chore(iast): update test to find leaks (#7629)

Update IAST test with memray to find possible leaksm. Add regression
tests for #7630

Those tests implement memray and pytest-memray, those are inspired in
this PR #7112 thanks
@pablogsal

More Info:
https://github.com/bloomberg/memray
https://github.com/bloomberg/pytest-memray

## Checklist

- [x] Change(s) are motivated and described in the PR description.
- [x] Testing strategy is described if automated tests are not included
in the PR.
- [x] Risk is outlined (performance impact, potential for breakage,
maintainability, etc).
- [x] Change is maintainable (easy to change, telemetry, documentation).
- [x] [Library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
are followed. If no release note is required, add label
`changelog/no-changelog`.
- [x] Documentation is included (in-code, generated user docs, [public
corp docs](https://github.com/DataDog/documentation/)).
- [x] Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist

- [x] Title is accurate.
- [x] No unnecessary changes are introduced.
- [x] Description motivates each change.
- [x] Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes unless absolutely necessary.
- [x] Testing strategy adequately addresses listed risk(s).
- [x] Change is maintainable (easy to change, telemetry, documentation).
- [x] Release note makes sense to a user of the library.
- [x] Reviewer has explicitly acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment.
- [x] Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)
- [x] If this PR touches code that signs or publishes builds or
packages, or handles credentials of any kind, I've requested a review
from `@DataDog/security-design-and-guidance`.
- [x] This PR doesn't touch any of that.

---------

Co-authored-by: Gabriele N. Tornetta <[email protected]>

Author: avara1986

.circleci/config.templ.yml

@@ -432,7 +432,14 @@ jobs:
     <<: *machine_executor
     steps:
       - run_test:
-          pattern: 'appsec_iast'
+          pattern: 'appsec_iast$'
+          snapshot: true
+
+  appsec_iast_memcheck:
+    <<: *machine_executor
+    steps:
+      - run_test:
+          pattern: 'appsec_iast_memcheck'
           snapshot: true
 
   appsec_integrations:

.riot/requirements/1b5d605.txt

@@ -0,0 +1,37 @@
+#
+# This file is autogenerated by pip-compile with python 3.9
+# To update, run:
+#
+#    pip-compile --no-annotate --resolver=backtracking .riot/requirements/1b5d605.in
+#
+attrs==23.1.0
+certifi==2023.7.22
+cffi==1.16.0
+charset-normalizer==3.3.2
+coverage[toml]==7.3.2
+cryptography==41.0.5
+exceptiongroup==1.1.3
+hypothesis==6.45.0
+idna==3.4
+iniconfig==2.0.0
+jinja2==3.1.2
+markdown-it-py==3.0.0
+markupsafe==2.1.3
+mdurl==0.1.2
+memray==1.10.0
+mock==5.1.0
+opentracing==2.4.0
+packaging==23.2
+pluggy==1.3.0
+pycparser==2.21
+pycryptodome==3.19.0
+pygments==2.16.1
+pytest==7.4.3
+pytest-cov==4.1.0
+pytest-memray==1.5.0
+pytest-mock==3.12.0
+requests==2.31.0
+rich==13.7.0
+sortedcontainers==2.4.0
+tomli==2.0.1
+urllib3==2.1.0

.riot/requirements/7121e51.txt

@@ -0,0 +1,35 @@
+#
+# This file is autogenerated by pip-compile with Python 3.11
+# by the following command:
+#
+#    pip-compile --no-annotate .riot/requirements/7121e51.in
+#
+attrs==23.1.0
+certifi==2023.7.22
+cffi==1.16.0
+charset-normalizer==3.3.2
+coverage[toml]==7.3.2
+cryptography==41.0.5
+hypothesis==6.45.0
+idna==3.4
+iniconfig==2.0.0
+jinja2==3.1.2
+markdown-it-py==3.0.0
+markupsafe==2.1.3
+mdurl==0.1.2
+memray==1.10.0
+mock==5.1.0
+opentracing==2.4.0
+packaging==23.2
+pluggy==1.3.0
+pycparser==2.21
+pycryptodome==3.19.0
+pygments==2.16.1
+pytest==7.4.3
+pytest-cov==4.1.0
+pytest-memray==1.5.0
+pytest-mock==3.12.0
+requests==2.31.0
+rich==13.7.0
+sortedcontainers==2.4.0
+urllib3==2.1.0

