o ia@sBddlmZddlZddlmZddlmZddlmZddlm Z ddlm Z ddlm Z dd l m Z dd l mZdd lmZdd lmZdd lmZddlmZddlmZddlmZddlmZddlmZddlmZddlm Z ddl!m"Z"ddl#m$Z%dZ&zddl'm&Z&Wn e(yYnwe"e)Z*ddZ+ddZ,ddZ-ddZ.d d!Z/dTd#e j0d$e1d%dfd&d'Z2d(d)Z3d*ed+e4ed,fd-e5e6efd%dfd.d/Z7d0d1Z8d"e8_9d2d3Z:d4d5Z;d6d7Zdd?Z@d@dAZAdBdCZBdDdEZCdFdGZDdHdIZEdJdKZFdLdMZGdNdOZHdPdQZIdRdSZJdS)U)MutableMappingN)Any)IAST)get_iast_stacktrace_reported)is_iast_request_enabled)set_iast_request_endpoint)set_iast_stacktrace_reported)$iast_instrumentation_wrapt_debug_log)!iast_propagation_listener_log_log)$_set_metric_iast_instrumented_source)WrapFunctonsForIAST) OriginType) origin_to_str)taint_pyobject)is_pyobject_tainted)taint_dictionary)taint_structure)cmdi_sanitizer)core) get_logger)config)MessageMapContainercCs|||i|trr9r r%r@r*r*r+_on_django_patchs0          rMTctx call_tracereturncKs8tjrtsdS|d}|r|f}t||idSdS)Nrequest)r/r0r find_item_taint_django_func_call)rNrOr)rQr(r*r*r+_on_django_middlewares  rTcGsBtjr|rt|d|rtsdSt|d||dSdSdSdS)Nr)r/r0 isinstancerrS)fn_args fn_kwargsfirst_arg_expected_type_r*r*r+_on_django_func_wrappeds  rZhttp_reqr(.r)cCs2t|dd}|durt|j|jt|jtjtj|_t|dddurTt |j dkrTt t|ddsTzt |j t tj|j tjd|_ WnQtyStjdddYnBwt|dddurtt|ddtst |jdkrt t|ddszt |jt tj|jtjd|_Wntytd ddYnwt|jtjtj|_t|jtjtj|_t|jtjtj|_t |jd |jtjd|_t |jt tj|jtjd|_t |j d t tj|jtjd|j d <t|j!tjtj|_!|rz|"D]\}}t |||tj#d||<qWdSt$ytd ddYdSwdS) Nresolver_match_bodyrrrrz'IAST can't set attribute http_req._bodyTrbodyz&IAST can't set attribute http_req.bodyr# PATH_INFO3Unexpected exception while tainting path parameters)%getattrrmethodrouterCOOKIESr r<r=lenr]rrrr9AttributeErrorlogdebugrUpropertyr_r GETr>r8POSTheadersr5r6r#r$ path_infoenvironMETArCr;r%)r[r(r)r\rErFr*r*r+rSs|    rScCst|||}t|tjrt|tj|tjd}|StdurFt|t rFt|tr>t |r>t t |}t||}t ||St|tjtj}|SrB)type__saved_getattrrUr TEXT_TYPESrr GRPC_BODYrrrfnextiter_patch_protobuf_classr)selfnameret first_key value_typer*r*r+_custom_protobuf_getattributes"   r}cCsHt|d}|s dSt|ds"z ||_t|_WdSty!YdSwdS)N__getattribute____datadog_custom)rbhasattrrrr}r~ TypeError)clsgetattr_methodr*r*r+rw,s    rwcCstjr t|}t|dSdS)N)r/r0rqrw)messagemsg_clsr*r*r+_on_grpc_response<s rc cstr=z(||i|D]\}}t||||dd}t||||dd}||fVq WdSty<tdddYdSw||i|D] \}}||fVqDdS)NrrrHrTr)rrr%r ) originsr&r'r(r)keyvaluenew_key new_valuer*r*r+r4Bs     r4cCs||i|}trGz,t|r|r4t|rt|dnd}|tjkr+|dvr+tj}t||||dWSW|St yFt dddY|Sw|S)Nrzhttp.request.body)cookiecookiesrrTr) rrrfstrr r6lowerr=rr%r )originoverride_pyobject_taintedr&r'r(r)rryr*r*r+r7Rs  r7c Csx||i|}tr:zg}|D]}t|s!|t||||dq||q|WSty9tdddY|Sw|Sr)rrappendrr%r )rr&r'r(r)rreselementr*r*r+&if_iast_taint_starlette_datastructures`s*  rc Cszt}|ddtttjtjttjttj|ddtt tj d|ddtt tj dttj |ddtt tj ttj |ddtt tj d|dd tt tj dttj |dd tt tjttj|dd tttj|dd t|dd t|ddtt tjd|ddtt tjd|ddtt tj |ttjttjWdStytdddYdSw)Nzstarlette.requests cookie_parserzstarlette.datastructureszQueryParams.__getitem__FzQueryParams.getzQueryParams.keyszHeaders.