o ilE@sddlmZddlmZddlmZddlmZddlmZddlm Z ddl m Z ddl m Z dd lmZd Ze eZGd d d Zd dZdddZddZGdddZGdddZejrfdddZddZdS))abc)Any)Optional)Union)IAST)taint_pyobject)is_pyobject_tainted) get_logger)config)zdjango-c@sfeZdZ   ddedededeeefde eede eeefd efd d Z d d Z ddZ dS)_DeepTaintCommandNFpre source_keyobj store_structkeystructis_keycCs.||_||_||_||_||_||_||_dSN)r r rrrrr)selfr r rrrrrrU/home/ubuntu/.local/lib/python3.10/site-packages/ddtrace/appsec/_iast/_taint_utils.py__init__s  z_DeepTaintCommand.__init__cCs^t|jtr|j|dSt|jtr%|jr|jdnd}||j|<dStdt|j)Nrzstore_struct of type ) isinstancerlistappenddictr ValueErrortype)rvaluerrrrstore+s  z_DeepTaintCommand.storecCs|d|j|j|j|j|S)NF) __class__r rrr)rrrrrpost4z_DeepTaintCommand.post)NNF) __name__ __module__ __qualname__boolstrrrrrrrrr!rrrrr s*    r cCs|j|jur|S|jj|jjf}|dkrt|S|dkr-|i}dd|D|_|S|dkrG|}|D] \}}t|||q9|S|dkrP||S|dkrY||S|S)N)builtinstuple)django.http.request HttpHeaderscSsi|] \}}|||fqSr)lower).0kvrrr Bsz@build_new_tainted_object_from_generic_object..)r* QueryDict)z"werkzeug.datastructures.structuresImmutableMultiDict)zwerkzeug.datastructuresr2)r r$r#r)items_storer __setitem__)initial_object wanted_object wanted_typeresr.r/rrr,build_new_tainted_object_from_generic_object8s&    r:Fc s|s|Sd}g}zztd|||g}|r|jr͈js%jntjtjrP|s3tjsIt jj jj r?|n|d}|njntjt j ri|tjtrmtjnj}g} t|D]!\} } g} | tdt| | | dd| tdt| | | qx|t| n5tjt jrg|fddjD} |t| njn tjj|sWntytjdddYnwW|r|d }|S|}|S|r|d }w|}w) ztaint any structured object use a queue like mechanism to avoid recursion Best effort: mutate mutable structures and rebuild immutable ones if possible NTpyobject source_name source_value source_origin)rcsg|] }tdj|qS)T)r r )r-r/commandr9rr sz#taint_structure..ztaint_structure errorexc_infor)r popr rrrr TEXT_TYPESrrr rrMappingrr!rr3rr'extendreversedSequencer:r Exceptionlogdebug) main_objr r>override_pyobject_taintedresultmain_resstacknew_objiterabletodor.r/ key_storerr@rtaint_structureVsd  " $ rWcCs t|dS)N_origins)hasattr)rrrr_is_tainted_struct rZc@s4eZdZdZdMddZddZd d Zed d Zd dZ ddZ ddZ ddZ ddZ ddZddZddZddZdd Zd!d"Zd#d$Zd%d&Zd'd(Zd)d*Zd+d,Zd-d.Zd/d0Zd1d2Zd3d4Zd5d6Zd7d8Zd9d:Zd;d<Z d=d>Z!d?d@Z"dAdBZ#dCdDZ$dEdFZ%dGdHZ&dIe'fdJdKZ(dLS)N LazyTaintListz Encapsulate a list to lazily taint all content on any depth It will appear and act as the original list except for some additional private fields rrF[]cCs4t|r|jn||_||_|d|_||_||_dS)N)rZ_objrX _origin_value_override_pyobject_tainted _source_name)r original_listoriginsrOr=rrrrs   zLazyTaintList.