fix(iast): avoid crashing grpc patch if MessageMapContainer import fails [backport 2.9] (#9219)

Backport b2840ab from #9215 to 2.9.

Code Security: Fix an issue at GRPC patching where if `google._upb`
module wasn't available, an unhandled ImportError would be raised.

## Checklist

- [x] Change(s) are motivated and described in the PR description
- [x] Testing strategy is described if automated tests are not included
in the PR
- [x] Risks are described (performance impact, potential for breakage,
maintainability)
- [x] Change is maintainable (easy to change, telemetry, documentation)
- [x] [Library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
are followed or label `changelog/no-changelog` is set
- [x] Documentation is included (in-code, generated user docs, [public
corp docs](https://github.com/DataDog/documentation/))
- [x] Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))
- [x] If this PR changes the public interface, I've notified
`@DataDog/apm-tees`.

## Reviewer Checklist

- [x] Title is accurate
- [x] All changes are related to the pull request's stated goal
- [x] Description motivates each change
- [x] Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- [x] Testing strategy adequately addresses listed risks
- [x] Change is maintainable (easy to change, telemetry, documentation)
- [x] Release note makes sense to a user of the library
- [x] Author has acknowledged and discussed the performance implications
of this PR as reported in the benchmarks PR comment
- [x] Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

Co-authored-by: Federico Mon <[email protected]>

Author: github-actions[bot]

ddtrace/appsec/_handlers.py

@@ -1,3 +1,4 @@
+from collections.abc import MutableMapping
 import functools
 import io
 import json
@@ -19,6 +20,13 @@
 from ddtrace.vendor.wrapt import wrap_function_wrapper as _w
 
 
+MessageMapContainer = None
+try:
+    from google._upb._message import MessageMapContainer  # type: ignore[no-redef]
+except ImportError:
+    pass
+
+
 log = get_logger(__name__)
 _BODY_METHODS = {"POST", "PUT", "DELETE", "PATCH"}
 
@@ -359,10 +367,6 @@ def _on_django_patch():
 
 
 def _custom_protobuf_getattribute(self, name):
-    from collections.abc import MutableMapping
-
-    from google._upb._message import MessageMapContainer
-
     from ddtrace.appsec._iast._taint_tracking import taint_pyobject
     from ddtrace.appsec._iast._taint_tracking._native.taint_tracking import OriginType
     from ddtrace.appsec._iast._taint_utils import taint_structure
@@ -375,7 +379,7 @@ def _custom_protobuf_getattribute(self, name):
             source_value=ret,
             source_origin=OriginType.GRPC_BODY,
         )
-    elif isinstance(ret, MutableMapping):
+    elif MessageMapContainer is not None and isinstance(ret, MutableMapping):
         if isinstance(ret, MessageMapContainer) and len(ret):
             # Patch the message-values class
             first_key = next(iter(ret))
@@ -398,10 +402,14 @@ def _patch_protobuf_class(cls):
         return
 
     if not hasattr(getattr_method, "__datadog_custom"):
-        # Replace the class __getattribute__ method with our custom one
-        # (replacement is done at the class level because it would incur on a recursive loop with the instance)
-        cls.__saved_getattr = getattr_method
-        cls.__getattribute__ = _custom_protobuf_getattribute
+        try:
+            # Replace the class __getattribute__ method with our custom one
+            # (replacement is done at the class level because it would incur on a recursive loop with the instance)
+            cls.__saved_getattr = getattr_method
+            cls.__getattribute__ = _custom_protobuf_getattribute
+        except TypeError:
+            # Avoid failing on Python 3.12 while patching immutable types
+            pass
 
 
 def _on_grpc_response(response):

releasenotes/notes/asm-gprc-import-not-crash-e13c48dcbcc1985e.yaml

@@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    Code Security: Avoid an ``ImportError`` at patching stage if ``google._upb`` module is not available.

tests/appsec/iast/test_grpc_iast.py

@@ -1,5 +1,6 @@
 import grpc
 from grpc._grpcio_metadata import __version__ as _GRPC_VERSION
+import mock
 
 from tests.contrib.grpc.common import GrpcBaseTestCase
 from tests.contrib.grpc.hello_pb2 import HelloRequest
@@ -72,3 +73,19 @@ def test_taint_iast_last(self):
                     res = stub1.SayHelloLast(requests_iterator)
                     assert hasattr(res, "message")
                     _check_test_range(res.message)
+
+    def test_taint_iast_patching_import_error(self):
+        with mock.patch.dict("sys.modules", {"google._upb._message": None}), override_env({"DD_IAST_ENABLED": "True"}):
+            from collections import UserDict
+
+            from ddtrace.appsec._handlers import _custom_protobuf_getattribute
+            from ddtrace.appsec._handlers import _patch_protobuf_class
+
+            class MyUserDict(UserDict):
+                pass
+
+            _patch_protobuf_class(MyUserDict)
+            original_dict = {"apple": 1, "banana": 2}
+            mutable_mapping = MyUserDict(original_dict)
+
+            _custom_protobuf_getattribute(mutable_mapping, "data")