Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(iast): ssrf vulnerability redacts the url query parameters correctly #11563

Merged
merged 7 commits into from
Nov 29, 2024
Merged

fix(iast): ssrf vulnerability redacts the url query parameters correctly #11563

merged 7 commits into from
Nov 29, 2024
+85 −32

Conversation

avara1986
Copy link
Member

@avara1986 avara1986 commented Nov 27, 2024
edited by gnufede
Loading

Code Security: Ensure IAST SSRF vulnerability redacts the url query parameters correctly.

Checklist

  • PR author has checked that all the criteria below are met
  • The PR description includes an overview of the change
  • The PR description articulates the motivation for the change
  • The change includes tests OR the PR description describes a testing strategy
  • The PR description notes risks associated with the change, if any
  • Newly-added code is easy to change
  • The change follows the library release note guidelines
  • The change includes or references documentation updates if necessary
  • Backport labels are set (if applicable)

Reviewer Checklist

  • Reviewer has checked that all the criteria below are met
  • Title is accurate
  • All changes are related to the pull request's stated goal
  • Avoids breaking API changes
  • Testing strategy adequately addresses listed risks
  • Newly-added code is easy to change
  • Release note makes sense to a user of the library
  • If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
  • Backport labels are set in a manner that is consistent with the release branch maintenance policy

@github-actions GitHub Actions
Copy link
Contributor

CODEOWNERS have been resolved as:

releasenotes/notes/iast-fix-ssrf-queryparam-redaction-78834d2fedfa6bdf.yaml  @DataDog/apm-python
ddtrace/appsec/_iast/_evidence_redaction/_sensitive_handler.py          @DataDog/asm-python
ddtrace/appsec/_iast/_evidence_redaction/url_sensitive_analyzer.py      @DataDog/asm-python
tests/appsec/iast/taint_sinks/test_command_injection_redacted.py        @DataDog/asm-python
tests/appsec/iast/taint_sinks/test_header_injection_redacted.py         @DataDog/asm-python
tests/appsec/iast/taint_sinks/test_sql_injection_redacted.py            @DataDog/asm-python
tests/appsec/iast/taint_sinks/test_ssrf_redacted.py                     @DataDog/asm-python

@pr-commenter
Copy link

pr-commenter bot commented Nov 27, 2024
edited
Loading

Benchmarks

Benchmark execution time: 2024-11-29 12:06:08

Comparing candidate commit 535f32b in PR branch avara1986/APPSEC-55770-ssrf_redaction_fix with baseline commit d4de162 in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 208 metrics, 2 unstable metrics.

@avara1986 avara1986 changed the title fix(iast): SSRF vulnerability redacts the url query parameters correctly fix(iast): ssrf vulnerability redacts the url query parameters correctly Nov 28, 2024
@avara1986 avara1986 marked this pull request as ready for review November 28, 2024 13:10
@avara1986 avara1986 requested review from a team as code owners November 28, 2024 13:10
@avara1986 avara1986 merged commit 2a58b90 into main Nov 29, 2024
281 checks passed
@avara1986 avara1986 deleted the avara1986/APPSEC-55770-ssrf_redaction_fix branch November 29, 2024 12:08
@github-actions GitHub Actions
Copy link
Contributor

The backport to 2.14 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.14 2.14
# Navigate to the new working tree
cd .worktrees/backport-2.14
# Create a new branch
git switch --create backport-11563-to-2.14
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 2a58b9081faea295502355b6f083cd0d9b0f1f98
# Push it to GitHub
git push --set-upstream origin backport-11563-to-2.14
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.14

Then, create a pull request where the base branch is 2.14 and the compare/head branch is backport-11563-to-2.14.

@github-actions GitHub Actions
Copy link
Contributor

The backport to 2.15 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.15 2.15
# Navigate to the new working tree
cd .worktrees/backport-2.15
# Create a new branch
git switch --create backport-11563-to-2.15
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 2a58b9081faea295502355b6f083cd0d9b0f1f98
# Push it to GitHub
git push --set-upstream origin backport-11563-to-2.15
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.15

Then, create a pull request where the base branch is 2.15 and the compare/head branch is backport-11563-to-2.15.

github-actions bot pushed a commit that referenced this pull request Nov 29, 2024
@avara1986 @github-actions
fix(iast): ssrf vulnerability redacts the url query parameters correc…
d1e5edd 
…tly (#11563)

Code Security: Ensure IAST SSRF vulnerability redacts the url query
parameters correctly.

## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

(cherry picked from commit 2a58b90)
@github-actions github-actions bot mentioned this pull request Nov 29, 2024
Open
2 tasks
github-actions bot pushed a commit that referenced this pull request Nov 29, 2024
@avara1986 @github-actions
fix(iast): ssrf vulnerability redacts the url query parameters correc…
fe6ddbd 
…tly (#11563)

Code Security: Ensure IAST SSRF vulnerability redacts the url query
parameters correctly.

## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

(cherry picked from commit 2a58b90)
@github-actions github-actions bot mentioned this pull request Nov 29, 2024
Open
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gnufede gnufede gnufede approved these changes

@ZStriker19 ZStriker19 Awaiting requested review from ZStriker19 ZStriker19 is a code owner automatically assigned from DataDog/apm-python

@romainkomorndatadog romainkomorndatadog Awaiting requested review from romainkomorndatadog romainkomorndatadog is a code owner automatically assigned from DataDog/apm-python

@christophe-papazian christophe-papazian Awaiting requested review from christophe-papazian

Assignees
No one assigned
Labels
ASM Application Security Monitoring backport 2.14 backport 2.15 backport 2.16 backport 2.17
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@avara1986 @gnufede @christophe-papazian