Skip to content

fix(asm): fix reading wsgi input #4114

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 25 commits into from
Aug 23, 2022
Merged

fix(asm): fix reading wsgi input #4114

merged 25 commits into from
Aug 23, 2022

Conversation

@gnufede
Copy link
Member

@gnufede gnufede commented Aug 17, 2022

Description

Fixes an issue with Flask as we read the body request and it is consumed (so Flask cannot parse it afterwards).

Checklist

Relevant issue(s)

Not reported

Testing strategy

Unit tests for Django, Flask and Pylons.

Reviewer Checklist

  • Title is accurate.
  • Description motivates each change.
  • No unnecessary changes were introduced in this PR.
  • PR cannot be broken up into smaller PRs.
  • Avoid breaking API changes unless absolutely necessary.
  • Tests provided or description of manual testing performed is included in the code or PR.
  • Release note has been added for fixes and features, or else changelog/no-changelog label added.
  • All relevant GitHub issues are correctly linked.
  • Backports are identified and tagged with Mergifyio.
  • Add to milestone.

@gnufede gnufede added the ASM Application Security Monitoring label Aug 17, 2022
github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 17, 2022
View reviewed changes
tests/contrib/flask/app.py
@app.route("/body")
def body():
data = request.get_json()
return data, 200

Check warning

Code scanning / CodeQL

Reflected server-side cross-site scripting

Cross-site scripting vulnerability due to [a user-provided value](1).
github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 17, 2022
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 17, 2022
View reviewed changes
tests/contrib/django/views.py
content_type = request.META["CONTENT_TYPE"]
if content_type in ("application/json", "application/xml", "text/xml"):
data = request.body
return HttpResponse(data, status=200)

Check warning

Code scanning / CodeQL

Reflected server-side cross-site scripting

Cross-site scripting vulnerability due to [a user-provided value](1).
tests/contrib/django/views.py
return HttpResponse(data, status=200)
else:
data = request.POST
return HttpResponse(str(dict(data)), status=200)

Check warning

Code scanning / CodeQL

Reflected server-side cross-site scripting

Cross-site scripting vulnerability due to [a user-provided value](1).
@avara1986
Copy link
Member

avara1986 commented Aug 18, 2022
edited
Loading

Benchmarks of appsec enabled:

scripts/perf-run-scenario flask_simple ddtrace==1.4.0rc2 datadog/dd-trace-py@avara1986/APPSEC-5142-fix-reading-body ./artifacts/


+---------------------------------+-------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------+
| Benchmark                       | /artifacts/41d46418-2f38-4a52-91d5-819bfbad8552/flask_simple/1.4.0rc2//results.json | /artifacts/41d46418-2f38-4a52-91d5-819bfbad8552/flask_simple/1.4.0rc2.dev60+g4b147835//results.json |
+=================================+=====================================================================================+=====================================================================================================+
| flasksimple-baseline            | 1.97 ms                                                                             | 2.23 ms: 1.13x slower                                                                               |
+---------------------------------+-------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------+
| flasksimple-tracer              | 2.34 ms                                                                             | 1.91 ms: 1.23x faster                                                                               |
+---------------------------------+-------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------+
| flasksimple-profiler            | 2.55 ms                                                                             | 1.91 ms: 1.34x faster                                                                               |
+---------------------------------+-------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------+
| flasksimple-appsec-get          | 2.24 ms                                                                             | 2.47 ms: 1.10x slower                                                                               |
+---------------------------------+-------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------+
| flasksimple-appsec-post         | 2.36 ms                                                                             | 2.16 ms: 1.09x faster                                                                               |
+---------------------------------+-------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------+
| flasksimple-tracer-and-profiler | 2.24 ms                                                                             | 2.32 ms: 1.04x slower                                                                               |
+---------------------------------+-------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------+
| Geometric mean                  | (ref)                                                                               | 1.04x faster                                                                                        |
+---------------------------------+-------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------+

Benchmark hidden because not significant (1): flasksimple-tracer-and-profiler-and-appsec

github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 18, 2022
View reviewed changes
benchmarks/flask_simple/app.py
@app.route("/post-view", methods=["POST"])
def post_view():
data = request.data
return data, 200

Check warning

Code scanning / CodeQL

Reflected server-side cross-site scripting

Cross-site scripting vulnerability due to [a user-provided value](1).
@codecov-commenter
Copy link

codecov-commenter commented Aug 18, 2022
edited
Loading

Codecov Report

Merging #4114 (34410ca) into 1.x (a940ef1) will decrease coverage by 0.05%.
The diff coverage is 40.14%.