__getitem__z Headers.getz Headers.keysz URL.__init__r.z Request.bodyzFormData.__getitem__Tz FormData.getz FormData.keysrr)r r1r2r3rr r<r=r r7r8rr>r6r5_iast_instrument_starlette_urlr$"_iast_instrument_starlette_request'_iast_instrument_starlette_request_bodyr9r:r;r%r rLr*r*r+_on_iast_fastapi_patchws            rcCs"|j}t|d||ddS)N flask_request flask_config)span_on_set_request_tags_iastget_item)rN current_spanr*r*r+_on_pre_tracedrequest_iastsrcCstrHz4|jdurt|j|jjt|jtjtj dd|_t|j tj tj dd|_ t|j tj tj dd|_ WdStyGtdddYdSwdS)NTrz1Unexpected exception while tainting Flask requestr)rurl_rulerrcrulerrr r<r=r(r>r8formr%r )rQrrr*r*r+rs4  rcCs`|rtrtr dSzddlm}|jjddd}||WdSty/tdddYdSw NrHiast_check_stacktrace_leakutf-8ignoreerrors1Unexpected exception checking for stacktrace leakTr)rrtaint_sinks.stacktrace_leakrcontentdecoder%r )rNafter_request_tagsrQresponserrr*r*r+ _on_django_finalize_response_pres  rcCsh|rtjrts dSzddlm}|j}|jjdd}|||WdSt y3t dddYdSw)NrH)1asm_report_stacktrace_leak_from_django_debug_page__name__zFUnexpected exception checking for stacktrace leak on 500 response viewTr) r/r0rrrrtb_frame f_globalsgetr%r )rQrexc_type exc_valuetbrexc_namemoduler*r*r+!_on_django_technical_500_responses   rcCsd|rtrtr dSzddlm}|djddd}||WdSty1tjddd YdSw) NrHrrrrrrTr)rrrrrr%rhri)rrYrrr*r*r+_on_flask_finalize_request_post s  rcCsZ|rtsdSzddlm}|jddd}||WdSty,tjdddYdSwr)rrrrr%rhri)r_rYrrr*r*r+_on_asgi_finalize_responses   rcCsT|rtjsdSzddlm}||tdWdSty)tjdddYdSw)NrHrTrr)r/r0rrrr%rhri)htmlrr*r*r+!_on_werkzeug_render_debugger_html&s   rcCs&dd}||i|t||j_dS)Ncsfdd}|S)zMThis pattern comes from a Request._receive property, which returns a callablecs$IdH}t|tjtjddS)NTr)_receiverr r9)r_rxr*r+wrapped_property_call8szR_iast_instrument_starlette_request..receive..wrapped_property_callr*)rxrr*rr+receive5s z3_iast_instrument_starlette_request..receive)rj __class__r)r&r'r(r)rr*r*r+r4s rcs.||i|IdH}t|ttj|tjdSNr^)rrr r$r9)r&r'r(r)resultr*r*r+rCs rcCsz1tr)t|d||dr,|dD]\}}t|||tjd|d|<qWdSWdSWdStyAtdddYdSw)Nrc path_paramsr^raTr) rrrrCrr r;r%r )scoperdrErFr*r*r+ _iast_instrument_starlette_scopeKs   rcCs,dtfdd}t||j_||i|dS)NrPcSs t|jjttj|jjtjdSr)r componentsr#rr r$rr*r*r+r#Ys z,_iast_instrument_starlette_url..path)rrjrr#)r&r'r(r)r#r*r*r+rXs r)T)Kcollections.abcrr2typingrddtrace.appsec._constantsr/ddtrace.appsec._iast._iast_request_context_baserrrrddtrace.appsec._iast._logsr r ddtrace.appsec._iast._metricsr #ddtrace.appsec._iast._patch_modulesr $ddtrace.appsec._iast._taint_trackingr r3ddtrace.appsec._iast._taint_tracking._taint_objectsr8ddtrace.appsec._iast._taint_tracking._taint_objects_baser!ddtrace.appsec._iast._taint_utilsrr,ddtrace.appsec._iast.secure_marks.sanitizersrddtrace.internalrddtrace.internal.loggerrddtrace.internal.settings.asmrr/rgoogle._upb._message ImportErrorrrhr,rArGrJrMExecutionContextboolrTrZtupledictrrSr}rrwrr4r7rrrrrrrrrrrrrr*r*r*r+sp                      P * BU