o iZW@sxUddlZddlmZddlmZddlZddlZddlZddlmZddlm Z ddlm Z ddlm Z ddlm Z dd l mZdd lmZdd lmZdd lmZdd lmZddlmZddlmZddlmZddlmZddlm Z ee!Z"e#de$ej%ddd&ddde'fddZ(de$e'e'ffddZ)iZ*e$e'e e'gdffe+d<iZ,e$e'e e e-e'e'fgdffe+d<de'd e e'gdffd!d"Z.de'fd#d$Z/de'd e e e-e'e'fgdffd%d&Z0de'fd'd(Z1d)d*Z2de-e'fd+d,Z3ed-d.Gd/d0d0Z4Gd1d2d2Z5d?d3d4Z6ej7d5d6Z8ej7d7d8Z9ej7d9d:Z:ej7d;d<Z;ej7d=d>ZPATH LD_PRELOADLD_LIBRARY_PATHmd5) z *password*z*passwd*z *mysql_pwd*z*access_token*z *auth_token*z *api_key*z*apikey*z*secret*z *credentials* stripetokenz \b[A-Z_]+=\w+F shell_argsshellrNcCst|t|}tj||_|jr(|jj|_|jj|_|jj|_|jj|_dSg|_d|_g|_d|_t |tr?t |}nt t t|}|rN||n |d|_|dd|_t |jtret |jn|j|_|t||j|j|j|j|_dS)z For shell=True, the shell_args is parsed to extract environment variables, binary, and arguments. For shell=False, the first element is the binary and the rest are arguments. rFrN)rXr\r]get _cache_entryrQrNrOrP isinstanceshlexsplitrrZscrub_env_varstuplescrub_argumentsri)selfrqrr cache_keytokensrrrr@s.        zSubprocessCmdLine.__init__c Cst|D]D\}}t|j|r+|d\}}||jvr"|j|q|jd|qz|||_||dd|_ WdSt yHYdSwdS)aDExtract and scrub environment variables from shell command tokens. Args: tokens: list of command tokens to process Side effects: Updates self.env_vars, self.binary, and self.arguments Environment variables not in allowlist are scrubbed (value replaced with '?') =z%s=?rsN) enumeraterematch_COMPILED_ENV_VAR_REGEXPrxENV_VARS_ALLOWLISTrQr>rNrO IndexError)r|r~idxtokenvarvaluerrrry s    z SubprocessCmdLine.scrub_env_varscCsF|jr|j|jvrdd|jD|_dSd}g}t|j}|r|d}|jtjj D] }t ||r8d}nq-d}|sG| || q |d|vrW| d| q d |vre| d| q z$|d d|vry| d| Wq | |dg| | Wq ty| d| Ynw|s"||_dS) aScrub sensitive information from command arguments. This method processes command arguments to remove or obscure sensitive information like passwords, API keys, tokens, etc. It handles both standalone sensitive arguments and argument-value pairs. Side effects: Updates self.arguments with scrubbed values (sensitive data replaced with '?') Scrubbing rules: 1. If binary is in denylist, scrub all arguments 2. For each argument matching sensitive patterns: - If it contains '=', scrub the entire argument - If it's followed by another option, scrub only this argument - If it's followed by a value, scrub the value instead cSsg|]}dqS)?r).0_rrr 7sz5SubprocessCmdLine.scrub_arguments..N)-/rTFrrrs)rNlowerBINARIES_DENYLISTrO collectionsdequeSENSITIVE_WORDS_WILDCARDSrrrrr>popleftextendr)r|param_prefixesnew_args deque_argscurrent sensitive is_sensitiverrrr{$sR           -z!SubprocessCmdLine.scrub_argumentsstr_cCsHt||j}|dkrd|_|Sd|_d|}|d|t| |S)a1Truncate a string if it exceeds the size limit. Args: str_: String to potentially truncate Returns: str: Original string if under limit, or truncated string with message Side effects: Sets self.truncated = True if truncation occurred rFTz* "4kB argument truncated by %d characters")rbTRUNCATE_LIMITrP)r|roversizemsgrrrtruncate_stringms z!SubprocessCmdLine.truncate_stringcCs4|j|jg|j}|t|}t|}||fS)aKGenerate both list and string representations of the command. Returns: tuple[list[str], str]: (command_as_list, command_as_string) Note: The string representation may be truncated if it exceeds size limits. The list representation is derived from the truncated string. )rQrNrOrrrwrx)r| total_list truncated_strtruncated_listrrr_as_list_and_strings  z%SubprocessCmdLine._as_list_and_stringcCs@|jr |jjdur |jjS|\}}|jr||j_||j_|S)aGet the command as a list of strings. Returns: list[str]: Command represented as list of arguments Note: Result is cached for performance. Includes environment variables, binary, and arguments in that order. N)rurRrrSr|list_resstr_resrrrrR  zSubprocessCmdLine.as_listcCs@|jr |jjdur |jjS|\}}|jr||j_||j_|S)aGet the command as a shell-quoted string. Returns: str: Command represented as a shell-quoted string Note: Result is cached for performance. String may be truncated if it exceeds the size limit. N)rurSrrRrrrrrSrzSubprocessCmdLine.as_string)F)$rTrUrVrWr]dictrXrMrYrrr^rcrra classmethodrirkrrrrrcompilerrrZr[r@ryr{rrzrrRrSrrrrr\s.     $)I r\c Csddl}ddl}t|t||df|df|df|jdf|jdffD]\}}zt||Wq'ty<Yq'wt dS)aARemove instrumentation from subprocess and os functions. This function removes all patches applied by the patch() function, restoring the original behavior of subprocess and os functions. Also clears the command line cache. Note: Safe to call multiple times. Missing attributes are ignored. rNr3r1r2r@rA) r4rr remove_fromr?r unwrapAttributeErrorr\rk)r4robjattrrrrunpatchs       rc Cstrzt|dtrtD]}||dqt|ddd}Wnty8tjddd||i|YSwt j t j |j tjd4}|t j||jrX|t jd|t jd||i|} |t jt| | Wd S1s{wYd S||i|S) zTraced wrapper for os.system function. Note: Only instruments when AAP is enabled and WAF bypass is not active. Creates spans with shell command details, exit codes, and component tags. rTrrz2Could not trace subprocess execution for os.systemexc_inforesource span_typeyesr4N)r0rvrXrvaluesr\ Exceptionlogdebugrtracer SPAN_NAMErNr SYSTEM _set_tag_strSHELLrSrP TRUNCATED COMPONENT EXIT_CODE) modulepinwrappedinstanceargskwargsr!shellcmdspanretrrrr;s(  $ r;cCsxtjs ||i|Stjtjdtjd}|tj dg| tj d||i|WdS1s5wYdS)zTraced wrapper for os.fork function. Note: Only instruments when AAP is enabled. Creates spans with fork operation details. r1rzos.forkr4N) r-r/rrr rr rset_tagEXECrr)rrrrrrrrrrr<s  $r<cCs2tjs ||i|Sz)|\}}}} } t|tttfr,|gt|} tD]} | | q%t|dd} Wnt yJt j ddd||i|YSwt j tj| jtjd9} | tj| | jrj| tjd| tjd||i|}|tjkr| tjt||Wd S1swYd S) zTraced wrapper for os._spawnvef function (used by all os.spawn* variants). Note: Only instruments when AAP is enabled. Creates spans with spawn operation details and exit codes for P_WAIT mode. Frz1Could not trace subprocess execution for os.spawnTrrtruer4N)r-r/rvrZrzrXrrr\rrrrrr rrNr rrrrRrPrrrr4P_WAITr)rrrrrrmodefile func_argsrcommandsr!rrrrrrr= s.    $r=c Cs~trzKt|r |dn|d}t|tttfr5|ddr*tD]}||q"n t D]}||q.t|tr?t |n|}|dd} t || d} Wnt yetjddd||i|YSwtjtj| jtjd =ttj| | jrttjd | rttj| n ttj| ttj| j||i|Wd S1swYd S||i|S) a'Traced wrapper for subprocess.Popen.__init__ method. Note: Only instruments when AAP is enabled and WAF bypass is not active. Stores command details in context for later use by _traced_subprocess_wait. Creates a span that will be completed by the wait() method. rrrrFrz$Could not trace subprocess executionTrrrN) r0rbrvrZrzrXrtrrrrwrxr\rrrrrr rrNr rr set_itemCTX_SUBP_IS_SHELLrPCTX_SUBP_TRUNCATED CTX_SUBP_LINErSrRCTX_SUBP_BINARY) rrrrrrcmd_argsr! cmd_args_listis_shellrrrrrB-s8         $ rBc Cstritd}tjtj|tjdM}ttj r%| tj ttj n | tjttj ttj}|r?| tjd| tjd||i|} | tjt| | WdS1sbwYdS||i|S)aTraced wrapper for subprocess.Popen.wait method. Note: Only instruments when AAP is enabled and WAF bypass is not active. Retrieves command details stored by _traced_subprocess_init and completes the span with execution results and exit code. subprocess_popen_binaryrrrN)r0r find_itemrrr rr rrrrrrrrrrrrX) rrrrrrrNrrPrrrrrCWs   $rC)rN)=r dataclassesrrr4rrwrtypingrrrrddtrace._trace.pinr ddtrace.contribr -ddtrace.contrib.internal.subprocess.constantsr ddtrace.extr ddtrace.internalr ddtrace.internal.loggerr!ddtrace.internal.settings._configrddtrace.internal.settings.asmr-ddtrace.internal.threadsr ddtrace.tracerrTr_addrgetenvrxrXrrrrYrrZr$r)r+r,r0rKrMr\rwith_traced_moduler;r<r=rBrCrrrrsh                 * (   1 "!   ! )