checkpoint

Signed-off-by: Juanjo Alvarez <[email protected]>
DataDog · Jan 20, 2025 · 6a7c552 · 6a7c552
1 parent f8aaa13
commit 6a7c552
Show file tree

Hide file tree

Showing 7 changed files with 219 additions and 144 deletions.
diff --git a/ddtrace/appsec/_iast/_handlers.py b/ddtrace/appsec/_iast/_handlers.py
@@ -405,7 +405,6 @@ def _on_set_request_tags_iast(request, span, flask_config):
         )
 
 
-# JJJ try except... el decode podria fallar
 def _on_django_finalize_response_pre(response):
     if not _is_iast_enabled() or not is_iast_request_enabled():
         return
@@ -422,7 +421,7 @@ def _on_flask_finalize_request_post(response, _):
         return
 
     try:
-        content = response.content.decode("utf-8")
+        content = response[0].decode("utf-8")
         asm_check_stacktrace_leak(content)
     except Exception:
         log.debug("Unexpected exception checking for stacktrace leak", exc_info=True)

diff --git a/ddtrace/appsec/_iast/_listener.py b/ddtrace/appsec/_iast/_listener.py
@@ -1,4 +1,4 @@
-from ddtrace.appsec._iast._handlers import _on_django_func_wrapped
+from ddtrace.appsec._iast._handlers import _on_django_func_wrapped, _on_flask_finalize_request_post
 from ddtrace.appsec._iast._handlers import _on_django_patch
 from ddtrace.appsec._iast._handlers import _on_flask_patch
 from ddtrace.appsec._iast._handlers import _on_grpc_response

diff --git a/ddtrace/appsec/_iast/taint_sinks/stacktrace_leak.py b/ddtrace/appsec/_iast/taint_sinks/stacktrace_leak.py
@@ -5,8 +5,6 @@
 from .._metrics import increment_iast_span_metric, _set_metric_iast_executed_sink
 from .._taint_tracking._errors import iast_taint_log_error
 from ..constants import VULN_STACKTRACE_LEAK
-from .. import _is_iast_enabled
-from .._iast_request_context import is_iast_request_enabled
 from ..constants import STACKTRACE_FILE_LINE
 from ..constants import STACKTRACE_EXCEPTION_REGEX
 from ..constants import HTML_TAGS_REMOVE

diff --git a/tests/appsec/integrations/django_tests/django_app/urls.py b/tests/appsec/integrations/django_tests/django_app/urls.py
@@ -81,4 +81,5 @@ def shutdown(request):
     handler("appsec/validate_querydict/$", views.validate_querydict, name="validate_querydict"),
     path("appsec/path-params/<int:year>/<str:month>/", views.path_params_view, name="path-params-view"),
     path("appsec/checkuser/<str:user_id>/", views.checkuser_view, name="checkuser"),
+    path("appsec/stacktrace_leak/", views.stacktrace_leak_view),
 ]
diff --git a/tests/appsec/integrations/django_tests/django_app/views.py b/tests/appsec/integrations/django_tests/django_app/views.py
@@ -273,3 +273,7 @@ def validate_querydict(request):
     return HttpResponse(
         "x=%s, all=%s, keys=%s, urlencode=%s" % (str(res), str(lres), str(keys), qd.urlencode()), status=200
     )
+
+def stacktrace_leak_view(request):
+    from tests.appsec.iast.taint_sinks.test_stacktrace_leak import _html_django_stacktrace
+    return HttpResponse(_html_django_stacktrace)
diff --git a/tests/appsec/integrations/django_tests/test_django_appsec_iast.py b/tests/appsec/integrations/django_tests/test_django_appsec_iast.py
@@ -7,7 +7,7 @@
 from ddtrace.appsec._iast import oce
 from ddtrace.appsec._iast._patch_modules import patch_iast
 from ddtrace.appsec._iast._utils import _is_python_version_supported as python_supported_by_iast
-from ddtrace.appsec._iast.constants import VULN_CMDI
+from ddtrace.appsec._iast.constants import VULN_CMDI, VULN_STACKTRACE_LEAK
 from ddtrace.appsec._iast.constants import VULN_HEADER_INJECTION
 from ddtrace.appsec._iast.constants import VULN_INSECURE_COOKIE
 from ddtrace.appsec._iast.constants import VULN_SQL_INJECTION
@@ -886,3 +886,24 @@ def test_django_insecure_cookie_special_characters(client, test_spans, tracer):
         assert "line" not in vulnerability["location"].keys()
         assert vulnerability["location"]["spanId"]
         assert vulnerability["hash"]
+
+@pytest.mark.skipif(not python_supported_by_iast(), reason="Python version not supported by IAST")
+def test_django_stacktrace_leak(client, test_spans):
+    with override_global_config(dict(_iast_enabled=True, _deduplication_enabled=False)):
+        oce.reconfigure()
+        root_span, _ = _aux_appsec_get_root_span(
+            client,
+            test_spans,
+            tracer,
+            url="/appsec/stacktrace_leak/",
+        )
+
+        assert root_span.get_metric(IAST.ENABLED) == 1.0
+
+        loaded = json.loads(root_span.get_tag(IAST.JSON))
+        assert loaded["sources"] == []
+        assert len(loaded["vulnerabilities"]) == 1
+        vulnerability = loaded["vulnerabilities"][0]
+        assert vulnerability["type"] == VULN_STACKTRACE_LEAK
+        assert vulnerability["evidence"] == {"valueParts": [{"value": "Module: home.foobaruser.sources.minimal-django-example.app\nException: IndexError"}]}
+        assert vulnerability["hash"]