Merge branch '3.x-staging' into yunkim/openai-drop-metrics-logs

DataDog · Feb 4, 2025 · fcede41 · fcede41
2 parents 82c6ed0 + 3ac7025
commit fcede41
Show file tree

Hide file tree

Showing 47 changed files with 883 additions and 1,191 deletions.
diff --git a/benchmarks/sampling_rule_matches/scenario.py b/benchmarks/sampling_rule_matches/scenario.py
@@ -4,8 +4,8 @@
 
 import bm
 
+from ddtrace._trace.sampling_rule import SamplingRule
 from ddtrace._trace.span import Span
-from ddtrace.sampling_rule import SamplingRule
 
 
 def rands(size=6, chars=string.ascii_uppercase + string.digits):

diff --git a/ddtrace/__init__.py b/ddtrace/__init__.py
@@ -27,9 +27,11 @@
 from ._monkey import patch_all  # noqa: E402
 from .internal.compat import PYTHON_VERSION_INFO  # noqa: E402
 from .internal.utils.deprecations import DDTraceDeprecationWarning  # noqa: E402
-from ddtrace._trace.pin import Pin  # noqa: E402
-from ddtrace._trace.span import Span  # noqa: E402
-from ddtrace._trace.tracer import Tracer  # noqa: E402
+
+# TODO(munir): Remove the imports below in v3.0
+from ddtrace._trace import pin as _p  # noqa: E402, F401
+from ddtrace._trace import span as _s  # noqa: E402, F401
+from ddtrace._trace import tracer as _t  # noqa: E402, F401
 from ddtrace.vendor import debtcollector
 from .version import get_version  # noqa: E402
 
@@ -39,15 +41,6 @@
 
 _start_mini_agent()
 
-# DEV: Import deprecated tracer module in order to retain side-effect of package
-# initialization, which added this module to sys.modules. We catch deprecation
-# warnings as this is only to retain a side effect of the package
-# initialization.
-# TODO: Remove this in v3.0 when the ddtrace/tracer.py module is removed
-with warnings.catch_warnings():
-    warnings.simplefilter("ignore")
-    from .tracer import Tracer as _
-
 __version__ = get_version()
 
 # TODO: Deprecate accessing tracer from ddtrace.__init__ module in v4.0
@@ -57,36 +50,11 @@
 __all__ = [
     "patch",
     "patch_all",
-    "Pin",
-    "Span",
-    "Tracer",
     "config",
     "DDTraceDeprecationWarning",
 ]
 
 
-_DEPRECATED_TRACE_ATTRIBUTES = [
-    "Span",
-    "Tracer",
-    "Pin",
-]
-
-
-def __getattr__(name):
-    if name in _DEPRECATED_TRACE_ATTRIBUTES:
-        debtcollector.deprecate(
-            ("%s.%s is deprecated" % (__name__, name)),
-            message="Import from ddtrace.trace instead.",
-            category=DDTraceDeprecationWarning,
-            removal_version="3.0.0",
-        )
-
-    if name in globals():
-        return globals()[name]
-
-    raise AttributeError("%s has no attribute %s", __name__, name)
-
-
 def check_supported_python_version():
     if PYTHON_VERSION_INFO < (3, 8):
         deprecation_message = (

diff --git a/ddtrace/appsec/_iast/_evidence_redaction/_sensitive_handler.py b/ddtrace/appsec/_iast/_evidence_redaction/_sensitive_handler.py
@@ -10,6 +10,7 @@
 from ..constants import VULN_HEADER_INJECTION
 from ..constants import VULN_SQL_INJECTION
 from ..constants import VULN_SSRF
+from ..constants import VULN_XSS
 from .command_injection_sensitive_analyzer import command_injection_sensitive_analyzer
 from .default_sensitive_analyzer import default_sensitive_analyzer
 from .header_injection_sensitive_analyzer import header_injection_sensitive_analyzer
@@ -45,6 +46,7 @@ def __init__(self):
             VULN_SQL_INJECTION: sql_sensitive_analyzer,
             VULN_SSRF: url_sensitive_analyzer,
             VULN_HEADER_INJECTION: header_injection_sensitive_analyzer,
+            VULN_XSS: default_sensitive_analyzer,
             VULN_CODE_INJECTION: default_sensitive_analyzer,
         }
 

