o Á¿i—ã@sfdZddlZddlmZddlmZeeƒZdd„Z dd„Z d d „Z dd d „Z ddd„Z ddd„ZdS)a& IAST (Interactive Application Security Testing) Product Entry Point This module serves as the main entry point for IAST instrumentation and addresses critical compatibility issues with Gevent-based applications. === GEVENT COMPATIBILITY === Applications using Gunicorn with the Gevent worker class may experience random worker timeouts during shutdown sequences when IAST is enabled. This occurs because IAST's dynamic code instrumentation interferes with Gevent's monkey patching mechanism. Root Cause: ----------- IAST relies on modules like `importlib.metadata`, `importlib`, and `subprocess` which, when loaded at module level, cannot be properly released from memory. This creates conflicts between the in-memory versions of these modules and Gevent's monkey patching, leading to sporadic blocking operations that can cause worker timeouts. Caveat: Adding incorrect top-level imports (especially `importlib.metadata` or `subprocess`) could reintroduce the flaky gevent timeout errors. Always import these modules locally within functions when needed. Note on inspect module: While the `inspect` module can also cause gevent conflicts, we cannot drop it from sys.modules as it breaks pytest's test collection phase. Pytest creates inspect.Signature objects that must remain valid throughout its lifecycle. éN)Ú get_logger)ÚconfigcCs0ztj|=WdStyt d|¡YdSw)aÐ Safely remove a module from sys.modules to prevent gevent conflicts. Modules like `importlib.metadata` and `inspect` must be removed from memory after IAST initialization to avoid conflicts with Gevent's monkey patching. If these modules remain loaded, they can interfere with Gevent's concurrency model and cause sporadic worker timeouts in Gunicorn applications. Args: module: Name of the module to remove from sys.modules z?IAST: %s module wasn't loaded, drop from sys.modules not neededN)ÚsysÚmodulesÚKeyErrorÚlogÚdebug)Úmodule©r úQ/home/ubuntu/.local/lib/python3.10/site-packages/ddtrace/internal/iast/product.pyÚ _drop_safe)s   ÿr cCsDtjr ddlm}ddlm}t d¡|ƒ|ƒtdƒdSdS)a³ Initialize IAST instrumentation during the preload phase. This function runs early in the application lifecycle (before Gevent's cleanup_loaded_modules if present) to ensure IAST instrumentation is properly established without interfering with Gevent's monkey patching. The initialization includes: 1. Enabling IAST propagation (AST-based taint tracking) 2. Patching taint sink points for vulnerability detection 3. Cleaning up problematic modules from memory This early initialization is critical for Gevent compatibility and prevents random worker timeouts that can occur when IAST modules conflict with Gevent's concurrency mechanisms. r)Úenable_iast_propagation)Ú patch_iastzEnabling IAST by auto importzimportlib.metadataN) Ú asm_configÚ _iast_enabledÚddtrace.appsec._iastr Úddtrace.appsec._iast.mainrrrr )r rr r r Ú post_preload;s    ôrcCs"tjrddlm}| ¡dSdS)z! Start the IAST product. r©ÚAppSecIastSpanProcessorN)rrÚddtrace.appsec._iast.processorrÚenablerr r r Ústart^s  ýrFcCódS)z# Restart the IAST product. Nr ©Újoinr r r ÚrestarthórcCr)z Stop the IAST product. Nr rr r r ÚstoporrcCr)z4 Clean up IAST product at application exit. Nr rr r r Úat_exitvrr)F)Ú__doc__rÚddtrace.internal.loggerrÚddtrace.internal.settings.asmrrÚ__name__rr rrrrrr r r r Ús  #