Merge branch '2.10' into yunkim/backport-9759-to-210

.riot/requirements/15235b0.txt → .riot/requirements/12974a3.txt

@@ -2,35 +2,38 @@
 # This file is autogenerated by pip-compile with Python 3.8
 # by the following command:
 #
-#    pip-compile --no-annotate --resolver=backtracking .riot/requirements/15235b0.in
+#    pip-compile --no-annotate .riot/requirements/12974a3.in
 #
 attrs==23.2.0
-certifi==2023.11.17
+certifi==2024.7.4
 charset-normalizer==3.3.2
 click==7.1.2
-coverage[toml]==7.4.0
-exceptiongroup==1.2.0
+coverage[toml]==7.6.0
+deprecated==1.2.14
+exceptiongroup==1.2.2
 flask==1.1.4
-gunicorn==21.2.0
+gunicorn==22.0.0
 httpretty==1.0.5
 hypothesis==6.45.0
-idna==3.6
-importlib-metadata==7.0.1
+idna==3.7
+importlib-metadata==7.0.0
 iniconfig==2.0.0
 itsdangerous==1.1.0
 jinja2==2.11.3
 markupsafe==1.1.1
 mock==5.1.0
+opentelemetry-api==1.24.0
 opentracing==2.4.0
-packaging==23.2
-pluggy==1.3.0
-pytest==7.4.4
-pytest-cov==4.1.0
-pytest-mock==3.12.0
+packaging==24.1
+pluggy==1.5.0
+pytest==8.3.2
+pytest-cov==5.0.0
+pytest-mock==3.14.0
 pytest-randomly==3.15.0
-requests==2.31.0
+requests==2.32.3
 sortedcontainers==2.4.0
 tomli==2.0.1
-urllib3==2.1.0
+urllib3==2.2.2
 werkzeug==1.0.1
-zipp==3.17.0
+wrapt==1.16.0
+zipp==3.19.2

.riot/requirements/1153ad9.txt → .riot/requirements/1677649.txt

@@ -2,31 +2,36 @@
 # This file is autogenerated by pip-compile with Python 3.11
 # by the following command:
 #
-#    pip-compile --no-annotate --resolver=backtracking .riot/requirements/1153ad9.in
+#    pip-compile --no-annotate .riot/requirements/1677649.in
 #
 attrs==23.2.0
-certifi==2023.11.17
+certifi==2024.7.4
 charset-normalizer==3.3.2
 click==7.1.2
-coverage[toml]==7.4.0
+coverage[toml]==7.6.0
+deprecated==1.2.14
 flask==1.1.4
-gunicorn==21.2.0
+gunicorn==22.0.0
 httpretty==1.0.5
 hypothesis==6.45.0
-idna==3.6
+idna==3.7
+importlib-metadata==7.0.0
 iniconfig==2.0.0
 itsdangerous==1.1.0
 jinja2==2.11.3
 markupsafe==1.1.1
 mock==5.1.0
+opentelemetry-api==1.24.0
 opentracing==2.4.0
-packaging==23.2
-pluggy==1.3.0
-pytest==7.4.4
-pytest-cov==4.1.0
-pytest-mock==3.12.0
+packaging==24.1
+pluggy==1.5.0
+pytest==8.3.2
+pytest-cov==5.0.0
+pytest-mock==3.14.0
 pytest-randomly==3.15.0
-requests==2.31.0
+requests==2.32.3
 sortedcontainers==2.4.0
-urllib3==2.1.0
+urllib3==2.2.2
 werkzeug==1.0.1
+wrapt==1.16.0
+zipp==3.19.2

.riot/requirements/427c22a.txt → .riot/requirements/17c4377.txt

@@ -2,27 +2,29 @@
 # This file is autogenerated by pip-compile with Python 3.7
 # by the following command:
 #
-#    pip-compile --no-annotate --resolver=backtracking .riot/requirements/427c22a.in
+#    pip-compile --config=pyproject.toml --no-annotate --resolver=backtracking .riot/requirements/17c4377.in
 #
 attrs==23.2.0
-certifi==2023.11.17
+certifi==2024.7.4
 charset-normalizer==3.3.2
 click==7.1.2
 coverage[toml]==7.2.7
-exceptiongroup==1.2.0
+deprecated==1.2.14
+exceptiongroup==1.2.2
 flask==1.1.4
-gunicorn==21.2.0
+gunicorn==22.0.0
 httpretty==1.0.5
 hypothesis==6.45.0
-idna==3.6
+idna==3.7
 importlib-metadata==6.7.0
 iniconfig==2.0.0
 itsdangerous==1.1.0
 jinja2==2.11.3
 markupsafe==1.1.1
 mock==5.1.0
+opentelemetry-api==1.22.0
 opentracing==2.4.0
-packaging==23.2
+packaging==24.0
 pluggy==1.2.0
 pytest==7.4.4
 pytest-cov==4.1.0
@@ -34,4 +36,5 @@ tomli==2.0.1
 typing-extensions==4.7.1
 urllib3==2.0.7
 werkzeug==1.0.1
+wrapt==1.16.0
 zipp==3.15.0

