o i=@sddlZddlmZddlZddlZddlZddlmZddlmZddl Z ddl m Z ddl m Z ddlmZddlmZdd lmZdd lmZdd lmZdd lmZdd lmZddlmZeeZehdZ eeegZ!dZ"dee#dee#fddZ$GdddZ%ej&ddGddde%Z'ej&ddGdddZ(ej&ddGdd d Z)ej&Gd!d"d"e%Z*ej&Gd#d$d$e%Z+dS)%N)reduce)Any)Optional) STACK_TRACE) report_stack)sensitive_handler)is_iast_request_enabled)_get_source_index)VULN_INSECURE_HASHING_TYPE)VULN_WEAK_CIPHER_TYPE)VULN_WEAK_RANDOMNESS) get_logger)config>_rangesdialect_evidences_with_no_sourcesvaluereturncCs.|durdStj}t||kr|d|S|S)z5Truncate evidence value if it exceeds the max length.N) asm_config!_iast_truncation_max_value_lengthlen)r max_lengthrQ/home/ubuntu/.local/lib/python3.10/site-packages/ddtrace/appsec/_iast/reporter.py_truncate_evidence_values   rc@seZdZddZdS)NotNoneDictablecCstj|dddS)NcSsdd|DS)NcSs&i|]\}}|dur|tvr||qSN) ATTRS_TO_SKIP).0kvrrr -s&z>NotNoneDictable._to_dict....r)xrrr-sz*NotNoneDictable._to_dict..) dict_factory) dataclassesasdictselfrrr_to_dict*szNotNoneDictable._to_dictN)__name__ __module__ __qualname__r*rrrrr)s rF)eqc@sneZdZUdZeeed<dZeeed<ej e dZ e e ed<dZ ee ed<ddZd d Zd d ZdS) EvidenceNrrdefault_factoryr valuePartscCsB|jsdSd}|jD]}tj|dd}t|}||N}q |S)NrT) sort_keys)r2jsondumpszlibcrc32encode)r)_hashpartjson_str part_hashrrr_valueParts_hash8s  zEvidence._valueParts_hashcCst|j|fSr)hashrr=r(rrr__hash__DszEvidence.__hash__cCs|j|jko ||kSr)rr=)r)otherrrr__eq__GszEvidence.__eq__)r+r,r-rrstr__annotations__rr&fieldlistrdictr2r=r?rArrrrr/1s  r/T) unsafe_hashc@seZdZUejddddZeed<ejdddZe eed<dZ e e ed<dZ e eed<ejdddd d Z e e ed <ejdddd d Ze e ed <d dZddZddZdS)LocationF)comparer>reprspanId)initrIstackIdNpathline)rIr>rJdefaultmethod class_namecCtt||_dSrr6r7rJr8r>r(rrr __post_init__TzLocation.__post_init__cCd|jd|jdS)NzLocation(path='z', line=))rNrOr(rrr__repr__WzLocation.__repr__cCsti}|jdur |j|d<|jr|j|d<|jdur|j|d<|jr&|j|d<|jr.|j|d<|jr8t|j|d<|S)NrKrNrOrRclassrM)rKrNrOrRrSrMrB)r)resultrrrr*Zs       zLocation._to_dict)r+r,r-r&rDrKintrCrMrrNrBrOrRrSrVrZr*rrrrrHKs  rHc@s^eZdZUeed<eed<eed<ejddde j vddZ e ed<dd Z d d Zd d ZdS) VulnerabilitytypeevidencelocationFPYTEST_CURRENT_TEST)rLrIr>rJr>cCrTrrUr(rrrrVrrWzVulnerability.__post_init__cCrX)NzVulnerability(type='z ', location=rY)r`rbr(rrrrZur[zVulnerability.__repr__cCs"|j|j|j|jd}|S)N)r`rarbr>)r`rar*rbr>)r)to_dictrrrr*xs zVulnerability._to_dictN)r+r,r-rBrCr/rHr&rDosenvironr>r^rVrZr*rrrrr_ks   r_c@steZdZUeed<eed<ejdddZee ed<ejdddZ eeed<ejdddZ eeed<d d Z dS) SourceoriginnameNF)rQrJredactedrpatterncCst|j|jfS)a`origin & name serve as hashes. This approach aims to mitigate false positives when searching for identical sources in a list, especially when sources undergo changes. The provided example illustrates how two sources with different attributes could actually represent the same source. For example: Source(origin=, name='string1', redacted=False, value="password", pattern=None) could be the same source as the one below: Source(origin=, name='string1', redacted=True, value=None, pattern='ab') :return: )r>rhrir(rrrr?s zSource.