
fix(iast): add more modules to the IAST patching denylist to improve …
…startup time [backport 2.18] (#11909)

Backport 30e3b76 from #11907 to 2.18.

## Description

Adds a number of image-handling, scientific/numerical-computing, linting
and other modules, where taint propagation does not matter, to the IAST denylist.

## Checklist
- [X] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met 
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

---------

Co-authored-by: Juanjo Alvarez Martinez <juanjo.alvarezmartinez@datadoghq.com>
Co-authored-by: Federico Mon <federico.mon@datadoghq.com>
3 people authored Jan 14, 2025
1 parent 0a56ee9 commit e632119
Showing 3 changed files with 99 additions and 46 deletions.
42 changes: 42 additions & 0 deletions ddtrace/appsec/_iast/_ast/ast_patching.py
Expand Up @@ -28,6 +28,47 @@
# Prefixes for modules where IAST patching is allowed
IAST_ALLOWLIST: Tuple[Text, ...] = ("tests.appsec.iast.",)
IAST_DENYLIST: Tuple[Text, ...] = (
"altgraph.",
"dipy.",
"black.",
"mypy.",
"mypy_extensions.",
"autopep8.",
"pycodestyle.",
"pydicom.",
"pyinstaller.",
"pystray.",
"contourpy.",
"cx_logging.",
"dateutil.",
"pytz.",
"wcwidth.",
"win32ctypes.",
"xlib.",
"cycler.",
"cython.",
"dnspython.",
"elasticdeform.",
"numpy.",
"matplotlib.",
"skbase.",
"scipy.",
"networkx.",
"imageio.",
"fonttools.",
"nibabel.",
"nilearn.",
"gprof2dot.",
"h5py.",
"kiwisolver.",
"pandas.",
"pdf2image.",
"pefile.",
"pil.",
"threadpoolctl.",
"tifffile.",
"tqdm.",
"trx.",
"flask.",
"werkzeug.",
"aiohttp._helpers.",
Expand Down Expand Up @@ -111,6 +152,7 @@
"difflib.",
"dill.info.",
"dill.settings.",
"silk.", # django-silk package
"django.apps.config.",
"django.apps.registry.",
"django.conf.",
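Review bot: Several of the new prefixes in the first hunk do not look like the names the modules are actually imported under, so they may never match anything: `"pil."` (the package imports as `PIL`, and the test file in this same commit uses `import_name="PIL.Image"`), `"cython."` (`Cython`), `"xlib."` (`Xlib`), `"fonttools."` (`fontTools`), `"pyinstaller."` (`PyInstaller`) and `"dnspython."` (a distribution name; the importable package is `dns`). Whether this matters depends on the prefix comparison, which is outside the hunk; if it compares the module name case-sensitively these entries are dead, and if it lowercases first that should be stated next to the list, e.g. `# prefixes are compared against the lowercased module name`, or the entries corrected to the real import names. Separately, entries such as `"dateutil."`, `"pytz."` and `"pandas."` are libraries that routinely parse request-supplied strings, so excluding them from patching trades taint-propagation coverage for startup time; a short comment per group saying that this trade-off is intentional would help the next reader of the list. IAST_DENYLIST continues outside the hunk.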
4 changes: 4 additions & 0 deletions releasenotes/notes/denylist-extend-more-f0d96917c50d43cf.yaml
@@ -0,0 +1,4 @@
---
fixes:
- |
Add more modules to the IAST patching denylist to improve startup time
99 changes: 53 additions & 46 deletions tests/appsec/iast_packages/test_packages.py
Expand Up @@ -402,16 +402,17 @@ def uninstall(self, python_cmd):
import_module_to_validate="multidict._multidict_py",
test_propagation=True,
),
## Skip due to numpy added to the denylist
# Python 3.12 fails in all steps with "import error" when import numpy
PackageForTesting(
"numpy",
"1.24.4",
"9 8 7 6 5 4 3",
[3, 4, 5, 6, 7, 8, 9],
5,
skip_python_version=[(3, 12)],
import_module_to_validate="numpy.core._internal",
),
# PackageForTesting(
# "numpy",
# "1.24.4",
# "9 8 7 6 5 4 3",
# [3, 4, 5, 6, 7, 8, 9],
# 5,
# skip_python_version=[(3, 12)],
# import_module_to_validate="numpy.core._internal",
# ),
PackageForTesting(
"oauthlib",
"3.2.2",
Expand All @@ -430,8 +431,9 @@ def uninstall(self, python_cmd):
{"is_version_valid": True, "requirement": "example-package>=1.0.0", "specifier": ">=1.0.0", "version": "1.2.3"},
"",
),
## Skip due to pandas added to the denylist
# Pandas dropped Python 3.8 support in pandas>2.0.3
PackageForTesting("pandas", "2.2.2", "foobar", "Written value: foobar", "", skip_python_version=[(3, 8)]),
# PackageForTesting("pandas", "2.2.2", "foobar", "Written value: foobar", "", skip_python_version=[(3, 8)]),
PackageForTesting(
"platformdirs",
"4.2.2",
Expand Down Expand Up @@ -479,15 +481,16 @@ def uninstall(self, python_cmd):
),
# # TODO: patching Pytest fails: ImportError: cannot import name 'Dir' from '_pytest.main'
# PackageForTesting("pytest", "8.2.1", "", "", "", test_e2e=False),
PackageForTesting(
"python-dateutil",
"2.8.2",
"Sat Oct 11 17:13:46 UTC 2003",
"Sat, 11 Oct 2003 17:13:46 GMT",
"And the Easter of that year is: 2004-04-11",
import_name="dateutil",
import_module_to_validate="dateutil.relativedelta",
),
## Skip due to python-dateutil added to the denylist
# PackageForTesting(
# "python-dateutil",
# "2.8.2",
# "Sat Oct 11 17:13:46 UTC 2003",
# "Sat, 11 Oct 2003 17:13:46 GMT",
# "And the Easter of that year is: 2004-04-11",
# import_name="dateutil",
# import_module_to_validate="dateutil.relativedelta",
# ),
PackageForTesting(
"python-multipart",
"0.0.5", # this version validates APPSEC-55240 issue, don't upgrade it
Expand All @@ -499,13 +502,14 @@ def uninstall(self, python_cmd):
test_import=False,
test_propagation=True,
),
PackageForTesting(
"pytz",
"2024.1",
"America/New_York",
"Current time in America/New_York: replaced_time",
"",
),
## Skip due to pytz added to the denylist
# PackageForTesting(
# "pytz",
# "2024.1",
# "America/New_York",
# "Current time in America/New_York: replaced_time",
# "",
# ),
PackageForTesting(
"PyYAML",
"6.0.1",
Expand Down Expand Up @@ -584,7 +588,8 @@ def uninstall(self, python_cmd):
"",
import_module_to_validate="tomlkit.items",
),
PackageForTesting("tqdm", "4.66.4", "", "", "", test_e2e=False, import_module_to_validate="tqdm.std"),
## Skip due to tqdm added to the denylist
# PackageForTesting("tqdm", "4.66.4", "", "", "", test_e2e=False, import_module_to_validate="tqdm.std"),
# Python 3.8 and 3.9 fail with ImportError: cannot import name 'get_host' from 'urllib3.util.url'
PackageForTesting(
"urllib3",
Expand Down Expand Up @@ -663,15 +668,16 @@ def uninstall(self, python_cmd):
"",
skip_python_version=[(3, 6), (3, 7), (3, 8)],
),
PackageForTesting(
"pillow",
"10.3.0",
"Hello, Pillow!",
"Image correctly generated",
"",
import_name="PIL.Image",
skip_python_version=[(3, 6), (3, 7), (3, 8)],
),
## Skip due to pillow added to the denylist
# PackageForTesting(
# "pillow",
# "10.3.0",
# "Hello, Pillow!",
# "Image correctly generated",
# "",
# import_name="PIL.Image",
# skip_python_version=[(3, 6), (3, 7), (3, 8)],
# ),
PackageForTesting(
"aiobotocore", "2.13.0", "", "", "", test_e2e=False, test_import=False, import_name="aiobotocore.session"
),
Expand Down Expand Up @@ -745,16 +751,17 @@ def uninstall(self, python_cmd):
"",
test_e2e=False,
),
# scipy dropped Python 3.8 support in scipy > 1.10.1
PackageForTesting(
"scipy",
"1.13.0",
"1,2,3,4,5",
"Mean: 3.0, Standard Deviation: 1.581",
"",
import_name="scipy.special",
skip_python_version=[(3, 8)],
),
## Skip due to scipy added to the denylist
# # scipy dropped Python 3.8 support in scipy > 1.10.1
# PackageForTesting(
# "scipy",
# "1.13.0",
# "1,2,3,4,5",
# "Mean: 3.0, Standard Deviation: 1.581",
# "",
# import_name="scipy.special",
# skip_python_version=[(3, 8)],
# ),
PackageForTesting(
"iniconfig",
"2.0.0",
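Review bot: The disabled entries in every hunk of this file (numpy, pandas, python-dateutil, pytz, tqdm, pillow, scipy) are commented out wholesale, so nothing now checks that these packages still import and run under IAST while being left unpatched, which is exactly the behaviour the denylist change introduces; a later regression that dropped one of them from the denylist, or a prefix that never matches (as with `"pil."` versus `PIL`), would go unnoticed. If `PackageForTesting` allows the propagation check alone to be switched off (the `test_propagation` flag is used elsewhere on this page), keeping the entries with propagation disabled rather than deleting them would preserve the import and e2e coverage. Otherwise the commented-out blocks should be removed instead of kept as dead code, with the reason recorded once, e.g. `# numpy, pandas, dateutil, pytz, tqdm, PIL and scipy are on IAST_DENYLIST and no longer exercised here`. The `##` prefix on the new skip comments also differs from the single `#` used by the surrounding comments. The enclosing list starts and ends outside these hunks.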
