fix(asm): make sure iast is not loaded by exploit prevention if disabled

[christophe-papazian]

Make sure, if iast is disabled, that we don't load any iast modules in the common module mechanism used both by iast and exploit prevention.

APPSEC-56659

Checklist

• PR author has checked that all the criteria below are met
• The PR description includes an overview of the change
• The PR description articulates the motivation for the change
• The change includes tests OR the PR description describes a testing strategy
• The PR description notes risks associated with the change, if any
• Newly-added code is easy to change
• The change follows the library release note guidelines
• The change includes or references documentation updates if necessary
• Backport labels are set (if applicable)

Reviewer Checklist

• Reviewer has checked that all the criteria below are met
• Title is accurate
• All changes are related to the pull request's stated goal
• Avoids breaking API changes
• Testing strategy adequately addresses listed risks
• Newly-added code is easy to change
• Release note makes sense to a user of the library
• If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
• Backport labels are set in a manner that is consistent with the release branch maintenance policy

[github-actions]

CODEOWNERS have been resolved as:

releasenotes/notes/no_IAST_unguarded_loading_in_common_module_patches-123cf6d3f8844823.yaml  @DataDog/apm-python
ddtrace/appsec/_common_module_patches.py                                @DataDog/asm-python
ddtrace/appsec/_iast/_iast_request_context.py                           @DataDog/asm-python

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 11.18421% with 135 lines in your changes missing coverage. Please review.

Please upload report for BASE (3.x-staging@4d20460). Learn more about missing BASE report.

Files with missing lines	Patch %	Lines
...appsec/integrations/flask_tests/test_iast_flask.py	0.00%	36 Missing ⚠️
...tegrations/django_tests/test_django_appsec_iast.py	0.00%	31 Missing ⚠️
ddtrace/appsec/_common_module_patches.py	25.92%	20 Missing ⚠️
ddtrace/appsec/_iast/_handlers.py	0.00%	17 Missing ⚠️
tests/contrib/dbapi/test_dbapi_appsec.py	0.00%	6 Missing ⚠️
ddtrace/appsec/_iast/_pytest_plugin.py	0.00%	3 Missing ⚠️
ddtrace/settings/asm.py	25.00%	3 Missing ⚠️
...appsec/iast/fixtures/integration/main_configure.py	0.00%	3 Missing ⚠️
ddtrace/appsec/_iast/_iast_request_context.py	60.00%	2 Missing ⚠️
ddtrace/appsec/_iast/_loader.py	0.00%	2 Missing ⚠️
... and 8 more

Additional details and impacted files

@@              Coverage Diff               @@
##             3.x-staging   #12198   +/-   ##
==============================================
  Coverage               ?    8.85%           
==============================================
  Files                  ?     1598           
  Lines                  ?   134811           
  Branches               ?        0           
==============================================
  Hits                   ?    11942           
  Misses                 ?   122869           
  Partials               ?        0           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[pr-commenter]

Benchmarks

Benchmark execution time: 2025-02-03 17:33:12

Comparing candidate commit 7cf5404 in PR branch christophe-papazian/exploit_prevention_on_windows with baseline commit 1419b2f in branch 3.x-staging.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 394 metrics, 2 unstable metrics.

[github-actions]

The backport to 2.19 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.19 2.19
# Navigate to the new working tree
cd .worktrees/backport-2.19
# Create a new branch
git switch --create backport-12198-to-2.19
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 362fa22be2f7f6b61b023adb2aa56949aa163210
# Push it to GitHub
git push --set-upstream origin backport-12198-to-2.19
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.19

Then, create a pull request where the base branch is 2.19 and the compare/head branch is backport-12198-to-2.19.