chore(iast): fix iast span metrics [backport 2.21] (#13087)

backport #13075 to 2.21

Partial backport of #13046 to align the functions parameters.


(cherry picked from commit 9c8c6d0)

## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met 
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

Author: avara1986

ddtrace/appsec/_iast/_metrics.py

@@ -8,6 +8,8 @@
 from ddtrace.appsec._constants import TELEMETRY_INFORMATION_VERBOSITY
 from ddtrace.appsec._constants import TELEMETRY_MANDATORY_VERBOSITY
 from ddtrace.appsec._deduplications import deduplication
+from ddtrace.appsec._iast._taint_tracking import OriginType
+from ddtrace.appsec._iast._taint_tracking import origin_to_str
 from ddtrace.appsec._iast._utils import _is_iast_debug_enabled
 from ddtrace.internal import telemetry
 from ddtrace.internal.logger import get_logger
@@ -139,11 +141,7 @@ def _set_span_tag_iast_executed_sink(span):
 
 
 def _metric_key_as_snake_case(key):
-    from ._taint_tracking import OriginType
-
     if isinstance(key, OriginType):
-        from ._taint_tracking import origin_to_str
-
         key = origin_to_str(key)
     key = key.replace(".", "_")
     return key.lower()

ddtrace/appsec/_iast/_taint_tracking/_taint_objects.py

@@ -37,35 +37,64 @@ def is_pyobject_tainted(pyobject: Any) -> bool:
 
 
 def _taint_pyobject_base(pyobject: Any, source_name: Any, source_value: Any, source_origin=None) -> Any:
-    if not asm_config.is_iast_request_enabled:
+    """Mark a Python object as tainted with information about its origin.
+
+    This function is the base for marking objects as tainted, setting their origin and range.
+    It is optimized for:
+    1. Early validations to avoid unnecessary operations
+    2. Efficient type conversions
+    3. Special case handling (empty objects)
+    4. Robust error handling
+
+    Performance optimizations:
+    - Early return for disabled IAST or non-taintable types
+    - Efficient string length calculation only when needed
+    - Optimized bytes/bytearray to string conversion using decode()
+    - Minimized object allocations and method calls
+
+    Args:
+        pyobject (Any): The object to mark as tainted. Must be a taintable type.
+        source_name (Any): Name of the taint source (e.g., parameter name).
+        source_value (Any): Original value that caused the taint.
+        source_origin (Optional[OriginType]): Origin of the taint. Defaults to PARAMETER.
+
+    Returns:
+        Any: The tainted object if operation was successful, original object if failed.
+
+    Note:
+        - Only applies to taintable types defined in IAST.TAINTEABLE_TYPES
+        - Returns unmodified object for empty strings
+        - Automatically handles bytes/bytearray to str conversion
+    """
+    # Early type validation
+    if not isinstance(pyobject, IAST.TAINTEABLE_TYPES):  # type: ignore[misc]
         return pyobject
 
-    if not isinstance(pyobject, IAST.TAINTEABLE_TYPES):  # type: ignore[misc]
+    # Fast path for empty strings
+    if isinstance(pyobject, IAST.TEXT_TYPES) and not pyobject:
         return pyobject
-    # We need this validation in different condition if pyobject is not a text type and creates a side-effect such as
-    # __len__ magic method call.
-    pyobject_len = 0
-    if isinstance(pyobject, IAST.TEXT_TYPES):
-        pyobject_len = len(pyobject)
-        if pyobject_len == 0:
-            return pyobject
 
+    # Efficient source_name conversion
     if isinstance(source_name, (bytes, bytearray)):
-        source_name = str(source_name, encoding="utf8", errors="ignore")
-    if isinstance(source_name, OriginType):
+        source_name = source_name.decode("utf-8", errors="ignore")
+    elif isinstance(source_name, OriginType):
         source_name = origin_to_str(source_name)
 
