fix(iast): avoid reporting line number 0 [backport 2.5] (#8553)

github-actions[bot] · gnufede · web-flow · commit 7696cf3a20cd · 2024-02-28T18:38:51.000+01:00
Backport 84b3d5e from #8549 to 2.5. IAST: This fix addresses an issue where a vulnerability would be reported at line 0 if we couldn't extract the proper line number, whereas the default line number should be -1. ## Checklist - [x] Change(s) are motivated and described in the PR description - [x] Testing strategy is described if automated tests are not included in the PR - [x] Risks are described (performance impact, potential for breakage, maintainability) - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] [Library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) are followed or label `changelog/no-changelog` is set - [x] Documentation is included (in-code, generated user docs, [public corp docs](https://github.com/DataDog/documentation/)) - [x] Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) - [x] If this PR changes the public interface, I've notified `@DataDog/apm-tees`. - [x] If change touches code that signs or publishes builds or packages, or handles credentials of any kind, I've requested a review from `@DataDog/security-design-and-guidance`. ## Reviewer Checklist - [x] Title is accurate - [x] All changes are related to the pull request's stated goal - [x] Description motivates each change - [x] Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - [x] Testing strategy adequately addresses listed risks - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] Release note makes sense to a user of the library - [x] Author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - [x] Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) Co-authored-by: Federico Mon <federico.mon@datadoghq.com>
diff --git a/ddtrace/appsec/_iast/_stacktrace.c b/ddtrace/appsec/_iast/_stacktrace.c
@@ -122,8 +122,8 @@ get_file_and_line(PyObject* Py_UNUSED(module), PyObject* cwd_obj)
     return result;
 
 exit_0:; // fix: "a label can only be part of a statement and a declaration is not a statement" error
-    // Return "", 0
-    PyObject* line_obj = Py_BuildValue("i", 0);
+    // Return "", -1
+    PyObject* line_obj = Py_BuildValue("i", -1);
     filename_o = PyUnicode_FromString("");
     result = PyTuple_Pack(2, filename_o, line_obj);
     Py_DecRef(cwd_bytes);
diff --git a/ddtrace/appsec/_iast/taint_sinks/_base.py b/ddtrace/appsec/_iast/taint_sinks/_base.py
@@ -94,6 +94,9 @@ def wrapper(wrapped, instance, args, kwargs):
     @classmethod
     @taint_sink_deduplication
     def _prepare_report(cls, span, vulnerability_type, evidence, file_name, line_number, sources):
+        if line_number is not None and (line_number == 0 or line_number < -1):
+            line_number = -1
+
         report = core.get_item(IAST.CONTEXT_KEY, span=span)
         if report:
             report.vulnerabilities.add(
diff --git a/releasenotes/notes/iast-fix-report-line-number-0-c951395b4e5d6dc4.yaml b/releasenotes/notes/iast-fix-report-line-number-0-c951395b4e5d6dc4.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    Vulnerability Management for Code-level (IAST): This fix addresses an issue where a vulnerability would be reported at line 0 if we couldn't extract the proper line number, whereas the default line number should be -1.
diff --git a/tests/appsec/iast/fixtures/taint_sinks/weak_algorithms.py b/tests/appsec/iast/fixtures/taint_sinks/weak_algorithms.py
@@ -5,13 +5,13 @@
 import os
 
 
-def parametrized_week_hash(hash_func, method):
+def parametrized_weak_hash(hash_func, method):
     import hashlib
 
     m = getattr(hashlib, hash_func)()
     m.update(b"Nobody inspects")
     m.update(b" the spammish repetition")
-    # label parametrized_week_hash
+    # label parametrized_weak_hash
     getattr(m, method)()
 
 
diff --git a/tests/appsec/iast/iast_utils.py b/tests/appsec/iast/iast_utils.py
@@ -11,10 +11,13 @@ def get_line(label, filename=None):
     raise AssertionError("label %s not found" % label)
 