diff --git a/ddtrace/appsec/_iast/_patch_modules.py b/ddtrace/appsec/_iast/_patch_modules.py
@@ -7,6 +7,7 @@
     "header_injection": True,
     "weak_cipher": True,
     "weak_hash": True,
+    "xss": True,
 }
 
 

diff --git a/ddtrace/appsec/_iast/constants.py b/ddtrace/appsec/_iast/constants.py
@@ -14,6 +14,7 @@
 VULN_CMDI = "COMMAND_INJECTION"
 VULN_HEADER_INJECTION = "HEADER_INJECTION"
 VULN_CODE_INJECTION = "CODE_INJECTION"
+VULN_XSS = "XSS"
 VULN_SSRF = "SSRF"
 VULN_STACKTRACE_LEAK = "STACKTRACE_LEAK"
 

diff --git a/ddtrace/appsec/_iast/taint_sinks/xss.py b/ddtrace/appsec/_iast/taint_sinks/xss.py
@@ -0,0 +1,78 @@
+from typing import Text
+
+from ddtrace.appsec._common_module_patches import try_unwrap
+from ddtrace.appsec._constants import IAST_SPAN_TAGS
+from ddtrace.appsec._iast import oce
+from ddtrace.appsec._iast._iast_request_context import is_iast_request_enabled
+from ddtrace.appsec._iast._metrics import _set_metric_iast_executed_sink
+from ddtrace.appsec._iast._metrics import _set_metric_iast_instrumented_sink
+from ddtrace.appsec._iast._metrics import increment_iast_span_metric
+from ddtrace.appsec._iast._patch import set_and_check_module_is_patched
+from ddtrace.appsec._iast._patch import set_module_unpatched
+from ddtrace.appsec._iast._patch import try_wrap_function_wrapper
+from ddtrace.appsec._iast._taint_tracking._taint_objects import is_pyobject_tainted
+from ddtrace.appsec._iast.constants import VULN_XSS
+from ddtrace.appsec._iast.taint_sinks._base import VulnerabilityBase
+from ddtrace.internal.logger import get_logger
+from ddtrace.settings.asm import config as asm_config
+
+
+log = get_logger(__name__)
+
+
+@oce.register
+class XSS(VulnerabilityBase):
+    vulnerability_type = VULN_XSS
+
+
+def get_version() -> Text:
+    return ""
+
+
+def patch():
+    if not asm_config._iast_enabled:
+        return
+
+    if not set_and_check_module_is_patched("flask", default_attr="_datadog_xss_patch"):
+        return
+    if not set_and_check_module_is_patched("django", default_attr="_datadog_xss_patch"):
+        return
+    if not set_and_check_module_is_patched("fastapi", default_attr="_datadog_xss_patch"):
+        return
+
+    try_wrap_function_wrapper(
+        "django.utils.safestring",
+        "mark_safe",
+        _iast_django_xss,
+    )
+
+    try_wrap_function_wrapper(
+        "django.template.defaultfilters",
+        "mark_safe",
+        _iast_django_xss,
+    )
+
+    _set_metric_iast_instrumented_sink(VULN_XSS)
+
+
+def unpatch():
+    try_unwrap("django.utils.safestring", "mark_safe")
+    try_unwrap("django.template.defaultfilters", "mark_safe")
+
+    set_module_unpatched("flask", default_attr="_datadog_xss_patch")
+    set_module_unpatched("django", default_attr="_datadog_xss_patch")
+    set_module_unpatched("fastapi", default_attr="_datadog_xss_patch")
+
+
