chore(asm): don't load appsec modules (iast)... [backport 2.20] (#12298)

The goal is to make sure no appsec module is loaded if appsec is
disabled.
This PR is the first one of 2, handling IAST.
It removes all non guarded IAST import from outside appsec.

- ensure we don't load any iast module if iast is disabled
- replace `_is_iast_enabled()` by a field `_iast_enabled` in the asm
config

APPSEC-56626

## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if


[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking


[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance


policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

(cherry picked from commit ea2a9a5)

---------

Co-authored-by: Christophe Papazian <[email protected]>
Co-authored-by: Alberto Vara <[email protected]>

Author: 3 people

ddtrace/_monkey.py

@@ -7,8 +7,8 @@
 
 from ddtrace.appsec import load_common_appsec_modules
 from ddtrace.internal.telemetry.constants import TELEMETRY_NAMESPACE
+from ddtrace.settings.asm import config as asm_config
 
-from .appsec._iast._utils import _is_iast_enabled
 from .internal import telemetry
 from .internal.logger import get_logger
 from .internal.utils import formats
@@ -240,7 +240,7 @@ def patch_all(**patch_modules):
     modules.update(patch_modules)
 
     patch(raise_errors=False, **modules)
-    if _is_iast_enabled():
+    if asm_config._iast_enabled:
         from ddtrace.appsec._iast._patch_modules import patch_iast
         from ddtrace.appsec.iast import enable_iast_propagation
 

ddtrace/appsec/_asm_request_context.py

@@ -18,7 +18,6 @@
 from ddtrace.appsec._iast._iast_request_context import is_iast_request_enabled
 from ddtrace.appsec._iast._taint_tracking import OriginType
 from ddtrace.appsec._iast._taint_tracking._taint_objects import taint_pyobject
-from ddtrace.appsec._iast._utils import _is_iast_enabled
 from ddtrace.appsec._utils import add_context_log
 from ddtrace.appsec._utils import get_triggers
 from ddtrace.internal import core
@@ -493,7 +492,7 @@ def _on_wrapped_view(kwargs):
 
     # If IAST is enabled, taint the Flask function kwargs (path parameters)
 
-    if _is_iast_enabled() and kwargs:
+    if asm_config._iast_enabled and kwargs:
         if not is_iast_request_enabled():
             return return_value
 

ddtrace/appsec/_iast/__init__.py

@@ -38,7 +38,6 @@ def wrapped_function(wrapped, instance, args, kwargs):
 from ddtrace.settings.asm import config as asm_config
 
 from ._overhead_control_engine import OverheadControl
-from ._utils import _is_iast_enabled
 
 
 log = get_logger(__name__)
@@ -54,7 +53,7 @@ def ddtrace_iast_flask_patch():
     and must be before the `app.run()` call. It also requires `DD_IAST_ENABLED` to be
     activated.
     """
-    if not _is_iast_enabled():
+    if not asm_config._iast_enabled:
         return
 
     from ._ast.ast_patching import astpatch_module

ddtrace/appsec/_iast/_handlers.py

@@ -4,8 +4,6 @@
 from wrapt import when_imported
 from wrapt import wrap_function_wrapper as _w
 
-from ddtrace.appsec._iast import _is_iast_enabled
-from ddtrace.appsec._iast._iast_request_context import in_iast_context
 from ddtrace.appsec._iast._metrics import _set_metric_iast_instrumented_source
 from ddtrace.appsec._iast._patch import _iast_instrument_starlette_request
 from ddtrace.appsec._iast._patch import _iast_instrument_starlette_request_body
@@ -17,6 +15,7 @@
 from ddtrace.appsec._iast._taint_tracking._taint_objects import is_pyobject_tainted
 from ddtrace.appsec._iast._taint_utils import taint_structure
 from ddtrace.internal.logger import get_logger
+from ddtrace.settings.asm import config as asm_config
 
