Skip to content

feat(iast): security controls #13655

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 16 commits into from
Jun 18, 2025
Merged

feat(iast): security controls #13655

merged 16 commits into from
Jun 18, 2025

Conversation

avara1986
Copy link
Member

Handle IAST security controls custom validation and sanitization methods

Overview

The DD_IAST_SECURITY_CONTROLS_CONFIGURATION environment variable allows you to specify custom sanitizers and validators that IAST should recognize when analyzing your application for security vulnerabilities.

Format

The configuration uses the following format:

CONTROL_TYPE:VULNERABILITY_TYPES:MODULE:METHOD[:PARAMETER_POSITIONS]

Multiple security controls are separated by semicolons (;).

Fields

  1. CONTROL_TYPE: Either INPUT_VALIDATOR or SANITIZER
  2. VULNERABILITY_TYPES: Comma-separated list of vulnerability types or * for all types
  3. MODULE: Python module path (e.g., shlex, django.utils.http)
  4. METHOD: Method name to instrument
  5. PARAMETER_POSITIONS (Optional): Zero-based parameter positions to validate (INPUT_VALIDATOR only)

Vulnerability Types

Supported vulnerability types:

  • COMMAND_INJECTION / CMDI
  • CODE_INJECTION
  • SQL_INJECTION / SQLI
  • XSS
  • HEADER_INJECTION
  • PATH_TRAVERSAL
  • SSRF
  • UNVALIDATED_REDIRECT
  • INSECURE_COOKIE
  • NO_HTTPONLY_COOKIE
  • NO_SAMESITE_COOKIE
  • WEAK_CIPHER
  • WEAK_HASH
  • WEAK_RANDOMNESS
  • STACKTRACE_LEAK

Use * to apply to all vulnerability types.

Examples

Basic Examples

Input Validator for Command Injection

export DD_IAST_SECURITY_CONTROLS_CONFIGURATION="INPUT_VALIDATOR:COMMAND_INJECTION:shlex:quote"

Sanitizer for XSS

export DD_IAST_SECURITY_CONTROLS_CONFIGURATION="SANITIZER:XSS:html:escape"

Multiple Vulnerability Types

export DD_IAST_SECURITY_CONTROLS_CONFIGURATION="INPUT_VALIDATOR:COMMAND_INJECTION,XSS:custom.validator:validate_input"

All Vulnerability Types

export DD_IAST_SECURITY_CONTROLS_CONFIGURATION="SANITIZER:*:custom.sanitizer:sanitize_all"

Advanced Examples

Multiple Security Controls

export DD_IAST_SECURITY_CONTROLS_CONFIGURATION="INPUT_VALIDATOR:COMMAND_INJECTION:shlex:quote;SANITIZER:XSS:html:escape;SANITIZER:SQLI:custom.db:escape_sql"

Validator with Specific Parameter Positions

export DD_IAST_SECURITY_CONTROLS_CONFIGURATION="INPUT_VALIDATOR:COMMAND_INJECTION:custom.validator:validate:0,2"

This validates only the 1st and 3rd parameters (0-based indexing).

Complex Configuration

export DD_IAST_SECURITY_CONTROLS_CONFIGURATION="INPUT_VALIDATOR:COMMAND_INJECTION,XSS:security.validators:validate_user_input:0,1;SANITIZER:SQLI:database.utils:escape_sql_string;SANITIZER:*:security.sanitizers:clean_all_inputs"

How It Works

Input Validators

  • Purpose: Mark input parameters as safe after validation
  • When to use: When your function validates input and returns a boolean or throws an exception
  • Effect: Parameters are marked as secure for the specified vulnerability types
  • Parameter positions: Optionally specify which parameters to mark (0-based index)

Sanitizers

  • Purpose: Mark return values as safe after sanitization
  • When to use: When your function cleans/escapes input and returns the sanitized value
  • Effect: Return value is marked as secure for the specified vulnerability types

Integration with Existing Controls

Your custom security controls work alongside the built-in IAST security controls:

  • shlex.quote (Command injection sanitizer)
  • html.escape (XSS sanitizer)
  • Database escape functions (SQL injection sanitizers)
  • Django validators (Various validators)
  • And more...

