Merge branch 'main' into wantsui/add-component-telemetry

Author: brettlangdon

.github/workflows/system-tests.yml

@@ -21,7 +21,7 @@ jobs:
           persist-credentials: false
           repository: 'DataDog/system-tests'
           # Automatically managed, use scripts/update-system-tests-version to update
-          ref: 'bc5ac8df80c981de47ad258e066c26e2fc5ff4ee'
+          ref: '3b3df04b753484a73a4b78fcdd95d5076da87602'
 
       - name: Build agent
         run: ./build.sh -i agent
@@ -69,7 +69,7 @@ jobs:
           persist-credentials: false
           repository: 'DataDog/system-tests'
           # Automatically managed, use scripts/update-system-tests-version to update
-          ref: 'bc5ac8df80c981de47ad258e066c26e2fc5ff4ee'
+          ref: '3b3df04b753484a73a4b78fcdd95d5076da87602'
 
       - name: Checkout dd-trace-py
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -123,7 +123,7 @@ jobs:
           persist-credentials: false
           repository: 'DataDog/system-tests'
           # Automatically managed, use scripts/update-system-tests-version to update
-          ref: 'bc5ac8df80c981de47ad258e066c26e2fc5ff4ee'
+          ref: '3b3df04b753484a73a4b78fcdd95d5076da87602'
 
       - name: Build runner
         uses: ./.github/actions/install_runner
@@ -310,7 +310,7 @@ jobs:
           persist-credentials: false
           repository: 'DataDog/system-tests'
           # Automatically managed, use scripts/update-system-tests-version to update
-          ref: 'bc5ac8df80c981de47ad258e066c26e2fc5ff4ee'
+          ref: '3b3df04b753484a73a4b78fcdd95d5076da87602'
       - name: Checkout dd-trace-py
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:

.riot/requirements/14676df.txt

@@ -0,0 +1,26 @@
+#
+# This file is autogenerated by pip-compile with Python 3.10
+# by the following command:
+#
+#    pip-compile --no-annotate .riot/requirements/14676df.in
+#
+attrs==25.3.0
+coverage[toml]==7.8.2
+exceptiongroup==1.3.0
+freezegun==1.5.2
+hypothesis==6.45.0
+iniconfig==2.1.0
+mock==5.2.0
+opentracing==2.4.0
+packaging==25.0
+pluggy==1.6.0
+pygments==2.19.1
+pytest==8.4.0
+pytest-cov==6.1.1
+pytest-mock==3.14.1
+pytest-randomly==3.16.0
+python-dateutil==2.9.0.post0
+six==1.17.0
+sortedcontainers==2.4.0
+tomli==2.2.1
+typing-extensions==4.14.0

.riot/requirements/15de642.txt

@@ -0,0 +1,23 @@
+#
+# This file is autogenerated by pip-compile with Python 3.12
+# by the following command:
+#
+#    pip-compile --no-annotate .riot/requirements/15de642.in
+#
+attrs==25.3.0
+coverage[toml]==7.8.2
+freezegun==1.5.2
+hypothesis==6.45.0
+iniconfig==2.1.0
+mock==5.2.0
+opentracing==2.4.0
+packaging==25.0
+pluggy==1.6.0
+pygments==2.19.1
+pytest==8.4.0
+pytest-cov==6.1.1
+pytest-mock==3.14.1
+pytest-randomly==3.16.0
+python-dateutil==2.9.0.post0
+six==1.17.0
+sortedcontainers==2.4.0

.riot/requirements/1d1dbc1.txt

@@ -0,0 +1,26 @@
+#
+# This file is autogenerated by pip-compile with Python 3.10
+# by the following command:
+#
+#    pip-compile --no-annotate .riot/requirements/1d1dbc1.in
+#
+attrs==25.3.0
+coverage[toml]==7.8.2
+exceptiongroup==1.3.0
+freezegun==1.3.1
+hypothesis==6.45.0
+iniconfig==2.1.0
+mock==5.2.0
+opentracing==2.4.0
+packaging==25.0
+pluggy==1.6.0
+pygments==2.19.1
+pytest==8.4.0
+pytest-cov==6.1.1
+pytest-mock==3.14.1
+pytest-randomly==3.16.0
+python-dateutil==2.9.0.post0
+six==1.17.0
+sortedcontainers==2.4.0
+tomli==2.2.1
+typing-extensions==4.14.0

.riot/requirements/2bcce4e.txt

@@ -0,0 +1,23 @@
+#
+# This file is autogenerated by pip-compile with Python 3.12
+# by the following command:
+#
+#    pip-compile --no-annotate .riot/requirements/2bcce4e.in
+#
+attrs==25.3.0
+coverage[toml]==7.8.2
+freezegun==1.3.1
+hypothesis==6.45.0
+iniconfig==2.1.0
+mock==5.2.0
+opentracing==2.4.0
+packaging==25.0
+pluggy==1.6.0
+pygments==2.19.1
+pytest==8.4.0
+pytest-cov==6.1.1
+pytest-mock==3.14.1
+pytest-randomly==3.16.0
+python-dateutil==2.9.0.post0
+six==1.17.0
+sortedcontainers==2.4.0

ddtrace/appsec/_api_security/api_manager.py

@@ -33,12 +33,14 @@ class TooLargeSchemaException(Exception):
 
