o Á¿iGã@sdZddlmZddlmZddlmZddlmZddlm Z ddlm Z ddl m Z dd l m Z dd lmZdd lmZdd lmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZddl mZ!dd l"m#Z#ddl$m%Z&e#e'ƒZ(dd„Z)dS)adInteractive Application Security Testing (IAST) module. This module implements IAST functionality by patching security-sensitive functions (sink points) in various Python modules using wrapt. IAST enables runtime security analysis by instrumenting code to track tainted data propagation through the application. The patching mechanism works by: 1. Identifying security-sensitive functions (sinks) in various modules 2. Wrapping these functions using wrapt to enable taint tracking 3. Implementing sanitizers and validators for different types of vulnerabilities 4. Enabling propagation tracking through AST-based instrumentation Supported vulnerability types include: - Command Injection - Code Injection - SQL Injection - Cross-Site Scripting (XSS) - Path Traversal - Header Injection - Unvalidated Redirects - Insecure Cookie - Server-Side Request Forgery (SSRF) é)ÚWrapFunctonsForIAST)Ú_apply_custom_security_controls)Úpatch)Úcmdi_sanitizer)Úpath_traversal_sanitizer)Úsqli_sanitizer)Úheader_injection_sanitizer)Ú xss_sanitizer)Úheader_injection_validator)Ússrf_validator)Úunvalidated_redirect_validator)Ú get_logger)ÚconfigcCstjrtƒtƒtƒtƒtƒtƒtƒt ƒtj r‚t ƒt ƒ}t |ƒ| ddt¡| ddt¡| ddt¡| ddt¡| d d t¡| d d t¡| d d t¡| d dt¡| ddt¡| ddt¡| ddt¡| ddt¡| ¡dSdS)aæPatch security-sensitive functions (sink points) for IAST analysis. This function implements the core IAST patching mechanism in two phases: 1. Sink Points Phase (when _DD_IAST_SINK_POINTS_ENABLED): - Patches vulnerability detection functions for command injection, XSS, code injection, header injection, insecure cookies, and unvalidated redirects 2. Propagation Phase (when _DD_IAST_PROPAGATION_ENABLED): - Enables JSON tainting for data flow tracking - Configures sanitizers for input validation (SQL injection, XSS, path traversal) - Sets up validators for security checks (SSRF, header injection, unvalidated redirects) - Applies custom security controls and taint tracking ÚshlexÚquotezmysql.connector.conversionzMySQLConverter.escapezpymysql.connectionszConnection.escape_stringzpymysql.convertersÚ escape_stringzwerkzeug.utilsÚ_str_header_valueÚsecure_filenamezdjango.http.responsez#ResponseHeaders._convert_to_charsetz$HttpResponseBase._convert_to_charsetzdjango.utils.httpÚurl_has_allowed_host_and_schemez urllib.parseÚurlparseÚhtmlÚescapeN)Ú asm_configÚ_iast_sink_points_enabledÚcode_injection_patchÚheader_injection_patchÚinsecure_cookie_patchÚunstrusted_serialization_patchÚunvalidated_redirect_patchÚweak_cipher_patchÚweak_hash_patchÚ xss_patchÚ_iast_propagation_enabledÚjson_tainting_patchrrÚ wrap_functionrrrrr r r r r)Ú iast_funcs©r&úM/home/ubuntu/.local/lib/python3.10/site-packages/ddtrace/appsec/_iast/main.pyÚ patch_iast3s>ÿÿ Ïr(N)*Ú__doc__Ú#ddtrace.appsec._iast._patch_modulesrrÚ+ddtrace.appsec._iast._patches.json_taintingrr#Ú!ddtrace.appsec._iast.secure_marksrrrÚ,ddtrace.appsec._iast.secure_marks.sanitizersrr Ú,ddtrace.appsec._iast.secure_marks.validatorsr r r Ú/ddtrace.appsec._iast.taint_sinks.code_injectionrÚ1ddtrace.appsec._iast.taint_sinks.header_injectionrÚ0ddtrace.appsec._iast.taint_sinks.insecure_cookierÚ8ddtrace.appsec._iast.taint_sinks.untrusted_serializationrÚ5ddtrace.appsec._iast.taint_sinks.unvalidated_redirectrÚ,ddtrace.appsec._iast.taint_sinks.weak_cipherrÚ*ddtrace.appsec._iast.taint_sinks.weak_hashr Ú$ddtrace.appsec._iast.taint_sinks.xssr!Úddtrace.internal.loggerr Úddtrace.internal.settings.asmrrÚ__name__Úlogr(r&r&r&r'Ús0