Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(iast): xss vulnerability for jinja2 [backport 3.0] #12253

Merged
merged 2 commits into from
Feb 11, 2025
Merged

chore(iast): xss vulnerability for jinja2 [backport 3.0] #12253

merged 2 commits into from
Feb 11, 2025

Conversation

github-actions[bot]
Copy link
Contributor

@github-actions github-actions bot commented Feb 7, 2025

Backport a8dfadf from #12238 to 3.0.

Even when starting the application with ddtrace-run ddtrace-run, jinja2.FILTERS is created before this patch function executes. Therefore, we update the in-memory object with the newly patched version.

Checklist

  • PR author has checked that all the criteria below are met
  • The PR description includes an overview of the change
  • The PR description articulates the motivation for the change
  • The change includes tests OR the PR description describes a testing strategy
  • The PR description notes risks associated with the change, if any
  • Newly-added code is easy to change
  • The change follows the library release note guidelines
  • The change includes or references documentation updates if necessary
  • Backport labels are set (if applicable)

Reviewer Checklist

  • Reviewer has checked that all the criteria below are met
  • Title is accurate
  • All changes are related to the pull request's stated goal
  • Avoids breaking API changes
  • Testing strategy adequately addresses listed risks
  • Newly-added code is easy to change
  • Release note makes sense to a user of the library
  • If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
  • Backport labels are set in a manner that is consistent with the release branch maintenance policy

@avara1986 @github-actions
chore(iast): xss vulnerability for jinja2 (#12238)
a91a228 
Even when starting the application with `ddtrace-run ddtrace-run`,
`jinja2.FILTERS` is created before this patch function executes.
Therefore, we update the in-memory object with the newly patched
version.
## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

(cherry picked from commit a8dfadf)
@github-actions github-actions bot requested a review from a team as a code owner February 7, 2025 12:05
@github-actions github-actions bot added changelog/no-changelog A changelog entry is not required for this PR. ASM Application Security Monitoring labels Feb 7, 2025
@pr-commenter
Copy link

pr-commenter bot commented Feb 7, 2025
edited
Loading

Benchmarks

Benchmark execution time: 2025-02-07 16:35:15

Comparing candidate commit be741fe in PR branch backport-12238-to-3.0 with baseline commit 8c5a0c7 in branch 3.0.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 394 metrics, 2 unstable metrics.

@github-actions GitHub Actions
Copy link
Contributor Author

github-actions bot commented Feb 7, 2025

CODEOWNERS have been resolved as:

ddtrace/appsec/_iast/taint_sinks/xss.py                                 @DataDog/asm-python
tests/appsec/integrations/fastapi_tests/test_fastapi_appsec_iast.py     @DataDog/asm-python
tests/appsec/integrations/flask_tests/test_iast_flask.py                @DataDog/asm-python

@avara1986 avara1986 merged commit 4099cbd into 3.0 Feb 11, 2025
356 of 358 checks passed
@avara1986 avara1986 deleted the backport-12238-to-3.0 branch February 11, 2025 09:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@datadog-datadog-prod-us1 datadog-datadog-prod-us1[bot] datadog-datadog-prod-us1[bot] left review comments

@avara1986 avara1986 avara1986 approved these changes

Assignees
No one assigned
Labels
ASM Application Security Monitoring changelog/no-changelog A changelog entry is not required for this PR.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@avara1986