fix(iast): add google.auth to the IAST denylist [backport 2.15] (#11243)
Backport e33e235 from #11240 to 2.15.

This fix resolves an issue where importing the
``google.cloud.storage.batch`` module would fail raising an
AttributeError

```
  File "site-packages/google/auth/crypt/rsa.py", line 22, in <module>
    RSASigner = _cryptography_rsa.RSASigner
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: module 'google.auth.crypt._cryptography_rsa' has no attribute 'RSASigner'
```
tests_packages are working in this branch:

https://app.circleci.com/pipelines/github/DataDog/dd-trace-py/76358/workflows/427a6bbc-f088-4779-b6fd-35e8e6f988d5/jobs/4346061


## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met 
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

Co-authored-by: Alberto Vara <[email protected]>
github-actions[bot] and avara1986 authored Oct 31, 2024
1 parent 76ae70b commit 07c4671
Showing 4 changed files with 15 additions and 2 deletions.
1 change: 1 addition & 0 deletions ddtrace/appsec/_iast/_ast/ast_patching.py
Expand Up @@ -300,6 +300,7 @@
"uvicorn.",
"anyio.",
"httpcore.",
"google.auth.crypt.",
)


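Review bot: The new `"google.auth.crypt."` entry at the end of the tuple is narrower than the commit title, which says `google.auth` is being added to the IAST denylist; align the title or the entry so it is clear which module prefix is actually excluded. The entry also carries no comment saying why it is there; a short one pointing at the `RSASigner` AttributeError raised from `google/auth/crypt/rsa.py` would keep it from being dropped later as unexplained.
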
@@ -0,0 +1,4 @@
---
fixes:
- |
Code Security: This fix resolves an issue where importing the ``google.cloud.storage.batch`` module would fail raising an ImportError
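Review bot: The release note text says the import fails "raising an ImportError", but the commit message and its traceback show an `AttributeError` (`module 'google.auth.crypt._cryptography_rsa' has no attribute 'RSASigner'`). Use `AttributeError` here so a user searching for the error they actually saw finds this fix.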
6 changes: 6 additions & 0 deletions tests/appsec/iast_packages/packages/pkg_google_api_core.py
Expand Up @@ -9,6 +9,12 @@
from .utils import ResultResponse


try:
from google.cloud.storage.batch import Batch # noqa:F401
except ModuleNotFoundError:
pass


pkg_google_api_core = Blueprint("package_google_api_core", __name__)


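Review bot: The `except ModuleNotFoundError: pass` around the new import makes the regression check disappear silently when `google-cloud-storage` is not installed, and it also swallows a missing module raised from deeper in the import chain. Since the import exists only to reproduce the failure, add a comment saying so, and consider checking the exception's `name` attribute so that only an absent `google.cloud.storage` package is tolerated.
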
6 changes: 4 additions & 2 deletions tests/appsec/iast_packages/test_packages.py
Expand Up @@ -255,7 +255,7 @@ def uninstall(self, python_cmd):
PackageForTesting("fsspec", "2024.5.0", "", "/", ""),
PackageForTesting(
"google-auth",
"2.29.0",
"2.35.0",
"",
"",
"",
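Review bot: The `google-auth` pin moves from `"2.29.0"` to `"2.35.0"` with no mention in the commit message. State whether the failure depends on the newer version, or keep the bump out of the backport if it is unrelated to the denylist fix.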
Expand All @@ -265,12 +265,14 @@ def uninstall(self, python_cmd):
),
PackageForTesting(
"google-api-core",
"2.19.0",
"2.22.0",
"",
"",
"",
import_name="google",
import_module_to_validate="google.auth.iam",
extras=[("google-cloud-storage", "2.18.2")],
test_e2e=True,
),
PackageForTesting(
"google-api-python-client",
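Review bot: `import_module_to_validate` still points at `"google.auth.iam"`, so this entry does not itself import the module named in the fix; the regression is only reached through the `google.cloud.storage.batch` import added in `pkg_google_api_core.py`. A comment on `extras=[("google-cloud-storage", "2.18.2")]` tying that pin to the import would make the dependency visible, and the `google-api-core` bump from `"2.19.0"` to `"2.22.0"` should be explained in the commit message as well.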