklist - [x] PR author has checked that all the criteria below are met - The PR description includes an overview of the change - The PR description articulates the motivation for the change - The change includes tests OR the PR description describes a testing strategy - The PR description notes risks associated with the change, if any - Newly-added code is easy to change - The change follows the [library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) - The change includes or references documentation updates if necessary - Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) ## Reviewer Checklist - [x] Reviewer has checked that all the criteria below are met - Title is accurate - All changes are related to the pull request's stated goal - Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - Testing strategy adequately addresses listed risks - Newly-added code is easy to change - Release note makes sense to a user of the library - If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) (cherry picked from commit ff41c13)

…rt 2.20] (#12040) Backport ff41c13 from #12038 to 2.20. Continuation of #12009 ## Checklist - [x] PR author has checked that all the criteria below are met - The PR description includes an overview of the change - The PR description articulates the motivation for the change - The change includes tests OR the PR description describes a testing strategy - The PR description notes risks associated with the change, if any - Newly-added code is easy to change - The change follows the [library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) - The change includes or references documentation updates if necessary - Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) ## Reviewer Checklist - [x] Reviewer has checked that all the criteria below are met - Title is accurate - All changes are related to the pull request's stated goal - Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - Testing strategy adequately addresses listed risks - Newly-added code is easy to change - Release note makes sense to a user of the library - If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) Co-authored-by: Alberto Vara <[email protected]>

Continuation of #12009 ## Checklist - [x] PR author has checked that all the criteria below are met - The PR description includes an overview of the change - The PR description articulates the motivation for the change - The change includes tests OR the PR description describes a testing strategy - The PR description notes risks associated with the change, if any - Newly-added code is easy to change - The change follows the [library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) - The change includes or references documentation updates if necessary - Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) ## Reviewer Checklist - [x] Reviewer has checked that all the criteria below are met - Title is accurate - All changes are related to the pull request's stated goal - Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - Testing strategy adequately addresses listed risks - Newly-added code is easy to change - Release note makes sense to a user of the library - If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

rn chore(iast): taint parameter name in post requests in fastapi (#12038) Continuation of #12009 - [x] PR author has checked that all the criteria below are met - The PR description includes an overview of the change - The PR description articulates the motivation for the change - The change includes tests OR the PR description describes a testing strategy - The PR description notes risks associated with the change, if any - Newly-added code is easy to change - The change follows the [library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) - The change includes or references documentation updates if necessary - Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) - [x] Reviewer has checked that all the criteria below are met - Title is accurate - All changes are related to the pull request's stated goal - Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - Testing strategy adequately addresses listed risks - Newly-added code is easy to change - Release note makes sense to a user of the library - If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) still expose patch_all since it's just deprecated change imports for _patch_all clean up where it's called in strings fix up more tests

chore(iast): taint parameter name and header name in fastapi

df37d9a

avara1986 added changelog/no-changelog A changelog entry is not required for this PR. ASM Application Security Monitoring labels Jan 21, 2025

avara1986 mentioned this pull request Jan 21, 2025

[python] taint parameter name and header name in fastapi DataDog/system-tests#3867

Merged

7 tasks

avara1986 marked this pull request as ready for review January 21, 2025 15:00

avara1986 requested a review from a team as a code owner January 21, 2025 15:00

gnufede reviewed Jan 21, 2025

View reviewed changes

ddtrace/appsec/_iast/_handlers.py Show resolved Hide resolved

gnufede approved these changes Jan 21, 2025

View reviewed changes

avara1986 added 3 commits January 21, 2025 16:19

chore(iast): taint parameter name and header name in fastapi

04ae2fb

Merge branch 'main' into avara1986/APPSEC-56447-taint-fastapi-http-re…

f708701

…quest-parameter-name

Merge branch 'main' into avara1986/APPSEC-56447-taint-fastapi-http-re…

3f4261e

…quest-parameter-name

avara1986 merged commit 6a10743 into main Jan 22, 2025
262 checks passed

avara1986 deleted the avara1986/APPSEC-56447-taint-fastapi-http-request-parameter-name branch January 22, 2025 09:05

avara1986 added the backport 2.20 label Jan 23, 2025

github-actions bot mentioned this pull request Jan 23, 2025

chore(iast): taint parameter name and header name in fastapi [backport 2.20] #12037

Merged

2 tasks

avara1986 mentioned this pull request Jan 23, 2025

chore(iast): taint parameter name in post requests in fastapi #12038

Merged

2 tasks

github-actions bot mentioned this pull request Jan 23, 2025

chore(iast): taint parameter name in post requests in fastapi [backport 2.20] #12040

Merged

2 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(iast): taint parameter name and header name in fastapi #12009

chore(iast): taint parameter name and header name in fastapi #12009

avara1986 commented Jan 21, 2025 •

edited

Loading

github-actions bot commented Jan 21, 2025

datadog-dd-trace-py-rkomorn bot commented Jan 21, 2025

pr-commenter bot commented Jan 21, 2025 •

edited

Loading

chore(iast): taint parameter name and header name in fastapi #12009

chore(iast): taint parameter name and header name in fastapi #12009

Conversation

avara1986 commented Jan 21, 2025 • edited Loading

Checklist

Reviewer Checklist

github-actions bot commented Jan 21, 2025

datadog-dd-trace-py-rkomorn bot commented Jan 21, 2025

Datadog Report

pr-commenter bot commented Jan 21, 2025 • edited Loading

Benchmarks

avara1986 commented Jan 21, 2025 •

edited

Loading

pr-commenter bot commented Jan 21, 2025 •

edited

Loading