[IAST] Fix flaky Interpolated Strings tests

tracer/src/Datadog.Trace/Iast/ITaintedObject.cs

@@ -17,4 +17,6 @@ internal interface ITaintedObject
     public ITaintedObject? Next { get; set; }
 
     public int PositiveHashCode { get; }
+
+    public void Invalidate();
 }

tracer/src/Datadog.Trace/Iast/Propagation/DefaultInterpolatedStringHandlerModuleImpl.cs

@@ -8,6 +8,7 @@
 #nullable enable
 
 using System;
+using System.Collections.Generic;
 using System.Runtime.CompilerServices;
 using System.Runtime.InteropServices;
 using System.Text;
@@ -17,6 +18,9 @@ namespace Datadog.Trace.Iast.Propagation;
 
 internal static class DefaultInterpolatedStringHandlerModuleImpl
 {
+    [ThreadStatic]
+    private static Queue<object> _taintedRefStructs = new();  // Keep alive the tainted ref structs
+
     public static unsafe void Append(IntPtr target, string? value)
     {
         FullTaintIfAnyTainted(target, value);
@@ -51,7 +55,16 @@ public static unsafe void FullTaintIfAnyTainted(IntPtr target, string? input)
             var rangesResult = new[] { new Range(0, 0, tainted!.Ranges[0].Source, tainted.Ranges[0].SecureMarks) };
             if (!targetIsTainted)
             {
-                taintedObjects.Taint(target, rangesResult);
+                object targetObj = target;
+                _taintedRefStructs.Enqueue(targetObj);
+
+                // Safe guard to avoid memory leak
+                while (_taintedRefStructs.Count > 20)
+                {
+                    _taintedRefStructs.Dequeue();
+                }
+
+                taintedObjects.Taint(targetObj, rangesResult);
             }
             else
             {
@@ -91,6 +104,8 @@ public static unsafe void FullTaintIfAnyTainted(IntPtr target, string? input)
 
             var range = new Range(0, result.Length, taintedSelf.Ranges[0].Source, taintedSelf.Ranges[0].SecureMarks);
             taintedObjects.Taint(result, [range]);
+            _taintedRefStructs.Dequeue();
+            taintedSelf.Invalidate();
         }
         catch (Exception err)
         {

tracer/src/Datadog.Trace/Iast/TaintedObject.cs

@@ -29,4 +29,9 @@ public TaintedObject(object value, Range[] ranges)
     public Range[] Ranges { get; set; }
 
     public ITaintedObject? Next { get; set; }
+
+    public void Invalidate()
+    {
+        _weak.Target = null;
+    }
 }

tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/DefaultInterpolatedStringHandlerTests.cs

@@ -183,7 +183,22 @@ public void GivenAnExplicitInterpolatedString_WhenAddingTaintedValueMultipleValu
         AssertTainted(test.ToStringAndClear());
     }
 
-    [Fact (Skip = "Flaky test")]
+    [Fact]
+    public void GivenAnExplicitInterpolatedString_WhenAddingTaintedValuesAndGCCollects_GetString_Vulnerable()
+    {
+        var test = new DefaultInterpolatedStringHandler();
+        test.AppendLiteral(UntaintedValue);
+        test.AppendFormatted(new ReadOnlySpan<char>([' ', 'w', 'o', 'r', 'l', 'd', ' ']));
+        test.AppendFormatted(TaintedValue);
+        test.AppendFormatted(42);
+
+        GC.Collect();
+
+        AssertTainted(test.ToStringAndClear());
+    }
+
+
+    [Fact]
     public void GivenAnImplicitInterpolatedString_WhenAddingTaintedValue_GetString_Vulnerable()
     {
         var number = 5;
@@ -192,7 +207,7 @@ public void GivenAnImplicitInterpolatedString_WhenAddingTaintedValue_GetString_V
         AssertTainted(str);
     }
 
-    [Fact (Skip = "Flaky test")]
+    [Fact]
     public void GivenAnImplicitInterpolatedString_WhenAddingUntaintedValue_GetString_NonVulnerable()
     {
         var number = 5;
@@ -201,7 +216,7 @@ public void GivenAnImplicitInterpolatedString_WhenAddingUntaintedValue_GetString
         AssertNotTainted(str);
     }
 
-    [Fact (Skip = "Flaky test")]
+    [Fact]
     public void GivenAnImplicitInterpolatedString_WhenAddingTaintedValueAsObject_GetString_Vulnerable()
     {
         var number = 5;
@@ -210,7 +225,7 @@ public void GivenAnImplicitInterpolatedString_WhenAddingTaintedValueAsObject_Get
         AssertTainted(str);
     }
 
-    [Fact (Skip = "Flaky test")]
+    [Fact]
     public void GivenAnImplicitInterpolatedString_WhenAddingMultipleValuesWithTaintedValues_GetString_Vulnerable()
     {
         var order = new
@@ -240,7 +255,7 @@ public void GivenAnImplicitInterpolatedString_WhenAddingMultipleValuesWithTainte
         AssertTainted(sql);
     }
 
-    [Fact (Skip = "Flaky test")]
+    [Fact]
     public void GivenImplicitInterpolatedString_WhenAddingTaintedValuesNested_GetString_Vulnerable()
     {
         const int number = 42;
@@ -259,7 +274,7 @@ public void GivenImplicitInterpolatedString_WhenAddingTaintedValuesNested_GetStr
         AssertTainted(finalString);
     }
 
-    [Fact (Skip = "Flaky test")]
+    [Fact]
     public void GivenImplicitInterpolatedString_WhenAddingTaintedValuesComplex_GetString_Vulnerable()
     {
         var interpolatedString = $"""