 
-def get_line_and_hash(label, vuln_type, filename=None):
+def get_line_and_hash(label, vuln_type, filename=None, fixed_line=None):
     """return the line number and the associated vulnerability hash for `label` and source file `filename`"""
 
-    line = get_line(label, filename=filename)
+    if fixed_line is not None:
+        line = fixed_line
+    else:
+        line = get_line(label, filename=filename)
     rep = "Vulnerability(type='%s', location=Location(path='%s', line=%s))" % (vuln_type, filename, line)
     hash_value = zlib.crc32(rep.encode())
 
diff --git a/tests/appsec/iast/taint_sinks/test_weak_hash.py b/tests/appsec/iast/taint_sinks/test_weak_hash.py
@@ -9,7 +9,7 @@
 from ddtrace.appsec._iast.taint_sinks.weak_hash import unpatch_iast
 from ddtrace.internal import core
 from tests.appsec.iast.fixtures.taint_sinks.weak_algorithms import hashlib_new
-from tests.appsec.iast.fixtures.taint_sinks.weak_algorithms import parametrized_week_hash
+from tests.appsec.iast.fixtures.taint_sinks.weak_algorithms import parametrized_weak_hash
 from tests.appsec.iast.iast_utils import get_line_and_hash
 from tests.utils import override_env
 
@@ -28,10 +28,10 @@
     ],
 )
 def test_weak_hash_hashlib(iast_span_defaults, hash_func, method):
-    parametrized_week_hash(hash_func, method)
+    parametrized_weak_hash(hash_func, method)
 
     line, hash_value = get_line_and_hash(
-        "parametrized_week_hash", VULN_INSECURE_HASHING_TYPE, filename=WEAK_ALGOS_FIXTURES_PATH
+        "parametrized_weak_hash", VULN_INSECURE_HASHING_TYPE, filename=WEAK_ALGOS_FIXTURES_PATH
     )
 
     span_report = core.get_item(IAST.CONTEXT_KEY, span=iast_span_defaults)
@@ -42,6 +42,32 @@ def test_weak_hash_hashlib(iast_span_defaults, hash_func, method):
     assert list(span_report.vulnerabilities)[0].hash == hash_value
 
 
+@pytest.mark.parametrize(
+    "hash_func,method,fake_line",
+    [
+        ("md5", "hexdigest", 0),
+        ("md5", "hexdigest", -100),
+        ("md5", "hexdigest", -1),
+    ],
+)
+def test_ensure_line_reported_is_minus_one_for_edge_cases(iast_span_defaults, hash_func, method, fake_line):
+    with mock.patch(
+        "ddtrace.appsec._iast.taint_sinks._base.get_info_frame", return_value=(WEAK_ALGOS_FIXTURES_PATH, fake_line)
+    ):
+        parametrized_weak_hash(hash_func, method)
+
+    _, hash_value = get_line_and_hash(
+        "parametrized_weak_hash", VULN_INSECURE_HASHING_TYPE, filename=WEAK_ALGOS_FIXTURES_PATH, fixed_line=-1
+    )
+
+    span_report = core.get_item(IAST.CONTEXT_KEY, span=iast_span_defaults)
+    assert list(span_report.vulnerabilities)[0].type == VULN_INSECURE_HASHING_TYPE
+    assert list(span_report.vulnerabilities)[0].location.path == WEAK_ALGOS_FIXTURES_PATH
+    assert list(span_report.vulnerabilities)[0].location.line == -1
+    assert list(span_report.vulnerabilities)[0].evidence.value == hash_func
+    assert list(span_report.vulnerabilities)[0].hash == hash_value
+
+
 @pytest.mark.parametrize("hash_func", ["md5", "sha1"])
 def test_weak_hash_hashlib_no_digest(iast_span_md5_and_sha1_configured, hash_func):
     import hashlib

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +fixes:
 +  - |
 +    Vulnerability Management for Code-level (IAST): This fix addresses an issue where a vulnerability would be reported at line 0 if we couldn't extract the proper line number, whereas the default line number should be -1.