__init__cCs|rkt|tjrAt|r|jr?z t||j||jd}W|Sty.t j d|ddY|St y>t j dddY|Sw|St|t j rVt|sVt||j|jd}|St|t jrkt|skt||j|j|jd}|S)Nr;z)IAST SystemError while tainting value: %sTrC.IAST Unexpected exception while tainting valuererOrerOr=)rrrFrrbrrcra SystemErrorrLrMrKrrGrZ LazyTaintDictrXrJr\)rrrrr_taints@       zLazyTaintList._taintcCs*t|r|j}t|j||j|j|jdSNrh)rZr`r\rXrbrcrotherrrr__add__szLazyTaintList.__add__cCtSr)rrrrrr zLazyTaintList.__class__cC ||jvSrr`ritemrrr __contains__r[zLazyTaintList.__contains__cC |j|=dSrrtrrrrr __delitem__ zLazyTaintList.__delitem__cCt|r|j}|j|kSrrZr`rmrrr__eq__ zLazyTaintList.__eq__cCt|r|j}|j|kSrr}rmrrr__ge__rzLazyTaintList.__ge__cCs||j|Srrkr`ryrrr __getitem__zLazyTaintList.__getitem__cCt|r|j}|j|kSrr}rmrrr__gt__rzLazyTaintList.__gt__cCs t|r|j}|j|7_dSrr}rmrrr__iadd__zLazyTaintList.__iadd__cCs|j|9_dSrrtrmrrr__imul__zLazyTaintList.__imul__csfddttjDS)Nc3|]}|VqdSrrr-irqrr z)LazyTaintList.__iter__..)rangelenr`rqrrqr__iter__r"zLazyTaintList.__iter__cCt|r|j}|j|kSrr}rmrrr__le__rzLazyTaintList.__le__cC t|jSrrr`rqrrr__len__r[zLazyTaintList.__len__cCt|r|j}|j|kSrr}rmrrr__lt__rzLazyTaintList.__lt__cCst|j||j|j|jdSrl)r\r`rXrbrcrmrrr__mul__ zLazyTaintList.__mul__cCt|r|j}|j|kSrr}rmrrr__ne__ rzLazyTaintList.__ne__cCrrreprr`rqrrr__repr__r[zLazyTaintList.__repr__cs fddtttjDS)Nc3rrrrrqrrrrz-LazyTaintList.__reversed__..)rIrrr`rqrrqr __reversed__s zLazyTaintList.__reversed__cC||j|<dSrrtrrrrrrr5zLazyTaintList.__setitem__cCrrr'r`rqrrr__str__r[zLazyTaintList.__str__cCs|j|dSr)r`rrurrrrrzLazyTaintList.appendcC|jdSrr`clearrqrrrrzLazyTaintList.clearcCst|j|j|j|jdSrl)r\r`copyrXrbrcrqrrrr!rzLazyTaintList.copycG |jj|Sr)r`countrargsrrrr)r{zLazyTaintList.countcGrr)r`rHrrrrrH,r{zLazyTaintList.extendcGrr)r`indexrrrrr/r{zLazyTaintList.indexcGrr)r`insertrrrrr2r{zLazyTaintList.insertcGs||jj|Srrkr`rErrrrrE5rzLazyTaintList.popcGrrr`removerrrrr8r{zLazyTaintList.removecGrr)r`reverserrrrr;r{zLazyTaintList.reversecGrr)r`sortrrrrr>r{zLazyTaintList.sortcC|Srr)rprotorrr __conform__BzLazyTaintList.__conform__returncCs*ddlm}||j}||}|SNr)psycopg2.extensions extensionsadaptr` getquotedrk)rextrrrrrEs  zLazyTaintList.getquotedN)r]Fr^))r#r$r%__doc__rrkropropertyr rwrzr~rrrrrrrrrrrrrr5rrrrrrHrrrErrrrbytesrrrrrr\sL  r\c@sXeZdZdRddZdSddZedd Zd d Zd d ZddZ ddZ ddZ ddZ ddZ ddZddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd.d/Zed0d1ZdSd2d3Zd4d5Zd6d7Zd8d9Zd:d;Z dd?Z"d@dAZ#dBdCZ$dSdDdEZ%dFdGZ&dHdIZ'dSdJdKZ(dLdMZ)dNdOZ*dSdPdQZ+dS)Trjr]FcCsRddlm}||_||_|dr|dn|j|_|dr |dn|j|_||_dS)Nr) OriginTyper_) $ddtrace.appsec._iast._taint_trackingrr`rXPARAMETER_NAME _origin_key PARAMETERrarb)r original_dictrerOrrrrrNs  zLazyTaintDict.