o i@s.dZddlmZddlmZddlmZddlmZ ee Z idej dej dejd ejd ejd ejd ejd ejdejdejdejdejdejdejdejdejZdZdZGdddZdede efddZ!dede e"fdd Z#d!ede efd"d#Z$de efd$d%Z%d&S)'aModule for parsing and applying DD_IAST_SECURITY_CONTROLS_CONFIGURATION. This module handles the configuration of custom security controls via environment variables. It supports both INPUT_VALIDATOR and SANITIZER types with configurable vulnerability types, modules, methods, and parameter positions. Format: CONTROL_TYPE:VULNERABILITY_TYPES:MODULE:METHOD[:PARAMETER_POSITIONS] Example: INPUT_VALIDATOR:COMMAND_INJECTION,XSS:shlex:quote )Optional)VulnerabilityType) get_logger)configCODE_INJECTIONCOMMAND_INJECTIONHEADER_INJECTIONUNVALIDATED_REDIRECTINSECURE_COOKIENO_HTTPONLY_COOKIENO_SAMESITE_COOKIEPATH_TRAVERSAL SQL_INJECTIONSQLISSRFSTACKTRACE_LEAK WEAK_CIPHER WEAK_HASHWEAK_RANDOMNESSXSS SANITIZERINPUT_VALIDATORc @sFeZdZdZ d dedeedededeeef dd Z d d Z dS) SecurityControlz3Represents a single security control configuration.N control_typevulnerability_types module_path method_name parameterscCsF||_||_||_||_|pg|_|jttfvr!td|dS)aInitialize a security control configuration. Args: control_type: Either SC_VALIDATOR or SC_SANITIZER vulnerability_types: list of vulnerability types this control applies to module_path: Python module path (e.g., "shlex", "django.utils.http") method_name: Name of the method to wrap parameters: Optional list of parameter types for overloaded methods zInvalid control type: N) upperrrrrr SC_VALIDATOR SC_SANITIZER ValueError)selfrrrrrr#c/home/ubuntu/.local/lib/python3.10/site-packages/ddtrace/appsec/_iast/secure_marks/configuration.py__init__/s  zSecurityControl.__init__c Cs0d|jddd|jDd|jd|jd S)NzSecurityControl(type=z, vulns=cSsg|]}|jqSr#)name).0vr#r#r$ Lsz,SecurityControl.__repr__..z , module=z , method=))rrrr)r"r#r#r$__repr__Is zSecurityControl.__repr__)N) __name__ __module__ __qualname____doc__strlistrrintr%r+r#r#r#r$r,s  r vuln_stringreturncCs`|dkr ttSg}|dD]}|}|tvr&td||t|q|S)aParse comma-separated vulnerability types or '*' for all types. Args: vuln_string: Comma-separated vulnerability type names or '*' Returns: list of VulnerabilityType enum values Raises: ValueError: If an unknown vulnerability type is specified *,zUnknown vulnerability type: )stripr1VULNERABILITY_TYPE_MAPPINGvaluessplitrr!append)r3r vuln_namer#r#r$parse_vulnerability_typesQs  r=positions_stringc CsL|sgSz dd|dDWSty%}ztd||d}~ww)aParse comma-separated parameter positions. Args: positions_string: Comma-separated parameter positions (e.g., "0,1,3") Returns: list of integer positions Raises: ValueError: If positions cannot be parsed as integers cSsg|]}t|qSr#)r2r7)r'posr#r#r$r)zsz$parse_parameters..r6zInvalid parameter positions: N)r7r:r!)r>er#r#r$parse_parametersjs rA config_stringc Cs|sgSg}|dD]p}|}|sq |d}t|dkr(td|q zD|d}t|d}|d}|d}d }t|dkrW|drWt|d}t|||||d } || t d | Wq t y}tjd |d dYq w|S)avParse the DD_IAST_SECURITY_CONTROLS_CONFIGURATION environment variable. Args: config_string: Configuration string with format: CONTROL_TYPE:VULNERABILITY_TYPES:MODULE:METHOD[:PARAMETERS][:PARAMETER_POSITIONS] Returns: list of SecurityControl objects Raises: ValueError: If the configuration format is invalid ;:z;Invalid security control configuration (missing fields): %srN)rrrrrzParsed security control: %sz#Failed to parse security control %sTexc_info) r7r:lenlogwarningr=rArr;debug Exception) rBsecurity_controlscontrol_configfieldsrrrrrsecurity_controlr#r#r$parse_security_controls_configsB          rTcCsRtj}|sgSzt|}tdt||WSty(tjdddgYSw)zGet security controls configuration from DD_IAST_SECURITY_CONTROLS_CONFIGURATION environment variable. Returns: list of SecurityControl objects parsed from the environment variable z3Loaded %s custom security controls from environmentz7Failed to parse DD_IAST_SECURITY_CONTROLS_CONFIGURATIONTrI) asm_config_iast_security_controlsrTrLinforKrOerror)rBcontrolsr#r#r$get_security_controls_from_envs rZN)&r/typingr$ddtrace.appsec._iast._taint_trackingrddtrace.internal.loggerrddtrace.internal.settings.asmrrUr,rLrrrr r r r r rrrrrrrr8r rrr0r1r=r2rArTrZr#r#r#r$s\        %<