__hash__) r+r,r-rBrCr&rDrjrboolrrkr?rrrrrgs  rgc @sheZdZUdZdZeed<eje dZ e e ed<eje dZ e eed<defdd Zd d Zd edd fddZd edd fddZdedd fddZdeeefdd fddZd/ddZdddefddZdeeeffddZd d!Zed"edee e e effd#d$Zd%d&Zdeeeffd'd(Z d)ed*e ede ede efd+d,Z!d0defd-d.Z"d S)1IastSpanReporterz3 Class representing an IAST span reporter. r stacktrace_idr0sourcesvulnerabilitiesrcCs"ttjddt|j|jBDS)zq Computes the hash value of the IAST span reporter. Returns: - int: Hash value. css|]}t|VqdSr)r>)robjrrr sz,IastSpanReporter.__hash__..)roperatorxorsetrorpr(rrrr?s"zIastSpanReporter.__hash__cCs|jD]}||qdS)zQ Populates the stacktrace_id of provided vulnerabilities if any. N)rp_populate_stacktrace_idr) vulnerabilityrrrrVs  zIastSpanReporter.__post_init__rxNcCs|||j|dS)z Appends a vulnerability to the IAST span reporter. Args: - vulnerability (Vulnerability): Vulnerability to append. N)rvrpaddrwrrr_append_vulnerabilitys z&IastSpanReporter._append_vulnerabilitycCs@|jd7_t|j}t|tjdsd|j_dS|j|j_dS)zH Populates the stacktrace_id of the IAST span reporter. )stack_id namespaceN)rnrBrrIASTrbrM)r)rxstr_idrrrrvs   z(IastSpanReporter._populate_stacktrace_idr;cCs4t}|j|_|t||||j|_dS)z Merges the current IAST span reporter with another IAST span reporter from a JSON string. Args: - json_str (str): JSON string. N)rmrn _from_dictr4loads_merge)r)r;r@rrr _merge_jsons   zIastSpanReporter._merge_jsondatacCs.t}|j|_|||||j|_dS)z Merges the current IAST span reporter with another IAST span reporter from a dictionary. Args: - data (dict[str, Any]): dictionary. N)rmrnrr)r)rr@rrr _merge_dicts    zIastSpanReporter._merge_dictr@cCs(t|j}|j|j|_|||dS)z Merges the current IAST span reporter with another IAST span reporter. Args: - other (IastSpanReporter): IAST span reporter to merge. N)rro_update_vulnerabilities)r)r@len_previous_sourcesrrrrs zIastSpanReporter._mergeoffsetcCsd|jD],}t|dr)t|jdr)|jjdur)|jjD]}d|vr(|d||d<q|j|qdS)Nrar2source)rphasattrrar2ry)r)r@rvulnr:rrrrs    z(IastSpanReporter._update_vulnerabilitiesc Cs@ddlm}g|_|dD]/}t||d|dd}d|vr$|d|_d|vr-|d|_d |vr6|d |_|j|q t|_ |d D]X}t }d |d vrW|d d |_ d|d vrft |d d|_d |d vrs|d d |_ d|d vr|d d|_|t|d|t|dd|dd|ddddqEdS)z5Initializes the IAST span reporter from a dictionary.r{) str_to_originrorhri)rhrirrjrkrprangesrar2rr`rbrKrNrO)rKrNrO)r`rarbN)_taint_trackingrrorgrrjrkappendrurpr/rrr2rrzr_rH)r)rrirrarrrrsJ              zIastSpanReporter._from_dictcCs"dd|jDdd|jDdS)NcSg|]}|qSrr*rrrrr "z-IastSpanReporter._to_dict..cSrrrrrrrr#rrorprr(rrrr* szIastSpanReporter._to_dictpyobjectcCsddlm}t}||}t}t|sggfS|D](}t|jj|jj|jjd}||vr2| || |j |j |j |j |dq||fS)z Extracts