chore(iast): taint tracking propagation, source (#6108)

Update IAST propagation:
- IAST compliance: rename "Input info" to "Source."
- Migrate Source to CPP.
- Add new dependencies to the setup: CMake. We need these dependencies
to build IAST binary.
- Update the setup to use IAST CMakeList file.
- Vendorize [pybind11](https://pybind11.readthedocs.io/en/stable/).

This PR is part of a bigger one:
#6283

## Migrate Source to CPP
We're working in parallel to migrate all IAST code to CPP. That's why
this PR changed many things to work with C++. We migrate Source first to
validate C++ is working, and the main features come later.
## Update setup
Extend the `build_ext` command to build C++ binaries with CMake
following the [pybind11 recommendations](https://github.com/pybind/).
## Pybind11
We vendorize pybind11 to fix the build wheel files. Why do we use this
approach?

- If we add pybind11 as a dependency, we need to find the Python binary
in our CMakeList file. With that, the Macos ARM wheel build fails
because CMake found the wrong Python version:
  ```
ld: warning: ignoring file
/Library/Frameworks/Python.framework/Versions/3.8/lib/libpython3.8.dylib,
building for macOS-arm64
  but attempting to link with a file built for macOS-x86_64
  ```
- Our first approach was to add pybind11 in `ddtrace/vendor` and link it
in `ddtrace/appsec/iast`, but it raised problems with Windows and
Alpine.
- Our second approach was to add it as a git submodule, but this change
forced us to update all CI steps. If we want to install ddtrace with
`pip install git@github...`, it raises errors with submodules.

## Checklist

- [x] Change(s) are motivated and described in the PR description.
- [x] Testing strategy is described if automated tests are not included
in the PR.
- [x] Risk is outlined (performance impact, potential for breakage,
maintainability, etc).
- [x] Change is maintainable (easy to change, telemetry, documentation).
- [x] [Library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/contributing.html#Release-Note-Guidelines)
are followed.
- [x] Documentation is included (in-code, generated user docs, [public
corp docs](https://github.com/DataDog/documentation/)).
- [x] Backport labels are set (if
[applicable](../docs/contributing.rst#release-branch-maintenance))

## Reviewer Checklist

- [x] Title is accurate.
- [x] No unnecessary changes are introduced.
- [x] Description motivates each change.
- [x] Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes unless absolutely necessary.
- [x] Testing strategy adequately addresses listed risk(s).
- [x] Change is maintainable (easy to change, telemetry, documentation).
- [x] Release note makes sense to a user of the library.
- [x] Reviewer has explicitly acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment.
- [x] Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](../docs/contributing.rst#release-branch-maintenance)

---------

Co-authored-by: Federico Mon <[email protected]>
Co-authored-by: Gabriele N. Tornetta <[email protected]>
Co-authored-by: Juanjo Alvarez Martinez <[email protected]>

Author: 4 people

ddtrace/appsec/_constants.py

@@ -4,15 +4,6 @@
 import six
 
 from ddtrace.internal.constants import HTTP_REQUEST_BLOCKED
-from ddtrace.internal.constants import HTTP_REQUEST_BODY
-from ddtrace.internal.constants import HTTP_REQUEST_COOKIE_NAME
-from ddtrace.internal.constants import HTTP_REQUEST_COOKIE_VALUE
-from ddtrace.internal.constants import HTTP_REQUEST_HEADER
-from ddtrace.internal.constants import HTTP_REQUEST_HEADER_NAME
-from ddtrace.internal.constants import HTTP_REQUEST_PARAMETER
-from ddtrace.internal.constants import HTTP_REQUEST_PATH
-from ddtrace.internal.constants import HTTP_REQUEST_PATH_PARAMETER
-from ddtrace.internal.constants import HTTP_REQUEST_QUERY
 from ddtrace.internal.constants import REQUEST_PATH_PARAMS
 from ddtrace.internal.constants import RESPONSE_HEADERS
 
@@ -89,15 +80,6 @@ class IAST(object):
     PATCH_MODULES = "_DD_IAST_PATCH_MODULES"
     DENY_MODULES = "_DD_IAST_DENY_MODULES"
     SEP_MODULES = ","
-    HTTP_REQUEST_BODY = HTTP_REQUEST_BODY
-    HTTP_REQUEST_HEADER = HTTP_REQUEST_HEADER
-    HTTP_REQUEST_HEADER_NAME = HTTP_REQUEST_HEADER_NAME
-    HTTP_REQUEST_PARAMETER = HTTP_REQUEST_PARAMETER
-    HTTP_REQUEST_PATH = HTTP_REQUEST_PATH
-    HTTP_REQUEST_PATH_PARAMETER = HTTP_REQUEST_PATH_PARAMETER
-    HTTP_REQUEST_QUERYSTRING = HTTP_REQUEST_QUERY
-    HTTP_REQUEST_COOKIE_NAME = HTTP_REQUEST_COOKIE_NAME
-    HTTP_REQUEST_COOKIE_VALUE = HTTP_REQUEST_COOKIE_VALUE
 
