chore(iast): fix fstring log message (#13601)

Fix IAST validation in fstring aspect. We're considering as unexpected
error, format errors like: `Unknown format code 'd' for object of type
'str'`

this PR fixes an error in
https://github.com/DataDog/dd-trace-py/pull/13600/files#r2128401733

part of #13600

APPSEC-57578

## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met 
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

Author: avara1986

benchmarks/bm/iast_fixtures/str_methods.py

@@ -1263,10 +1263,6 @@ def do_customspec_formatspec():
     return f"{c!s:<20s}"
 
 
-def do_fstring(a, b):
-    return f"{a} + {b} = {a + b}"
-
-
 def _preprocess_lexer_input(text):
     """Apply preprocessing such as decoding the input, removing BOM and normalizing newlines."""
     # text now *is* a unicode string

benchmarks/bm/iast_fixtures/str_methods_py3.py

@@ -20,6 +20,10 @@ def do_fstring(a: str) -> str:
     return f"{a}"
 
 
+def do_fstring_operations(a, b):
+    return f"{a} + {b} = {a + b}"
+
+
 def do_zero_padding_fstring(a: int, spec: str = "05d") -> str:
     return f"{a:{spec}}"
 

ddtrace/appsec/_iast/_taint_tracking/aspects.py

@@ -449,11 +449,11 @@ def format_value_aspect(
         return format(new_text)
 
     if format_spec:
+        new_new_text = f"{new_text:{format_spec}}"  # type: ignore[str-bytes-safe]
         try:
             # Apply formatting
             text_ranges = get_tainted_ranges(new_text)
             if text_ranges:
-                new_new_text = ("{:%s}" % format_spec).format(new_text)
                 try:
                     new_ranges = list()
                     for text_range in text_ranges:
@@ -462,12 +462,12 @@ def format_value_aspect(
                         taint_pyobject_with_ranges(new_new_text, tuple(new_ranges))
                     return new_new_text
                 except ValueError:
-                    return ("{:%s}" % format_spec).format(new_text)
+                    return new_new_text
             else:
-                return ("{:%s}" % format_spec).format(new_text)
+                return new_new_text
         except Exception as e:
             iast_propagation_error_log(f"format_value_aspect. {e}")
-            return ("{:%s}" % format_spec).format(new_text)
+            return new_new_text
 
     return format(new_text)
 

tests/appsec/iast/aspects/aspect_utils.py

@@ -65,56 +65,57 @@ def create_taint_range_with_format(text_input: Any, fn_origin: str = "") -> Any:
     return text_output
 
 
-class BaseReplacement:
-    def _to_tainted_string_with_origin(self, text: TEXT_TYPE) -> TEXT_TYPE:
-        if not isinstance(text, (str, bytes, bytearray)):
-            return text
-
-        # CAVEAT: the sequences ":+-" and "-+:" can be escaped with  "::++--" and "--+*::"
-        elements = re.split(r"(\:\+-<[0-9a-zA-Z\-]+>|<[0-9a-zA-Z\-]+>-\+\:)", text)
-
-        ranges: List[TaintRange] = []
-        ranges_append = ranges.append
-        new_text = text.__class__()
-        context: Optional[EscapeContext] = None
-        for index, element in enumerate(elements):
-            if index % 2 == 0:
-                element = element.replace("::++--", ":+-")
-                element = element.replace("--++::", "-+:")
-                new_text += element
+def _to_tainted_string_with_origin(text: TEXT_TYPE) -> TEXT_TYPE:
+    if not isinstance(text, (str, bytes, bytearray)):
+        return text
+
+    # CAVEAT: the sequences ":+-" and "-+:" can be escaped with  "::++--" and "--+*::"
+    elements = re.split(r"(\:\+-<[0-9a-zA-Z\-]+>|<[0-9a-zA-Z\-]+>-\+\:)", text)
+
+    ranges: List[TaintRange] = []
+    ranges_append = ranges.append
+    new_text = text.__class__()
+    context: Optional[EscapeContext] = None
+    for index, element in enumerate(elements):
+        if index % 2 == 0:
+            element = element.replace("::++--", ":+-")
+            element = element.replace("--++::", "-+:")
+            new_text += element
+        else:
+            separator = element
+            if element.startswith(":"):
+                id_evidence = separator[4:-1]
+                start = len(new_text)
+                context = EscapeContext(id_evidence, start)
             else:
-                separator = element
-                if element.startswith(":"):
-                    id_evidence = separator[4:-1]
-                    start = len(new_text)
-                    context = EscapeContext(id_evidence, start)
-                else:
-                    id_evidence = separator[1:-4]
-                    end = len(new_text)
-                    assert context is not None
-                    start = context.position
-                    if start != end:
-                        assert isinstance(id_evidence, str)
-
-                        ranges_append(
-                            TaintRange(
-                                start,
-                                end - start,
-                                Source(name=id_evidence, value=new_text[start:], origin=OriginType.PARAMETER),
-                            )
+                id_evidence = separator[1:-4]
+                end = len(new_text)
+                assert context is not None
+                start = context.position
+                if start != end:
+                    assert isinstance(id_evidence, str)
+
+                    ranges_append(
+                        TaintRange(
+                            start,
+                            end - start,
+                            Source(name=id_evidence, value=new_text[start:], origin=OriginType.PARAMETER),
                         )
-        set_ranges(new_text, tuple(ranges))
-        return new_text
+                    )
+    set_ranges(new_text, tuple(ranges))
+    return new_text
+
 
+class BaseReplacement:
     def _assert_format_result(
         self,
         taint_escaped_template: TEXT_TYPE,
         taint_escaped_parameter: Any,
         expected_result: TEXT_TYPE,
         escaped_expected_result: TEXT_TYPE,
     ) -> None:
-        template = self._to_tainted_string_with_origin(taint_escaped_template)
-        parameter = self._to_tainted_string_with_origin(taint_escaped_parameter)
+        template = _to_tainted_string_with_origin(taint_escaped_template)
+        parameter = _to_tainted_string_with_origin(taint_escaped_parameter)
         result = mod.do_format_with_positional_parameter(template, parameter)
 
         assert result == expected_result

tests/appsec/iast/aspects/test_format_map_aspect_fixtures.py

@@ -8,6 +8,7 @@
 from ddtrace.appsec._iast._taint_tracking import as_formatted_evidence
 from ddtrace.appsec._iast._taint_tracking import get_ranges
 from tests.appsec.iast.aspects.aspect_utils import BaseReplacement
+from tests.appsec.iast.aspects.aspect_utils import _to_tainted_string_with_origin
 from tests.appsec.iast.iast_utils import _iast_patched_module
 
 
@@ -22,8 +23,8 @@ def _assert_format_map_result(
         expected_result,  # type: str
         escaped_expected_result,  # type: str
     ):  # type: (...) -> None
-        template = self._to_tainted_string_with_origin(taint_escaped_template)
-        mapping = {key: self._to_tainted_string_with_origin(value) for key, value in taint_escaped_mapping.items()}
+        template = _to_tainted_string_with_origin(taint_escaped_template)
+        mapping = {key: _to_tainted_string_with_origin(value) for key, value in taint_escaped_mapping.items()}
 
         assert isinstance(template, str)
         result = mod.do_format_map(template, mapping)