tainted ranges as evidence information. Args: - pyobject (Any): Python object. Returns: - tuple[set[Source], list[dict]]: Set of Source objects and list of tainted ranges as dictionaries. r)get_tainted_ranges)rhrir)startendlengthr) 8ddtrace.appsec._iast._taint_tracking._taint_objects_baserrErrgrrhrirrrr)rrrotainted_rangestainted_ranges_to_dict_rangerrrrtaint_ranges_as_evidence_info&s  z.IastSpanReporter.taint_ranges_as_evidence_infocCsTts tddS||jj\}}||j_|D]}||jvr'|j|g|_qdS)Nziast::propagation::context::add_ranges_to_evidence_and_extract_sources. No request quota or this vulnerability is outside the context)rlogdebugrrarrro)r)rrorrrrr*add_ranges_to_evidence_and_extract_sourcesCs z;IastSpanReporter.add_ranges_to_evidence_and_extract_sourcescCsts tdiS|jD]_}t|j|j|jj|j }|rO|d}|D]}d|vr2t |d|d<q$|d}d}|j D] }||vrEd|_ q<||j_ d|j_ q |jj durl|jt vrl||jj |jj|j |j_ d|j_ q |S)z Builds and scrubs value parts of vulnerabilities. Returns: - dict[str, Any]: Dictionary representation of the IAST span reporter. zviast::propagation::context::build_and_scrub_value_parts. No request quota or this vulnerability is outside the contextredacted_value_partsrredacted_sourcesrN)rrrrprscrub_evidencer`rarrorrr2EVIDENCES_WITH_NO_SOURCESget_unredacted_value_partsr*)r)rscrubbing_resultrr:rrrrrrbuild_and_scrub_value_partsPs<   z,IastSpanReporter.build_and_scrub_value_partsevidence_valuerc Csg}d}|D]4}||dkr|dt|||dit||d}|t||d|d|d|d}q|t|krN|dt||di|S)a( Gets unredacted value parts of evidence. Args: - evidence_value (str): Evidence value. - ranges (list[dict]): list of tainted ranges. - sources (list[Any]): list of sources. Returns: - list[dict]: list of unredacted value parts. rrrrr)rrN)rrr r)r)rrro value_parts from_indexrange_ source_indexrrrrus    z+IastSpanReporter.get_unredacted_value_partscsTddlmddlmGfdddtj}|r!tj||dStj||dS)z Converts the IAST span reporter to a JSON string. Returns: - str: JSON representation of the IAST span reporter. r{) OriginType) origin_to_strcseZdZfddZdS)z3IastSpanReporter._to_str..OriginTypeEncodercs t|r |Stj||Sr) isinstancer4 JSONEncoderrQ)r)rqrrrrrQs z;IastSpanReporter._to_str..OriginTypeEncoder.defaultN)r+r,r-rQrrrrOriginTypeEncodersr)cls)rrrr4rr5r*)r) dict_datarrrr_to_strs  zIastSpanReporter._to_str)r@rmrNr)#r+r,r-__doc__rnr^rCr&rDrErorgrurpr_r?rVrzrvrBrrFrrrrrr* staticmethodtuplerrrrrrrrrrms*        )$ &%#rm),r& functoolsrr4rsretypingrrr6ddtrace.appsec._constantsr/ddtrace.appsec._exploit_prevention.stack_tracesr;ddtrace.appsec._iast._evidence_redaction._sensitive_handlerr/ddtrace.appsec._iast._iast_request_context_baserddtrace.appsec._iast._utilsr ddtrace.appsec._iast.constantsr r r ddtrace.internal.loggerr ddtrace.internal.settings.asmrrr+r frozensetrr"DEFAULT_EVIDENCE_TRUNCATION_LENGTHrBrr dataclassr/rHr_rgrmrrrrsD