+    # Efficient source_value conversion
     if isinstance(source_value, (bytes, bytearray)):
-        source_value = str(source_value, encoding="utf8", errors="ignore")
+        source_value = source_value.decode("utf-8", errors="ignore")
+
+    # Default source_origin
     if source_origin is None:
         source_origin = OriginType.PARAMETER
 
     try:
-        pyobject_newid = set_ranges_from_values(pyobject, pyobject_len, source_name, source_value, source_origin)
-        return pyobject_newid
+        # Calculate length only for text types
+        pyobject_len = len(pyobject) if isinstance(pyobject, IAST.TEXT_TYPES) else 0
+        return set_ranges_from_values(pyobject, pyobject_len, source_name, source_value, source_origin)
     except ValueError:
         iast_propagation_debug_log(f"Tainting object error (pyobject type {type(pyobject)})", exc_info=True)
-    return pyobject
+        return pyobject
 
 
 def taint_pyobject_with_ranges(pyobject: Any, ranges: Tuple) -> bool:
@@ -95,48 +124,50 @@ def get_tainted_ranges(pyobject: Any) -> Tuple:
 
 def taint_pyobject(pyobject: Any, source_name: Any, source_value: Any, source_origin=None) -> Any:
     try:
-        if source_origin is None:
-            source_origin = OriginType.PARAMETER
-
-        res = _taint_pyobject_base(pyobject, source_name, source_value, source_origin)
-        _set_metric_iast_executed_source(source_origin)
-        increment_iast_span_metric(IAST_SPAN_TAGS.TELEMETRY_EXECUTED_SOURCE, source_origin)
-        return res
+        if asm_config.is_iast_request_enabled:
+            if source_origin is None:
+                source_origin = OriginType.PARAMETER
+
+            res = _taint_pyobject_base(pyobject, source_name, source_value, source_origin)
+            _set_metric_iast_executed_source(source_origin)
+            increment_iast_span_metric(IAST_SPAN_TAGS.TELEMETRY_EXECUTED_SOURCE, source_origin)
+            return res
     except ValueError:
         iast_propagation_debug_log(f"taint_pyobject error (pyobject type {type(pyobject)})", exc_info=True)
     return pyobject
 
 
 def copy_ranges_to_string(pyobject: str, ranges: Sequence[TaintRange]) -> str:
     # NB this function uses comment-based type annotation because TaintRange is conditionally imported
-    if not isinstance(pyobject, IAST.TAINTEABLE_TYPES):  # type: ignore[misc]
-        return pyobject
-
-    for r in ranges:
-        _is_string_in_source_value = False
-        if r.source.value:
-            if isinstance(pyobject, (bytes, bytearray)):
-                pyobject_str = str(pyobject, encoding="utf8", errors="ignore")
-            else:
-                pyobject_str = pyobject
-            _is_string_in_source_value = pyobject_str in r.source.value
+    if asm_config.is_iast_request_enabled:
+        if not isinstance(pyobject, IAST.TAINTEABLE_TYPES):  # type: ignore[misc]
+            return pyobject
 
-        if _is_string_in_source_value:
+        for r in ranges:
+            _is_string_in_source_value = False
+            if r.source.value:
+                if isinstance(pyobject, (bytes, bytearray)):
+                    pyobject_str = str(pyobject, encoding="utf8", errors="ignore")
+                else:
+                    pyobject_str = pyobject
+                _is_string_in_source_value = pyobject_str in r.source.value
+
+            if _is_string_in_source_value:
+                pyobject = _taint_pyobject_base(
+                    pyobject=pyobject,
+                    source_name=r.source.name,
+                    source_value=r.source.value,
+                    source_origin=r.source.origin,
+                )
+                break
+        else:
+            # no total match found, maybe partial match, just take the first one
             pyobject = _taint_pyobject_base(
                 pyobject=pyobject,
-                source_name=r.source.name,
-                source_value=r.source.value,
-                source_origin=r.source.origin,
+                source_name=ranges[0].source.name,
+                source_value=ranges[0].source.value,
+                source_origin=ranges[0].source.origin,
             )
-            break
-    else:
-        # no total match found, maybe partial match, just take the first one
-        pyobject = _taint_pyobject_base(
-            pyobject=pyobject,
-            source_name=ranges[0].source.name,
-            source_value=ranges[0].source.value,
-            source_origin=ranges[0].source.origin,
-        )
     return pyobject
 
