feat(iast): add secure marks core and sanitize command injection (#13017)

## Overview
This PR implements the secure marks functionality for IAST, focusing on
command injection sanitization. It adds core functionality to mark
strings as secure after they've been validated or sanitized by security
functions.

## Motivation
- Improve IAST vulnerability detection accuracy by tracking sanitized
inputs
- Reduce false positives by properly marking strings that have been
secured
- Implement command injection protection as part of the secure marks
system

## Changes
- Added new `secure_marks` package in `ddtrace/appsec/_iast/`
- Implemented validators and sanitizers for command injection protection
- Added support for common security functions (shlex.quote, shlex.split,
django.utils.shlex.quote)
- Updated taint tracking to support secure marks
- Added comprehensive test coverage for the new functionality

## Testing Strategy
- Unit tests for validators and sanitizers
- Integration tests with common security functions
- C++ tests for taint range secure marks functionality
- Performance impact validated (import time improved by ~1.4ms)


## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met 
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

Author: avara1986

ddtrace/appsec/_iast/_ast/iastpatch.c

@@ -167,224 +167,62 @@ static const char* static_denylist[] = { "django.apps.config.",
                                          "django_filters.utils.",
                                          "django_filters.widgets." };
 
-static size_t static_stdlib_count = 216;
+static size_t static_stdlib_count = 215;
 static const char* static_stdlib_denylist[] = {
-    "__future__",
-    "_ast",
-    "_compression",
-    "_thread",
-    "abc",
-    "aifc",
-    "argparse",
-    "array",
-    "ast",
-    "asynchat",
-    "asyncio",
-    "asyncore",
-    "atexit",
-    "audioop",
-    "base64",
-    "bdb",
-    "binascii",
-    "bisect",
-    "builtins",
-    "bz2",
-    "cProfile",
-    "calendar",
-    "cgi",
-    "cgitb",
-    "chunk",
-    "cmath",
-    "cmd",
-    "code",
-    "codecs",
-    "codeop",
-    "collections",
-    "colorsys",
-    "compileall",
-    "concurrent",
-    "configparser",
-    "contextlib",
-    "contextvars",
-    "copy",
-    "copyreg",
-    "crypt",
-    "csv",
-    "ctypes",
-    "curses",
-    "dataclasses",
-    "datetime",
-    "dbm",
-    "decimal",
-    "difflib",
-    "dis",
-    "distutils",
-    "doctest",
-    "email",
-    "encodings",
-    "ensurepip",
-    "enum",
-    "errno",
-    "faulthandler",
-    "fcntl",
-    "filecmp",
-    "fileinput",
-    "fnmatch",
-    "fractions",
-    "ftplib",
-    "functools",
-    "gc",
-    "getopt",
-    "getpass",
-    "gettext",
-    "glob",
-    "graphlib",
-    "grp",
-    "gzip",
-    "hashlib",
-    "heapq",
-    "hmac",
-    "html",
-    "http",
-    "idlelib",
-    "imaplib",
-    "imghdr",
-    "imp",
-    "importlib",
-    "inspect",
-    "io",
-    "_io",
-    "ipaddress",
-    "itertools",
-    "json",
-    "keyword",
-    "lib2to3",
-    "linecache",
-    "locale",
-    "logging",
-    "lzma",
-    "mailbox",
-    "mailcap",
-    "marshal",
-    "math",
-    "mimetypes",
-    "mmap",
-    "modulefinder",
-    "msilib",
-    "msvcrt",
-    "multiprocessing",
-    "netrc",
-    "nis",
-    "nntplib",
-    "ntpath",
-    "numbers",
-    "opcode",
-    "operator",
-    "optparse",
-    "os",
-    "ossaudiodev",
-    "pathlib",
-    "pdb",
-    "pickle",
-    "pickletools",
-    "pipes",
-    "pkgutil",
-    "platform",
-    "plistlib",
-    "poplib",
-    "posix",
-    "posixpath",
-    "pprint",
-    "profile",
-    "pstats",
-    "pty",
-    "pwd",
-    "py_compile",
-    "pyclbr",
-    "pydoc",
-    "queue",
-    "quopri",
-    "random",
-    "re",
-    "readline",
-    "reprlib",
-    "resource",
-    "rlcompleter",
-    "runpy",
-    "sched",
-    "secrets",
-    "select",
-    "selectors",
-    "shelve",
-    "shlex",
-    "shutil",
-    "signal",
-    "site",
-    "smtpd",
-    "smtplib",
-    "sndhdr",
-    "socket",
-    "socketserver",
-    "spwd",
-    "sqlite3",
-    "sre",
-    "sre_compile",
-    "sre_constants",
-    "sre_parse",
-    "ssl",
