diff --git a/ddtrace/appsec/_iast/_taint_tracking/aspects.py b/ddtrace/appsec/_iast/_taint_tracking/aspects.py index 374e1f46e55..56ba0cf73e5 100644 --- a/ddtrace/appsec/_iast/_taint_tracking/aspects.py +++ b/ddtrace/appsec/_iast/_taint_tracking/aspects.py @@ -441,6 +441,8 @@ def format_value_aspect( else: new_text = element if not isinstance(new_text, IAST.TEXT_TYPES): + if format_spec: + return format(new_text, format_spec) return format(new_text) try: diff --git a/releasenotes/notes/fix-fstring-zeropadding-e8e463a4d8623040.yaml b/releasenotes/notes/fix-fstring-zeropadding-e8e463a4d8623040.yaml new file mode 100644 index 00000000000..99f4706de38 --- /dev/null +++ b/releasenotes/notes/fix-fstring-zeropadding-e8e463a4d8623040.yaml @@ -0,0 +1,4 @@ +--- +fixes: + - | + Code Security: This fix solves an issue with fstrings where formatting was not applied to int parameters diff --git a/tests/appsec/iast/aspects/test_str_py3.py b/tests/appsec/iast/aspects/test_str_py3.py index 5437c631984..c93c35844cb 100644 --- a/tests/appsec/iast/aspects/test_str_py3.py +++ b/tests/appsec/iast/aspects/test_str_py3.py @@ -52,6 +52,11 @@ def test_string_fstring_with_format_tainted(self): result = mod_py3.do_repr_fstring_with_format(string_input) # pylint: disable=no-member assert as_formatted_evidence(result) == "':+-foo-+:' " + def test_int_fstring_zero_padding_tainted(self): + int_input = 5 + result = mod_py3.do_zero_padding_fstring(int_input) # pylint: disable=no-member + assert result == "00005" + def test_string_fstring_repr_str_twice_tainted(self): # type: () -> None string_input = "foo" diff --git a/tests/appsec/iast/fixtures/aspects/str_methods_py3.py b/tests/appsec/iast/fixtures/aspects/str_methods_py3.py index 864e868a762..9698afed88c 100644 --- a/tests/appsec/iast/fixtures/aspects/str_methods_py3.py +++ b/tests/appsec/iast/fixtures/aspects/str_methods_py3.py 
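Review bot: The two new lines in the non-text branch of `format_value_aspect` duplicate the fallback return on the line below them, since `format(x)` is defined as `format(x, "")`; the three lines can collapse to a single `return format(new_text, format_spec or "")`, which also covers a `None` spec without a separate branch. A short why-comment would help the next reader, because the surrounding code taints text values and this branch deliberately does not: `# non-text values (int, float, ...) carry no taint; apply the spec and return the plain result`. Note that `format_spec` can itself come from a nested replacement field (`f"{a:{width}d}"`), so it is whatever the caller passed in; that is fine for the builtin `format` but worth stating in the docstring. The enclosing function starts and ends outside this hunk, so I cannot see how the text-type path handles `format_spec`.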
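Review bot: The new `test_int_fstring_zero_padding_tainted` never taints anything — `int_input = 5` is a plain int — so its name does not match what it checks, unlike the neighbouring tests that feed tainted strings and inspect `as_formatted_evidence(result)`. Either rename it to `test_int_fstring_zero_padding` or, if the test module already imports a taint-query helper, add an assertion that the formatted result is not tainted, e.g. `assert not is_pyobject_tainted(result)`, so the test pins that non-text formatting produces an untainted string rather than only the `"00005"` value. A one-line docstring such as `"""Format spec must be honoured for non-text (int) f-string arguments."""` would document the regression being guarded.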
@@ -9,6 +9,10 @@ from typing import Tuple # noqa:F401 +def do_zero_padding_fstring(a): # type: (int) -> str + return f"{a:05d}" + + def do_fmt_value(a): # type: (str) -> str return f"{a:<8s}bar"