+def _iast_django_xss(wrapped, instance, args, kwargs):
+    if args and len(args) >= 1:
+        _iast_report_xss(args[0])
+    return wrapped(*args, **kwargs)
+
+
+def _iast_report_xss(code_string: Text):
+    increment_iast_span_metric(IAST_SPAN_TAGS.TELEMETRY_EXECUTED_SINK, XSS.vulnerability_type)
+    _set_metric_iast_executed_sink(XSS.vulnerability_type)
+    if is_iast_request_enabled():
+        if is_pyobject_tainted(code_string):
+            XSS.report(evidence_value=code_string)
diff --git a/ddtrace/constants.py b/ddtrace/constants.py
@@ -1,39 +1,37 @@
-from ddtrace.internal.utils.deprecations import DDTraceDeprecationWarning as _DDTraceDeprecationWarning
-from ddtrace.vendor import debtcollector as _debtcollector
-
-
-# TODO: Deprecate and remove the SAMPLE_RATE_METRIC_KEY constant.
-# This key enables legacy trace sampling support in the Datadog agent.
-_SAMPLE_RATE_METRIC_KEY = SAMPLE_RATE_METRIC_KEY = "_sample_rate"
-_SAMPLING_PRIORITY_KEY = SAMPLING_PRIORITY_KEY = "_sampling_priority_v1"
-_ANALYTICS_SAMPLE_RATE_KEY = ANALYTICS_SAMPLE_RATE_KEY = "_dd1.sr.eausr"
-_SAMPLING_AGENT_DECISION = SAMPLING_AGENT_DECISION = "_dd.agent_psr"
-_SAMPLING_RULE_DECISION = SAMPLING_RULE_DECISION = "_dd.rule_psr"
-_SAMPLING_LIMIT_DECISION = SAMPLING_LIMIT_DECISION = "_dd.limit_psr"
+"""
+This module contains constants used across ddtrace products.
+
+Constants that should NOT be referenced by ddtrace users are marked with a leading underscore.
+"""
+_SAMPLING_PRIORITY_KEY = "_sampling_priority_v1"
+_ANALYTICS_SAMPLE_RATE_KEY = "_dd1.sr.eausr"
+_SAMPLING_AGENT_DECISION = "_dd.agent_psr"
+_SAMPLING_RULE_DECISION = "_dd.rule_psr"
+_SAMPLING_LIMIT_DECISION = "_dd.limit_psr"
 _SINGLE_SPAN_SAMPLING_MECHANISM = "_dd.span_sampling.mechanism"
 _SINGLE_SPAN_SAMPLING_RATE = "_dd.span_sampling.rule_rate"
 _SINGLE_SPAN_SAMPLING_MAX_PER_SEC = "_dd.span_sampling.max_per_second"
 _SINGLE_SPAN_SAMPLING_MAX_PER_SEC_NO_LIMIT = -1
 _APM_ENABLED_METRIC_KEY = "_dd.apm.enabled"
 
-_ORIGIN_KEY = ORIGIN_KEY = "_dd.origin"
-_USER_ID_KEY = USER_ID_KEY = "_dd.p.usr.id"
-_HOSTNAME_KEY = HOSTNAME_KEY = "_dd.hostname"
-_RUNTIME_FAMILY = RUNTIME_FAMILY = "_dd.runtime_family"
+_ORIGIN_KEY = "_dd.origin"
+_USER_ID_KEY = "_dd.p.usr.id"
+_HOSTNAME_KEY = "_dd.hostname"
+_RUNTIME_FAMILY = "_dd.runtime_family"
 ENV_KEY = "env"
 VERSION_KEY = "version"
 SERVICE_KEY = "service.name"
-_BASE_SERVICE_KEY = BASE_SERVICE_KEY = "_dd.base_service"
+_BASE_SERVICE_KEY = "_dd.base_service"
 SERVICE_VERSION_KEY = "service.version"
 SPAN_KIND = "span.kind"
-_SPAN_MEASURED_KEY = SPAN_MEASURED_KEY = "_dd.measured"
-_KEEP_SPANS_RATE_KEY = KEEP_SPANS_RATE_KEY = "_dd.tracer_kr"
-_MULTIPLE_IP_HEADERS = MULTIPLE_IP_HEADERS = "_dd.multiple-ip-headers"
+_SPAN_MEASURED_KEY = "_dd.measured"
+_KEEP_SPANS_RATE_KEY = "_dd.tracer_kr"
+_MULTIPLE_IP_HEADERS = "_dd.multiple-ip-headers"
 