.riot/requirements/861bff5.txt

@@ -0,0 +1,37 @@
+#
+# This file is autogenerated by pip-compile with Python 3.10
+# by the following command:
+#
+#    pip-compile --no-annotate --resolver=backtracking .riot/requirements/861bff5.in
+#
+attrs==23.1.0
+certifi==2023.7.22
+cffi==1.16.0
+charset-normalizer==3.3.2
+coverage[toml]==7.3.2
+cryptography==41.0.5
+exceptiongroup==1.1.3
+hypothesis==6.45.0
+idna==3.4
+iniconfig==2.0.0
+jinja2==3.1.2
+markdown-it-py==3.0.0
+markupsafe==2.1.3
+mdurl==0.1.2
+memray==1.10.0
+mock==5.1.0
+opentracing==2.4.0
+packaging==23.2
+pluggy==1.3.0
+pycparser==2.21
+pycryptodome==3.19.0
+pygments==2.16.1
+pytest==7.4.3
+pytest-cov==4.1.0
+pytest-memray==1.5.0
+pytest-mock==3.12.0
+requests==2.31.0
+rich==13.7.0
+sortedcontainers==2.4.0
+tomli==2.0.1
+urllib3==2.1.0

.riot/requirements/f43b103.txt

@@ -0,0 +1,38 @@
+#
+# This file is autogenerated by pip-compile with Python 3.8
+# by the following command:
+#
+#    pip-compile --no-annotate .riot/requirements/f43b103.in
+#
+attrs==23.1.0
+certifi==2023.7.22
+cffi==1.16.0
+charset-normalizer==3.3.2
+coverage[toml]==7.3.2
+cryptography==41.0.5
+exceptiongroup==1.1.3
+hypothesis==6.45.0
+idna==3.4
+iniconfig==2.0.0
+jinja2==3.1.2
+markdown-it-py==3.0.0
+markupsafe==2.1.3
+mdurl==0.1.2
+memray==1.10.0
+mock==5.1.0
+opentracing==2.4.0
+packaging==23.2
+pluggy==1.3.0
+pycparser==2.21
+pycryptodome==3.19.0
+pygments==2.16.1
+pytest==7.4.3
+pytest-cov==4.1.0
+pytest-memray==1.5.0
+pytest-mock==3.12.0
+requests==2.31.0
+rich==13.7.0
+sortedcontainers==2.4.0
+tomli==2.0.1
+typing-extensions==4.8.0
+urllib3==2.1.0

riotfile.py

@@ -150,6 +150,21 @@ def select_pys(min_version=MIN_PYTHON_VERSION, max_version=MAX_PYTHON_VERSION):
                 "_DD_APPSEC_DEDUPLICATION_ENABLED": "false",
             },
         ),
+        Venv(
+            name="appsec_iast_memcheck",
+            pys=select_pys(min_version="3.8", max_version="3.11"),
+            command="pytest {cmdargs} --memray --stacks=35 tests/appsec/iast_memcheck/",
+            pkgs={
+                "requests": latest,
+                "pycryptodome": latest,
+                "cryptography": latest,
+                "pytest-memray": latest,
+            },
+            env={
+                "DD_IAST_REQUEST_SAMPLING": "100",  # Override default 30% to analyze all IAST requests
+                "_DD_APPSEC_DEDUPLICATION_ENABLED": "false",
+            },
+        ),
         Venv(
             name="appsec_integrations",
             command="pytest {cmdargs} tests/appsec/integrations/",

tests/.suitespec.json

@@ -407,6 +407,15 @@
             "@appsec_iast",
             "tests/appsec/iast/*"
         ],
+        "appsec_iast_memcheck": [
+            "@bootstrap",
+            "@core",
+            "@tracing",
+            "@appsec",
+            "@appsec_iast",
+            "tests/appsec/iast/*",
+            "tests/appsec/iast_memcheck/*"
+        ],
         "appsec_integrations": [
             "@bootstrap",
             "@core",

tests/appsec/iast/test_iast_mem_check.py

@@ -0,0 +1,38 @@
+import inspect
+import os
+from typing import TYPE_CHECKING
+
+
+if TYPE_CHECKING:  # pragma: no cover
+    from typing import Optional
+    from typing import Text
+    from typing import Tuple
+
+
+FIRST_FRAME_NO_DDTRACE = 1
+
+DD_TRACE_INSTALLED_PREFIX = os.sep + "ddtrace" + os.sep
+SITE_PACKAGES_PREFIX = os.sep + "site-packages" + os.sep
+TESTS_PREFIX = os.sep + "tests" + os.sep
+
+
+def get_info_frame(cwd):
+    # type: (Text) -> Optional[Tuple[Text, int]]
+    """Get the filename (path + filename) and line number of the original wrapped function to report it.
+
+    CAVEAT: We should migrate this function to native code to improve the performance.
+    """
+    stack = inspect.stack()
+    for frame in stack[FIRST_FRAME_NO_DDTRACE:]:
+        filename = frame.filename
+        lineno = frame.lineno
+        if (
+            (DD_TRACE_INSTALLED_PREFIX in filename and TESTS_PREFIX not in filename)
+            or (cwd not in filename)
+            or (SITE_PACKAGES_PREFIX in filename)
+        ):
+            continue
+
+        return filename, lineno
+
+    return None