 from ._iast_request_context import is_iast_request_enabled
 from ._taint_tracking._taint_objects import taint_pyobject
@@ -47,7 +46,7 @@ def _on_set_http_meta_iast(
     response_headers,
     response_cookies,
 ):
-    if _is_iast_enabled():
+    if asm_config._iast_enabled:
         from ddtrace.appsec._iast.taint_sinks.insecure_cookie import asm_check_cookies
 
         if response_cookies:
@@ -56,7 +55,7 @@ def _on_set_http_meta_iast(
 
 def _on_request_init(wrapped, instance, args, kwargs):
     wrapped(*args, **kwargs)
-    if _is_iast_enabled() and in_iast_context():
+    if asm_config._iast_enabled and is_iast_request_enabled():
         try:
             instance.query_string = taint_pyobject(
                 pyobject=instance.query_string,
@@ -75,7 +74,7 @@ def _on_request_init(wrapped, instance, args, kwargs):
 
 
 def _on_flask_patch(flask_version):
-    if _is_iast_enabled():
+    if asm_config._iast_enabled:
         try_wrap_function_wrapper(
             "werkzeug.datastructures",
             "Headers.items",
@@ -129,16 +128,21 @@ def _on_flask_patch(flask_version):
             )
             _set_metric_iast_instrumented_source(OriginType.QUERY)
 
+        # Instrumented on _on_set_request_tags_iast
+        _set_metric_iast_instrumented_source(OriginType.COOKIE_NAME)
+        _set_metric_iast_instrumented_source(OriginType.COOKIE)
+        _set_metric_iast_instrumented_source(OriginType.PARAMETER_NAME)
+
 
 def _on_wsgi_environ(wrapped, _instance, args, kwargs):
-    if _is_iast_enabled() and args and in_iast_context():
+    if asm_config._iast_enabled and args and is_iast_request_enabled():
         return wrapped(*((taint_structure(args[0], OriginType.HEADER_NAME, OriginType.HEADER),) + args[1:]), **kwargs)
 
     return wrapped(*args, **kwargs)
 
 
 def _on_django_patch():
-    if _is_iast_enabled():
+    if asm_config._iast_enabled:
         try:
             # we instrument those sources on _on_django_func_wrapped
             _set_metric_iast_instrumented_source(OriginType.HEADER_NAME)
@@ -164,8 +168,8 @@ def _on_django_patch():
 def _on_django_func_wrapped(fn_args, fn_kwargs, first_arg_expected_type, *_):
     # If IAST is enabled, and we're wrapping a Django view call, taint the kwargs (view's
     # path parameters)
-    if _is_iast_enabled() and fn_args and isinstance(fn_args[0], first_arg_expected_type):
-        if not in_iast_context():
+    if asm_config._iast_enabled and fn_args and isinstance(fn_args[0], first_arg_expected_type):
+        if not is_iast_request_enabled():
             return
 
         http_req = fn_args[0]
@@ -272,32 +276,30 @@ def _patch_protobuf_class(cls):
 
 
 def _on_grpc_response(message):
-    if _is_iast_enabled():
+    if asm_config._iast_enabled:
         msg_cls = type(message)
         _patch_protobuf_class(msg_cls)
 
 
 def if_iast_taint_yield_tuple_for(origins, wrapped, instance, args, kwargs):
-    if _is_iast_enabled():
-        if not is_iast_request_enabled():
-            for key, value in wrapped(*args, **kwargs):
-                yield key, value
-        else:
+    if asm_config._iast_enabled and is_iast_request_enabled():
+        try:
             for key, value in wrapped(*args, **kwargs):
                 new_key = taint_pyobject(pyobject=key, source_name=key, source_value=key, source_origin=origins[0])
                 new_value = taint_pyobject(
                     pyobject=value, source_name=key, source_value=value, source_origin=origins[1]
                 )
                 yield new_key, new_value
-
+        except Exception:
+            log.debug("Unexpected exception while tainting pyobject", exc_info=True)
     else:
         for key, value in wrapped(*args, **kwargs):
             yield key, value
 
