fix(asm): add __deepcopy__ for wrapped builtin functions [backport 3.3] (#12953)

Backport ff1271b from #12948 to 3.3.



## Description

This PR fixes a NotImplementedError that occurred when trying to
deepcopy wrapped builtin functions (like `open`) while ASM or IAST were
enabled.

### The Problem
When ASM/IAST is enabled, we wrap certain builtin functions to add
security instrumentation. However, when these wrapped functions were
deepcopied, they would raise a NotImplementedError because the wrapper
didn't implement the `__deepcopy__` method:

```python
import copy

# This would raise NotImplementedError before the fix
copy.deepcopy(open)  # NotImplementedError: object proxy must define __deepcopy__()
```

### The Solution
We've modified the `BuiltinFunctionWrapper` class to properly handle
deepcopying by:
1. Implementing `__deepcopy__` to create a new wrapper instance
2. Preserving the original function type through the wrapper
3. Ensuring the wrapped function maintains its original type after
deepcopy

### Testing
- Added test cases to verify that wrapped builtin functions can be
deepcopied without errors
- Verified that the wrapper preserves all necessary attributes and
functionality
- Tested with Python 3.13 to ensure compatibility

### Impact
This fix resolves the NotImplementedError when deepcopying wrapped
builtin functions, making the ASM/IAST functionality more robust and
compatible with code that needs to deepcopy these functions.

## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met 
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

Co-authored-by: Alberto Vara <[email protected]>

Author: github-actions[bot]

ddtrace/appsec/_common_module_patches.py

@@ -1,5 +1,4 @@
 # This module must not import other modules unconditionally that require iast
-
 import ctypes
 import os
 from typing import Any
@@ -317,6 +316,7 @@ def wrap_object(module, name, factory, args=(), kwargs=None):
     (parent, attribute, original) = resolve_path(module, name)
     wrapper = factory(original, *args, **kwargs)
     apply_patch(parent, attribute, wrapper)
+    wrapper.__deepcopy__ = lambda memo: wrapper
     return wrapper
 
 

releasenotes/notes/appsec-deepcopy-error-0f898629251881d2.yaml

@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    ASM: Fixed a NotImplementedError that occurred when trying to deepcopy wrapped builtin functions (like `open`)
+    while ASM or IAST were enabled. The error was caused by the wrapper not implementing the `__deepcopy__` method.

tests/appsec/app.py

@@ -1,12 +1,14 @@
 """ This Flask application is imported on tests.appsec.appsec_utils.gunicorn_server
 """
+import copy
 import os
 import re
 import subprocess  # nosec
 
 from flask import Flask
 from flask import Response
 from flask import request
+from wrapt import FunctionWrapper
 
 
 import ddtrace.auto  # noqa: F401  # isort: skip
@@ -980,6 +982,12 @@ def iast_ast_patching_non_re_search():
     return resp
 
 
+@app.route("/common-modules-patch-read", methods=["GET"])
+def test_flask_common_modules_patch_read():
+    copy_open = copy.deepcopy(open)
+    return Response(f"OK: {isinstance(copy_open, FunctionWrapper)}")
+
+
 if __name__ == "__main__":
     env_port = os.getenv("FLASK_RUN_PORT", 8000)
     debug = asbool(os.getenv("FLASK_DEBUG", "false"))

