From 75f459581d4b80493689ebb767fafb4e9fb0386f Mon Sep 17 00:00:00 2001
From: Alberto Vara
Date: Thu, 10 Apr 2025 14:43:38 +0200
Subject: [PATCH 1/3] fix(iast): excluded exception on invalid f-string

---
 ddtrace/appsec/_iast/_taint_tracking/aspects.py | 14 +++++++-------
 tests/appsec/iast/aspects/test_str_py3.py | 13 +++++++++++++
 2 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/ddtrace/appsec/_iast/_taint_tracking/aspects.py b/ddtrace/appsec/_iast/_taint_tracking/aspects.py
index 8b52878f275..fa2f512f81a 100644
--- a/ddtrace/appsec/_iast/_taint_tracking/aspects.py
+++ b/ddtrace/appsec/_iast/_taint_tracking/aspects.py
@@ -449,8 +449,8 @@ def format_value_aspect(
 return format(new_text, format_spec)
 return format(new_text)
- try:
- if format_spec:
+ if format_spec:
+ try:
 # Apply formatting
 text_ranges = get_tainted_ranges(new_text)
 if text_ranges:
@@ -466,11 +466,11 @@ def format_value_aspect(
 return ("{:%s}" % format_spec).format(new_text)
 else:
 return ("{:%s}" % format_spec).format(new_text)
- else:
- return format(new_text)
- except Exception as e:
- iast_propagation_error_log(f"format_value_aspect. {e}")
- return new_text
+ except Exception as e:
+ iast_propagation_error_log(f"format_value_aspect. {e}")
+ return ("{:%s}" % format_spec).format(new_text)
+
+ return format(new_text)
 def incremental_translation(self, incr_coder, funcode, empty):
diff --git a/tests/appsec/iast/aspects/test_str_py3.py b/tests/appsec/iast/aspects/test_str_py3.py
index ba468c34286..b4a4291ea8d 100644
--- a/tests/appsec/iast/aspects/test_str_py3.py
+++ b/tests/appsec/iast/aspects/test_str_py3.py
@@ -1,3 +1,5 @@
+from hypothesis import given
+from hypothesis.strategies import text
 import pytest
 from ddtrace.appsec._iast._taint_tracking import as_formatted_evidence
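Review bot: In the new `except Exception as e:` branch of the second aspects.py hunk, the fallback `return ("{:%s}" % format_spec).format(new_text)` repeats the same formatting that the `else:` branch inside the `try` just ran, so a genuine `ValueError` such as the unknown-format-code case this patch targets is first logged through `iast_propagation_error_log` as if it were a propagation failure and then raised by formatting a second time; an object whose `__format__` has side effects would also see it invoked twice. If the intent is only to make sure user-visible formatting errors are no longer swallowed, that deserves a comment on the fallback, e.g. `# Re-run the plain formatting so a real ValueError (e.g. unknown format code) reaches the caller instead of being swallowed here`. The tainted-ranges branch between the two hunks and the start of `format_value_aspect` are outside the hunk, so whether `get_tainted_ranges` or that branch is the only thing that can legitimately fail inside the `try` is not visible from the patch.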
@@ -10,6 +12,17 @@ mod_py3 = _iast_patched_module("benchmarks.bm.iast_fixtures.str_methods_py3")
+@given(text())
+def test_int_fstring_zero_padding_text(text):
+ with pytest.raises(ValueError) as excinfo:
+ f"{text:05d}"
+ assert str(excinfo.value) == "Unknown format code 'd' for object of type 'str'"
+
+ with pytest.raises(ValueError) as excinfo:
+ mod_py3.do_zero_padding_fstring(text)
+ assert str(excinfo.value) == "Unknown format code 'd' for object of type 'str'"
+
+
 class TestOperatorsReplacement(BaseReplacement):
 @staticmethod
 def test_taint(): # type: () -> None
From 619342a20cb0d0bb81e890c1c1f079740a66e7cd Mon Sep 17 00:00:00 2001
From: Alberto Vara
Date: Thu, 10 Apr 2025 15:13:23 +0200
Subject: [PATCH 2/3] fix(iast): excluded exception on invalid f-string

---
 .../notes/iast-fstring-exception-d460a37b6e44f972.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 releasenotes/notes/iast-fstring-exception-d460a37b6e44f972.yaml

diff --git a/releasenotes/notes/iast-fstring-exception-d460a37b6e44f972.yaml b/releasenotes/notes/iast-fstring-exception-d460a37b6e44f972.yaml
new file mode 100644
index 00000000000..62acc1c5ece
--- /dev/null
+++ b/releasenotes/notes/iast-fstring-exception-d460a37b6e44f972.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ Code Security: This fixes a bug with f-strings when IAST is enabled: when building an invalid string that
+ should raise an "Unknown format code X" exception, the error wasn't being triggered in certain cases.
+
+
From fef883bdad2234110e74ff4265e593be3ece88bf Mon Sep 17 00:00:00 2001
From: Alberto Vara
Date: Thu, 10 Apr 2025 19:24:27 +0200
Subject: [PATCH 3/3] Update releasenotes/notes/iast-fstring-exception-d460a37b6e44f972.yaml

Co-authored-by: Munir Abdinur
---
 .../notes/iast-fstring-exception-d460a37b6e44f972.yaml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
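Review bot: The parameter of `test_int_fstring_zero_padding_text(text)` shadows the `text` strategy imported from `hypothesis.strategies` in the first hunk of this file, which reads confusingly right under `@given(text())`; renaming it, `def test_int_fstring_zero_padding_text(value):` with `f"{value:05d}"` and `mod_py3.do_zero_padding_fstring(value)`, avoids that. The second `pytest.raises` block relies on `mod_py3.do_zero_padding_fstring` reproducing CPython's message byte-for-byte, which is the point of the test, but a one-line comment such as `# The patched module must surface the same ValueError as the plain f-string above` would make the purpose of the duplicated assert clear to the next reader.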
diff --git a/releasenotes/notes/iast-fstring-exception-d460a37b6e44f972.yaml b/releasenotes/notes/iast-fstring-exception-d460a37b6e44f972.yaml
index 62acc1c5ece..a22008a34ca 100644
--- a/releasenotes/notes/iast-fstring-exception-d460a37b6e44f972.yaml
+++ b/releasenotes/notes/iast-fstring-exception-d460a37b6e44f972.yaml
@@ -1,7 +1,4 @@
 ---
 fixes:
 - |
- Code Security: This fixes a bug with f-strings when IAST is enabled: when building an invalid string that
- should raise an "Unknown format code X" exception, the error wasn't being triggered in certain cases.
-
-
+ IAST: Fixes a bug where invalid f-strings didn’t raise the expected "Unknown format code" error when IAST was enabled.