.riot/requirements/135aac0.txt → .riot/requirements/18589ec.txt

@@ -2,35 +2,38 @@
 # This file is autogenerated by pip-compile with Python 3.9
 # by the following command:
 #
-#    pip-compile --no-annotate --resolver=backtracking .riot/requirements/135aac0.in
+#    pip-compile --no-annotate .riot/requirements/18589ec.in
 #
 attrs==23.2.0
-certifi==2023.11.17
+certifi==2024.7.4
 charset-normalizer==3.3.2
 click==7.1.2
-coverage[toml]==7.4.0
-exceptiongroup==1.2.0
+coverage[toml]==7.6.0
+deprecated==1.2.14
+exceptiongroup==1.2.2
 flask==1.1.4
-gunicorn==21.2.0
+gunicorn==22.0.0
 httpretty==1.0.5
 hypothesis==6.45.0
-idna==3.6
-importlib-metadata==7.0.1
+idna==3.7
+importlib-metadata==7.0.0
 iniconfig==2.0.0
 itsdangerous==1.1.0
 jinja2==2.11.3
 markupsafe==1.1.1
 mock==5.1.0
+opentelemetry-api==1.24.0
 opentracing==2.4.0
-packaging==23.2
-pluggy==1.3.0
-pytest==7.4.4
-pytest-cov==4.1.0
-pytest-mock==3.12.0
+packaging==24.1
+pluggy==1.5.0
+pytest==8.3.2
+pytest-cov==5.0.0
+pytest-mock==3.14.0
 pytest-randomly==3.15.0
-requests==2.31.0
+requests==2.32.3
 sortedcontainers==2.4.0
 tomli==2.0.1
-urllib3==2.1.0
+urllib3==2.2.2
 werkzeug==1.0.1
-zipp==3.17.0
+wrapt==1.16.0
+zipp==3.19.2

.riot/requirements/118cb50.txt → .riot/requirements/1a14242.txt

@@ -2,33 +2,38 @@
 # This file is autogenerated by pip-compile with Python 3.10
 # by the following command:
 #
-#    pip-compile --no-annotate .riot/requirements/118cb50.in
+#    pip-compile --no-annotate .riot/requirements/1a14242.in
 #
 attrs==23.2.0
-certifi==2023.11.17
+certifi==2024.7.4
 charset-normalizer==3.3.2
 click==7.1.2
-coverage[toml]==7.4.0
-exceptiongroup==1.2.0
+coverage[toml]==7.6.0
+deprecated==1.2.14
+exceptiongroup==1.2.2
 flask==1.1.4
-gunicorn==21.2.0
+gunicorn==22.0.0
 httpretty==1.0.5
 hypothesis==6.45.0
-idna==3.6
+idna==3.7
+importlib-metadata==7.0.0
 iniconfig==2.0.0
 itsdangerous==1.1.0
 jinja2==2.11.3
 markupsafe==1.1.1
 mock==5.1.0
+opentelemetry-api==1.24.0
 opentracing==2.4.0
-packaging==23.2
-pluggy==1.3.0
-pytest==7.4.4
-pytest-cov==4.1.0
-pytest-mock==3.12.0
+packaging==24.1
+pluggy==1.5.0
+pytest==8.3.2
+pytest-cov==5.0.0
+pytest-mock==3.14.0
 pytest-randomly==3.15.0
-requests==2.31.0
+requests==2.32.3
 sortedcontainers==2.4.0
 tomli==2.0.1
-urllib3==2.1.0
+urllib3==2.2.2
 werkzeug==1.0.1
+wrapt==1.16.0
+zipp==3.19.2