tests/appsec/appsec/test_common_modules.py

@@ -0,0 +1,132 @@
+import builtins
+import copy
+import types
+
+import pytest
+from wrapt import FunctionWrapper
+
+from ddtrace.appsec._common_module_patches import patch_common_modules
+from ddtrace.appsec._common_module_patches import try_unwrap
+from ddtrace.appsec._common_module_patches import try_wrap_function_wrapper
+from ddtrace.appsec._common_module_patches import unpatch_common_modules
+
+
+def test_patch_read():
+    unpatch_common_modules()
+    copy_open = copy.deepcopy(open)
+
+    assert copy_open is open
+    assert type(open) == types.BuiltinFunctionType
+    assert not isinstance(open, FunctionWrapper)
+    assert not isinstance(copy_open, FunctionWrapper)
+    assert isinstance(open, types.BuiltinFunctionType)
+
+
+def test_patch_read_enabled():
+    unpatch_common_modules()
+    original_open = open
+    try:
+        patch_common_modules()
+        copy_open = copy.deepcopy(open)
+
+        assert type(open) == FunctionWrapper
+        assert isinstance(copy_open, FunctionWrapper)
+        assert isinstance(open, FunctionWrapper)
+        assert hasattr(open, "__wrapped__")
+        assert open.__wrapped__ is original_open
+    finally:
+        unpatch_common_modules()
+
+
+@pytest.mark.parametrize(
+    "builtin_function_name",
+    [
+        "all",
+        "any",
+        "ascii",
+        "bin",
+        "bool",
+        "breakpoint",
+        "bytearray",
+        "bytes",
+        "callable",
+        "chr",
+        "classmethod",
+        "compile",
+        "complex",
+        "copyright",
+        "credits",
+        "delattr",
+        "dict",
+        "dir",
+        "divmod",
+        "enumerate",
+        "eval",
+        "exec",
+        "exit",
+        "filter",
+        "float",
+        "format",
+        "frozenset",
+        "getattr",
+        "globals",
+        "hasattr",
+        "hash",
+        "help",
+        "hex",
+        "id",
+        "input",
+        "int",
+        "isinstance",
+        "issubclass",
+        "iter",
+        "len",
+        "license",
+        "list",
+        "locals",
+        "map",
+        "max",
+        "memoryview",
+        "min",
+        "next",
+        "object",
+        "oct",
+        "open",
+        "ord",
+        "pow",
+        "print",
+        "property",
+        "quit",
+        "range",
+        "repr",
+        "reversed",
+        "round",
+        "set",
+        "setattr",
+        "slice",
+        "sorted",
+        "staticmethod",
+        "str",
+        "sum",
+        "super",
+        "tuple",
+        "vars",
+        "zip",
+    ],
+)
+def test_other_builtin_functions(builtin_function_name):
+    def dummywrapper(callable, instance, args, kwargs):  # noqa: A002
+        return callable(*args, **kwargs)
+
+    try:
+        try_wrap_function_wrapper("builtins", builtin_function_name, dummywrapper)
+
+        original_func = getattr(builtins, builtin_function_name)
+        copy_func = copy.deepcopy(original_func)
+
+        assert type(original_func) == FunctionWrapper
+        assert isinstance(copy_func, FunctionWrapper)
+        assert isinstance(original_func, FunctionWrapper)
+        assert hasattr(original_func, "__wrapped__")
+    finally:
+        try_unwrap("builtins", builtin_function_name)

tests/appsec/integrations/flask_tests/test_appsec_flask.py

@@ -5,6 +5,8 @@
 from ddtrace.contrib.internal.sqlite3.patch import patch
 from ddtrace.ext import http
 from ddtrace.internal import constants
+from tests.appsec.appsec_utils import flask_server
+from tests.appsec.integrations.flask_tests.utils import _PORT
 import tests.appsec.rules as rules
 from tests.contrib.flask import BaseFlaskTestCase
 from tests.utils import override_global_config
@@ -85,3 +87,23 @@ def test_route(user_id):
 
             resp = self.client.get("/checkuser/%s" % _ALLOWED_USER, headers={"Accept": "text/html"})
             assert resp.status_code == 200
+
+
+@pytest.mark.parametrize(
+    "iast_enabled",
+    ["true", "false"],
+)
+@pytest.mark.parametrize("appsec_enabled", ["true", "false"])
+def test_flask_common_modules_patch_read(iast_enabled, appsec_enabled):
+    with flask_server(
+        appsec_enabled=iast_enabled, iast_enabled=appsec_enabled, token=None, port=_PORT, assert_debug=False
+    ) as context:
+        _, flask_client, pid = context
+
+        response = flask_client.get("/common-modules-patch-read")
+
+        assert response.status_code == 200
+        if iast_enabled == appsec_enabled == "false":
+            assert response.content == b"OK: False"
+        else:
+            assert response.content == b"OK: True"