@@            Coverage Diff             @@
##              1.x    #4114      +/-   ##
==========================================
- Coverage   78.86%   78.80%   -0.06%     
==========================================
  Files         720      720              
  Lines       57386    57504     +118     
==========================================
+ Hits        45255    45316      +61     
- Misses      12131    12188      +57
Impacted Files Coverage Δ
ddtrace/contrib/flask/patch.py 0.00% <0.00%> (ø)
tests/contrib/django/django1_app/urls.py 100.00% <ø> (ø)
tests/contrib/django/django_app/urls.py 92.59% <ø> (ø)
tests/contrib/flask/app.py 0.00% <0.00%> (ø)
tests/contrib/flask/test_flask_appsec.py 0.00% <0.00%> (ø)
tests/internal/test_module.py 0.00% <0.00%> (ø)
tests/profiling/collector/test_threading.py 0.00% <0.00%> (ø)
tests/profiling/collector/test_traceback.py 0.00% <0.00%> (ø)
tests/tracer/test_forksafe.py 69.76% <9.09%> (-11.01%) ⬇️
ddtrace/internal/forksafe.py 83.58% <66.66%> (-2.63%) ⬇️
... and 10 more

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@gnufede gnufede marked this pull request as ready for review August 18, 2022 11:14
@gnufede gnufede requested a review from a team as a code owner August 18, 2022 11:14
brettlangdon
brettlangdon reviewed Aug 18, 2022
View reviewed changes
Copy link
Member

@brettlangdon brettlangdon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

flask is the only server which is having this problem?

P403n1x87
P403n1x87 reviewed Aug 18, 2022
View reviewed changes
@avara1986
Copy link
Member

avara1986 commented Aug 18, 2022

flask is the only server which is having this problem?

Yes, Django and Pylons have other approach when you try to retrieve the body

juanjux
juanjux previously approved these changes Aug 22, 2022
View reviewed changes
@avara1986 avara1986 self-requested a review August 22, 2022 12:36
avara1986
avara1986 previously approved these changes Aug 22, 2022
View reviewed changes
@brettlangdon brettlangdon dismissed stale reviews from avara1986 and juanjux via a5f55ec August 22, 2022 12:41
@brettlangdon
Copy link
Member

brettlangdon commented Aug 22, 2022

@Mergifyio backport 1.4

@mergify
Copy link
Contributor

mergify bot commented Aug 22, 2022
edited
Loading

backport 1.4

✅ Backports have been created

mabdinur
mabdinur approved these changes Aug 22, 2022
View reviewed changes
Copy link
Contributor

@mabdinur mabdinur left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we run the new benchmarks and include the results in the PR description? It seems like an interesting to document

@avara1986
Copy link
Member

avara1986 commented Aug 22, 2022
edited
Loading

Can we run the new benchmarks and include the results in the PR description? It seems like an interesting to document

why are these results not valid? #4114 (comment)

@brettlangdon brettlangdon merged commit 90e11db into 1.x Aug 23, 2022
@brettlangdon brettlangdon deleted the avara1986/APPSEC-5142-fix-reading-body branch August 23, 2022 12:33
@github-actions github-actions bot added this to the v1.5.0 milestone Aug 23, 2022
@mergify mergify bot mentioned this pull request Aug 23, 2022
Merged
mergify bot pushed a commit that referenced this pull request Aug 23, 2022
@gnufede @mergify
fix(asm): fix reading wsgi input (#4114)
c9cb65d 
* feat(asm): added tests to check error reading body