-    "stat",
-    "statistics",
-    "string",
-    "stringprep",
-    "struct",
-    "subprocess",
-    "sunau",
-    "symtable",
-    "sys",
-    "sysconfig",
-    "syslog",
-    "tabnanny",
-    "tarfile",
-    "telnetlib",
-    "tempfile",
-    "termios",
-    "test",
-    "textwrap",
-    "threading",
-    "time",
-    "timeit",
-    "tkinter",
-    "token",
-    "tokenize",
-    "tomllib",
-    "trace",
-    "traceback",
-    "tracemalloc",
-    "tty",
-    "turtle",
-    "turtledemo",
-    "types",
-    "typing",
-    "unicodedata",
-    "unittest",
-    "uu",
-    "uuid",
-    "venv",
-    "warnings",
-    "wave",
-    "weakref",
-    "webbrowser",
-    "winreg",
-    "winsound",
-    "wsgiref",
-    "xdrlib",
-    "xml",
-    "xmlrpc",
-    "zipapp",
-    "zipfile",
-    "zipimport",
-    "zlib",
-    "zoneinfo",
+    "__future__",   "_ast",        "_compression", "_thread",
+    "abc",          "aifc",        "argparse",     "array",
+    "ast",          "asynchat",    "asyncio",      "asyncore",
+    "atexit",       "audioop",     "base64",       "bdb",
+    "binascii",     "bisect",      "builtins",     "bz2",
+    "cProfile",     "calendar",    "cgi",          "cgitb",
+    "chunk",        "cmath",       "cmd",          "code",
+    "codecs",       "codeop",      "collections",  "colorsys",
+    "compileall",   "concurrent",  "configparser", "contextlib",
+    "contextvars",  "copy",        "copyreg",      "crypt",
+    "csv",          "ctypes",      "curses",       "dataclasses",
+    "datetime",     "dbm",         "decimal",      "difflib",
+    "dis",          "distutils",   "doctest",      "email",
+    "encodings",    "ensurepip",   "enum",         "errno",
+    "faulthandler", "fcntl",       "filecmp",      "fileinput",
+    "fnmatch",      "fractions",   "ftplib",       "functools",
+    "gc",           "getopt",      "getpass",      "gettext",
+    "glob",         "graphlib",    "grp",          "gzip",
+    "hashlib",      "heapq",       "hmac",         "html",
+    "http",         "idlelib",     "imaplib",      "imghdr",
+    "imp",          "importlib",   "inspect",      "io",
+    "_io",          "ipaddress",   "itertools",    "json",
+    "keyword",      "lib2to3",     "linecache",    "locale",
+    "logging",      "lzma",        "mailbox",      "mailcap",
+    "marshal",      "math",        "mimetypes",    "mmap",
+    "modulefinder", "msilib",      "msvcrt",       "multiprocessing",
+    "netrc",        "nis",         "nntplib",      "ntpath",
+    "numbers",      "opcode",      "operator",     "optparse",
+    "os",           "ossaudiodev", "pathlib",      "pdb",
+    "pickle",       "pickletools", "pipes",        "pkgutil",
+    "platform",     "plistlib",    "poplib",       "posix",
+    "posixpath",    "pprint",      "profile",      "pstats",
+    "pty",          "pwd",         "py_compile",   "pyclbr",
+    "pydoc",        "queue",       "quopri",       "random",
+    "re",           "readline",    "reprlib",      "resource",
+    "rlcompleter",  "runpy",       "sched",        "secrets",
+    "select",       "selectors",   "shelve",       "shutil",
+    "signal",       "site",        "smtpd",        "smtplib",
+    "sndhdr",       "socket",      "socketserver", "spwd",
+    "sqlite3",      "sre",         "sre_compile",  "sre_constants",
+    "sre_parse",    "ssl",         "stat",         "statistics",
+    "string",       "stringprep",  "struct",       "subprocess",
+    "sunau",        "symtable",    "sys",          "sysconfig",
+    "syslog",       "tabnanny",    "tarfile",      "telnetlib",
+    "tempfile",     "termios",     "test",         "textwrap",
+    "threading",    "time",        "timeit",       "tkinter",
+    "token",        "tokenize",    "tomllib",      "trace",
+    "traceback",    "tracemalloc", "tty",          "turtle",
+    "turtledemo",   "types",       "typing",       "unicodedata",
+    "unittest",     "uu",          "uuid",         "venv",
+    "warnings",     "wave",        "weakref",      "webbrowser",
+    "winreg",       "winsound",    "wsgiref",      "xdrlib",
+    "xml",          "xmlrpc",      "zipapp",       "zipfile",
+    "zipimport",    "zlib",        "zoneinfo",
 };
 