 
 @six.add_metaclass(Constant_Class)  # required for python2/3 compatibility

ddtrace/appsec/iast/_ast/aspects/__init__.py

@@ -3,7 +3,7 @@
 from builtins import str as builtin_str
 import codecs
 
-from ddtrace.appsec.iast._input_info import Input_info
+from ddtrace.appsec.iast._taint_tracking import OriginType
 from ddtrace.appsec.iast._taint_tracking import add_taint_pyobject
 from ddtrace.appsec.iast._taint_tracking import get_tainted_ranges
 from ddtrace.appsec.iast._taint_tracking import is_pyobject_tainted
@@ -14,7 +14,9 @@
 def str_aspect(*args, **kwargs):
     result = builtin_str(*args, **kwargs)
     if isinstance(args[0], (str, bytes, bytearray)) and is_pyobject_tainted(args[0]):
-        result = taint_pyobject(result, Input_info("str_aspect", result, 0))
+        result = taint_pyobject(
+            result, source_name="str_aspect", source_value=result, source_origin=OriginType.PARAMETER
+        )
 
     return result
 

ddtrace/appsec/iast/_patch.py

@@ -3,7 +3,6 @@
 import sys
 from typing import TYPE_CHECKING
 
-from ddtrace.appsec.iast._input_info import Input_info
 from ddtrace.appsec.iast._util import _is_iast_enabled
 from ddtrace.internal.logger import get_logger
 from ddtrace.vendor.wrapt import FunctionWrapper
@@ -144,7 +143,7 @@ def if_iast_taint_returned_object_for(origin, wrapped, instance, args, kwargs):
 
             if not is_pyobject_tainted(value):
                 name = str(args[0]) if len(args) else "http.request.body"
-                return taint_pyobject(value, Input_info(name, value, origin))
+                return taint_pyobject(pyobject=value, source_name=name, source_value=value, source_origin=origin)
         except Exception:
             log.debug("Unexpected exception while tainting pyobject", exc_info=True)
     return value
@@ -155,9 +154,8 @@ def if_iast_taint_yield_tuple_for(origins, wrapped, instance, args, kwargs):
         from ddtrace.appsec.iast._taint_tracking import taint_pyobject
 
         for key, value in wrapped(*args, **kwargs):
-            new_key = taint_pyobject(key, Input_info(key, key, origins[0]))
-            new_value = taint_pyobject(value, Input_info(key, value, origins[1]))
-
+            new_key = taint_pyobject(pyobject=key, source_name=key, source_value=key, source_origin=origins[0])
+            new_value = taint_pyobject(pyobject=value, source_name=key, source_value=value, source_origin=origins[1])
             yield new_key, new_value
 
     else:

ddtrace/appsec/iast/_taint_dict.py

@@ -7,12 +7,12 @@
     from typing import Dict
     from typing import Tuple
 
-    from ddtrace.appsec.iast._input_info import Input_info
+    from ddtrace.appsec.iast._taint_tracking import Source
 
-_IAST_TAINT_DICT = {}  # type: Dict[int, Tuple[Tuple[Input_info, int, int],...]]
+_IAST_TAINT_DICT = {}  # type: Dict[int, Tuple[Tuple[Source, int, int],...]]
 
 
-def get_taint_dict():  # type: () -> Dict[int, Tuple[Tuple[Input_info, int, int],...]]
+def get_taint_dict():  # type: () -> Dict[int, Tuple[Tuple[Source, int, int],...]]
     return _IAST_TAINT_DICT
 
 

ddtrace/appsec/iast/_taint_tracking/Constants.h

@@ -0,0 +1,2 @@
+#pragma once
+#define PY_MODULE_NAME "ddtrace.appsec.iast._taint_tracking._native"