 

ddtrace/appsec/_iast/_taint_utils.py

@@ -520,7 +520,7 @@ def supported_dbapi_integration(integration_name):
     return integration_name in DBAPI_INTEGRATIONS or integration_name.startswith(DBAPI_PREFIXES)
 
 
-def check_tainted_dbapi_args(args, kwargs, tracer, integration_name, method):
+def check_tainted_dbapi_args(args, kwargs, integration_name, method):
     if supported_dbapi_integration(integration_name) and method.__name__ == "execute":
         return len(args) and args[0] and is_pyobject_tainted(args[0])
 

ddtrace/appsec/_iast/taint_sinks/ast_taint.py

@@ -36,11 +36,15 @@ def ast_function(
         and cls_name == "Random"
         and func_name in DEFAULT_WEAK_RANDOMNESS_FUNCTIONS
     ):
-        if asm_config._iast_enabled and asm_config.is_iast_request_enabled:
-            # Weak, run the analyzer
+        if asm_config.is_iast_request_enabled:
+            if WeakRandomness.has_quota():
+                WeakRandomness.report(evidence_value=cls_name + "." + func_name)
+
+            # Reports Span Metrics
             increment_iast_span_metric(IAST_SPAN_TAGS.TELEMETRY_EXECUTED_SINK, WeakRandomness.vulnerability_type)
+            # Report Telemetry Metrics
             _set_metric_iast_executed_sink(WeakRandomness.vulnerability_type)
-            WeakRandomness.report(evidence_value=cls_name + "." + func_name)
+
     elif hasattr(func, "__module__") and DEFAULT_PATH_TRAVERSAL_FUNCTIONS.get(func.__module__):
         if func_name in DEFAULT_PATH_TRAVERSAL_FUNCTIONS[func.__module__]:
             check_and_report_path_traversal(*args, **kwargs)

ddtrace/appsec/_iast/taint_sinks/code_injection.py

@@ -2,8 +2,10 @@
 from typing import Text
 
 from ddtrace.appsec._common_module_patches import try_unwrap
+from ddtrace.appsec._constants import IAST
 from ddtrace.appsec._constants import IAST_SPAN_TAGS
 from ddtrace.appsec._iast import oce
+from ddtrace.appsec._iast._logs import iast_error
 from ddtrace.appsec._iast._metrics import _set_metric_iast_executed_sink
 from ddtrace.appsec._iast._metrics import _set_metric_iast_instrumented_sink
 from ddtrace.appsec._iast._metrics import increment_iast_span_metric
@@ -79,8 +81,14 @@ class CodeInjection(VulnerabilityBase):
 
 
 def _iast_report_code_injection(code_string: Text):
-    increment_iast_span_metric(IAST_SPAN_TAGS.TELEMETRY_EXECUTED_SINK, CodeInjection.vulnerability_type)
-    _set_metric_iast_executed_sink(CodeInjection.vulnerability_type)
-    if asm_config.is_iast_request_enabled:
-        if is_pyobject_tainted(code_string):
-            CodeInjection.report(evidence_value=code_string)
+    reported = False
+    try:
+        if asm_config.is_iast_request_enabled:
+            if isinstance(code_string, IAST.TEXT_TYPES) and CodeInjection.has_quota():
+                if is_pyobject_tainted(code_string):
+                    CodeInjection.report(evidence_value=code_string)
+            increment_iast_span_metric(IAST_SPAN_TAGS.TELEMETRY_EXECUTED_SINK, CodeInjection.vulnerability_type)
+            _set_metric_iast_executed_sink(CodeInjection.vulnerability_type)
+    except Exception as e:
+        iast_error(f"propagation::sink_point::Error in _iast_report_code_injection. {e}")
+    return reported