 
 def if_iast_taint_returned_object_for(origin, wrapped, instance, args, kwargs):
     value = wrapped(*args, **kwargs)
-    if _is_iast_enabled() and is_iast_request_enabled():
+    if asm_config._iast_enabled and is_iast_request_enabled():
         try:
             if not is_pyobject_tainted(value):
                 name = str(args[0]) if len(args) else "http.request.body"
@@ -311,7 +313,7 @@ def if_iast_taint_returned_object_for(origin, wrapped, instance, args, kwargs):
 
 def if_iast_taint_starlette_datastructures(origin, wrapped, instance, args, kwargs):
     value = wrapped(*args, **kwargs)
-    if _is_iast_enabled() and is_iast_request_enabled():
+    if asm_config._iast_enabled and is_iast_request_enabled():
         try:
             res = []
             for element in value:
@@ -417,14 +419,7 @@ def _on_pre_tracedrequest_iast(ctx):
 
 
 def _on_set_request_tags_iast(request, span, flask_config):
-    if _is_iast_enabled():
-        _set_metric_iast_instrumented_source(OriginType.COOKIE_NAME)
-        _set_metric_iast_instrumented_source(OriginType.COOKIE)
-        _set_metric_iast_instrumented_source(OriginType.PARAMETER_NAME)
-
-        if not is_iast_request_enabled():
-            return
-
+    if asm_config._iast_enabled and is_iast_request_enabled():
         request.cookies = taint_structure(
             request.cookies,
             OriginType.COOKIE_NAME,

ddtrace/appsec/_iast/_iast_request_context.py

@@ -5,7 +5,6 @@
 
 from ddtrace.appsec._constants import APPSEC
 from ddtrace.appsec._constants import IAST
-from ddtrace.appsec._iast import _is_iast_enabled
 from ddtrace.appsec._iast import oce
 from ddtrace.appsec._iast._metrics import _set_metric_iast_request_tainted
 from ddtrace.appsec._iast._metrics import _set_span_tag_iast_executed_sink
@@ -17,6 +16,7 @@
 from ddtrace.internal import core
 from ddtrace.internal.logger import get_logger
 from ddtrace.internal.utils.formats import asbool
+from ddtrace.settings.asm import config as asm_config
 from ddtrace.trace import Span
 
 
@@ -57,7 +57,7 @@ def in_iast_context() -> bool:
 
 
 def start_iast_context():
-    if _is_iast_enabled():
+    if asm_config._iast_enabled:
         create_propagation_context()
         core.set_item(_IAST_CONTEXT, IASTEnvironment())
 
@@ -150,7 +150,7 @@ def _iast_end_request(ctx=None, span=None, *args, **kwargs):
             else:
                 req_span = ctx.get_item("req_span")
 
-        if _is_iast_enabled():
+        if asm_config._iast_enabled:
             existing_data = req_span.get_tag(IAST.JSON)
             if existing_data is None:
                 if req_span.get_metric(IAST.ENABLED) is None:
@@ -173,7 +173,7 @@ def _iast_end_request(ctx=None, span=None, *args, **kwargs):
 
 def _iast_start_request(span=None, *args, **kwargs):
     try:
-        if _is_iast_enabled():
+        if asm_config._iast_enabled:
             start_iast_context()
             request_iast_enabled = False
             if oce.acquire_request(span):

ddtrace/appsec/_iast/_loader.py

@@ -1,14 +1,14 @@
 #!/usr/bin/env python3
 
 from ddtrace.internal.logger import get_logger
+from ddtrace.settings.asm import config as asm_config
 
 from ._ast.ast_patching import astpatch_module
-from ._utils import _is_iast_enabled
 
 
 log = get_logger(__name__)
 
-IS_IAST_ENABLED = _is_iast_enabled()
+IS_IAST_ENABLED = asm_config._iast_enabled
 
 
 def _exec_iast_patched_module(module_watchdog, module):

ddtrace/appsec/_iast/_pytest_plugin.py

@@ -4,9 +4,9 @@
 from typing import List
 
 from ddtrace.appsec._constants import IAST
-from ddtrace.appsec._iast._utils import _is_iast_enabled
 from ddtrace.appsec._iast.reporter import Vulnerability
 from ddtrace.internal.logger import get_logger
+from ddtrace.settings.asm import config as asm_config
 
 
 log = get_logger(__name__)
@@ -20,7 +20,7 @@ class VulnerabilityFoundInTest(Vulnerability):
 try:
     import pytest
 