.riot/requirements/17a929f.txt → .riot/requirements/5c0475c.txt

@@ -2,31 +2,36 @@
 # This file is autogenerated by pip-compile with Python 3.12
 # by the following command:
 #
-#    pip-compile --no-annotate .riot/requirements/17a929f.in
+#    pip-compile --no-annotate .riot/requirements/5c0475c.in
 #
 attrs==23.2.0
-certifi==2023.11.17
+certifi==2024.7.4
 charset-normalizer==3.3.2
 click==7.1.2
-coverage[toml]==7.4.0
+coverage[toml]==7.6.0
+deprecated==1.2.14
 flask==1.1.4
-gunicorn==21.2.0
+gunicorn==22.0.0
 httpretty==1.0.5
 hypothesis==6.45.0
-idna==3.6
+idna==3.7
+importlib-metadata==7.0.0
 iniconfig==2.0.0
 itsdangerous==1.1.0
 jinja2==2.11.3
 markupsafe==1.1.1
 mock==5.1.0
+opentelemetry-api==1.24.0
 opentracing==2.4.0
-packaging==23.2
-pluggy==1.3.0
-pytest==7.4.4
-pytest-cov==4.1.0
-pytest-mock==3.12.0
+packaging==24.1
+pluggy==1.5.0
+pytest==8.3.2
+pytest-cov==5.0.0
+pytest-mock==3.14.0
 pytest-randomly==3.15.0
-requests==2.31.0
+requests==2.32.3
 sortedcontainers==2.4.0
-urllib3==2.1.0
+urllib3==2.2.2
 werkzeug==1.0.1
+wrapt==1.16.0
+zipp==3.19.2

ddtrace/appsec/_iast/_taint_tracking/_native.cpp

@@ -60,14 +60,15 @@ PYBIND11_MODULE(_native, m)
 {
     const char* env_iast_enabled = std::getenv("DD_IAST_ENABLED");
     if (env_iast_enabled == nullptr) {
-        throw py::import_error("IAST not enabled");
-    }
-
-    std::string iast_enabled = std::string(env_iast_enabled);
-    std::transform(
-      iast_enabled.begin(), iast_enabled.end(), iast_enabled.begin(), [](unsigned char c) { return std::tolower(c); });
-    if (iast_enabled != "true" && iast_enabled != "1") {
-        throw py::import_error("IAST not enabled");
+        py::module::import("logging").attr("warning")("IAST not enabled but native module is being loaded");
+    } else {
+        std::string iast_enabled = std::string(env_iast_enabled);
+        std::transform(iast_enabled.begin(), iast_enabled.end(), iast_enabled.begin(), [](unsigned char c) {
+            return std::tolower(c);
+        });
+        if (iast_enabled != "true" && iast_enabled != "1") {
+            py::module::import("logging").attr("warning")("IAST not enabled but native module is being loaded");
+        }
     }
 
     initializer = make_unique<Initializer>();

releasenotes/notes/iast-dont-throw-native-a1d1adcf209dc529.yaml

@@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    Code Security: Logs warning instead of throwing an exception in the native module if IAST is not enabled by env var.

riotfile.py

@@ -333,6 +333,8 @@ def select_pys(min_version=MIN_PYTHON_VERSION, max_version=MAX_PYTHON_VERSION):
                 "flask": "<=2.2.3",
                 "httpretty": "<1.1",
                 "werkzeug": "<2.0",
+                # FIXME: ddtrace does not support the latest versions of opentelemetry-api
+                "opentelemetry-api": "<1.25.0",
                 "pytest-randomly": latest,
                 "markupsafe": "<2.0",
             },

tests/appsec/iast/test_env_var.py

@@ -48,6 +48,18 @@ def test_env_var_iast_unset(monkeypatch, capfd):
     assert "IAST enabled" not in captured.err
 
 
+@pytest.mark.subprocess(
+    env=dict(DD_IAST_ENABLED="False"), err=b"WARNING:root:IAST not enabled but native module is being loaded\n"
+)
+def test_env_var_iast_disabled_native_module_warning():
+    import ddtrace.appsec._iast._taint_tracking._native  # noqa: F401
+
+
+@pytest.mark.subprocess(env=dict(DD_IAST_ENABLED="True"), err=None)
+def test_env_var_iast_enabled_no__native_module_warning():
+    import ddtrace.appsec._iast._taint_tracking._native  # noqa: F401
+
+
 @pytest.mark.xfail(reason="IAST not working with Gevent yet")
 def test_env_var_iast_enabled_gevent_unload_modules_true(capfd):
     # type: (...) -> None

tests/appsec/integrations/test_flask_entrypoint_iast_patches.py

@@ -182,8 +182,6 @@ def test_ddtrace_iast_flask_app_create_app_patch_all_enable_iast_propagation_dis
     import dis
     import io
 
-    import pytest
-
     from ddtrace import ModuleWatchdog
     from tests.utils import override_env
     from tests.utils import override_global_config
@@ -204,5 +202,3 @@ def _uninstall_watchdog_and_reload():
         # Should have replaced the binary op with the aspect in add_test:
         assert "(add_aspect)" not in str_output
         assert "BINARY_ADD" in str_output or "BINARY_OP" in str_output
-        with pytest.raises(ImportError):
-            assert flask_entrypoint_views.add_test() == []