 APPSEC_ENV = "DD_APPSEC_ENABLED"
-_CONFIG_ENDPOINT_ENV = CONFIG_ENDPOINT_ENV = "_DD_CONFIG_ENDPOINT"
-_CONFIG_ENDPOINT_RETRIES_ENV = CONFIG_ENDPOINT_RETRIES_ENV = "_DD_CONFIG_ENDPOINT_RETRIES"
-_CONFIG_ENDPOINT_TIMEOUT_ENV = CONFIG_ENDPOINT_TIMEOUT_ENV = "_DD_CONFIG_ENDPOINT_TIMEOUT"
+_CONFIG_ENDPOINT_ENV = "_DD_CONFIG_ENDPOINT"
+_CONFIG_ENDPOINT_RETRIES_ENV = "_DD_CONFIG_ENDPOINT_RETRIES"
+_CONFIG_ENDPOINT_TIMEOUT_ENV = "_DD_CONFIG_ENDPOINT_TIMEOUT"
 IAST_ENV = "DD_IAST_ENABLED"
 
 MANUAL_DROP_KEY = "manual.drop"
@@ -53,38 +51,3 @@
 AUTO_KEEP = 1
 # Use this to explicitly inform the backend that a trace should be kept and stored.
 USER_KEEP = 2
-
-
-_DEPRECATED_MODULE_ATTRIBUTES = [
-    "ANALYTICS_SAMPLE_RATE_KEY",
-    "SAMPLE_RATE_METRIC_KEY",
-    "SAMPLING_PRIORITY_KEY",
-    "SAMPLING_AGENT_DECISION",
-    "SAMPLING_RULE_DECISION",
-    "SAMPLING_LIMIT_DECISION",
-    "USER_ID_KEY",
-    "ORIGIN_KEY",
-    "HOSTNAME_KEY",
-    "RUNTIME_FAMILY",
-    "BASE_SERVICE_KEY",
-    "SPAN_MEASURED_KEY",
-    "KEEP_SPANS_RATE_KEY",
-    "MULTIPLE_IP_HEADERS",
-    "CONFIG_ENDPOINT_ENV",
-    "CONFIG_ENDPOINT_RETRIES_ENV",
-    "CONFIG_ENDPOINT_TIMEOUT_ENV",
-]
-
-
-def __getattr__(name):
-    if name in _DEPRECATED_MODULE_ATTRIBUTES:
-        _debtcollector.deprecate(
-            ("%s.%s is deprecated" % (__name__, name)),
-            category=_DDTraceDeprecationWarning,
-            removal_version="3.0.0",
-        )
-
-    if name in globals():
-        return globals()[name]
-
-    raise AttributeError("%s has no attribute %s", __name__, name)
diff --git a/ddtrace/context.py b/ddtrace/context.py
diff --git a/ddtrace/filters.py b/ddtrace/filters.py
diff --git a/ddtrace/pin.py b/ddtrace/pin.py
diff --git a/ddtrace/provider.py b/ddtrace/provider.py
diff --git a/ddtrace/sampler.py b/ddtrace/sampler.py
diff --git a/ddtrace/sampling_rule.py b/ddtrace/sampling_rule.py
diff --git a/ddtrace/span.py b/ddtrace/span.py
diff --git a/ddtrace/tracer.py b/ddtrace/tracer.py
diff --git a/ddtrace/tracing/__init__.py b/ddtrace/tracing/__init__.py