-    @pytest.fixture(autouse=_is_iast_enabled())
+    @pytest.fixture(autouse=asm_config._iast_enabled)
     def ddtrace_iast(request, ddspan):
         """
         Extract the vulnerabilities discovered in tests.
@@ -72,7 +72,7 @@ def extract_code_snippet(filepath, line_number, context=3):
 
 
 def print_iast_report(terminalreporter):
-    if not _is_iast_enabled():
+    if not asm_config._iast_enabled:
         return
 
     if not vuln_data:

ddtrace/appsec/_iast/_utils.py

@@ -1,29 +1,8 @@
-from functools import lru_cache
-import sys
 from typing import List
 
-from ddtrace.internal.logger import get_logger
 from ddtrace.settings.asm import config as asm_config
 
 
-@lru_cache(maxsize=1)
-def _is_python_version_supported() -> bool:
-    # IAST supports Python versions 3.6 to 3.13
-    return (3, 6, 0) <= sys.version_info < (3, 14, 0)
-
-
-def _is_iast_enabled():
-    if not asm_config._iast_enabled:
-        return False
-
-    if not _is_python_version_supported():
-        log = get_logger(__name__)
-        log.info("IAST is not compatible with the current Python version")
-        return False
-
-    return True
-
-
 def _get_source_index(sources: List, source) -> int:
     i = 0
     for source_ in sources:

ddtrace/appsec/_iast/taint_sinks/insecure_cookie.py

@@ -1,8 +1,9 @@
 from typing import Dict
 from typing import Optional
 
+from ddtrace.settings.asm import config as asm_config
+
 from ..._constants import IAST_SPAN_TAGS
-from .. import _is_iast_enabled
 from .. import oce
 from .._iast_request_context import is_iast_request_enabled
 from .._metrics import _set_metric_iast_executed_sink
@@ -36,7 +37,7 @@ class NoSameSite(VulnerabilityBase):
 def asm_check_cookies(cookies: Optional[Dict[str, str]]) -> None:
     if not cookies:
         return
-    if _is_iast_enabled() and is_iast_request_enabled():
+    if asm_config._iast_enabled and is_iast_request_enabled():
         try:
             for cookie_key, cookie_value in cookies.items():
                 lvalue = cookie_value.lower().replace(" ", "")

ddtrace/contrib/dbapi/__init__.py

@@ -4,15 +4,14 @@
 import wrapt
 
 from ddtrace import config
-from ddtrace.appsec._iast._utils import _is_iast_enabled
+from ddtrace.appsec._constants import IAST_SPAN_TAGS
 from ddtrace.internal import core
 from ddtrace.internal.constants import COMPONENT
 from ddtrace.internal.logger import get_logger
 from ddtrace.internal.utils import ArgumentError
 from ddtrace.internal.utils import get_argument_value
+from ddtrace.settings.asm import config as asm_config
 
-from ...appsec._constants import IAST_SPAN_TAGS
-from ...appsec._iast._metrics import increment_iast_span_metric
 from ...constants import _ANALYTICS_SAMPLE_RATE_KEY
 from ...constants import _SPAN_MEASURED_KEY
 from ...constants import SPAN_KIND
@@ -103,9 +102,10 @@ def _trace_method(self, method, name, resource, extra_tags, dbm_propagator, *arg
             # set span.kind to the type of request being performed
             s.set_tag_str(SPAN_KIND, SpanKind.CLIENT)
 
-            if _is_iast_enabled():
+            if asm_config._iast_enabled:
                 try:
                     from ddtrace.appsec._iast._metrics import _set_metric_iast_executed_sink
+                    from ddtrace.appsec._iast._metrics import increment_iast_span_metric
                     from ddtrace.appsec._iast._taint_utils import check_tainted_dbapi_args
                     from ddtrace.appsec._iast.taint_sinks.sql_injection import SqlInjection