fix(iast): ast patching error in mysqlsh [backport 3.10] (#14002)

Backport 46f013d from #13979 to 3.10.

The AST analysis could yield unexpected or incorrect results when
analyzingcode that overwrites built-in or global names at runtime. A
notable example is `mysqlsh` (MySQL Shell), which reassigns `globals`
with something like: `globals = ShellGlobals()`. Since `globals` is a
built-in function in Python, reassigning it alters the global
namespace's behavior during analysis. This can cause dynamic
instrumentation, taint tracking, or symbol resolution to behave
incorrectly or inconsistently

How to test manually, create this Dockerfile

```
FROM python:3.13-slim

RUN apt-get update && \
    apt-get install -y gnupg wget lsb-release && \
    wget https://dev.mysql.com/get/mysql-apt-config_0.8.29-1_all.deb && \
    DEBIAN_FRONTEND=noninteractive dpkg -i mysql-apt-config_0.8.29-1_all.deb && \
    apt-get update && \
    apt-get install -y mysql-shell vim && \
    rm -f mysql-apt-config_0.8.29-1_all.deb && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

RUN pip install bytecode wrapt envier
ADD . /app
WORKDIR /app
```

and execute:
```
docker build -t python-mysqlsh .
docker run -it --rm python-mysqlsh bash
>>> export PATH=$PATH:$PWD && export PYTHONPATH=$PYTHONPATH:$PWD
>>> DD_TRACE_DEBUG=true DD_IAST_ENABLED=true python -m ddtrace.commands.ddtrace_run mysqlsh
```

## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met 
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

Co-authored-by: Alberto Vara <[email protected]>

Author: github-actions[bot]

ddtrace/appsec/_iast/_ast/iastpatch.c

@@ -20,7 +20,7 @@ static size_t cached_packages_count = 0;
 static const char* static_allowlist[] = {
     "jinja2.",     "pygments.",       "multipart.", "sqlalchemy.",     "python_multipart.",
     "attrs.",      "jsonschema.",     "s3fs.",      "mysql.",          "pymysql.",
-    "markupsafe.", "werkzeug.utils.", "langchain.", "langchain_core.", "django.http.response"
+    "markupsafe.", "werkzeug.utils.", "langchain.", "langchain_core.", "django.http.response."
 };
 static const size_t static_allowlist_count = sizeof(static_allowlist) / sizeof(static_allowlist[0]);
 
@@ -170,6 +170,7 @@ static const char* static_denylist[] = {
     "django_filters.rest_framework.filterset.",
     "django_filters.utils.",
     "django_filters.widgets.",
+    "mysqlsh.",
 };
 static const size_t static_denylist_count = sizeof(static_denylist) / sizeof(static_denylist[0]);
 

ddtrace/appsec/_iast/_loader.py

@@ -11,6 +11,32 @@
 
 
 def _exec_iast_patched_module(module_watchdog, module):
+    """Execute a Python module with IAST (Interactive Application Security Testing) instrumentation.
+
+    This function performs dynamic code transformation using AST (Abstract Syntax Tree) patching
+    to inject security vulnerability detection capabilities into Python modules at runtime.
+    It's a core component of the IAST engine that enables taint tracking and vulnerability
+    detection without modifying the original source code.
+
+    How it works:
+    1. Attempts to patch the module's AST using astpatch_module()
+    2. If successful, compiles the patched AST into executable bytecode
+    3. Executes the instrumented bytecode instead of the original module
+    4. Falls back to executing the original module if patching fails
+
+    Runtime Considerations:
+    - The AST analysis could yield unexpected or incorrect results when analyzing
+      code that overwrites built-in or global names at runtime
+    - A notable example is `mysqlsh` (MySQL Shell), which reassigns `globals` with
+      something like: `globals = ShellGlobals()`. Since `globals` is a built-in
+      function in Python, reassigning it alters the global namespace's behavior
+      during analysis. This can cause dynamic instrumentation, taint tracking,
+      or symbol resolution to behave incorrectly or inconsistently
+    - The function gracefully handles compilation and execution errors by falling
+      back to the original module execution
+    - All exceptions during patching are logged but don't prevent module execution
+    """
+
     patched_ast = None
     compiled_code = None
     if IS_IAST_ENABLED:
@@ -19,7 +45,6 @@ def _exec_iast_patched_module(module_watchdog, module):
         except Exception:
             iast_compiling_debug_log("Unexpected exception while AST patching", exc_info=True)
             patched_ast = None
-
     if patched_ast:
         try:
             # Patched source is compiled in order to execute it
@@ -30,8 +55,12 @@ def _exec_iast_patched_module(module_watchdog, module):
 
     if compiled_code:
         iast_compiling_debug_log(f"INSTRUMENTED CODE. executing {module_path}")
-        # Patched source is executed instead of original module
-        exec(compiled_code, module.__dict__)  # nosec B102
+        try:
+            # Patched source is executed instead of original module
+            exec(compiled_code, module.__dict__)  # nosec B102
+        except TypeError:
+            iast_compiling_debug_log("INSTRUMENTED CODE. Unexpected exception", exc_info=True)
+            module_watchdog.loader.exec_module(module)
     elif module_watchdog.loader is not None:
         try:
             iast_compiling_debug_log(f"DEFAULT CODE. executing {module}")

releasenotes/notes/iast-fix-mysqlsh-b397bf8415716ba3.yaml

@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Code Security: AST analysis may fail or behave unexpectedly in cases where code overrides Python built-ins or 
+    globals at runtime, e.g., ``mysqlsh`` (MySQL Shell) reassigns globals with a custom object. 
+    This can interfere with analysis or instrumentation logic.

tests/appsec/iast/_ast/fixtures/del_variables_at_runtime.py

@@ -0,0 +1,19 @@
+class ShellGlobals(object):
+    def __setattr__(self, name, value):
+        self.__dict__[name] = value
+
+    def __delattr__(self, name):
+        del self.__dict__[name]
+
+    def __getattr__(self, name):
+        # backwards compatibility
+        if name == "mysql":
+            return "mysql"
+        elif name == "mysqlx":
+            return "mysqlx"
+        return self.__dict__[name]
+
+
+globals = ShellGlobals()  # noqa: A001
+
+del ShellGlobals

tests/appsec/iast/_ast/test_corner_cases.py

@@ -0,0 +1,13 @@
+import sys
+
+import pytest
+
+from tests.appsec.iast.iast_utils import _iast_patched_module
+
+
+@pytest.mark.skipif(sys.version_info < (3, 9), reason="This test doesn't raises an error on 3.8")
+def test_string_proper_method_called():
+    """Fixed in ddtrace/appsec/_iast/_loader.py except TypeError:"""
+    with pytest.raises(TypeError):
+        mod = _iast_patched_module("tests.appsec.iast._ast.fixtures.del_variables_at_runtime")
+        assert mod