* feat(asm): added tests to check error reading body. Django tests

* feat(asm): added tests to check error reading body. Pylons tests

* feat(asm): added tests to check error reading body. Pylons tests

* fix(asm): Reset wsgi input after reading it

* chore(asm): add release notes

* feat: update django tests

* chore(asm): move seek to a better place

* feat: update django tests

* feat: update tests

* feat: update tests

* feat: update tests

* feat: update tests

* feat: update tests

* feat: update tests

* fix(asm): workaround for non seekable wsgi.input

* fix(asm): ensure attr seekable exists for wsgi.input

* feat(asm): add benchmark

* fix(asm): ensure attr seekable exists for wsgi.input

* fix(asm): ensure attr seekable exists for wsgi.input

* Update releasenotes/notes/asm-fix-reset-wsgi-input-035e0a7d917af2b2.yaml

Co-authored-by: Alberto Vara <alberto.vara@datadoghq.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Co-authored-by: Brett Langdon <brett.langdon@datadoghq.com>
(cherry picked from commit 90e11db)

# Conflicts:
#	benchmarks/set_http_meta/scenario.py
#	ddtrace/contrib/flask/patch.py
#	tests/contrib/django/test_django_appsec.py
#	tests/contrib/flask/test_flask_appsec.py
#	tests/contrib/pylons/test_pylons.py
brettlangdon pushed a commit that referenced this pull request Aug 23, 2022
@mergify
fix(asm): fix reading wsgi input (backport #4114) (#4127)
d0268d0 
This is an automatic backport of pull request #4114 done by [Mergify](https://mergify.com).
Cherry-pick of 90e11db has failed:
```
On branch mergify/bp/1.4/pr-4114
Your branch is up to date with 'origin/1.4'.

You are currently cherry-picking commit 90e11db.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   benchmarks/flask_simple/app.py
	modified:   benchmarks/flask_simple/config.yaml
	modified:   benchmarks/flask_simple/gunicorn.conf.py
	modified:   benchmarks/flask_simple/scenario.py
	modified:   benchmarks/flask_simple/utils.py
	modified:   benchmarks/span/utils.py
	new file:   releasenotes/notes/asm-fix-reset-wsgi-input-035e0a7d917af2b2.yaml
	modified:   tests/contrib/django/django1_app/urls.py
	modified:   tests/contrib/django/django_app/urls.py
	modified:   tests/contrib/django/views.py
	modified:   tests/contrib/flask/app.py
	modified:   tests/contrib/pylons/app/controllers/root.py
	modified:   tests/contrib/pylons/app/router.py

Unmerged paths:
  (use "git add/rm <file>..." as appropriate to mark resolution)
	deleted by us:   benchmarks/set_http_meta/scenario.py
	both modified:   ddtrace/contrib/flask/patch.py
	both modified:   tests/contrib/django/test_django_appsec.py
	both modified:   tests/contrib/flask/test_flask_appsec.py
	both modified:   tests/contrib/pylons/test_pylons.py

```


To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/github/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

---


<details>
<summary>Mergify commands and options</summary>

<br />

More conditions and actions can be found in the [documentation](https://docs.mergify.com/).

You can also trigger Mergify actions by commenting on this pull request:

- `@Mergifyio refresh` will re-evaluate the rules
- `@Mergifyio rebase` will rebase this PR on its base branch
- `@Mergifyio update` will merge the base branch into this PR
- `@Mergifyio backport <destination>` will backport this PR on `<destination>` branch

Additionally, on Mergify [dashboard](https://dashboard.mergify.com/) you can:

- look at your merge queues
- generate the Mergify configuration with the config editor.

Finally, you can contact us on https://mergify.com
</details>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@juanjux juanjux juanjux approved these changes

@brettlangdon brettlangdon brettlangdon approved these changes

@mabdinur mabdinur mabdinur approved these changes

@avara1986 avara1986 avara1986 left review comments

@P403n1x87 P403n1x87 Awaiting requested review from P403n1x87

Assignees

No one assigned

Labels

ASM Application Security Monitoring

Projects

None yet

Milestone

v1.5.0

Development

Successfully merging this pull request may close these issues.

8 participants

@gnufede @avara1986 @codecov-commenter @brettlangdon @juanjux @P403n1x87 @mabdinur