chore(iast): finer-grained header injection

[avara1986]

This pull request refines the header injection logic within the Django integration to enhance security and test coverage. The primary focus is on validating and mitigating header injection vulnerabilities in Django applications.

1. Django Header Injection Validation:

   • Refactored the header injection logic to ensure that all headers are set using the validated HttpResponse.headers interface.
   • Prevents direct manipulation of the internal _store attribute, which bypasses Django's built-in validation and could lead to header injection vulnerabilities.

2. Comprehensive Testing:

   • Added new integration tests that run a real Django application in a subprocess. This approach allows for accurate observation of how WSGI servers serialize HTTP responses.
   • Tests confirm that attempts to inject headers via the public headers interface are properly sanitized.

3. Flask and FastAPI Security Confirmation:

   • Conducted tests to confirm that both Flask and FastAPI frameworks are secure against header injection vulnerabilities.
   • These tests demonstrate that the existing security measures in Flask and FastAPI effectively prevent header injection attacks.

Testing Strategy:

• The integration tests for Django, Flask, and FastAPI ensure that header injection attempts are thwarted by the frameworks' security mechanisms.
• The tests highlight the importance of using validated interfaces for setting headers and the risks associated with manipulating internal attributes.

Checklist

• PR author has checked that all the criteria below are met
• The PR description includes an overview of the change
• The PR description articulates the motivation for the change
• The change includes tests OR the PR description describes a testing strategy
• The PR description notes risks associated with the change, if any
• Newly-added code is easy to change
• The change follows the library release note guidelines
• The change includes or references documentation updates if necessary
• Backport labels are set (if applicable)

Reviewer Checklist

• Reviewer has checked that all the criteria below are met
• Title is accurate
• All changes are related to the pull request's stated goal
• Avoids breaking API changes
• Testing strategy adequately addresses listed risks
• Newly-added code is easy to change
• Release note makes sense to a user of the library
• If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
• Backport labels are set in a manner that is consistent with the release branch maintenance policy

[github-actions]

CODEOWNERS have been resolved as:

tests/appsec/integrations/django_tests/django_app/manage.py             @DataDog/asm-python
tests/appsec/integrations/django_tests/test_iast_django_testagent.py    @DataDog/asm-python
tests/appsec/integrations/fastapi_tests/test_iast_fastapi_testagent.py  @DataDog/asm-python
.github/workflows/system-tests.yml                                      @DataDog/python-guild @DataDog/apm-core-python
ddtrace/appsec/_iast/_ast/iastpatch.c                                   @DataDog/asm-python
ddtrace/appsec/_iast/_handlers.py                                       @DataDog/asm-python
ddtrace/appsec/_iast/_patch_modules.py                                  @DataDog/asm-python
ddtrace/appsec/_iast/_stacktrace.c                                      @DataDog/asm-python
ddtrace/appsec/_iast/secure_marks/validators.py                         @DataDog/asm-python
ddtrace/appsec/_iast/taint_sinks/header_injection.py                    @DataDog/asm-python
hatch.toml                                                              @DataDog/python-guild
tests/appsec/app.py                                                     @DataDog/asm-python
tests/appsec/appsec_utils.py                                            @DataDog/asm-python
tests/appsec/integrations/django_tests/django_app/settings.py           @DataDog/asm-python
tests/appsec/integrations/django_tests/django_app/urls.py               @DataDog/asm-python
tests/appsec/integrations/django_tests/django_app/views.py              @DataDog/asm-python
tests/appsec/integrations/django_tests/test_iast_django.py              @DataDog/asm-python
tests/appsec/integrations/fastapi_tests/app.py                          @DataDog/asm-python
tests/appsec/integrations/fastapi_tests/test_fastapi_appsec_iast.py     @DataDog/asm-python
tests/appsec/integrations/flask_tests/test_flask_remoteconfig.py        @DataDog/asm-python
tests/appsec/integrations/flask_tests/test_iast_flask.py                @DataDog/asm-python
tests/appsec/integrations/flask_tests/test_iast_flask_testagent.py      @DataDog/asm-python
tests/appsec/integrations/flask_tests/utils.py                          @DataDog/asm-python
tests/appsec/integrations/utils_testagent.py                            @DataDog/asm-python
tests/appsec/suitespec.yml                                              @DataDog/asm-python

[github-actions]

Bootstrap import analysis

Comparison of import times between this PR and base.

Summary

The average import time from this PR is: 280 ± 6 ms.

The average import time from base is: 284 ± 5 ms.

The import time difference between this PR and base is: -4.0 ± 0.2 ms.

Import time breakdown

The following import paths have shrunk:

ddtrace.auto 2.116 ms (0.76%)

ddtrace.bootstrap.sitecustomize 1.436 ms (0.51%)

ddtrace.bootstrap.preload 1.436 ms (0.51%)

ddtrace.internal.remoteconfig.client 0.695 ms (0.25%)

ddtrace 0.680 ms (0.24%)

ddtrace.internal._unpatched 0.027 ms (0.01%)

[pr-commenter]

Benchmarks

Benchmark execution time: 2025-06-05 07:24:47

Comparing candidate commit df18e65 in PR branch avara1986/APPSEC-57163-header_injection with baseline commit 0b32ac2 in branch main.

Found 0 performance improvements and 1 performance regressions! Performance is the same for 552 metrics, 3 unstable metrics.

scenario:iastaspects-ljust_aspect

• 🟥 execution_time [+1.388µs; +1.484µs] or [+10.705%; +11.443%]