 /* --- Helper function: str_in_list ---

ddtrace/appsec/_iast/_handlers.py

@@ -6,6 +6,8 @@
 
 from ddtrace.appsec._iast._iast_request_context import get_iast_stacktrace_reported
 from ddtrace.appsec._iast._iast_request_context import set_iast_stacktrace_reported
+from ddtrace.appsec._iast._logs import iast_instrumentation_wrapt_debug_log
+from ddtrace.appsec._iast._logs import iast_propagation_listener_log_log
 from ddtrace.appsec._iast._metrics import _set_metric_iast_instrumented_source
 from ddtrace.appsec._iast._patch import _iast_instrument_starlette_request
 from ddtrace.appsec._iast._patch import _iast_instrument_starlette_request_body
@@ -15,14 +17,12 @@
 from ddtrace.appsec._iast._taint_tracking import OriginType
 from ddtrace.appsec._iast._taint_tracking import origin_to_str
 from ddtrace.appsec._iast._taint_tracking._taint_objects import is_pyobject_tainted
+from ddtrace.appsec._iast._taint_tracking._taint_objects import taint_pyobject
 from ddtrace.appsec._iast._taint_utils import taint_structure
+from ddtrace.appsec._iast.secure_marks.sanitizers import cmdi_sanitizer
 from ddtrace.internal.logger import get_logger
 from ddtrace.settings.asm import config as asm_config
 
-from ._logs import iast_instrumentation_wrapt_debug_log
-from ._logs import iast_propagation_listener_log_log
-from ._taint_tracking._taint_objects import taint_pyobject
-
 
 MessageMapContainer = None
 try:
@@ -55,6 +55,11 @@ def _on_request_init(wrapped, instance, args, kwargs):
 
 
 def _on_flask_patch(flask_version):
+    """Handle Flask framework patch event.
+
+    Args:
+        flask_version: The version tuple of Flask being patched
+    """
     if asm_config._iast_enabled:
         try:
             try_wrap_function_wrapper(
@@ -148,6 +153,7 @@ def _on_wsgi_environ(wrapped, _instance, args, kwargs):
 
 
 def _on_django_patch():
+    """Handle Django framework patch event."""
     if asm_config._iast_enabled:
         try:
             when_imported("django.http.request")(
@@ -157,7 +163,7 @@ def _on_django_patch():
                     functools.partial(if_iast_taint_returned_object_for, OriginType.PARAMETER),
                 )
             )
-
+            try_wrap_function_wrapper("django.utils.shlex", "quote", cmdi_sanitizer)
             # we instrument those sources on _on_django_func_wrapped
             _set_metric_iast_instrumented_source(OriginType.HEADER_NAME)
             _set_metric_iast_instrumented_source(OriginType.HEADER)

ddtrace/appsec/_iast/_patch_modules.py

@@ -1,5 +1,9 @@
 from wrapt.importer import when_imported
 
+from ddtrace.appsec._common_module_patches import try_wrap_function_wrapper
+from ddtrace.appsec._iast.secure_marks.sanitizers import cmdi_sanitizer
+from ddtrace.appsec._iast.secure_marks.sanitizers import sqli_sanitizer
+
 
 IAST_PATCH = {
     "code_injection": True,
@@ -23,4 +27,47 @@ def patch_iast(patch_modules=IAST_PATCH):
     for module in (m for m, e in patch_modules.items() if e):
         when_imported("hashlib")(_on_import_factory(module, "ddtrace.appsec._iast.taint_sinks.%s", raise_errors=False))
 
+    when_imported("shlex")(
+        lambda _: try_wrap_function_wrapper(
+            "shlex",
+            "quote",
+            cmdi_sanitizer,
+        )
+    )
+    when_imported("shlex")(
+        lambda _: try_wrap_function_wrapper(
+            "shlex",
+            "split",
+            cmdi_sanitizer,
+        )
+    )
+    when_imported("psycopg2.adapt")(
+        lambda _: try_wrap_function_wrapper(
+            "psycopg2.adapt",
+            "quote_ident",
+            sqli_sanitizer,
+        )
+    )
+    when_imported("psycopg2.extensions")(
+        lambda _: try_wrap_function_wrapper(
+            "psycopg2.extensions",
+            "quote_ident",
+            sqli_sanitizer,
+        )
+    )
+    # TODO: APPSEC-56947 task
+    # when_imported("mysql.connector.conversion")(
+    #     lambda _: try_wrap_function_wrapper(
+    #         "mysql.connector.conversion",
+    #         "MySQLConverter.escape",
+    #         sqli_sanitizer,
+    #     )
+    # )
+    # when_imported("werkzeug.utils")(
+    #     lambda _: try_wrap_function_wrapper(
+    #         "werkzeug.utils",
+    #         "secure_filename",
+    #         path_traversal_sanitizer,
+    #     )
+    # )
     when_imported("json")(_on_import_factory("json_tainting", "ddtrace.appsec._iast._patches.%s", raise_errors=False))