chore(iast): taint parameter name and header name in fastapi

DataDog · Jan 23, 2025 · 2729de4 · 2729de4
1 parent ff41c13
commit 2729de4
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/ddtrace/appsec/_iast/_handlers.py b/ddtrace/appsec/_iast/_handlers.py
@@ -319,7 +319,7 @@ def if_iast_taint_starlette_datastructures(origin, wrapped, instance, args, kwar
                     res.append(
                         taint_pyobject(
                             pyobject=element,
-                            source_name=origin_to_str(origin),
+                            source_name=element,
                             source_value=element,
                             source_origin=origin,
                         )

diff --git a/tests/contrib/fastapi/test_fastapi_appsec_iast.py b/tests/contrib/fastapi/test_fastapi_appsec_iast.py
@@ -120,6 +120,8 @@ async def test_route(request: Request):
                 "ranges_start": ranges_result[0].start,
                 "ranges_length": ranges_result[0].length,
                 "ranges_origin": origin_to_str(ranges_result[0].source.origin),
+                "ranges_origin_name": ranges_result[0].source.name,
+                "ranges_origin_value": ranges_result[0].source.value,
             }
         )
 
@@ -137,6 +139,8 @@ async def test_route(request: Request):
         assert result["ranges_start"] == 0
         assert result["ranges_length"] == 15
         assert result["ranges_origin"] == "http.request.parameter.name"
+        assert result["ranges_origin_name"] == "iast_queryparam"
+        assert result["ranges_origin_value"] == "iast_queryparam"
 
 
 def test_query_param_name_source_post(fastapi_application, client, tracer, test_spans):
@@ -153,6 +157,8 @@ async def test_route(request: Request):
                 "ranges_start": ranges_result[0].start,
                 "ranges_length": ranges_result[0].length,
                 "ranges_origin": origin_to_str(ranges_result[0].source.origin),
+                "ranges_origin_name": ranges_result[0].source.name,
+                "ranges_origin_value": ranges_result[0].source.value,
             }
         )
 
@@ -170,6 +176,8 @@ async def test_route(request: Request):
         assert result["ranges_start"] == 0
         assert result["ranges_length"] == 15
         assert result["ranges_origin"] == "http.request.parameter.name"
+        assert result["ranges_origin_name"] == "iast_queryparam"
+        assert result["ranges_origin_value"] == "iast_queryparam"
 
 
 def test_header_value_source(fastapi_application, client, tracer, test_spans):
@@ -217,6 +225,8 @@ async def test_route(request: Request):
                 "ranges_start": ranges_result[0].start,
                 "ranges_length": ranges_result[0].length,
                 "ranges_origin": origin_to_str(ranges_result[0].source.origin),
+                "ranges_origin_name": ranges_result[0].source.name,
+                "ranges_origin_value": ranges_result[0].source.value,
             }
         )
 
@@ -234,6 +244,8 @@ async def test_route(request: Request):
         assert result["ranges_start"] == 0
         assert result["ranges_length"] == 11
         assert result["ranges_origin"] == "http.request.header.name"
+        assert result["ranges_origin_name"] == "iast_header"
+        assert result["ranges_origin_value"] == "iast_header"
 
 
 @pytest.mark.skipif(sys.version_info < (3, 9), reason="typing.Annotated was introduced on 3.9")