ddtrace/appsec/iast/_taint_tracking/TaintTracking/Source.cpp

@@ -0,0 +1,86 @@
+#include <pybind11/pybind11.h>
+
+#include <sstream>
+#include <string>
+#include <utility>
+
+#include "TaintTracking/Source.h"
+
+using namespace std;
+namespace py = pybind11;
+using namespace pybind11::literals;
+
+Source::Source(string name, string value, OriginType origin)
+  : name(move(name))
+  , value(move(value))
+  , origin(origin)
+{}
+
+Source::Source(int name, string value, OriginType origin)
+  : name(origin_to_str(OriginType{ name }))
+  , value(move(value))
+  , origin(origin)
+{}
+
+string
+Source::toString() const
+{
+    ostringstream ret;
+    ret << "Source at " << this << " "
+        << "[name=" << name << ", value=" << string(value) << ", origin=" << origin_to_str(origin) << "]";
+    return ret.str();
+}
+
+Source::operator std::string() const
+{
+    return toString();
+}
+
+// Note: don't use size_t or long, if the hash is bigger than an int, Python
+// will re-hash it!
+int
+Source::get_hash() const
+{
+    return std::hash<size_t>()(std::hash<string>()(name) ^ (long)origin ^ std::hash<string>()(value));
+};
+
+void
+pyexport_source(py::module& m)
+{
+    m.def("origin_to_str", &origin_to_str, "origin"_a);
+    py::enum_<TagMappingMode>(m, "TagMappingMode")
+      .value("Normal", TagMappingMode::Normal)
+      .value("Mapper", TagMappingMode::Mapper)
+      .value("Mapper_Replace", TagMappingMode::Mapper_Replace)
+      .export_values();
+
+    py::enum_<OriginType>(m, "OriginType")
+      .value("PARAMETER", OriginType::PARAMETER)
+      .value("PARAMETER_NAME", OriginType::PARAMETER_NAME)
+      .value("HEADER", OriginType::HEADER)
+      .value("HEADER_NAME", OriginType::HEADER_NAME)
+      .value("PATH", OriginType::PATH)
+      .value("BODY", OriginType::BODY)
+      .value("QUERY", OriginType::QUERY)
+      .value("PATH_PARAMETER", OriginType::PATH_PARAMETER)
+      .value("COOKIE", OriginType::COOKIE)
+      .value("COOKIE_NAME", OriginType::COOKIE_NAME)
+      .export_values();
+
+    py::class_<Source>(m, "Source")
+      .def(py::init<string, string, const OriginType>(), "name"_a = "", "value"_a = "", "origin"_a = OriginType())
+      .def(py::init<int, string, const OriginType>(), "name"_a = "", "value"_a = "", "origin"_a = OriginType())
+      .def_readonly("name", &Source::name)
+      .def_readonly("origin", &Source::origin)
+      .def_readonly("value", &Source::value)
+      .def("to_string", &Source::toString)
+      .def("__hash__",
+           [](const Source& self) { return hash<string>{}(self.name + self.value) * (33 + int(self.origin)); })
+      .def("__str__", &Source::toString)
+      .def("__repr__", &Source::toString)
+      .def("__eq__", [](const Source* self, const Source* other) {
+          if (other == nullptr)
+              return false;
+          return self->name == other->name && self->origin == other->origin && self->value == other->value;
+      });
+}

ddtrace/appsec/iast/_taint_tracking/TaintTracking/Source.h

@@ -0,0 +1,96 @@
+#pragma once
+#include "structmember.h"
+#include <Python.h>
+#include <iostream>
+#include <pybind11/pybind11.h>
+#include <sstream>
+#include <string.h>
+
+using namespace std;
+namespace py = pybind11;
+
+enum class OriginType
+{
+    PARAMETER = 0,
+    PARAMETER_NAME,
+    HEADER,
+    HEADER_NAME,
+    PATH,
+    BODY,
+    QUERY,
+    PATH_PARAMETER,
+    COOKIE,
+    COOKIE_NAME
+};
+
+enum class TagMappingMode
+{
+    Normal,
+    Mapper,
+    Mapper_Replace
+};
+
+struct Source
+{
+    Source(string, string, OriginType);
+    Source(int, string, OriginType);
+    Source() = default;
+    string name;
+    string value;
+    OriginType origin;
+    int refcount = 0;
+
+    [[nodiscard]] string toString() const;
+
+    inline void set_values(string name = "", string value = "", OriginType origin = OriginType())
+    {
+        this->name = move(name);
+        this->value = move(value);
+        this->origin = origin;
+    }
+
+    [[nodiscard]] int get_hash() const;
+
+    static inline size_t hash(const string& name, const string& value, const OriginType origin)
+    {
+        return std::hash<size_t>()(std::hash<string>()(name + value) ^ (int)origin);
+    };
+
+    explicit operator std::string() const;
+};
+
+using SourcePtr = Source*;
+
+inline string
+origin_to_str(OriginType origin_type)
+{
+    switch (origin_type) {
+        case OriginType::PARAMETER:
+            return "http.request.parameter";
+        case OriginType::PARAMETER_NAME:
+            return "http.request.parameter.name";
+        case OriginType::HEADER:
+            return "http.request.header";
+        case OriginType::HEADER_NAME:
+            return "http.request.header.name";
+        case OriginType::PATH:
+            return "http.request.path";
+        case OriginType::BODY:
+            return "http.request.body";
+        case OriginType::QUERY:
+            return "http.request.query";
+        case OriginType::PATH_PARAMETER:
+            return "http.request.path.parameter";
+        case OriginType::COOKIE_NAME:
+            return "http.request.cookie.name";
+        case OriginType::COOKIE:
+            return "http.request.cookie.value";
+        default:
+            return "";
+    }
+}
+
+using SourcePtr = Source*;
+
+void
+pyexport_source(py::module& m);

