Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(iast): improve check of module names for deny and allow lists #10651

Merged
merged 2 commits into from
Sep 13, 2024
Merged

chore(iast): improve check of module names for deny and allow lists #10651

merged 2 commits into from
Sep 13, 2024

Conversation

gnufede
Copy link
Member

@gnufede gnufede commented Sep 13, 2024
edited
Loading

Code Security: This PR changes the way we match modules and submodules for the IAST patching allowlist and denylist. From now on, we try to match full module names and avoid prefixes, for instance "crypto." in the denylist will now make IAST not patch crypto module but it will patch cryptography module.

Checklist

  • PR author has checked that all the criteria below are met
  • The PR description includes an overview of the change
  • The PR description articulates the motivation for the change
  • The change includes tests OR the PR description describes a testing strategy
  • The PR description notes risks associated with the change, if any
  • Newly-added code is easy to change
  • The change follows the library release note guidelines
  • The change includes or references documentation updates if necessary
  • Backport labels are set (if applicable)

Reviewer Checklist

  • Reviewer has checked that all the criteria below are met
  • Title is accurate
  • All changes are related to the pull request's stated goal
  • Avoids breaking API changes
  • Testing strategy adequately addresses listed risks
  • Newly-added code is easy to change
  • Release note makes sense to a user of the library
  • If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
  • Backport labels are set in a manner that is consistent with the release branch maintenance policy

@github-actions GitHub Actions
Copy link
Contributor

CODEOWNERS have been resolved as:

ddtrace/appsec/_iast/_ast/ast_patching.py                               @DataDog/asm-python

@datadog-dd-trace-py-rkomorn
Copy link

datadog-dd-trace-py-rkomorn bot commented Sep 13, 2024
edited
Loading

Datadog Report

Branch report: gnufede/change-iast-allow-deny-lists-chec
Commit report: e05dde3
Test service: dd-trace-py

✅ 0 Failed, 1868 Passed, 213 Skipped, 41m 6.56s Total Time

@pr-commenter
Copy link

pr-commenter bot commented Sep 13, 2024
edited
Loading

Benchmarks

Benchmark execution time: 2024-09-13 09:26:15

Comparing candidate commit e05dde3 in PR branch gnufede/change-iast-allow-deny-lists-chec with baseline commit 15a9399 in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 10 metrics, 2 unstable metrics.

@gnufede gnufede added changelog/no-changelog A changelog entry is not required for this PR. ASM Application Security Monitoring labels Sep 13, 2024
@gnufede gnufede marked this pull request as ready for review September 13, 2024 09:34
@gnufede gnufede requested a review from a team as a code owner September 13, 2024 09:34
@gnufede gnufede enabled auto-merge (squash) September 13, 2024 09:34
@gnufede gnufede merged commit bd1933f into main Sep 13, 2024
543 of 545 checks passed
@gnufede gnufede deleted the gnufede/change-iast-allow-deny-lists-chec branch September 13, 2024 09:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@juanjux juanjux juanjux approved these changes

Assignees
No one assigned
Labels
ASM Application Security Monitoring changelog/no-changelog A changelog entry is not required for this PR.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@gnufede @juanjux