__init__NcCs|dur|j}|r^t|tjr5t|r|jr3z t||||d}W|Sty2tj dddY|Sw|St|t j rJt |sJt ||j|jd}|St|t jr^t |s^t||j|j|d}|S)Nr;rfTrCrgrh)rarrrFrrbrrKrLrMrrGrZrjrXrJr\)rrroriginrrrrkWs>      zLazyTaintDict._taintcCrpr)rrqrrrr trrzLazyTaintDict.__class__cCrsrrtrurrrrwxr[zLazyTaintDict.__contains__cCrxrrtryrrrrz{r{zLazyTaintDict.__delitem__cCr|rr}rmrrrr~~rzLazyTaintDict.__eq__cCrrr}rmrrrrrzLazyTaintDict.__ge__cCs||j||SrrryrrrrrzLazyTaintDict.__getitem__cCrrr}rmrrrrrzLazyTaintDict.__gt__cCs t|r|j}|j|O_dSrr}rmrrr__ior__rzLazyTaintDict.__ior__cC t|Sr)iterkeysrqrrrrr{zLazyTaintDict.__iter__cCrrr}rmrrrrrzLazyTaintDict.__le__cCrrrrqrrrrr[zLazyTaintDict.__len__cCrrr}rmrrrrrzLazyTaintDict.__lt__cCrrr}rmrrrrrzLazyTaintDict.__ne__cCs&t|r|j}t|j|B|j|jdSNrg)rZr`rjrXrbrmrrr__or__szLazyTaintDict.__or__cCrrrrqrrrrr[zLazyTaintDict.__repr__cCrr)rIrrqrrrrr{zLazyTaintDict.__reversed__cCrrrtrrrrr5rzLazyTaintDict.__setitem__cCrrrrqrrrrr[zLazyTaintDict.__str__cCrrrrqrrrrrzLazyTaintDict.clearcCst|j|j|jdSr)rjr`rrXrbrqrrrrs zLazyTaintDict.copycGs tj|Sr)rfromkeys)clsrrrrrs zLazyTaintDict.fromkeyscCs,t}|j||}||ur|S|||Sr)objectr`getrk)rrdefaultobserverr9rrrrs  zLazyTaintDict.getccs"|D] }|||fVqdSr)rrr.rrrr3s zLazyTaintDict.itemsccs(|jD] }||||jVqdSr)r`rrkrrrrrrszLazyTaintDict.keyscGs||jj|dS)NrErrrrrrEzLazyTaintDict.popcCs&|j\}}||||||fSr)r`popitemrk)rr.r/rrrrszLazyTaintDict.popitemcGrrrrrrrrr{zLazyTaintDict.removecGs||jj||dSr)rkr` setdefaultrrrrrzLazyTaintDict.setdefaultcOs|jj|i|dSr)r`update)rrkargsrrrrszLazyTaintDict.updateccs|D]\}}|VqdSr)r3)r_r/rrrvaluesszLazyTaintDict.valuescC||jj||d|S)N)r)rkr`getlist)rrrrrrrrzLazyTaintDict.getlistcC|j||dSr)r`setlist)rrlist_rrrrrzLazyTaintDict.setlistcCrr)r` appendlist)rrrvrrrrrzLazyTaintDict.appendlistcCr)N) default_list)rkr`setlistdefault)rrrrrrrrzLazyTaintDict.setlistdefaultcCs||j|jSr)rkr`listsrarqrrrrrzLazyTaintDict.listscCrrrrqrrrrrzLazyTaintDict.dictcCs||jj|d|jS)N)safe)rkr` urlencodera)rrrrrrrzLazyTaintDict.urlencode)r]Fr),r#r$r%rrkrr rwrzr~rrrrrrrrrrrrr5rrr classmethodrrr3rrErrrrrrrrrrrrrrrrrjMsT        rjcCs<t|tjrt|||f|St|tjrt|||f|SdSr)rrrGrjrJr\)rN origin_key origin_valuerOrrrrW s  cCs||i|}t|||ddS)NT)rO)rW)rr original_funcinstancerkwargsrPrrrtaint_dictionarysrN)F) collectionsrtypingrrrddtrace.appsec._constantsr3ddtrace.appsec._iast._taint_tracking._taint_objectsr8ddtrace.appsec._iast._taint_tracking._taint_objects_baserddtrace.internal.loggerr ddtrace.internal.settings.asmr asm_configDBAPI_PREFIXESr#rLr r:rWrZr\rj_iast_lazy_taintrrrrrs,          =7<