fix(iast): avoid patching errors from stopping module load [backport 2.5] (#8546)

Backport 476ecb0 from #8527 to 2.5.

IAST: This fix addresses an issue where AST patching would generate code
that fails to compile, thereby preventing the application from starting
correctly.

While the root cause is not addressed here, this PR ensures that if the
produced code fails to compile, we would load the original module
instead.

## Checklist
- [x] Change(s) are motivated and described in the PR description
- [x] Testing strategy is described if automated tests are not included
in the PR
- [x] Risks are described (performance impact, potential for breakage,
maintainability)
- [x] Change is maintainable (easy to change, telemetry, documentation)
- [x] [Library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
are followed or label `changelog/no-changelog` is set
- [x] Documentation is included (in-code, generated user docs, [public
corp docs](https://github.com/DataDog/documentation/))
- [x] Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))
- [x] If this PR changes the public interface, I've notified
`@DataDog/apm-tees`.
- [x] If change touches code that signs or publishes builds or packages,
or handles credentials of any kind, I've requested a review from
`@DataDog/security-design-and-guidance`.

## Reviewer Checklist

- [x] Title is accurate
- [x] All changes are related to the pull request's stated goal
- [x] Description motivates each change
- [x] Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- [x] Testing strategy adequately addresses listed risks
- [x] Change is maintainable (easy to change, telemetry, documentation)
- [x] Release note makes sense to a user of the library
- [x] Author has acknowledged and discussed the performance implications
of this PR as reported in the benchmarks PR comment
- [x] Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

Co-authored-by: Federico Mon <[email protected]>

Author: github-actions[bot]

ddtrace/appsec/_iast/_loader.py

@@ -14,6 +14,7 @@
 
 def _exec_iast_patched_module(module_watchdog, module):
     patched_source = None
+    compiled_code = None
     if IS_IAST_ENABLED:
         try:
             module_path, patched_source = astpatch_module(module)
@@ -22,8 +23,15 @@ def _exec_iast_patched_module(module_watchdog, module):
             patched_source = None
 
     if patched_source:
+        try:
+            # Patched source is compiled in order to execute it
+            compiled_code = compile(patched_source, module_path, "exec")
+        except Exception:
+            log.debug("Unexpected exception while compiling patched code", exc_info=True)
+            compiled_code = None
+
+    if compiled_code:
         # Patched source is executed instead of original module
-        compiled_code = compile(patched_source, module_path, "exec")
         exec(compiled_code, module.__dict__)  # nosec B102
     elif module_watchdog.loader is not None:
         module_watchdog.loader.exec_module(module)

releasenotes/notes/iast-fix-patching-compile-errors-2dae59d3d9eefb37.yaml

@@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    Vulnerability Management for Code-level (IAST): This fix addresses an issue where AST patching would generate code that fails to compile, thereby preventing the application from starting correctly.

tests/appsec/iast/fixtures/loader.py

@@ -0,0 +1,5 @@
+#!/usr/bin/env python3
+
+
+def add(a, b):
+    return a + b

tests/appsec/iast/test_loader.py

@@ -0,0 +1,39 @@
+#!/usr/bin/env python3
+
+import importlib
+import sys
+
+import mock
+
+import ddtrace.appsec._iast._loader
+import ddtrace.bootstrap.preload
+from tests.utils import override_env
+
+
+ASPECTS_MODULE = "ddtrace.appsec._iast._taint_tracking.aspects"
+
+
+def test_patching_error():
+    """
+    When IAST is enabled and the loader fails to compile the module,
+    the module should still be imported successfully.
+    """
+    fixture_module = "tests.appsec.iast.fixtures.loader"
+    if fixture_module in sys.modules:
+        del sys.modules[fixture_module]
+
+    if ASPECTS_MODULE in sys.modules:
+        del sys.modules[ASPECTS_MODULE]
+
+    ddtrace.appsec._iast._loader.IS_IAST_ENABLED = True
+
+    with override_env({"DD_IAST_ENABLED": "true"}), mock.patch(
+        "ddtrace.appsec._iast._loader.compile", side_effect=ValueError
+    ) as loader_compile, mock.patch("ddtrace.appsec._iast._loader.exec") as loader_exec:
+        importlib.reload(ddtrace.bootstrap.preload)
+        imported_fixture_module = importlib.import_module(fixture_module)
+
+        imported_fixture_module.add(2, 1)
+        loader_compile.assert_called_once()
+        loader_exec.assert_not_called()
+        assert ASPECTS_MODULE not in sys.modules