ddtrace/appsec/iast/_taint_tracking/TaintTracking/_taint_tracking.h

@@ -0,0 +1,12 @@
+#pragma once
+#include <pybind11/pybind11.h>
+
+#include "TaintTracking/Source.h"
+#include "TaintedObject/TaintedObject.h"
+
+inline void
+pyexport_m_taint_tracking(py::module& m)
+{
+    py::module m_taint_tracking = m.def_submodule("taint_tracking", "Taint Tracking");
+    pyexport_source(m_taint_tracking);
+}

ddtrace/appsec/iast/_taint_tracking/__init__.py

@@ -1,11 +1,12 @@
 #!/usr/bin/env python3
-
 from typing import TYPE_CHECKING
 
 from ddtrace.appsec.iast import oce
 from ddtrace.appsec.iast._metrics import _set_metric_iast_executed_source
 from ddtrace.appsec.iast._taint_dict import get_taint_dict
 from ddtrace.appsec.iast._taint_tracking._native import ops  # noqa: F401
+from ddtrace.appsec.iast._taint_tracking._native.taint_tracking import OriginType  # noqa: F401
+from ddtrace.appsec.iast._taint_tracking._native.taint_tracking import Source  # noqa: F401
 
 
 setup = ops.setup
@@ -15,11 +16,10 @@
     from typing import Any
     from typing import Dict
     from typing import List
+    from typing import Optional
     from typing import Tuple
     from typing import Union
 
-    from ddtrace.appsec.iast._input_info import Input_info
-
 
 def add_taint_pyobject(pyobject, op1, op2):  # type: (Any, Any, Any) -> Any
     if not (is_pyobject_tainted(op1) or is_pyobject_tainted(op2)):
@@ -39,7 +39,8 @@ def add_taint_pyobject(pyobject, op1, op2):  # type: (Any, Any, Any) -> Any
     return pyobject
 
 
-def taint_pyobject(pyobject, input_info):  # type: (Any, Input_info) -> Any
+def taint_pyobject(pyobject, source_name=None, source_value=None, source_origin=None, start=0, len_pyobject=0):
+    # type: (Any, Optional[str], Optional[str], Optional[OriginType], int, int) -> Any
     # Request is not analyzed
     if not oce.request_has_quota:
         return pyobject
@@ -48,14 +49,19 @@ def taint_pyobject(pyobject, input_info):  # type: (Any, Input_info) -> Any
     if not pyobject or not isinstance(pyobject, (str, bytes, bytearray)):
         return pyobject
 
-    if input_info is None:
-        return pyobject
-
-    len_pyobject = len(pyobject)
+    if len_pyobject is None:
+        len_pyobject = len(pyobject)
     pyobject = new_pyobject_id(pyobject, len_pyobject)
+    if isinstance(source_name, (bytes, bytearray)):
+        source_name = str(source_name, encoding="utf8")
+    if isinstance(source_value, (bytes, bytearray)):
+        source_value = str(source_value, encoding="utf8")
+    if source_origin is None:
+        source_origin = OriginType.PARAMETER
+    source = Source(source_name, source_value, source_origin)
     taint_dict = get_taint_dict()
-    taint_dict[id(pyobject)] = ((input_info, 0, len_pyobject),)
-    _set_metric_iast_executed_source(input_info.origin)
+    taint_dict[id(pyobject)] = ((source, 0, len_pyobject),)
+    _set_metric_iast_executed_source(source.origin)
     return pyobject
 
 
@@ -73,7 +79,7 @@ def get_tainted_ranges(pyobject):  # type: (Any) -> tuple
     return get_taint_dict().get(id(pyobject), tuple())
 
 
-def taint_ranges_as_evidence_info(pyobject):  # type: (Any) -> Tuple[List[Dict[str, Union[Any, int]]], list[Input_info]]
+def taint_ranges_as_evidence_info(pyobject):  # type: (Any) -> Tuple[List[Dict[str, Union[Any, int]]], list[Source]]
     value_parts = []
     sources = []
     current_pos = 0