Skip to content

feat(iast): add support for langchain v0.1.0+ #13256

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 14 commits into
base: main
Choose a base branch
from
Draft

feat(iast): add support for langchain v0.1.0+ #13256

wants to merge 14 commits into from

Conversation

smola
Copy link
Member

@smola smola commented Apr 23, 2025
edited
Loading

Functionality

  • Support IAST propagation through LLM invocations. If any LLM prompt is tainted, then any LLM output is fully tainted too.
  • Support IAST propagation through PromptTemplate.format. This is necessary for tainting of LLM outputs, since prompts go through template rendering first.
  • Support via other mechanisms, like ChatPromptTemplate.format is also supported, via regular IAST patching. So langchain_core module is added to the IAST static allowlist.
  • Both sync and async calls are supported (e.g. invoke and ainvoke).

APPSEC-57223

Tests

  • Upgraded tests to check langchain v0.1.0, v0.2.0 and v0.3.0.
  • Moved integration tests out of the flask_test directory.

Checklist

  • PR author has checked that all the criteria below are met
  • The PR description includes an overview of the change
  • The PR description articulates the motivation for the change
  • The change includes tests OR the PR description describes a testing strategy
  • The PR description notes risks associated with the change, if any
  • Newly-added code is easy to change
  • The change follows the library release note guidelines
  • The change includes or references documentation updates if necessary
  • Backport labels are set (if applicable)

Reviewer Checklist

  • Reviewer has checked that all the criteria below are met
  • Title is accurate
  • All changes are related to the pull request's stated goal
  • Avoids breaking API changes
  • Testing strategy adequately addresses listed risks
  • Newly-added code is easy to change
  • Release note makes sense to a user of the library
  • If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
  • Backport labels are set in a manner that is consistent with the release branch maintenance policy

@smola smola added the ASM Application Security Monitoring label Apr 23, 2025
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Apr 23, 2025
edited
Loading

CODEOWNERS have been resolved as:

releasenotes/notes/iast-langchain-0.1.0-e437ea90fe66ad31.yaml           @DataDog/apm-python
tests/appsec/integrations/langchain_tests/conftest.py                   @DataDog/asm-python
tests/appsec/integrations/langchain_tests/test_iast_langchain.py        @DataDog/asm-python
ddtrace/appsec/_iast/_ast/iastpatch.c                                   @DataDog/asm-python
ddtrace/contrib/internal/langchain/patch.py                             @DataDog/ml-observability
hatch.toml                                                              @DataDog/python-guild
tests/appsec/iast/conftest.py                                           @DataDog/asm-python
tests/appsec/iast/iast_utils.py                                         @DataDog/asm-python
tests/appsec/suitespec.yml                                              @DataDog/asm-python

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Apr 23, 2025
edited
Loading

Bootstrap import analysis

Comparison of import times between this PR and base.

Summary

The average import time from this PR is: 234 ± 3 ms.

The average import time from base is: 237 ± 4 ms.

The import time difference between this PR and base is: -3.3 ± 0.2 ms.

Import time breakdown

The following import paths have shrunk:

ddtrace.auto 2.107 ms (0.90%)
ddtrace.bootstrap.sitecustomize 1.433 ms (0.61%)
ddtrace.bootstrap.preload 1.433 ms (0.61%)
ddtrace.internal.products 1.433 ms (0.61%)
ddtrace.internal.remoteconfig.client 0.668 ms (0.29%)
ddtrace 0.674 ms (0.29%)

@pr-commenter
Copy link

pr-commenter bot commented Apr 23, 2025
edited
Loading

Benchmarks

Benchmark execution time: 2025-05-08 16:09:04

Comparing candidate commit 73a7792 in PR branch smola/iast-langchain-upgrade with baseline commit 44d7aa4 in branch main.

Found 0 performance improvements and 4 performance regressions! Performance is the same for 524 metrics, 8 unstable metrics.

scenario:iast_aspects-ospathbasename_aspect

  • 🟥 execution_time [+677.444ns; +793.863ns] or [+16.512%; +19.350%]

scenario:iast_aspects-ospathjoin_aspect

  • 🟥 execution_time [+926.656ns; +986.115ns] or [+15.282%; +16.263%]

scenario:iast_aspects-ospathsplitdrive_aspect

  • 🟥 execution_time [+343.583ns; +499.112ns] or [+9.567%; +13.897%]

scenario:iast_aspects-swapcase_aspect

  • 🟥 execution_time [+243.934ns; +287.491ns] or [+10.079%; +11.878%]

@smola smola force-pushed the smola/iast-langchain-upgrade branch 2 times, most recently from f90f76b to 3e721dd Compare April 23, 2025 10:22
@smola smola changed the title [WIP] Upgrade IAST support for langchain v0.3.0+ feat(iast): add support for langchain v0.1.0+ Apr 23, 2025
@smola smola force-pushed the smola/iast-langchain-upgrade branch from 3e721dd to e170cc9 Compare April 23, 2025 10:42
avara1986
avara1986 reviewed Apr 24, 2025
View reviewed changes
Copy link
Member

@avara1986 avara1986 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

with this changes, theres lines of code are deprecated:

tests/appsec/iast/conftest.py:65

def iast_context(env, request_sampling=100.0, deduplication=False, asm_enabled=False):
    try:
        from ddtrace.contrib.internal.langchain.patch import patch as langchain_patch
        from ddtrace.contrib.internal.langchain.patch import unpatch as langchain_unpatch
    except Exception:
        langchain_patch = lambda: True  # noqa: E731
        langchain_unpatch = lambda: True  # noqa: E731

@smola smola mentioned this pull request May 7, 2025
Merged
2 tasks
@smola smola force-pushed the smola/iast-langchain-upgrade branch 2 times, most recently from d583616 to 5a7bba4 Compare May 7, 2025 17:40
smola added a commit that referenced this pull request May 7, 2025
@smola
chore(iast): improve detection of ddtrace frames (#13344)
bf8e827 
Use more robust method to filter out frames from `ddtrace` module. The
previous version would not work in some tests if the relevant frame was
in site-packages within a virtual env named `ddtrace`, which happens in
tests for #13256. This would generally not affect customers, but
misbehaves in our test suite.
@smola smola force-pushed the smola/iast-langchain-upgrade branch from 5a7bba4 to 48937b5 Compare May 8, 2025 08:08
@smola smola requested a review from avara1986 May 8, 2025 08:10
@smola smola force-pushed the smola/iast-langchain-upgrade branch 4 times, most recently from f6a177c to 73a7792 Compare May 8, 2025 15:14
@smola smola force-pushed the smola/iast-langchain-upgrade branch from 73a7792 to a87f6ae Compare May 9, 2025 11:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@avara1986 avara1986 avara1986 approved these changes

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
ASM Application Security Monitoring
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@smola @avara1986