From 5e6184cc9782eb40a4eee307abc144653e5ff7d7 Mon Sep 17 00:00:00 2001 
From: Federico Mon Date: Fri, 26 Apr 2024 18:36:46 +0200 Subject: [PATCH] fix(iast): fstring int formatting (#9106) IAST: This fixes an issue where the format spec of an f-string replacement field (for example zero padding, `f"{n:05d}"`) was ignored when the value was a non-text type such as `int`, so the field rendered as a bare `format(value)` instead of honouring the spec. ## Checklist - [x] Change(s) are motivated and described in the PR description - [x] Testing strategy is described if automated tests are not included in the PR - [x] Risks are described (performance impact, potential for breakage, maintainability) - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] [Library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) are followed or label `changelog/no-changelog` is set - [x] Documentation is included (in-code, generated user docs, [public corp docs](https://github.com/DataDog/documentation/)) - [x] Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) - [x] If this PR changes the public interface, I've notified `@DataDog/apm-tees`. 
## Reviewer Checklist - [x] Title is accurate - [x] All changes are related to the pull request's stated goal - [x] Description motivates each change - [x] Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - [x] Testing strategy adequately addresses listed risks - [x] Change is maintainable (easy to change, telemetry, documentation) - [x] Release note makes sense to a user of the library - [x] Author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - [x] Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)
---
 ddtrace/appsec/_iast/_taint_tracking/aspects.py | 2 ++
 .../notes/fix-fstring-zeropadding-e8e463a4d8623040.yaml | 4 ++++
 tests/appsec/iast/aspects/test_str_py3.py | 5 +++++
 tests/appsec/iast/fixtures/aspects/str_methods_py3.py | 4 ++++
 4 files changed, 15 insertions(+)
 create mode 100644 releasenotes/notes/fix-fstring-zeropadding-e8e463a4d8623040.yaml
diff --git a/ddtrace/appsec/_iast/_taint_tracking/aspects.py b/ddtrace/appsec/_iast/_taint_tracking/aspects.py
index 374e1f46e55..56ba0cf73e5 100644
--- a/ddtrace/appsec/_iast/_taint_tracking/aspects.py
+++ b/ddtrace/appsec/_iast/_taint_tracking/aspects.py
@@ -441,6 +441,8 @@ def format_value_aspect(
     else:
         new_text = element
     if not isinstance(new_text, IAST.TEXT_TYPES):
+        if format_spec:
+            return format(new_text, format_spec)
         return format(new_text)
 
     try:
diff --git a/releasenotes/notes/fix-fstring-zeropadding-e8e463a4d8623040.yaml b/releasenotes/notes/fix-fstring-zeropadding-e8e463a4d8623040.yaml
new file mode 100644
index 00000000000..99f4706de38
--- /dev/null
+++ b/releasenotes/notes/fix-fstring-zeropadding-e8e463a4d8623040.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    Code Security: This fix solves an issue with fstrings where formatting was not applied to int parameters
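Review bot: The early return on the two added lines discards any taint carried by `format_spec` itself: when the spec is a nested replacement field (`f"{n:{width}}"`) assembled from request data, the fill character and width of the rendered string are attacker-influenced, yet the builtin `format()` hands back a plain `str` with no ranges, so a later sink cannot see that influence. Whether that is a gap depends on how the text-type path in the `try:` block below (outside this hunk) treats the spec — if that path propagates spec taint, this branch should do the same for parity, e.g. by checking the spec for taint before taking the shortcut. The `if format_spec:` truthiness test is fine as written, since `format(x, "")` is identical to `format(x)`. Independently, a one-line comment would save the next reader a trip to the PR: `# Non-text values (int, float, ...) cannot carry taint ranges; still apply the spec so native formatting (e.g. zero padding) is preserved.` format_value_aspect's signature and its text-type handling both lie outside the hunk.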
diff --git a/tests/appsec/iast/aspects/test_str_py3.py b/tests/appsec/iast/aspects/test_str_py3.py
index 5437c631984..c93c35844cb 100644
--- a/tests/appsec/iast/aspects/test_str_py3.py
+++ b/tests/appsec/iast/aspects/test_str_py3.py
@@ -52,6 +52,11 @@ def test_string_fstring_with_format_tainted(self):
         result = mod_py3.do_repr_fstring_with_format(string_input)  # pylint: disable=no-member
         assert as_formatted_evidence(result) == "':+-foo-+:' "
 
+    def test_int_fstring_zero_padding_tainted(self):
+        int_input = 5
+        result = mod_py3.do_zero_padding_fstring(int_input)  # pylint: disable=no-member
+        assert result == "00005"
+
     def test_string_fstring_repr_str_twice_tainted(self):
         # type: () -> None
         string_input = "foo"
diff --git a/tests/appsec/iast/fixtures/aspects/str_methods_py3.py b/tests/appsec/iast/fixtures/aspects/str_methods_py3.py
index 864e868a762..9698afed88c 100644
--- a/tests/appsec/iast/fixtures/aspects/str_methods_py3.py
+++ b/tests/appsec/iast/fixtures/aspects/str_methods_py3.py
@@ -9,6 +9,10 @@
 from typing import Tuple  # noqa:F401
 
 
+def do_zero_padding_fstring(a):  # type: (int) -> str
+    return f"{a:05d}"
+
+
 def do_fmt_value(a):  # type: (str) -> str
     return f"{a:<8s}bar"
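Review bot: The new test's name ends in `_tainted`, but nothing in it is tainted — `5` is an `int`, which cannot carry taint ranges, and the only assertion compares against a plain string — so it checks the formatting fix but not the taint-tracking side of the aspect. Either rename it to `test_int_fstring_zero_padding` or, better, also assert the result carries no spurious ranges the way the neighbouring test does: `assert as_formatted_evidence(result) == "00005"`. A companion case where the spec comes from a tainted string (`f"{a:{spec}}"` with `spec` tainted) would pin down what the new non-text branch does with spec taint, which the plain `format()` call it returns would presumably drop — worth confirming against the aspect. The enclosing test class starts outside the hunk.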