 
 class APIManager(Service):
-    COLLECTED = [
+    BLOCK_COLLECTED = [
         ("REQUEST_HEADERS_NO_COOKIES", API_SECURITY.REQUEST_HEADERS_NO_COOKIES, dict),
         ("REQUEST_COOKIES", API_SECURITY.REQUEST_COOKIES, dict),
         ("REQUEST_QUERY", API_SECURITY.REQUEST_QUERY, dict),
         ("REQUEST_PATH_PARAMS", API_SECURITY.REQUEST_PATH_PARAMS, dict),
         ("REQUEST_BODY", API_SECURITY.REQUEST_BODY, None),
+    ]
+    COLLECTED = BLOCK_COLLECTED + [
         ("RESPONSE_HEADERS_NO_COOKIES", API_SECURITY.RESPONSE_HEADERS_NO_COOKIES, dict),
         ("RESPONSE_BODY", API_SECURITY.RESPONSE_BODY, lambda f: f()),
     ]
@@ -132,7 +134,8 @@ def _schema_callback(self, env):
         if env.span is None or not asm_config._api_security_feature_active:
             return
         root = env.span._local_root or env.span
-        if not root or any(meta_name in root._meta for _, meta_name, _ in self.COLLECTED):
+        collected = self.BLOCK_COLLECTED if env.blocked else self.COLLECTED
+        if not root or any(meta_name in root._meta for _, meta_name, _ in collected):
             return
 
         try:
@@ -161,7 +164,7 @@ def _schema_callback(self, env):
             return
 
         waf_payload = {"PROCESSOR_SETTINGS": {"extract-schema": True}}
-        for address, _, transform in self.COLLECTED:
+        for address, _, transform in collected:
             if not asm_config._api_security_parse_response_body and address == "RESPONSE_BODY":
                 continue
             value = env.waf_addresses.get(SPAN_DATA_NAMES[address], _sentinel)

ddtrace/appsec/_iast/_ast/iastpatch.c

@@ -18,8 +18,9 @@ static size_t cached_packages_count = 0;
 
 /* Static Lists */
 static const char* static_allowlist[] = {
-    "jinja2.", "pygments.", "multipart.", "sqlalchemy.", "python_multipart.", "attrs.",     "jsonschema.",
-    "s3fs.",   "mysql.",    "pymysql.",   "markupsafe.", "werkzeug.utils.",   "langchain.", "langchain_core."
+    "jinja2.",     "pygments.",       "multipart.", "sqlalchemy.",     "python_multipart.",
+    "attrs.",      "jsonschema.",     "s3fs.",      "mysql.",          "pymysql.",
+    "markupsafe.", "werkzeug.utils.", "langchain.", "langchain_core.", "django.http.response"
 };
 static const size_t static_allowlist_count = sizeof(static_allowlist) / sizeof(static_allowlist[0]);
 

ddtrace/appsec/_iast/_handlers.py

@@ -204,8 +204,12 @@ def _on_django_func_wrapped(fn_args, fn_kwargs, first_arg_expected_type, *_):
                 )
             except AttributeError:
                 log.debug("IAST can't set attribute http_req._body", exc_info=True)
+        # This condition is only for testing purposes.
+        # In real applications, http_req.body is typically a property that can be set.
+        # Here we check if it's not a property to handle test cases where body is directly assigned.
         elif (
             getattr(http_req, "body", None) is not None
+            and not isinstance(getattr(http_req, "body", None), property)
             and len(getattr(http_req, "body", None)) > 0
             and not is_pyobject_tainted(getattr(http_req, "body", None))
         ):

ddtrace/appsec/_iast/_patch_modules.py

@@ -6,6 +6,7 @@
 from ddtrace.appsec._iast.secure_marks.sanitizers import path_traversal_sanitizer
 from ddtrace.appsec._iast.secure_marks.sanitizers import sqli_sanitizer
 from ddtrace.appsec._iast.secure_marks.sanitizers import xss_sanitizer
+from ddtrace.appsec._iast.secure_marks.validators import header_injection_validator
 from ddtrace.appsec._iast.secure_marks.validators import ssrf_validator
 from ddtrace.appsec._iast.secure_marks.validators import unvalidated_redirect_validator
 
@@ -70,6 +71,20 @@ def patch_iast(patch_modules=IAST_PATCH):
         )
     )
 
+    # Header Injection validators
+    # Header injection for > Django 3.2
+    when_imported("django.http.response")(
+        lambda _: try_wrap_function_wrapper(
+            "django.http.response", "ResponseHeaders._convert_to_charset", header_injection_validator
+        )
+    )
+    # Header injection for <= Django 2.2
+    when_imported("django.http.response")(
+        lambda _: try_wrap_function_wrapper(
+            "django.http.response", "HttpResponseBase._convert_to_charset", header_injection_validator
+        )
+    )
+
     # Unvalidated Redirect validators
     when_imported("django.utils.http")(
         lambda _: try_wrap_function_wrapper(

ddtrace/appsec/_iast/_stacktrace.c

@@ -144,7 +144,8 @@ _is_ddtrace_filename(const char* filename)
 static inline bool
 _is_site_packages_filename(const char* filename)
 {
-    const bool res = filename && PURELIB_PATH && strncmp(filename, PURELIB_PATH, PURELIB_PATH_LEN) == 0;
+    const bool res = filename && PURELIB_PATH &&
+                     (strstr(filename, "site-packages/") || strncmp(filename, PURELIB_PATH, PURELIB_PATH_LEN) == 0);
     return res;
 }
 

ddtrace/appsec/_iast/secure_marks/validators.py

@@ -95,6 +95,10 @@ def unvalidated_redirect_validator(wrapped: Callable, instance: Any, args: Seque
     return create_validator(VulnerabilityType.UNVALIDATED_REDIRECT, wrapped, instance, args, kwargs)
 
 
+def header_injection_validator(wrapped: Callable, instance: Any, args: Sequence, kwargs: dict) -> bool:
+    return create_validator(VulnerabilityType.HEADER_INJECTION, wrapped, instance, args, kwargs)
+
+
 def ssrf_validator(wrapped: Callable, instance: Any, args: Sequence, kwargs: dict) -> bool:
     """Validator for ssrf functions.