ddtrace/appsec/_iast/taint_sinks/command_injection.py

@@ -3,6 +3,7 @@
 
 from ddtrace.appsec._constants import IAST_SPAN_TAGS
 from ddtrace.appsec._iast import oce
+from ddtrace.appsec._iast._logs import iast_error
 from ddtrace.appsec._iast._metrics import _set_metric_iast_executed_sink
 from ddtrace.appsec._iast._metrics import _set_metric_iast_instrumented_sink
 from ddtrace.appsec._iast._metrics import increment_iast_span_metric
@@ -46,19 +47,25 @@ class CommandInjection(VulnerabilityBase):
 def _iast_report_cmdi(shell_args: Union[str, List[str]]) -> None:
     report_cmdi = ""
 
-    increment_iast_span_metric(IAST_SPAN_TAGS.TELEMETRY_EXECUTED_SINK, CommandInjection.vulnerability_type)
-    _set_metric_iast_executed_sink(CommandInjection.vulnerability_type)
-
-    if asm_config.is_iast_request_enabled and CommandInjection.has_quota():
-        from .._taint_tracking.aspects import join_aspect
-
-        if isinstance(shell_args, (list, tuple)):
-            for arg in shell_args:
-                if is_pyobject_tainted(arg):
-                    report_cmdi = join_aspect(" ".join, 1, " ", shell_args)
-                    break
-        elif is_pyobject_tainted(shell_args):
-            report_cmdi = shell_args
-
-        if report_cmdi:
-            CommandInjection.report(evidence_value=report_cmdi)
+    try:
+        if asm_config.is_iast_request_enabled:
+            if CommandInjection.has_quota():
+                from .._taint_tracking.aspects import join_aspect
+
+                if isinstance(shell_args, (list, tuple)):
+                    for arg in shell_args:
+                        if is_pyobject_tainted(arg):
+                            report_cmdi = join_aspect(" ".join, 1, " ", shell_args)
+                            break
+                elif is_pyobject_tainted(shell_args):
+                    report_cmdi = shell_args
+
+                if report_cmdi:
+                    CommandInjection.report(evidence_value=report_cmdi)
+
+            # Reports Span Metrics
+            increment_iast_span_metric(IAST_SPAN_TAGS.TELEMETRY_EXECUTED_SINK, CommandInjection.vulnerability_type)
+            # Report Telemetry Metrics
+            _set_metric_iast_executed_sink(CommandInjection.vulnerability_type)
+    except Exception as e:
+        iast_error(f"propagation::sink_point::Error in _iast_report_ssrf. {e}")

ddtrace/appsec/_iast/taint_sinks/header_injection.py

@@ -6,6 +6,8 @@
 from ddtrace.appsec._common_module_patches import try_unwrap
 from ddtrace.appsec._constants import IAST_SPAN_TAGS
 from ddtrace.appsec._iast import oce
+from ddtrace.appsec._iast._logs import iast_error
+from ddtrace.appsec._iast._logs import iast_instrumentation_wrapt_debug_log
 from ddtrace.appsec._iast._metrics import _set_metric_iast_executed_sink
 from ddtrace.appsec._iast._metrics import _set_metric_iast_instrumented_sink
 from ddtrace.appsec._iast._metrics import increment_iast_span_metric
@@ -18,7 +20,6 @@
 from ddtrace.internal.logger import get_logger
 from ddtrace.settings.asm import config as asm_config
 
-from .._logs import iast_instrumentation_wrapt_debug_log
 from ._base import VulnerabilityBase
 
