feat(iast): unvalidated redirect vulnerability

[avara1986]

This PR adds IAST detection capabilities for unvalidated redirect vulnerabilities in major Python web frameworks:

• Django
• Flask
• FastAPI

Unvalidated redirects occur when an application redirects users to URLs that are controlled by user input without proper validation, which can lead to phishing attacks and other security issues.

Implementation Details

• Added new taint sink for invalidated redirect detection
• Implemented framework-specific detection for:
  • Django redirect functions and responses
  • Flask redirect functions
  • FastAPI redirect responses
• Enhanced taint tracking to properly handle URL parameters in redirects
• Added evidence redaction for sensitive URL parameters

Documentation

• Added docstrings explaining the vulnerability detection logic

• Updated IAST documentation to include unvalidated redirect checks

  Tasks

APPSEC-11498
APPSEC-11502
APPSEC-57164

Checklist

• PR author has checked that all the criteria below are met
• The PR description includes an overview of the change
• The PR description articulates the motivation for the change
• The change includes tests OR the PR description describes a testing strategy
• The PR description notes risks associated with the change, if any
• Newly-added code is easy to change
• The change follows the library release note guidelines
• The change includes or references documentation updates if necessary
• Backport labels are set (if applicable)

Reviewer Checklist

• Reviewer has checked that all the criteria below are met
• Title is accurate
• All changes are related to the pull request's stated goal
• Avoids breaking API changes
• Testing strategy adequately addresses listed risks
• Newly-added code is easy to change
• Release note makes sense to a user of the library
• If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
• Backport labels are set in a manner that is consistent with the release branch maintenance policy

[github-actions]

CODEOWNERS have been resolved as:

ddtrace/appsec/_iast/taint_sinks/unvalidated_redirect.py                @DataDog/asm-python
releasenotes/notes/iast-feat-unvalidated-redirect-7d1fcbe25889589a.yaml  @DataDog/apm-python
tests/appsec/iast/taint_sinks/test_unvalidated_redirect_redacted.py     @DataDog/asm-python
ddtrace/appsec/_iast/_evidence_redaction/_sensitive_handler.py          @DataDog/asm-python
ddtrace/appsec/_iast/_patch_modules.py                                  @DataDog/asm-python
ddtrace/appsec/_iast/_taint_tracking/taint_tracking/taint_range.cpp     @DataDog/asm-python
ddtrace/appsec/_iast/_taint_tracking/taint_tracking/taint_range.h       @DataDog/asm-python
ddtrace/appsec/_iast/constants.py                                       @DataDog/asm-python
ddtrace/appsec/_iast/secure_marks/validators.py                         @DataDog/asm-python
ddtrace/appsec/_iast/taint_sinks/_base.py                               @DataDog/asm-python
ddtrace/appsec/_iast/taint_sinks/header_injection.py                    @DataDog/asm-python
tests/appsec/integrations/django_tests/django_app/urls.py               @DataDog/asm-python
tests/appsec/integrations/django_tests/django_app/views.py              @DataDog/asm-python
tests/appsec/integrations/django_tests/test_django_appsec_iast.py       @DataDog/asm-python
tests/appsec/integrations/fastapi_tests/test_fastapi_appsec_iast.py     @DataDog/asm-python
tests/appsec/integrations/flask_tests/test_iast_flask.py                @DataDog/asm-python

[github-actions]

Bootstrap import analysis

Comparison of import times between this PR and base.

Summary

The average import time from this PR is: 236 ± 3 ms.

The average import time from base is: 239 ± 8 ms.

The import time difference between this PR and base is: -2.7 ± 0.3 ms.

Import time breakdown

The following import paths have shrunk:

ddtrace.auto 1.998 ms (0.85%)

ddtrace.bootstrap.sitecustomize 1.320 ms (0.56%)

ddtrace.bootstrap.preload 1.320 ms (0.56%)

ddtrace.internal.remoteconfig.client 0.654 ms (0.28%)

ddtrace 0.677 ms (0.29%)

ddtrace.internal._unpatched 0.024 ms (0.01%)

[pr-commenter]

Benchmarks

Benchmark execution time: 2025-05-27 11:48:38

Comparing candidate commit c417c69 in PR branch avara1986/APPSEC-11498-unvalidated_redirect with baseline commit 24b7e46 in branch main.

Found 2 performance improvements and 3 performance regressions! Performance is the same for 508 metrics, 7 unstable metrics.

scenario:iast_aspects-ospathsplitdrive_aspect

• 🟥 execution_time [+434.727ns; +525.622ns] or [+12.136%; +14.673%]

scenario:iast_aspects-split_aspect

• 🟥 execution_time [+188.770ns; +210.176ns] or [+12.985%; +14.457%]

scenario:iast_aspects-splitlines_aspect

• 🟥 execution_time [+201.950ns; +227.058ns] or [+13.815%; +15.532%]

scenario:iastdjangostartup-appsec

• 🟩 execution_time [-1070.169ms; -887.268ms] or [-54.349%; -45.060%]

scenario:iastdjangostartup-tracer

• 🟩 execution_time [-872.378ms; -773.333ms] or [-49.356%; -43.752%]