From b6ff124c71e3c0081cb0959f6f947ae70effbc05 Mon Sep 17 00:00:00 2001 
From: Federico Mon
Date: Fri, 29 Nov 2024 13:11:53 +0100
Subject: [PATCH] fix(iast): add psycopg and psycopg2 to denylist (#11571)

Code security: This fix resolves an issue where the patching of psycopg is producing bad code. Since it's not required to patch psycopg or psycopg2 modules, we will avoid patching them altogether, with the benefit of a small performance improvement.

## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

---------

Co-authored-by: Alberto Vara
---
 ddtrace/appsec/_iast/_ast/ast_patching.py                  | 3 +++
 .../fix-iast-add-psycopg-to-denylist-a88961e04125e674.yaml | 4 ++++
 2 files changed, 7 insertions(+)
 create mode 100644
releasenotes/notes/fix-iast-add-psycopg-to-denylist-a88961e04125e674.yaml diff --git a/ddtrace/appsec/_iast/_ast/ast_patching.py b/ddtrace/appsec/_iast/_ast/ast_patching.py index eca157eb3a5..6a1e4c2d3b6 100644 --- a/ddtrace/appsec/_iast/_ast/ast_patching.py +++ b/ddtrace/appsec/_iast/_ast/ast_patching.py @@ -280,6 +280,9 @@ "pkg_resources.", "pluggy.", "protobuf.", + "psycopg.", # PostgreSQL adapter for Python (v3) + "_psycopg.", # PostgreSQL adapter for Python (v3) + "psycopg2.", # PostgreSQL adapter for Python (v2) "pycparser.", # this package is called when a module is imported, propagation is not needed "pytest.", # Testing framework "_pytest.", diff --git a/releasenotes/notes/fix-iast-add-psycopg-to-denylist-a88961e04125e674.yaml b/releasenotes/notes/fix-iast-add-psycopg-to-denylist-a88961e04125e674.yaml new file mode 100644 index 00000000000..ad7d174986a --- /dev/null +++ b/releasenotes/notes/fix-iast-add-psycopg-to-denylist-a88961e04125e674.yaml @@ -0,0 +1,4 @@ +--- +fixes: + - | + Code security: This fix resolves a patching issue with `psycopg3`.
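Review bot: No test accompanies the three new denylist entries in ddtrace/appsec/_iast/_ast/ast_patching.py; the diffstat lists only this file and the release note. A regression test asserting that modules under "psycopg.", "_psycopg." and "psycopg2." are skipped by the IAST AST patching would keep these entries from being dropped unnoticed later. The inline comments also only name the package ("PostgreSQL adapter for Python (v3)"), unlike the neighbouring pycparser entry, which says why propagation is not needed; a short reason, such as the bad code produced when psycopg is patched, would tell the next reader whether the entry is still required.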
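Review bot: The release note in fix-iast-add-psycopg-to-denylist-a88961e04125e674.yaml names only `psycopg3`, while the same patch also adds "psycopg2." to the denylist and the subject line says psycopg and psycopg2. Consider wording the note so that users of both adapters can see their modules are no longer patched by IAST, and state what went wrong, since "a patching issue" alone gives a reader no symptom to match against their own deployment.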