 
@@ -122,19 +123,23 @@ def _process_header(headers_args):
     header_name, header_value = headers_args
     if header_name is None:
         return
-
-    for header_to_exclude in HEADER_INJECTION_EXCLUSIONS:
-        header_name_lower = header_name.lower()
-        if header_name_lower == header_to_exclude or header_name_lower.startswith(header_to_exclude):
-            return
-
-    increment_iast_span_metric(IAST_SPAN_TAGS.TELEMETRY_EXECUTED_SINK, HeaderInjection.vulnerability_type)
-    _set_metric_iast_executed_sink(HeaderInjection.vulnerability_type)
-
-    if asm_config.is_iast_request_enabled and HeaderInjection.has_quota():
-        if is_pyobject_tainted(header_name) or is_pyobject_tainted(header_value):
-            header_evidence = add_aspect(add_aspect(header_name, HEADER_NAME_VALUE_SEPARATOR), header_value)
-            HeaderInjection.report(evidence_value=header_evidence)
+    try:
+        for header_to_exclude in HEADER_INJECTION_EXCLUSIONS:
+            header_name_lower = header_name.lower()
+            if header_name_lower == header_to_exclude or header_name_lower.startswith(header_to_exclude):
+                return
+
+        if asm_config.is_iast_request_enabled:
+            if HeaderInjection.has_quota() and (is_pyobject_tainted(header_name) or is_pyobject_tainted(header_value)):
+                header_evidence = add_aspect(add_aspect(header_name, HEADER_NAME_VALUE_SEPARATOR), header_value)
+                HeaderInjection.report(evidence_value=header_evidence)
+
+            # Reports Span Metrics
+            increment_iast_span_metric(IAST_SPAN_TAGS.TELEMETRY_EXECUTED_SINK, HeaderInjection.vulnerability_type)
+            # Report Telemetry Metrics
+            _set_metric_iast_executed_sink(HeaderInjection.vulnerability_type)
+    except Exception as e:
+        iast_error(f"propagation::sink_point::Error in _iast_report_header_injection. {e}")
 
 
 def _iast_report_header_injection(headers_or_args) -> None:

ddtrace/appsec/_iast/taint_sinks/path_traversal.py

@@ -2,6 +2,7 @@
 
 from ddtrace.appsec._constants import IAST_SPAN_TAGS
 from ddtrace.appsec._iast import oce
+from ddtrace.appsec._iast._logs import iast_error
 from ddtrace.appsec._iast._metrics import _set_metric_iast_executed_sink
 from ddtrace.appsec._iast._metrics import _set_metric_iast_instrumented_sink
 from ddtrace.appsec._iast._metrics import increment_iast_span_metric
@@ -30,9 +31,15 @@ def check_and_report_path_traversal(*args: Any, **kwargs: Any) -> None:
         _set_metric_iast_instrumented_sink(VULN_PATH_TRAVERSAL)
         IS_REPORTED_INTRUMENTED_SINK = True
 
-    if asm_config.is_iast_request_enabled and PathTraversal.has_quota():
-        filename_arg = args[0] if args else kwargs.get("file", None)
-        if is_pyobject_tainted(filename_arg):
-            PathTraversal.report(evidence_value=filename_arg)
-    increment_iast_span_metric(IAST_SPAN_TAGS.TELEMETRY_EXECUTED_SINK, PathTraversal.vulnerability_type)
-    _set_metric_iast_executed_sink(PathTraversal.vulnerability_type)
+    try:
+        if asm_config.is_iast_request_enabled:
+            filename_arg = args[0] if args else kwargs.get("file", None)
+            if PathTraversal.has_quota() and is_pyobject_tainted(filename_arg):
+                PathTraversal.report(evidence_value=filename_arg)
+
+            # Reports Span Metrics
+            increment_iast_span_metric(IAST_SPAN_TAGS.TELEMETRY_EXECUTED_SINK, PathTraversal.vulnerability_type)
+            # Report Telemetry Metrics
+            _set_metric_iast_executed_sink(PathTraversal.vulnerability_type)
+    except Exception as e:
+        iast_error(f"propagation::sink_point::Error in check_and_report_path_traversal. {e}")