Checklist

  • PR author has checked that all the criteria below are met
  • The PR description includes an overview of the change
  • The PR description articulates the motivation for the change
  • The change includes tests OR the PR description describes a testing strategy
  • The PR description notes risks associated with the change, if any
  • Newly-added code is easy to change
  • The change follows the library release note guidelines
  • The change includes or references documentation updates if necessary
  • Backport labels are set (if applicable)

Reviewer Checklist

  • Reviewer has checked that all the criteria below are met
  • Title is accurate
  • All changes are related to the pull request's stated goal
  • Avoids breaking API changes
  • Testing strategy adequately addresses listed risks
  • Newly-added code is easy to change
  • Release note makes sense to a user of the library
  • If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
  • Backport labels are set in a manner that is consistent with the release branch maintenance policy

@avara1986 avara1986 added the ASM Application Security Monitoring label Jun 12, 2025
datadog-datadog-prod-us1[bot]
datadog-datadog-prod-us1 bot reviewed Jun 12, 2025
View reviewed changes
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jun 12, 2025
edited
Loading

CODEOWNERS have been resolved as:

ddtrace/appsec/_iast/secure_marks/README_CONFIGURATION.md               @DataDog/asm-python
ddtrace/appsec/_iast/secure_marks/configuration.py                      @DataDog/asm-python
releasenotes/notes/iast-security-controls-9cb913d485cd5e4b.yaml         @DataDog/apm-python
tests/appsec/iast/secure_marks/__init__.py                              @DataDog/asm-python
tests/appsec/iast/secure_marks/test_security_controls_configuration.py  @DataDog/asm-python
ddtrace/appsec/_common_module_patches.py                                @DataDog/asm-python
ddtrace/appsec/_iast/_patch_modules.py                                  @DataDog/asm-python
ddtrace/appsec/_iast/main.py                                            @DataDog/asm-python
ddtrace/appsec/_iast/secure_marks/__init__.py                           @DataDog/asm-python
ddtrace/appsec/_iast/secure_marks/sanitizers.py                         @DataDog/asm-python
ddtrace/appsec/_iast/secure_marks/validators.py                         @DataDog/asm-python
ddtrace/settings/asm.py                                                 @DataDog/asm-python
docs/configuration.rst                                                  @DataDog/python-guild
docs/spelling_wordlist.txt                                              @DataDog/python-guild
tests/appsec/integrations/django_tests/django_app/urls.py               @DataDog/asm-python
tests/appsec/integrations/django_tests/django_app/views.py              @DataDog/asm-python
tests/appsec/integrations/django_tests/test_iast_django.py              @DataDog/asm-python
tests/telemetry/test_writer.py                                          @DataDog/apm-python

github-advanced-security[bot]
github-advanced-security bot found potential problems Jun 12, 2025
View reviewed changes
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jun 12, 2025
edited
Loading

Bootstrap import analysis

Comparison of import times between this PR and base.

Summary

The average import time from this PR is: 299 ± 5 ms.

The average import time from base is: 303 ± 5 ms.

The import time difference between this PR and base is: -4.8 ± 0.2 ms.

Import time breakdown

The following import paths have shrunk:

ddtrace.auto 2.267 ms (0.76%)
ddtrace.bootstrap.sitecustomize 1.598 ms (0.54%)
ddtrace.bootstrap.preload 1.598 ms (0.54%)
ddtrace.internal.remoteconfig.client 0.699 ms (0.23%)
ddtrace 0.668 ms (0.22%)

@pr-commenter
Copy link

pr-commenter bot commented Jun 12, 2025
edited
Loading

Benchmarks

Benchmark execution time: 2025-06-18 15:29:46

Comparing candidate commit 018c26f in PR branch avara1986/APPSEC-56901-iast_security_controls with baseline commit b80973a in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 561 metrics, 3 unstable metrics.

@avara1986 avara1986 marked this pull request as ready for review June 12, 2025 17:40
@avara1986 avara1986 requested review from a team as code owners June 12, 2025 17:40
@avara1986 avara1986 requested a review from a team as a code owner June 13, 2025 09:33
@avara1986 avara1986 marked this pull request as draft June 16, 2025 14:08
@avara1986 avara1986 mentioned this pull request Jun 18, 2025
Merged
2 tasks
@avara1986 avara1986 marked this pull request as ready for review June 18, 2025 11:58
avara1986 added a commit that referenced this pull request Jun 18, 2025
@avara1986
chore(ci): remove duplicated functions (#13706)
b80973a 
Cherry pick some refactor that I made in security controls:
#13655

## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met 
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)
@avara1986 avara1986 enabled auto-merge (squash) June 18, 2025 14:51
@avara1986 avara1986 merged commit be1b1b1 into main Jun 18, 2025
520 checks passed
@avara1986 avara1986 deleted the avara1986/APPSEC-56901-iast_security_controls branch June 18, 2025 15:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@datadog-datadog-prod-us1 datadog-datadog-prod-us1[bot] datadog-datadog-prod-us1[bot] left review comments

@emmettbutler emmettbutler emmettbutler approved these changes

@christophe-papazian christophe-papazian christophe-papazian approved these changes

@P403n1x87 P403n1x87 Awaiting requested review from P403n1x87 P403n1x87 is a code owner automatically assigned from DataDog/apm-python

Assignees
No one assigned
Labels
ASM Application Security Monitoring
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@avara1986 @emmettbutler @christophe-papazian