From 761577dfb7efab9e1cf482c6af1faec8c42e5e22 Mon Sep 17 00:00:00 2001 
From: ishabi Date: Tue, 4 Feb 2025 15:38:54 +0100 Subject: [PATCH 1/8] Add test for location extended data --- manifests/dotnet.yml | 28 ++++++++++ manifests/golang.yml | 28 ++++++++++ manifests/java.yml | 28 ++++++++++ manifests/nodejs.yml | 29 +++++++++- manifests/php.yml | 28 ++++++++++ manifests/python.yml | 28 ++++++++++ manifests/ruby.yml | 28 ++++++++++ tests/appsec/iast/sink/test_code_injection.py | 18 +++++- .../iast/sink/test_command_injection.py | 16 +++++- .../iast/sink/test_email_html_injection.py | 18 +++++- .../iast/sink/test_hardcoded_passwords.py | 16 +++++- .../iast/sink/test_hardcoded_secrets.py | 16 +++++- .../appsec/iast/sink/test_header_injection.py | 16 +++++- .../iast/sink/test_hsts_missing_header.py | 16 +++++- .../iast/sink/test_insecure_auth_protocol.py | 21 ++++++- .../appsec/iast/sink/test_insecure_cookie.py | 16 +++++- tests/appsec/iast/sink/test_ldap_injection.py | 16 +++++- .../iast/sink/test_no_httponly_cookie.py | 16 +++++- .../iast/sink/test_no_samesite_cookie.py | 16 +++++- .../iast/sink/test_nosql_mongodb_injection.py | 16 +++++- tests/appsec/iast/sink/test_path_traversal.py | 16 +++++- .../iast/sink/test_reflection_injection.py | 16 +++++- tests/appsec/iast/sink/test_sql_injection.py | 16 +++++- tests/appsec/iast/sink/test_ssrf.py | 16 +++++- .../iast/sink/test_template_injection.py | 18 +++++- .../sink/test_trust_boundary_violation.py | 19 ++++++- .../sink/test_untrusted_deserialization.py | 16 +++++- .../iast/sink/test_unvalidated_redirect.py | 18 +++++- .../sink/test_unvalidated_redirect_forward.py | 18 +++++- tests/appsec/iast/sink/test_weak_cipher.py | 16 +++++- tests/appsec/iast/sink/test_weak_hash.py | 16 +++++- .../appsec/iast/sink/test_weak_randomness.py | 16 +++++- .../iast/sink/test_xcontent_sniffing.py | 16 +++++- .../appsec/iast/sink/test_xpath_injection.py | 16 +++++- tests/appsec/iast/sink/test_xss.py | 16 +++++- tests/appsec/iast/utils.py | 55 +++++++++++++++++++ utils/_features.py | 9 +++ 37 files changed, 696 
insertions(+), 31 deletions(-) diff --git a/manifests/dotnet.yml b/manifests/dotnet.yml index f7e127cf728..f75ea001167 100644 --- a/manifests/dotnet.yml +++ b/manifests/dotnet.yml @@ -32,19 +32,24 @@ tests/: test_code_injection.py: TestCodeInjection: missing_feature TestCodeInjection_StackTrace: missing_feature + TestCodeInjection_ExtendedLocation: missing_feature test_command_injection.py: TestCommandInjection: v2.28.0 TestCommandInjection_StackTrace: missing_feature + TestCommandInjection_ExtendedLocation: missing_feature test_email_html_injection.py: TestEmailHtmlInjection: v3.2.0 TestEmailHtmlInjection_StackTrace: missing_feature + TestEmailHtmlInjection_ExtendedLocation: missing_feature test_hardcoded_passwords.py: Test_HardcodedPasswords: missing_feature Test_HardcodedPasswords_StackTrace: missing_feature + Test_HardcodedPasswords_ExtendedLocation: missing_feature test_hardcoded_secrets.py: Test_HardcodedSecrets: missing_feature Test_HardcodedSecretsExtended: missing_feature Test_HardcodedSecrets_StackTrace: missing_feature + Test_HardcodedSecrets_ExtendedLocation: missing_feature test_header_injection.py: TestHeaderInjection: v2.46.0 TestHeaderInjectionExclusionAccessControlAllow: missing_feature 
@@ -52,78 +57,101 @@ tests/: TestHeaderInjectionExclusionPragma: missing_feature TestHeaderInjectionExclusionTransferEncoding: missing_feature TestHeaderInjection_StackTrace: missing_feature + TestHeaderInjection_ExtendedLocation: missing_feature test_hsts_missing_header.py: Test_HstsMissingHeader: v2.44.0 Test_HstsMissingHeader_StackTrace: missing_feature + Test_HstsMissingHeader_ExtendedLocation: missing_feature test_insecure_auth_protocol.py: Test_InsecureAuthProtocol: v2.49.0 Test_InsecureAuthProtocol_StackTrace: missing_feature + Test_InsecureAuthProtocol_ExtendedLocation: missing_feature test_insecure_cookie.py: TestInsecureCookie: v2.39.0 TestInsecureCookieNameFilter: missing_feature TestInsecureCookie_StackTrace: missing_feature + TestInsecureCookie_ExtendedLocation: missing_feature test_ldap_injection.py: TestLDAPInjection: v2.36.0 TestLDAPInjection_StackTrace: missing_feature + TestLDAPInjection_ExtendedLocation: missing_feature test_no_httponly_cookie.py: TestNoHttponlyCookie: v2.39.0 TestNoHttponlyCookieNameFilter: missing_feature TestNoHttponlyCookie_StackTrace: missing_feature + TestNoHttponlyCookie_ExtendedLocation: missing_feature test_no_samesite_cookie.py: TestNoSamesiteCookie: v2.39.0 TestNoSamesiteCookieNameFilter: missing_feature TestNoSamesiteCookie_StackTrace: missing_feature + TestNoSamesiteCookie_ExtendedLocation: missing_feature test_nosql_mongodb_injection.py: TestNoSqlMongodbInjection: v2.47.0 TestNoSqlMongodbInjection_StackTrace: missing_feature + TestNoSqlMongodbInjection_ExtendedLocation: missing_feature test_path_traversal.py: TestPathTraversal: v2.31.0 TestPathTraversal_StackTrace: missing_feature + TestPathTraversal_ExtendedLocation: missing_feature test_reflection_injection.py: TestReflectionInjection: v2.48.0 TestReflectionInjection_StackTrace: missing_feature + TestReflectionInjection_ExtendedLocation: missing_feature test_sql_injection.py: TestSqlInjection: '*': v2.23.0 TestSqlInjection_StackTrace: missing_feature + 
TestSqlInjection_ExtendedLocation: missing_feature test_ssrf.py: TestSSRF: v2.36.0 TestSSRF_StackTrace: missing_feature + TestSSRF_ExtendedLocation: missing_feature test_template_injection.py: TestTemplateInjection: missing_feature test_trust_boundary_violation.py: Test_TrustBoundaryViolation: v2.43.0 Test_TrustBoundaryViolation_StackTrace: missing_feature + Test_TrustBoundaryViolation_ExtendedLocation: missing_feature test_untrusted_deserialization.py: TestUntrustedDeserialization: missing_feature TestUntrustedDeserialization_StackTrace: missing_feature + TestUntrustedDeserialization_ExtendedLocation: missing_feature test_unvalidated_redirect.py: TestUnvalidatedHeader: v2.44.0 TestUnvalidatedHeader_StackTrace: missing_feature + TestUnvalidatedHeader_ExtendedLocation: missing_feature TestUnvalidatedRedirect: v2.44.0 TestUnvalidatedRedirect_StackTrace: missing_feature + TestUnvalidatedRedirect_ExtendedLocation: missing_feature test_unvalidated_redirect_forward.py: TestUnvalidatedForward: missing_feature TestUnvalidatedForward_StackTrace: missing_feature + TestUnvalidatedForward_ExtendedLocation: missing_feature test_weak_cipher.py: TestWeakCipher: v2.24.0 TestWeakCipher_StackTrace: missing_feature + TestWeakCipher_ExtendedLocation: missing_feature test_weak_hash.py: TestDeduplication: v2.24.0 TestWeakHash: v2.24.0 TestWeakHash_StackTrace: missing_feature + TestWeakHash_ExtendedLocation: missing_feature test_weak_randomness.py: TestWeakRandomness: v2.39.0 TestWeakRandomness_StackTrace: missing_feature + TestWeakRandomness_ExtendedLocation: missing_feature test_xcontent_sniffing.py: Test_XContentSniffing: missing_feature Test_XContentSniffing_StackTrace: missing_feature + Test_XContentSniffing_ExtendedLocation: missing_feature test_xpath_injection.py: TestXPathInjection: v2.47.0 TestXPathInjection_StackTrace: missing_feature + TestXPathInjection_ExtendedLocation: missing_feature test_xss.py: TestXSS: missing_feature TestXSS_StackTrace: missing_feature + 
TestXSS_ExtendedLocation: missing_feature source/: test_body.py: TestRequestBody: v2.39.0 diff --git a/manifests/golang.yml b/manifests/golang.yml index 5b8c24e73a0..db0df04d33f 100644 --- a/manifests/golang.yml +++ b/manifests/golang.yml @@ -43,19 +43,24 @@ tests/: test_code_injection.py: TestCodeInjection: missing_feature TestCodeInjection_StackTrace: missing_feature + TestCodeInjection_ExtendedLocation: missing_feature test_command_injection.py: TestCommandInjection: missing_feature TestCommandInjection_StackTrace: missing_feature + TestCommandInjection_ExtendedLocation: missing_feature test_email_html_injection.py: TestEmailHtmlInjection: missing_feature TestEmailHtmlInjection_StackTrace: missing_feature + TestEmailHtmlInjection_ExtendedLocation: missing_feature test_hardcoded_passwords.py: Test_HardcodedPasswords: missing_feature Test_HardcodedPasswords_StackTrace: missing_feature + Test_HardcodedPasswords_ExtendedLocation: missing_feature test_hardcoded_secrets.py: Test_HardcodedSecrets: missing_feature Test_HardcodedSecretsExtended: missing_feature Test_HardcodedSecrets_StackTrace: missing_feature + Test_HardcodedSecrets_ExtendedLocation: missing_feature test_header_injection.py: TestHeaderInjection: missing_feature TestHeaderInjectionExclusionAccessControlAllow: missing_feature 
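Review bot: No `TestTemplateInjection_ExtendedLocation` entry is added under `test_template_injection.py:` in this hunk, although the diffstat shows `tests/appsec/iast/sink/test_template_injection.py` changed by the same amount as the sink files that did get a manifest entry. If that file gains an `_ExtendedLocation` class like the others, it is left undeclared here and the framework's default for an unlisted class will apply, which is presumably not the intended `missing_feature` gating. The same gap appears in the golang, java, nodejs, php and python manifest hunks. Either add `TestTemplateInjection_ExtendedLocation: missing_feature` next to the existing `TestTemplateInjection` line in each manifest, or leave a short comment in the test file stating why template injection has no extended-location variant.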
@@ -63,78 +68,101 @@ tests/: TestHeaderInjectionExclusionPragma: missing_feature TestHeaderInjectionExclusionTransferEncoding: missing_feature TestHeaderInjection_StackTrace: missing_feature + TestHeaderInjection_ExtendedLocation: missing_feature test_hsts_missing_header.py: Test_HstsMissingHeader: missing_feature Test_HstsMissingHeader_StackTrace: missing_feature + Test_HstsMissingHeader_ExtendedLocation: missing_feature test_insecure_auth_protocol.py: Test_InsecureAuthProtocol: missing_feature Test_InsecureAuthProtocol_StackTrace: missing_feature + Test_InsecureAuthProtocol_ExtendedLocation: missing_feature test_insecure_cookie.py: TestInsecureCookie: missing_feature TestInsecureCookieNameFilter: missing_feature TestInsecureCookie_StackTrace: missing_feature + TestInsecureCookie_ExtendedLocation: missing_feature test_ldap_injection.py: TestLDAPInjection: missing_feature TestLDAPInjection_StackTrace: missing_feature + TestLDAPInjection_ExtendedLocation: missing_feature test_no_httponly_cookie.py: TestNoHttponlyCookie: missing_feature TestNoHttponlyCookieNameFilter: missing_feature TestNoHttponlyCookie_StackTrace: missing_feature + TestNoHttponlyCookie_ExtendedLocation: missing_feature test_no_samesite_cookie.py: TestNoSamesiteCookie: missing_feature TestNoSamesiteCookieNameFilter: missing_feature TestNoSamesiteCookie_StackTrace: missing_feature + TestNoSamesiteCookie_ExtendedLocation: missing_feature test_nosql_mongodb_injection.py: TestNoSqlMongodbInjection: missing_feature TestNoSqlMongodbInjection_StackTrace: missing_feature + TestNoSqlMongodbInjection_ExtendedLocation: missing_feature test_path_traversal.py: TestPathTraversal: missing_feature TestPathTraversal_StackTrace: missing_feature + TestPathTraversal_ExtendedLocation: missing_feature test_reflection_injection.py: TestReflectionInjection: missing_feature TestReflectionInjection_StackTrace: missing_feature + TestReflectionInjection_ExtendedLocation: missing_feature test_sql_injection.py: TestSqlInjection: 
missing_feature TestSqlInjection_StackTrace: missing_feature + TestSqlInjection_ExtendedLocation: missing_feature test_ssrf.py: TestSSRF: missing_feature TestSSRF_StackTrace: missing_feature + TestSSRF_ExtendedLocation: missing_feature test_template_injection.py: TestTemplateInjection: missing_feature test_trust_boundary_violation.py: Test_TrustBoundaryViolation: missing_feature Test_TrustBoundaryViolation_StackTrace: missing_feature + Test_TrustBoundaryViolation_ExtendedLocation: missing_feature test_untrusted_deserialization.py: TestUntrustedDeserialization: missing_feature TestUntrustedDeserialization_StackTrace: missing_feature + TestUntrustedDeserialization_ExtendedLocation: missing_feature test_unvalidated_redirect.py: TestUnvalidatedHeader: missing_feature TestUnvalidatedHeader_StackTrace: missing_feature + TestUnvalidatedHeader_ExtendedLocation: missing_feature TestUnvalidatedRedirect: missing_feature TestUnvalidatedRedirect_StackTrace: missing_feature + TestUnvalidatedRedirect_ExtendedLocation: missing_feature test_unvalidated_redirect_forward.py: TestUnvalidatedForward: missing_feature TestUnvalidatedForward_StackTrace: missing_feature + TestUnvalidatedForward_ExtendedLocation: missing_feature test_weak_cipher.py: TestWeakCipher: missing_feature TestWeakCipher_StackTrace: missing_feature + TestWeakCipher_ExtendedLocation: missing_feature test_weak_hash.py: TestDeduplication: missing_feature TestWeakHash: missing_feature TestWeakHash_StackTrace: missing_feature + TestWeakHash_ExtendedLocation: missing_feature test_weak_randomness.py: TestWeakRandomness: missing_feature TestWeakRandomness_StackTrace: missing_feature + TestWeakRandomness_ExtendedLocation: missing_feature test_xcontent_sniffing.py: Test_XContentSniffing: missing_feature Test_XContentSniffing_StackTrace: missing_feature + Test_XContentSniffing_ExtendedLocation: missing_feature test_xpath_injection.py: TestXPathInjection: missing_feature TestXPathInjection_StackTrace: missing_feature + 
TestXPathInjection_ExtendedLocation: missing_feature test_xss.py: TestXSS: '*': missing_feature TestXSS_StackTrace: missing_feature + TestXSS_ExtendedLocation: missing_feature source/: test_body.py: TestRequestBody: missing_feature diff --git a/manifests/java.yml b/manifests/java.yml index 8d1aab57d07..c8d51bc3ecf 100644 --- a/manifests/java.yml +++ b/manifests/java.yml @@ -62,6 +62,7 @@ tests/: test_code_injection.py: TestCodeInjection: missing_feature TestCodeInjection_StackTrace: missing_feature + TestCodeInjection_ExtendedLocation: missing_feature test_command_injection.py: TestCommandInjection: '*': v1.1.0 @@ -78,12 +79,15 @@ tests/: play: missing_feature ratpack: missing_feature spring-boot-3-native: missing_feature (GraalVM. Tracing support only) + TestCommandInjection_ExtendedLocation: missing_feature test_email_html_injection.py: TestEmailHtmlInjection: missing_feature TestEmailHtmlInjection_StackTrace: missing_feature + TestEmailHtmlInjection_ExtendedLocation: missing_feature test_hardcoded_passwords.py: Test_HardcodedPasswords: missing_feature Test_HardcodedPasswords_StackTrace: missing_feature + Test_HardcodedPasswords_ExtendedLocation: missing_feature test_hardcoded_secrets.py: Test_HardcodedSecrets: '*': missing_feature @@ -96,6 +100,7 @@ tests/: uds-spring-boot: v1.29.0 Test_HardcodedSecretsExtended: missing_feature Test_HardcodedSecrets_StackTrace: irrelevant (not expected to have a stack trace) + Test_HardcodedSecrets_ExtendedLocation: missing_feature test_header_injection.py: TestHeaderInjection: '*': missing_feature @@ -119,6 +124,7 @@ tests/: spring-boot-undertow: v1.43.0 spring-boot-wildfly: v1.43.0 uds-spring-boot: v1.43.0 + TestHeaderInjection_ExtendedLocation: missing_feature test_hsts_missing_header.py: Test_HstsMissingHeader: '*': v1.20.0 
@@ -132,6 +138,7 @@ tests/: vertx3: missing_feature vertx4: missing_feature Test_HstsMissingHeader_StackTrace: irrelevant (not expected to have a stack trace) + Test_HstsMissingHeader_ExtendedLocation: missing_feature test_insecure_auth_protocol.py: Test_InsecureAuthProtocol: '*': v1.30.0 @@ -147,6 +154,7 @@ tests/: ratpack: missing_feature spring-boot-3-native: missing_feature (GraalVM. Tracing support only) spring-boot-openliberty: bug (APPSEC-54981) + Test_InsecureAuthProtocol_ExtendedLocation: missing_feature test_insecure_cookie.py: TestInsecureCookie: '*': v1.18.0 @@ -161,6 +169,7 @@ tests/: play: missing_feature ratpack: missing_feature spring-boot-3-native: missing_feature + TestInsecureCookie_ExtendedLocation: missing_feature test_ldap_injection.py: TestLDAPInjection: '*': v1.3.0 @@ -177,6 +186,7 @@ tests/: play: missing_feature (endpoint not implemented) ratpack: missing_feature (endpoint not implemented) spring-boot-3-native: missing_feature (GraalVM. Tracing support only) + TestLDAPInjection_ExtendedLocation: missing_feature test_no_httponly_cookie.py: TestNoHttponlyCookie: '*': v1.18.0 @@ -191,6 +201,7 @@ tests/: play: missing_feature ratpack: missing_feature spring-boot-3-native: missing_feature + TestNoHttponlyCookie_ExtendedLocation: missing_feature test_no_samesite_cookie.py: TestNoSamesiteCookie: '*': v1.18.0 @@ -205,9 +216,11 @@ tests/: play: missing_feature ratpack: missing_feature spring-boot-3-native: missing_feature + TestNoSamesiteCookie_ExtendedLocation: missing_feature test_nosql_mongodb_injection.py: TestNoSqlMongodbInjection: missing_feature TestNoSqlMongodbInjection_StackTrace: missing_feature + TestNoSqlMongodbInjection_ExtendedLocation: missing_feature test_path_traversal.py: TestPathTraversal: '*': v1.1.0 
@@ -223,6 +236,7 @@ tests/: play: missing_feature ratpack: missing_feature spring-boot-3-native: missing_feature (GraalVM. Tracing support only) + TestPathTraversal_ExtendedLocation: missing_feature test_reflection_injection.py: TestReflectionInjection: '*': v1.31.0 @@ -236,6 +250,7 @@ tests/: play: missing_feature ratpack: missing_feature spring-boot-3-native: missing_feature (GraalVM. Tracing support only) + TestReflectionInjection_ExtendedLocation: missing_feature test_sql_injection.py: TestSqlInjection: '*': v1.1.0 @@ -251,6 +266,7 @@ tests/: play: missing_feature ratpack: missing_feature spring-boot-3-native: missing_feature (GraalVM. Tracing support only) + TestSqlInjection_ExtendedLocation: missing_feature test_ssrf.py: TestSSRF: '*': v1.13.0 @@ -266,6 +282,7 @@ tests/: ratpack: missing_feature (No endpoint implemented) spring-boot-3-native: missing_feature (GraalVM. Tracing support only) vertx4: missing_feature (No endpoint implemented) + TestSSRF_ExtendedLocation: missing_feature test_template_injection.py: TestTemplateInjection: missing_feature test_trust_boundary_violation.py: @@ -289,6 +306,7 @@ tests/: spring-boot-3-native: missing_feature (GraalVM. Tracing support only) vertx3: missing_feature vertx4: missing_feature + Test_TrustBoundaryViolation_ExtendedLocation: missing_feature test_untrusted_deserialization.py: TestUntrustedDeserialization: '*': v1.38.0 @@ -310,6 +328,7 @@ tests/: spring-boot-3-native: missing_feature (No endpoint implemented) vertx3: missing_feature (No endpoint implemented) vertx4: missing_feature (No endpoint implemented) + TestUntrustedDeserialization_ExtendedLocation: missing_feature test_unvalidated_redirect.py: TestUnvalidatedHeader: '*': v1.15.0 @@ -326,6 +345,7 @@ tests/: play: missing_feature ratpack: missing_feature spring-boot-3-native: missing_feature (GraalVM. Tracing support only) + TestUnvalidatedHeader_ExtendedLocation: missing_feature TestUnvalidatedRedirect: '*': v1.15.0 akka-http: missing_feature 
@@ -340,6 +360,7 @@ tests/: play: missing_feature ratpack: missing_feature spring-boot-3-native: missing_feature (GraalVM. Tracing support only) + TestUnvalidatedRedirect_ExtendedLocation: missing_feature test_unvalidated_redirect_forward.py: TestUnvalidatedForward: '*': v1.15.0 @@ -359,6 +380,7 @@ tests/: ratpack: irrelevant (No forward) resteasy-netty3: irrelevant (No forward) spring-boot-3-native: missing_feature (GraalVM. Tracing support only) + TestUnvalidatedForward_ExtendedLocation: missing_feature test_weak_cipher.py: TestWeakCipher: '*': v0.108.0 @@ -368,6 +390,7 @@ tests/: '*': v1.43.0 play: missing_feature (no endpoint) spring-boot-3-native: missing_feature (GraalVM. Tracing support only) + TestWeakCipher_ExtendedLocation: missing_feature test_weak_hash.py: TestDeduplication: '*': v0.108.0 @@ -381,6 +404,7 @@ tests/: '*': v1.43.0 play: missing_feature (no endpoint) spring-boot-3-native: missing_feature (GraalVM. Tracing support only) + TestWeakHash_ExtendedLocation: missing_feature test_weak_randomness.py: TestWeakRandomness: '*': v1.15.0 @@ -390,6 +414,7 @@ tests/: '*': v1.43.0 play: missing_feature (no endpoint) spring-boot-3-native: missing_feature (GraalVM. Tracing support only) + TestWeakRandomness_ExtendedLocation: missing_feature test_xcontent_sniffing.py: Test_XContentSniffing: '*': v1.22.0 @@ -403,6 +428,7 @@ tests/: vertx3: missing_feature vertx4: missing_feature Test_XContentSniffing_StackTrace: irrelevant (not expected to have a stack trace) + Test_XContentSniffing_ExtendedLocation: missing_feature test_xpath_injection.py: TestXPathInjection: '*': v1.18.0 @@ -414,6 +440,7 @@ tests/: play: missing_feature ratpack: missing_feature spring-boot-3-native: missing_feature + TestXPathInjection_ExtendedLocation: missing_feature test_xss.py: TestXSS: '*': v1.19.0 
@@ -435,6 +462,7 @@ tests/: spring-boot-3-native: missing_feature (GraalVM. Tracing support only) vertx3: missing_feature vertx4: missing_feature + TestXSS_ExtendedLocation: missing_feature source/: test_body.py: TestRequestBody: diff --git a/manifests/nodejs.yml b/manifests/nodejs.yml index a3f8c1de909..28d2d9f8f7c 100644 --- a/manifests/nodejs.yml +++ b/manifests/nodejs.yml @@ -101,6 +101,7 @@ tests/: TestCodeInjection_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature + TestCodeInjection_ExtendedLocation: missing_feature test_command_injection.py: TestCommandInjection: '*': *ref_3_11_0 @@ -108,14 +109,17 @@ tests/: TestCommandInjection_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature + TestCommandInjection_ExtendedLocation: missing_feature test_email_html_injection.py: TestEmailHtmlInjection: missing_feature TestEmailHtmlInjection_StackTrace: missing_feature + TestEmailHtmlInjection_ExtendedLocation: missing_feature test_hardcoded_passwords.py: Test_HardcodedPasswords: '*': *ref_5_13_0 nextjs: missing_feature Test_HardcodedPasswords_StackTrace: missing_feature + Test_HardcodedPasswords_ExtendedLocation: missing_feature test_hardcoded_secrets.py: Test_HardcodedSecrets: '*': *ref_4_18_0 @@ -124,6 +128,7 @@ tests/: '*': *ref_5_11_0 nextjs: missing_feature Test_HardcodedSecrets_StackTrace: missing_feature + Test_HardcodedSecrets_ExtendedLocation: missing_feature test_header_injection.py: TestHeaderInjection: '*': *ref_4_21_0 
@@ -147,14 +152,17 @@ tests/: TestHeaderInjection_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature + TestHeaderInjection_ExtendedLocation: missing_feature test_hsts_missing_header.py: Test_HstsMissingHeader: '*': *ref_4_8_0 nextjs: missing_feature Test_HstsMissingHeader_StackTrace: missing_feature + Test_HstsMissingHeader_ExtendedLocation: missing_feature test_insecure_auth_protocol.py: Test_InsecureAuthProtocol: missing_feature Test_InsecureAuthProtocol_StackTrace: missing_feature + Test_InsecureAuthProtocol_ExtendedLocation: missing_feature test_insecure_cookie.py: TestInsecureCookie: '*': *ref_4_1_0 @@ -165,6 +173,7 @@ tests/: TestInsecureCookie_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature + TestInsecureCookie_ExtendedLocation: missing_feature test_ldap_injection.py: TestLDAPInjection: '*': *ref_4_1_0 @@ -172,6 +181,7 @@ tests/: TestLDAPInjection_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature + TestLDAPInjection_ExtendedLocation: missing_feature test_no_httponly_cookie.py: TestNoHttponlyCookie: '*': *ref_4_3_0 @@ -182,6 +192,7 @@ tests/: TestNoHttponlyCookie_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature + TestNoHttponlyCookie_ExtendedLocation: missing_feature test_no_samesite_cookie.py: TestNoSamesiteCookie: '*': *ref_4_3_0 @@ -192,6 +203,7 @@ tests/: TestNoSamesiteCookie_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature + TestNoSamesiteCookie_ExtendedLocation: missing_feature test_nosql_mongodb_injection.py: TestNoSqlMongodbInjection: '*': *ref_4_17_0 @@ -199,6 +211,7 @@ tests/: TestNoSqlMongodbInjection_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature + TestNoSqlMongodbInjection_ExtendedLocation: missing_feature test_path_traversal.py: TestPathTraversal: '*': *ref_3_19_0 
@@ -206,9 +219,11 @@ tests/: TestPathTraversal_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature + TestPathTraversal_ExtendedLocation: missing_feature test_reflection_injection.py: TestReflectionInjection: missing_feature TestReflectionInjection_StackTrace: missing_feature + TestReflectionInjection_ExtendedLocation: missing_feature test_sql_injection.py: TestSqlInjection: '*': *ref_3_11_0 @@ -216,6 +231,7 @@ tests/: TestSqlInjection_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature + TestSqlInjection_ExtendedLocation: missing_feature test_ssrf.py: TestSSRF: '*': *ref_4_1_0 @@ -223,6 +239,7 @@ tests/: TestSSRF_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature + TestSSRF_ExtendedLocation: missing_feature test_template_injection.py: TestTemplateInjection: '*': *ref_5_26_0 @@ -230,11 +247,13 @@ tests/: test_trust_boundary_violation.py: Test_TrustBoundaryViolation: missing_feature Test_TrustBoundaryViolation_StackTrace: missing_feature + Test_TrustBoundaryViolation_ExtendedLocation: missing_feature test_untrusted_deserialization.py: TestUntrustedDeserialization: '*': *ref_5_32_0 nextjs: missing_feature TestUntrustedDeserialization_StackTrace: missing_feature + TestUntrustedDeserialization_ExtendedLocation: missing_feature test_unvalidated_redirect.py: TestUnvalidatedHeader: '*': *ref_4_3_0 @@ -242,15 +261,17 @@ tests/: TestUnvalidatedHeader_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature + TestUnvalidatedHeader_ExtendedLocation: missing_feature TestUnvalidatedRedirect: '*': *ref_4_3_0 nextjs: missing_feature TestUnvalidatedRedirect_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature + TestUnvalidatedRedirect_ExtendedLocation: missing_feature test_unvalidated_redirect_forward.py: TestUnvalidatedForward: missing_feature - TestUnvalidatedForward_StackTrace: missing_feature + TestUnvalidatedForward_ExtendedLocation: missing_feature test_weak_cipher.py: TestWeakCipher: '*': *ref_3_6_0 
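Review bot: The `@@ -242,15 +261,17 @@` hunk replaces `TestUnvalidatedForward_StackTrace: missing_feature` with the new `_ExtendedLocation` line instead of adding the new line beside it, which is the only deletion in this manifest and is not mirrored in the dotnet, golang, php or python manifests, where the StackTrace entry is kept. Unless `TestUnvalidatedForward_StackTrace` was removed from the test file, dropping its manifest entry changes how that class is gated for nodejs and looks accidental. Keep both lines: `TestUnvalidatedForward_StackTrace: missing_feature` followed by `TestUnvalidatedForward_ExtendedLocation: missing_feature`.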
@@ -258,6 +279,7 @@ tests/: TestWeakCipher_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature + TestWeakCipher_ExtendedLocation: missing_feature test_weak_hash.py: TestDeduplication: '*': *ref_3_11_0 @@ -268,6 +290,7 @@ tests/: TestWeakHash_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature + TestWeakHash_ExtendedLocation: missing_feature test_weak_randomness.py: TestWeakRandomness: '*': *ref_5_1_0 @@ -275,17 +298,21 @@ tests/: TestWeakRandomness_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature + TestWeakRandomness_ExtendedLocation: missing_feature test_xcontent_sniffing.py: Test_XContentSniffing: '*': *ref_4_8_0 nextjs: missing_feature Test_XContentSniffing_StackTrace: missing_feature + Test_XContentSniffing_ExtendedLocation: missing_feature test_xpath_injection.py: TestXPathInjection: missing_feature TestXPathInjection_StackTrace: missing_feature + TestXPathInjection_ExtendedLocation: missing_feature test_xss.py: TestXSS: missing_feature TestXSS_StackTrace: missing_feature + TestXSS_ExtendedLocation: missing_feature source/: test_body.py: TestRequestBody: diff --git a/manifests/php.yml b/manifests/php.yml index 9800e5def28..281a4d3bcdc 100644 --- a/manifests/php.yml +++ b/manifests/php.yml 
@@ -27,19 +27,24 @@ tests/: test_code_injection.py: TestCodeInjection: missing_feature TestCodeInjection_StackTrace: missing_feature + TestCodeInjection_ExtendedLocation: missing_feature test_command_injection.py: TestCommandInjection: missing_feature TestCommandInjection_StackTrace: missing_feature + TestCommandInjection_ExtendedLocation: missing_feature test_email_html_injection.py: TestEmailHtmlInjection: missing_feature TestEmailHtmlInjection_StackTrace: missing_feature + TestEmailHtmlInjection_ExtendedLocation: missing_feature test_hardcoded_passwords.py: Test_HardcodedPasswords: missing_feature Test_HardcodedPasswords_StackTrace: missing_feature + Test_HardcodedPasswords_ExtendedLocation: missing_feature test_hardcoded_secrets.py: Test_HardcodedSecrets: missing_feature Test_HardcodedSecretsExtended: missing_feature Test_HardcodedSecrets_StackTrace: missing_feature + Test_HardcodedSecrets_ExtendedLocation: missing_feature test_header_injection.py: TestHeaderInjection: missing_feature TestHeaderInjectionExclusionAccessControlAllow: missing_feature 
@@ -47,78 +52,101 @@ tests/: TestHeaderInjectionExclusionPragma: missing_feature TestHeaderInjectionExclusionTransferEncoding: missing_feature TestHeaderInjection_StackTrace: missing_feature + TestHeaderInjection_ExtendedLocation: missing_feature test_hsts_missing_header.py: Test_HstsMissingHeader: missing_feature Test_HstsMissingHeader_StackTrace: missing_feature + Test_HstsMissingHeader_ExtendedLocation: missing_feature test_insecure_auth_protocol.py: Test_InsecureAuthProtocol: missing_feature Test_InsecureAuthProtocol_StackTrace: missing_feature + Test_InsecureAuthProtocol_ExtendedLocation: missing_feature test_insecure_cookie.py: TestInsecureCookie: missing_feature TestInsecureCookieNameFilter: missing_feature TestInsecureCookie_StackTrace: missing_feature + TestInsecureCookie_ExtendedLocation: missing_feature test_ldap_injection.py: TestLDAPInjection: missing_feature TestLDAPInjection_StackTrace: missing_feature + TestLDAPInjection_ExtendedLocation: missing_feature test_no_httponly_cookie.py: TestNoHttponlyCookie: missing_feature TestNoHttponlyCookieNameFilter: missing_feature TestNoHttponlyCookie_StackTrace: missing_feature + TestNoHttponlyCookie_ExtendedLocation: missing_feature test_no_samesite_cookie.py: TestNoSamesiteCookie: missing_feature TestNoSamesiteCookieNameFilter: missing_feature TestNoSamesiteCookie_StackTrace: missing_feature + TestNoSamesiteCookie_ExtendedLocation: missing_feature test_nosql_mongodb_injection.py: TestNoSqlMongodbInjection: missing_feature TestNoSqlMongodbInjection_StackTrace: missing_feature + TestNoSqlMongodbInjection_ExtendedLocation: missing_feature test_path_traversal.py: TestPathTraversal: missing_feature TestPathTraversal_StackTrace: missing_feature + TestPathTraversal_ExtendedLocation: missing_feature test_reflection_injection.py: TestReflectionInjection: missing_feature TestReflectionInjection_StackTrace: missing_feature + TestReflectionInjection_ExtendedLocation: missing_feature test_sql_injection.py: TestSqlInjection: 
missing_feature TestSqlInjection_StackTrace: missing_feature + TestSqlInjection_ExtendedLocation: missing_feature test_ssrf.py: TestSSRF: missing_feature TestSSRF_StackTrace: missing_feature + TestSSRF_ExtendedLocation: missing_feature test_template_injection.py: TestTemplateInjection: missing_feature test_trust_boundary_violation.py: Test_TrustBoundaryViolation: missing_feature Test_TrustBoundaryViolation_StackTrace: missing_feature + Test_TrustBoundaryViolation_ExtendedLocation: missing_feature test_untrusted_deserialization.py: TestUntrustedDeserialization: missing_feature TestUntrustedDeserialization_StackTrace: missing_feature + TestUntrustedDeserialization_ExtendedLocation: missing_feature test_unvalidated_redirect.py: TestUnvalidatedHeader: missing_feature TestUnvalidatedHeader_StackTrace: missing_feature + TestUnvalidatedHeader_ExtendedLocation: missing_feature TestUnvalidatedRedirect: missing_feature TestUnvalidatedRedirect_StackTrace: missing_feature + TestUnvalidatedRedirect_ExtendedLocation: missing_feature test_unvalidated_redirect_forward.py: TestUnvalidatedForward: missing_feature TestUnvalidatedForward_StackTrace: missing_feature + TestUnvalidatedForward_ExtendedLocation: missing_feature test_weak_cipher.py: TestWeakCipher: missing_feature TestWeakCipher_StackTrace: missing_feature + TestWeakCipher_ExtendedLocation: missing_feature test_weak_hash.py: TestDeduplication: missing_feature TestWeakHash: missing_feature TestWeakHash_StackTrace: missing_feature + TestWeakHash_ExtendedLocation: missing_feature test_weak_randomness.py: TestWeakRandomness: missing_feature TestWeakRandomness_StackTrace: missing_feature + TestWeakRandomness_ExtendedLocation: missing_feature test_xcontent_sniffing.py: Test_XContentSniffing: missing_feature Test_XContentSniffing_StackTrace: missing_feature + Test_XContentSniffing_ExtendedLocation: missing_feature test_xpath_injection.py: TestXPathInjection: missing_feature TestXPathInjection_StackTrace: missing_feature + 
TestXPathInjection_ExtendedLocation: missing_feature test_xss.py: TestXSS: '*': missing_feature TestXSS_StackTrace: missing_feature + TestXSS_ExtendedLocation: missing_feature source/: test_body.py: TestRequestBody: missing_feature diff --git a/manifests/python.yml b/manifests/python.yml index 349ac2565ab..74564560608 100644 --- a/manifests/python.yml +++ b/manifests/python.yml @@ -52,21 +52,26 @@ tests/: test_code_injection.py: TestCodeInjection: v2.20.0 TestCodeInjection_StackTrace: v2.20.0 + TestCodeInjection_ExtendedLocation: missing_feature test_command_injection.py: TestCommandInjection: '*': v2.10.0 fastapi: v2.15.0 TestCommandInjection_StackTrace: v2.19.0.dev + TestCommandInjection_ExtendedLocation: missing_feature test_email_html_injection.py: TestEmailHtmlInjection: missing_feature TestEmailHtmlInjection_StackTrace: missing_feature + TestEmailHtmlInjection_ExtendedLocation: missing_feature test_hardcoded_passwords.py: Test_HardcodedPasswords: missing_feature Test_HardcodedPasswords_StackTrace: missing_feature + Test_HardcodedPasswords_ExtendedLocation: missing_feature test_hardcoded_secrets.py: Test_HardcodedSecrets: missing_feature Test_HardcodedSecretsExtended: missing_feature Test_HardcodedSecrets_StackTrace: missing_feature + Test_HardcodedSecrets_ExtendedLocation: missing_feature test_header_injection.py: TestHeaderInjection: '*': v2.10.0 
@@ -78,44 +83,54 @@ tests/: TestHeaderInjection_StackTrace: '*': v2.19.0.dev fastapi: v2.20.0.dev + TestHeaderInjection_ExtendedLocation: missing_feature test_hsts_missing_header.py: Test_HstsMissingHeader: missing_feature Test_HstsMissingHeader_StackTrace: missing_feature + Test_HstsMissingHeader_ExtendedLocation: missing_feature test_insecure_auth_protocol.py: Test_InsecureAuthProtocol: missing_feature Test_InsecureAuthProtocol_StackTrace: missing_feature + Test_InsecureAuthProtocol_ExtendedLocation: missing_feature test_insecure_cookie.py: TestInsecureCookie: '*': v1.19.0 fastapi: v2.16.0-dev TestInsecureCookieNameFilter: missing_feature TestInsecureCookie_StackTrace: missing_feature + TestInsecureCookie_ExtendedLocation: missing_feature test_ldap_injection.py: TestLDAPInjection: missing_feature TestLDAPInjection_StackTrace: missing_feature + TestLDAPInjection_ExtendedLocation: missing_feature test_no_httponly_cookie.py: TestNoHttponlyCookie: '*': v1.19.0 fastapi: v2.16.0-dev TestNoHttponlyCookieNameFilter: missing_feature TestNoHttponlyCookie_StackTrace: missing_feature + TestNoHttponlyCookie_ExtendedLocation: missing_feature test_no_samesite_cookie.py: TestNoSamesiteCookie: '*': v1.19.0 fastapi: v2.16.0-dev TestNoSamesiteCookieNameFilter: missing_feature TestNoSamesiteCookie_StackTrace: missing_feature + TestNoSamesiteCookie_ExtendedLocation: missing_feature test_nosql_mongodb_injection.py: TestNoSqlMongodbInjection: missing_feature TestNoSqlMongodbInjection_StackTrace: missing_feature + TestNoSqlMongodbInjection_ExtendedLocation: missing_feature test_path_traversal.py: TestPathTraversal: '*': v2.10.0 fastapi: v2.15.0 TestPathTraversal_StackTrace: v2.19.0.dev + TestPathTraversal_ExtendedLocation: missing_feature test_reflection_injection.py: TestReflectionInjection: missing_feature TestReflectionInjection_StackTrace: missing_feature + TestReflectionInjection_ExtendedLocation: missing_feature test_sql_injection.py: TestSqlInjection: django-poc: v1.18.0 
@@ -124,51 +139,64 @@ tests/: pylons: missing_feature python3.12: v1.18.0 TestSqlInjection_StackTrace: v2.19.0.dev + TestSqlInjection_ExtendedLocation: missing_feature test_ssrf.py: TestSSRF: '*': v2.10.0 fastapi: v2.15.0 TestSSRF_StackTrace: v2.19.0.dev + TestSSRF_ExtendedLocation: missing_feature test_template_injection.py: TestTemplateInjection: missing_feature test_trust_boundary_violation.py: Test_TrustBoundaryViolation: missing_feature Test_TrustBoundaryViolation_StackTrace: missing_feature + Test_TrustBoundaryViolation_ExtendedLocation: missing_feature test_untrusted_deserialization.py: TestUntrustedDeserialization: missing_feature TestUntrustedDeserialization_StackTrace: missing_feature + TestUntrustedDeserialization_ExtendedLocation: missing_feature test_unvalidated_redirect.py: TestUnvalidatedHeader: missing_feature TestUnvalidatedHeader_StackTrace: missing_feature + TestUnvalidatedHeader_ExtendedLocation: missing_feature TestUnvalidatedRedirect: missing_feature TestUnvalidatedRedirect_StackTrace: missing_feature + TestUnvalidatedRedirect_ExtendedLocation: missing_feature test_unvalidated_redirect_forward.py: TestUnvalidatedForward: missing_feature TestUnvalidatedForward_StackTrace: missing_feature + TestUnvalidatedForward_ExtendedLocation: missing_feature test_weak_cipher.py: TestWeakCipher: '*': v1.18.0 fastapi: v2.15.0 TestWeakCipher_StackTrace: v2.19.0.dev + TestWeakCipher_ExtendedLocation: missing_feature test_weak_hash.py: TestDeduplication: '*': v1.18.0 TestWeakHash: '*': v1.18.0 TestWeakHash_StackTrace: v2.19.0.dev + TestWeakHash_ExtendedLocation: missing_feature test_weak_randomness.py: TestWeakRandomness: '*': v2.0.0 TestWeakRandomness_StackTrace: v2.19.0.dev + TestWeakRandomness_ExtendedLocation: missing_feature test_xcontent_sniffing.py: Test_XContentSniffing: missing_feature Test_XContentSniffing_StackTrace: missing_feature + Test_XContentSniffing_ExtendedLocation: missing_feature test_xpath_injection.py: TestXPathInjection: missing_feature 
TestXPathInjection_StackTrace: missing_feature + TestXPathInjection_ExtendedLocation: missing_feature test_xss.py: TestXSS: missing_feature TestXSS_StackTrace: missing_feature + TestXSS_ExtendedLocation: missing_feature source/: test_body.py: TestRequestBody: diff --git a/manifests/ruby.yml b/manifests/ruby.yml index 66d7d239363..d9b1d99d809 100644 --- a/manifests/ruby.yml +++ b/manifests/ruby.yml @@ -29,19 +29,24 @@ tests/: test_code_injection.py: TestCodeInjection: missing_feature TestCodeInjection_StackTrace: missing_feature + TestCodeInjection_ExtendedLocation: missing_feature test_command_injection.py: TestCommandInjection: missing_feature TestCommandInjection_StackTrace: missing_feature + TestCommandInjection_ExtendedLocation: missing_feature test_email_html_injection.py: TestEmailHtmlInjection: missing_feature TestEmailHtmlInjection_StackTrace: missing_feature + TestEmailHtmlInjection_ExtendedLocation: missing_feature test_hardcoded_passwords.py: Test_HardcodedPasswords: missing_feature Test_HardcodedPasswords_StackTrace: missing_feature + Test_HardcodedPasswords_ExtendedLocation: missing_feature test_hardcoded_secrets.py: Test_HardcodedSecrets: missing_feature Test_HardcodedSecretsExtended: missing_feature Test_HardcodedSecrets_StackTrace: missing_feature + Test_HardcodedSecrets_ExtendedLocation: missing_feature test_header_injection.py: TestHeaderInjection: missing_feature TestHeaderInjectionExclusionAccessControlAllow: missing_feature 
@@ -49,77 +54,100 @@ tests/: TestHeaderInjectionExclusionPragma: missing_feature TestHeaderInjectionExclusionTransferEncoding: missing_feature TestHeaderInjection_StackTrace: missing_feature + TestHeaderInjection_ExtendedLocation: missing_feature test_hsts_missing_header.py: Test_HstsMissingHeader: missing_feature Test_HstsMissingHeader_StackTrace: missing_feature + Test_HstsMissingHeader_ExtendedLocation: missing_feature test_insecure_auth_protocol.py: Test_InsecureAuthProtocol: missing_feature Test_InsecureAuthProtocol_StackTrace: missing_feature + Test_InsecureAuthProtocol_ExtendedLocation: missing_feature test_insecure_cookie.py: TestInsecureCookie: missing_feature TestInsecureCookieNameFilter: missing_feature TestInsecureCookie_StackTrace: missing_feature + TestInsecureCookie_ExtendedLocation: missing_feature test_ldap_injection.py: TestLDAPInjection: missing_feature TestLDAPInjection_StackTrace: missing_feature + TestLDAPInjection_ExtendedLocation: missing_feature test_no_httponly_cookie.py: TestNoHttponlyCookie: missing_feature TestNoHttponlyCookieNameFilter: missing_feature TestNoHttponlyCookie_StackTrace: missing_feature + TestNoHttponlyCookie_ExtendedLocation: missing_feature test_no_samesite_cookie.py: TestNoSamesiteCookie: missing_feature TestNoSamesiteCookieNameFilter: missing_feature TestNoSamesiteCookie_StackTrace: missing_feature + TestNoSamesiteCookie_ExtendedLocation: missing_feature test_nosql_mongodb_injection.py: TestNoSqlMongodbInjection: missing_feature TestNoSqlMongodbInjection_StackTrace: missing_feature + TestNoSqlMongodbInjection_ExtendedLocation: missing_feature test_path_traversal.py: TestPathTraversal: missing_feature TestPathTraversal_StackTrace: missing_feature + TestPathTraversal_ExtendedLocation: missing_feature test_reflection_injection.py: TestReflectionInjection: missing_feature TestReflectionInjection_StackTrace: missing_feature + TestReflectionInjection_ExtendedLocation: missing_feature test_sql_injection.py: TestSqlInjection: 
missing_feature TestSqlInjection_StackTrace: missing_feature + TestSqlInjection_ExtendedLocation: missing_feature test_ssrf.py: TestSSRF: missing_feature TestSSRF_StackTrace: missing_feature + TestSSRF_ExtendedLocation: missing_feature test_template_injection.py: TestTemplateInjection: missing_feature test_trust_boundary_violation.py: Test_TrustBoundaryViolation: missing_feature Test_TrustBoundaryViolation_StackTrace: missing_feature + Test_TrustBoundaryViolation_ExtendedLocation: missing_feature test_untrusted_deserialization.py: TestUntrustedDeserialization: missing_feature TestUntrustedDeserialization_StackTrace: missing_feature + TestUntrustedDeserialization_ExtendedLocation: missing_feature test_unvalidated_redirect.py: TestUnvalidatedHeader: missing_feature TestUnvalidatedHeader_StackTrace: missing_feature + TestUnvalidatedHeader_ExtendedLocation: missing_feature TestUnvalidatedRedirect: missing_feature TestUnvalidatedRedirect_StackTrace: missing_feature + TestUnvalidatedRedirect_ExtendedLocation: missing_feature test_unvalidated_redirect_forward.py: TestUnvalidatedForward: missing_feature TestUnvalidatedForward_StackTrace: missing_feature + TestUnvalidatedForward_ExtendedLocation: missing_feature test_weak_cipher.py: TestWeakCipher: missing_feature TestWeakCipher_StackTrace: missing_feature + TestWeakCipher_ExtendedLocation: missing_feature test_weak_hash.py: TestDeduplication: missing_feature TestWeakHash: missing_feature TestWeakHash_StackTrace: missing_feature + TestWeakHash_ExtendedLocation: missing_feature test_weak_randomness.py: TestWeakRandomness: missing_feature TestWeakRandomness_StackTrace: missing_feature + TestWeakRandomness_ExtendedLocation: missing_feature test_xcontent_sniffing.py: Test_XContentSniffing: missing_feature Test_XContentSniffing_StackTrace: missing_feature + Test_XContentSniffing_ExtendedLocation: missing_feature test_xpath_injection.py: TestXPathInjection: missing_feature TestXPathInjection_StackTrace: missing_feature + 
TestXPathInjection_ExtendedLocation: missing_feature test_xss.py: TestXSS: missing_feature TestXSS_StackTrace: missing_feature + TestXSS_ExtendedLocation: missing_feature source/: test_body.py: TestRequestBody: missing_feature diff --git a/tests/appsec/iast/sink/test_code_injection.py b/tests/appsec/iast/sink/test_code_injection.py index 2a9e0ee534b..38c0bccdeaf 100644 --- a/tests/appsec/iast/sink/test_code_injection.py +++ b/tests/appsec/iast/sink/test_code_injection.py @@ -2,8 +2,8 @@ # This product includes software developed at Datadog (https://www.datadoghq.com/). # Copyright 2021 Datadog, Inc. -from utils import context, missing_feature, features, rfc, weblog -from ..utils import BaseSinkTest, validate_stack_traces +from utils import missing_feature, features, rfc, weblog +from ..utils import BaseSinkTest, validate_stack_traces, validate_extended_location_data @features.iast_sink_code_injection @@ -36,3 +36,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "CODE_INJECTION" + + def setup_extended_location_data(self): + self.r = weblog.post("/iast/code_injection/test_insecure", data={"code": "1+2"}) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_command_injection.py b/tests/appsec/iast/sink/test_command_injection.py index 317367cb28a..171c2fa7cfc 100644 --- a/tests/appsec/iast/sink/test_command_injection.py +++ b/tests/appsec/iast/sink/test_command_injection.py 
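Review bot: The docstring of the new TestCodeInjection_ExtendedLocation class, `"""Test extended location data"""`, does not say what the test checks, and the same one-liner is reused by every class in this series. A more specific docstring, such as `"""Check that the CODE_INJECTION vulnerability reported for the insecure endpoint carries the extended location data described in the linked RFC."""`, would make the generated report readable. A short comment on the attribute, `# vulnerability type handed to validate_extended_location_data`, would also explain why `vulnerability_type` exists as class state rather than a local.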
@@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, features, rfc, weblog -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @features.iast_sink_command_injection @@ -48,3 +48,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "COMMAND_INJECTION" + + def setup_extended_location_data(self): + self.r = weblog.post("/iast/cmdi/test_insecure", data={"cmd": "ls"}) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_email_html_injection.py b/tests/appsec/iast/sink/test_email_html_injection.py index 740ecc7ec35..cb673057280 100644 --- a/tests/appsec/iast/sink/test_email_html_injection.py +++ b/tests/appsec/iast/sink/test_email_html_injection.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, features, weblog, rfc -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @features.iast_sink_email_html_injection 
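Review bot: The class added at the end of test_command_injection.py is named `TestCodeInjection_ExtendedLocation`, copied from test_code_injection.py, while the manifests in this patch (manifests/python.yml and manifests/ruby.yml here) key the entry as `TestCommandInjection_ExtendedLocation`; the same copied name appears in the new classes of test_email_html_injection.py, test_hardcoded_passwords.py, test_hardcoded_secrets.py, test_header_injection.py, test_hsts_missing_header.py, test_insecure_auth_protocol.py, test_insecure_cookie.py, test_ldap_injection.py, test_no_httponly_cookie.py, test_no_samesite_cookie.py, test_nosql_mongodb_injection.py, test_path_traversal.py, test_reflection_injection.py, test_sql_injection.py, test_ssrf.py, test_template_injection.py, test_trust_boundary_violation.py, test_untrusted_deserialization.py and test_unvalidated_redirect.py. Since manifest entries are keyed by class name, the `missing_feature` declarations presumably never attach to these classes, so the new tests would run (and fail) on libraries that do not implement the feature yet, and any manifest validation step would see unknown names. Each class should be renamed to its manifest key, here `class TestCommandInjection_ExtendedLocation:`.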
@@ -36,3 +36,19 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "EMAIL_HTML_INJECTION" + + def setup_extended_location_data(self): + self.r = weblog.post( + "/iast/email_html_injection/test_insecure", data={"username": "Josh", "email": "fakeemail@localhost"} + ) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_hardcoded_passwords.py b/tests/appsec/iast/sink/test_hardcoded_passwords.py index 6f6c58359dd..d3c6a30ec3e 100644 --- a/tests/appsec/iast/sink/test_hardcoded_passwords.py +++ b/tests/appsec/iast/sink/test_hardcoded_passwords.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import interfaces, weblog, features, context, rfc -from ..utils import validate_stack_traces +from ..utils import validate_extended_location_data, validate_stack_traces # Test_HardcodedPasswords doesn't inherit from BaseSinkTest # Hardcode passwords detection implementation change a lot between different languages @@ -71,3 +71,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "HARDCODED_PASSWORD" + + def setup_extended_location_data(self): + self.r = weblog.get("/iast/hardcoded_passwords/test_insecure") + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) 
diff --git a/tests/appsec/iast/sink/test_hardcoded_secrets.py b/tests/appsec/iast/sink/test_hardcoded_secrets.py index 28eda35e9f6..94bb78bb41d 100644 --- a/tests/appsec/iast/sink/test_hardcoded_secrets.py +++ b/tests/appsec/iast/sink/test_hardcoded_secrets.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import interfaces, weblog, features, context, rfc, weblog -from ..utils import validate_stack_traces +from ..utils import validate_extended_location_data, validate_stack_traces # Test_HardcodedSecrets and Test_HardcodedSecretsExtended don't inherit from BaseSinkTest # Hardcode secrets detection implementation change a lot between different languages @@ -99,3 +99,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "HARDCODED_SECRET" + + def setup_extended_location_data(self): + self.r = weblog.get("/iast/hardcoded_secrets/test_insecure") + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_header_injection.py b/tests/appsec/iast/sink/test_header_injection.py index 0804d74fd18..de857a167f3 100644 --- a/tests/appsec/iast/sink/test_header_injection.py +++ b/tests/appsec/iast/sink/test_header_injection.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, features, missing_feature, rfc, weblog -from ..utils import BaseSinkTest, validate_stack_traces, assert_iast_vulnerability +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces, assert_iast_vulnerability class _BaseTestHeaderInjectionReflectedExclusion: 
@@ -117,3 +117,17 @@ class TestHeaderInjectionExclusionTransferEncoding(_BaseTestHeaderInjectionRefle origin_header = "accept-encoding" reflected_header = "transfer-encoding" headers = {"accept-encoding": "foo, bar"} + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "HEADER_INJECTION" + + def setup_extended_location_data(self): + self.r = weblog.post("/iast/header_injection/test_insecure", data={"test": "dummyvalue"}) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_hsts_missing_header.py b/tests/appsec/iast/sink/test_hsts_missing_header.py index 1b372e52f52..f2030d79a8e 100644 --- a/tests/appsec/iast/sink/test_hsts_missing_header.py +++ b/tests/appsec/iast/sink/test_hsts_missing_header.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, features, rfc, weblog -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @features.iast_sink_hsts_missing_header @@ -39,3 +39,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "HSTS_HEADER_MISSING" + + def setup_extended_location_data(self): + self.r = weblog.get("/iast/hstsmissing/test_insecure", headers={"X-Forwarded-Proto": "https"}) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) 
diff --git a/tests/appsec/iast/sink/test_insecure_auth_protocol.py b/tests/appsec/iast/sink/test_insecure_auth_protocol.py index 754e682b191..195114edeef 100644 --- a/tests/appsec/iast/sink/test_insecure_auth_protocol.py +++ b/tests/appsec/iast/sink/test_insecure_auth_protocol.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, features, rfc, weblog -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @features.iast_sink_insecure_auth_protocol @@ -47,3 +47,22 @@ def setup_stack_trace(self): @missing_feature(library="java", reason="Not implemented yet") def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "INSECURE_AUTH_PROTOCOL" + + def setup_extended_location_data(self): + self.r = weblog.get( + "/iast/insecure-auth-protocol/test_insecure", + headers={ + "Authorization": 'Digest username="WATERFORD", realm="Users", nonce="c5rcvu346qavqf3hnmsrnqj5up", uri="/api/partner/validate", response="57c8d9f11ec7a2f1ab13c5e166b2c505"' + }, + ) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_insecure_cookie.py b/tests/appsec/iast/sink/test_insecure_cookie.py index 09f750aff7b..bb483db3e84 100644 --- a/tests/appsec/iast/sink/test_insecure_cookie.py +++ b/tests/appsec/iast/sink/test_insecure_cookie.py 
@@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, bug, weblog, features, rfc, scenarios, flaky -from ..utils import BaseSinkTest, BaseTestCookieNameFilter, validate_stack_traces +from ..utils import BaseSinkTest, BaseTestCookieNameFilter, validate_extended_location_data, validate_stack_traces @features.iast_sink_insecure_cookie @@ -62,3 +62,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "INSECURE_COOKIE" + + def setup_extended_location_data(self): + self.r = weblog.get("/iast/insecure-cookie/test_insecure") + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_ldap_injection.py b/tests/appsec/iast/sink/test_ldap_injection.py index 527fac132b4..6c3ced0b599 100644 --- a/tests/appsec/iast/sink/test_ldap_injection.py +++ b/tests/appsec/iast/sink/test_ldap_injection.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, features, rfc, weblog -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @features.iast_sink_ldap_injection 
@@ -42,3 +42,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "LDAP_INJECTION" + + def setup_extended_location_data(self): + self.r = weblog.post("/iast/ldapi/test_insecure", data={"username": "ssam", "password": "sammy"}) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_no_httponly_cookie.py b/tests/appsec/iast/sink/test_no_httponly_cookie.py index 819c921e370..54b10427858 100644 --- a/tests/appsec/iast/sink/test_no_httponly_cookie.py +++ b/tests/appsec/iast/sink/test_no_httponly_cookie.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, bug, weblog, features, rfc, scenarios, flaky -from ..utils import BaseSinkTest, BaseTestCookieNameFilter, validate_stack_traces +from ..utils import BaseSinkTest, BaseTestCookieNameFilter, validate_extended_location_data, validate_stack_traces @features.iast_sink_http_only_cookie @@ -62,3 +62,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "NO_HTTPONLY_COOKIE" + + def setup_extended_location_data(self): + self.r = weblog.get("/iast/no-httponly-cookie/test_insecure") + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_no_samesite_cookie.py b/tests/appsec/iast/sink/test_no_samesite_cookie.py index 28ccd6387cf..6ae149cc2d5 100644 
--- a/tests/appsec/iast/sink/test_no_samesite_cookie.py +++ b/tests/appsec/iast/sink/test_no_samesite_cookie.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, bug, weblog, features, rfc, scenarios, flaky -from ..utils import BaseSinkTest, BaseTestCookieNameFilter, validate_stack_traces +from ..utils import BaseSinkTest, BaseTestCookieNameFilter, validate_extended_location_data, validate_stack_traces @features.iast_sink_samesite_cookie @@ -62,3 +62,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "NO_SAMESITE_COOKIE" + + def setup_extended_location_data(self): + self.r = weblog.get("/iast/no-samesite-cookie/test_insecure") + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_nosql_mongodb_injection.py b/tests/appsec/iast/sink/test_nosql_mongodb_injection.py index 419df3636e8..dcdda8302eb 100644 --- a/tests/appsec/iast/sink/test_nosql_mongodb_injection.py +++ b/tests/appsec/iast/sink/test_nosql_mongodb_injection.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, scenarios, features, rfc, weblog -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @scenarios.integrations 
@@ -51,3 +51,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "NOSQL_MONGODB_INJECTION" + + def setup_extended_location_data(self): + self.r = weblog.post("/iast/mongodb-nosql-injection/test_insecure", data={"key": "somevalue"}) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_path_traversal.py b/tests/appsec/iast/sink/test_path_traversal.py index fd66fb82179..a1beb4d3067 100644 --- a/tests/appsec/iast/sink/test_path_traversal.py +++ b/tests/appsec/iast/sink/test_path_traversal.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, features, weblog, rfc -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @features.iast_sink_path_traversal @@ -48,3 +48,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "PATH_TRAVERSAL" + + def setup_extended_location_data(self): + self.r = weblog.post("/iast/path_traversal/test_insecure", data={"path": "/var/log"}) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_reflection_injection.py b/tests/appsec/iast/sink/test_reflection_injection.py index 4c32f4a2b9b..5504c7c3f9c 100644 --- a/tests/appsec/iast/sink/test_reflection_injection.py 
+++ b/tests/appsec/iast/sink/test_reflection_injection.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import missing_feature, features, rfc, weblog -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @features.iast_sink_reflection_injection @@ -40,3 +40,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "REFLECTION_INJECTION" + + def setup_extended_location_data(self): + self.r = weblog.post("/iast/reflection_injection/test_insecure", data={"param": "ReflectionInjection"}) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_sql_injection.py b/tests/appsec/iast/sink/test_sql_injection.py index 1747838537c..29bf6aa37f8 100644 --- a/tests/appsec/iast/sink/test_sql_injection.py +++ b/tests/appsec/iast/sink/test_sql_injection.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, features, bug, rfc, weblog -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @features.iast_sink_sql_injection 
@@ -53,3 +53,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "SQL_INJECTION" + + def setup_extended_location_data(self): + self.r = weblog.post("/iast/sqli/test_insecure", data={"username": "shaquille_oatmeal", "password": "123456"}) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_ssrf.py b/tests/appsec/iast/sink/test_ssrf.py index 75ec87dafdc..07fd6bee7a1 100644 --- a/tests/appsec/iast/sink/test_ssrf.py +++ b/tests/appsec/iast/sink/test_ssrf.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import bug, context, missing_feature, features, rfc, weblog -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @features.iast_sink_ssrf @@ -48,3 +48,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "SSRF" + + def setup_extended_location_data(self): + self.r = weblog.post("/iast/ssrf/test_insecure", data={"url": "https://www.datadoghq.com"}) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_template_injection.py b/tests/appsec/iast/sink/test_template_injection.py index b54dea2d1d8..1485e3df162 100644 --- a/tests/appsec/iast/sink/test_template_injection.py +++ b/tests/appsec/iast/sink/test_template_injection.py 
@@ -2,8 +2,8 @@ # This product includes software developed at Datadog (https://www.datadoghq.com/). # Copyright 2021 Datadog, Inc. -from utils import features -from ..utils import BaseSinkTest +from utils import features, weblog, rfc +from ..utils import BaseSinkTest, validate_extended_location_data @features.iast_sink_template_injection @@ -16,3 +16,17 @@ class TestTemplateInjection(BaseSinkTest): secure_endpoint = "/iast/template_injection/test_secure" data = {"template": "Hello"} + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "TEMPLATE_INJECTION" + + def setup_extended_location_data(self): + self.r = weblog.post("/iast/template_injection/test_insecure", data={"template": "Hello"}) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_trust_boundary_violation.py b/tests/appsec/iast/sink/test_trust_boundary_violation.py index ede2601f657..6cf9292ea6e 100644 --- a/tests/appsec/iast/sink/test_trust_boundary_violation.py +++ b/tests/appsec/iast/sink/test_trust_boundary_violation.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, features, rfc, weblog -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @features.iast_sink_trustboundaryviolation 
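Review bot: The new class in test_template_injection.py hard-codes `data={"template": "Hello"}`, duplicating the `data = {"template": "Hello"}` attribute visible on TestTemplateInjection a few lines above in the same hunk; reusing it keeps the two payloads in sync if one is changed later, `self.r = weblog.post("/iast/template_injection/test_insecure", data=TestTemplateInjection.data)`. The endpoint string could likely be shared the same way if TestTemplateInjection declares an insecure_endpoint attribute, but that line is outside the hunk.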
@@ -43,3 +43,20 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "TRUST_BOUNDARY_VIOLATION" + + def setup_extended_location_data(self): + self.r = weblog.get( + "/iast/trust-boundary-violation/test_insecure", + params={"username": "shaquille_oatmeal", "password": "123456"}, + ) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_untrusted_deserialization.py b/tests/appsec/iast/sink/test_untrusted_deserialization.py index ed6919a66ae..2e1f52ed2e3 100644 --- a/tests/appsec/iast/sink/test_untrusted_deserialization.py +++ b/tests/appsec/iast/sink/test_untrusted_deserialization.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import features, weblog, rfc -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @features.iast_sink_untrusted_deserialization @@ -32,3 +32,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "UNTRUSTED_DESERIALIZATION" + + def setup_extended_location_data(self): + self.r = weblog.get("/iast/untrusted_deserialization/test_insecure") + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_unvalidated_redirect.py b/tests/appsec/iast/sink/test_unvalidated_redirect.py index 6caff555643..14092d378e5 100644 
--- a/tests/appsec/iast/sink/test_unvalidated_redirect.py +++ b/tests/appsec/iast/sink/test_unvalidated_redirect.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, irrelevant, features, missing_feature, rfc, weblog -from ..utils import BaseSinkTestWithoutTelemetry, validate_stack_traces +from ..utils import BaseSinkTestWithoutTelemetry, validate_extended_location_data, validate_stack_traces def _expected_location(): @@ -99,3 +99,19 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "UNVALIDATED_REDIRECT" + + def setup_extended_location_data(self): + self.r = weblog.post( + "/iast/unvalidated_redirect/test_insecure_header", data={"location": "http://dummy.location.com"} + ) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_unvalidated_redirect_forward.py b/tests/appsec/iast/sink/test_unvalidated_redirect_forward.py index ca85e9cf69b..8ae41e4424e 100644 --- a/tests/appsec/iast/sink/test_unvalidated_redirect_forward.py +++ b/tests/appsec/iast/sink/test_unvalidated_redirect_forward.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, features, missing_feature, rfc, weblog -from ..utils import BaseSinkTestWithoutTelemetry, validate_stack_traces +from ..utils import BaseSinkTestWithoutTelemetry, validate_extended_location_data, validate_stack_traces def _expected_location(): 
@@ -46,3 +46,19 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "UNVALIDATED_REDIRECT" + + def setup_extended_location_data(self): + self.r = weblog.post( + "/iast/unvalidated_redirect/test_insecure_forward", data={"location": "http://dummy.location.com"} + ) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_weak_cipher.py b/tests/appsec/iast/sink/test_weak_cipher.py index b2604f18abf..0ed70daed61 100644 --- a/tests/appsec/iast/sink/test_weak_cipher.py +++ b/tests/appsec/iast/sink/test_weak_cipher.py @@ -2,7 +2,7 @@ # This product includes software developed at Datadog (https://www.datadoghq.com/). # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, flaky, features, weblog, rfc -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @features.weak_cipher_detection @@ -46,3 +46,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "WEAK_CIPHER" + + def setup_extended_location_data(self): + self.r = weblog.get("/iast/insecure_cipher/test_insecure_algorithm") + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_weak_hash.py b/tests/appsec/iast/sink/test_weak_hash.py index ecc322da203..d29121ad9c3 100644 
--- a/tests/appsec/iast/sink/test_weak_hash.py +++ b/tests/appsec/iast/sink/test_weak_hash.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import weblog, context, missing_feature, features, rfc, scenarios -from ..utils import BaseSinkTest, assert_iast_vulnerability, validate_stack_traces +from ..utils import BaseSinkTest, assert_iast_vulnerability, validate_extended_location_data, validate_stack_traces def _expected_location(): @@ -104,3 +104,17 @@ def test_insecure_hash_multiple(self): vulnerability_type="WEAK_HASH", expected_location=_expected_location(), ) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "WEAK_HASH" + + def setup_extended_location_data(self): + self.r = weblog.get("/iast/insecure_hashing/test_md5_algorithm") + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_weak_randomness.py b/tests/appsec/iast/sink/test_weak_randomness.py index 893441b4088..d6f238a544e 100644 --- a/tests/appsec/iast/sink/test_weak_randomness.py +++ b/tests/appsec/iast/sink/test_weak_randomness.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import features, weblog, rfc -from ..utils import BaseSinkTestWithoutTelemetry, validate_stack_traces +from ..utils import BaseSinkTestWithoutTelemetry, validate_extended_location_data, validate_stack_traces @features.iast_sink_weakrandomness 
@@ -34,3 +34,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "WEAK_RANDOMNESS" + + def setup_extended_location_data(self): + self.r = weblog.get("/iast/weak_randomness/test_insecure") + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_xcontent_sniffing.py b/tests/appsec/iast/sink/test_xcontent_sniffing.py index 77e996ca0d7..23188f5a0bb 100644 --- a/tests/appsec/iast/sink/test_xcontent_sniffing.py +++ b/tests/appsec/iast/sink/test_xcontent_sniffing.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, features, rfc, weblog -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @features.iast_sink_xcontentsniffing @@ -37,3 +37,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "XCONTENTTYPE_HEADER_MISSING" + + def setup_extended_location_data(self): + self.r = weblog.get("/iast/xcontent-missing-header/test_insecure") + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_xpath_injection.py b/tests/appsec/iast/sink/test_xpath_injection.py index 3add0f480b6..b8f37e7588f 100644 --- a/tests/appsec/iast/sink/test_xpath_injection.py +++ b/tests/appsec/iast/sink/test_xpath_injection.py 
@@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import features, weblog, rfc -from ..utils import BaseSinkTestWithoutTelemetry, validate_stack_traces +from ..utils import BaseSinkTestWithoutTelemetry, validate_extended_location_data, validate_stack_traces @features.iast_sink_xpathinjection @@ -30,3 +30,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "XPATH_INJECTION" + + def setup_extended_location_data(self): + self.r = weblog.post("/iast/xpathi/test_insecure", data={"expression": "expression"}) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_xss.py b/tests/appsec/iast/sink/test_xss.py index 74449793c7c..a353d1e37a7 100644 --- a/tests/appsec/iast/sink/test_xss.py +++ b/tests/appsec/iast/sink/test_xss.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import features, weblog, rfc -from ..utils import BaseSinkTestWithoutTelemetry, validate_stack_traces +from ..utils import BaseSinkTestWithoutTelemetry, validate_extended_location_data, validate_stack_traces @features.iast_sink_xss @@ -30,3 +30,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "XSS" + + def setup_extended_location_data(self): + self.r = weblog.post("/iast/xss/test_insecure", data={"param": "param"}) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) 
diff --git a/tests/appsec/iast/utils.py b/tests/appsec/iast/utils.py
index 23a94f5217d..a0f0a4a9c68 100644
--- a/tests/appsec/iast/utils.py
+++ b/tests/appsec/iast/utils.py
@@ -250,6 +250,61 @@ def validate_stack_traces(request):
     assert locationFrame is not None, "location not found in stack trace"
 
 
+def validate_extended_location_data(request, vulnerability_type):
+    spans = [span for _, span in interfaces.library.get_root_spans(request=request)]
+    assert spans, "No root span found"
+    span = spans[0]
+
+    iast = span.get("meta", {}).get("_dd.iast.json")
+    assert iast and iast["vulnerabilities"], "Expected at least one vulnerability"
+
+    # Filter by vulnerability
+    if vulnerability_type:
+        vulns = [v for v in iast["vulnerabilities"] if not vulnerability_type or v["type"] == vulnerability_type]
+        assert vulns, f"No vulnerability of type {vulnerability_type}"
+
+    vuln = vulns[0]
+    location = vuln["location"]
+
+    # Check extended data if stack trace exists
+    if "meta_struct" in span and "_dd.stack" in span["meta_struct"]:
+        assert "vulnerability" in span["meta_struct"]["_dd.stack"], "'exploit' not found in '_dd.stack'"
+        stack_trace = span["meta_struct"]["_dd.stack"]["vulnerability"][0]
+
+        assert "language" in stack_trace
+        assert stack_trace["language"] in (
+            "php",
+            "python",
+            "nodejs",
+            "java",
+            "dotnet",
+            "go",
+            "ruby",
+        ), "unexpected language"
+        assert "frames" in stack_trace
+
+        # Verify frame matches location
+        location_match = False
+        for frame in stack_trace["frames"]:
+            if stack_trace["language"] in ("nodejs"):
+                if (
+                    frame.get("file", "").endswith(location["path"])
+                    and location["line"] == frame["line"]
+                    and location.get("class", "") == frame.get("class_name", "")
+                    and location.get("method", "") == frame.get("function", "")
+                ):
+                    location_match = True
+                    break
+
+        assert location_match, "location not found in stack trace"
+    # Check extended data if on location if stack trace do not exists
+    else:
+        assert all(field in location for field in ["path", "line"])
+
+        if context.library.library not in ("python", "nodejs"):
+            assert all(field in location for field in ["class", "method"])
+
+
 class BaseSinkTest(BaseSinkTestWithoutTelemetry):
     def setup_telemetry_metric_instrumented_sink(self):
         self.setup_insecure()
diff --git a/utils/_features.py b/utils/_features.py
index ff70aaca8b8..30331d3e8f0 100644
--- a/utils/_features.py
+++ b/utils/_features.py
@@ -2291,6 +2291,15 @@ def iast_stack_trace(test_object):
         pytest.mark.features(feature_id=329)(test_object)
         return test_object
 
+    @staticmethod
+    def iast_extended_location(test_object):
+        """IAST: Extended location data
+
+        https://feature-parity.us1.prod.dog/#/?feature=364
+        """
+        pytest.mark.features(feature_id=364)(test_object)
+        return test_object
+
     @staticmethod
     def djm_ssi_k8s(test_object):
         """Data Jobs Monitoring: Java lib auto instrumentation for Spark applications on K8s.

From 398dc955363d29775f43780ef88c7a8bec4933f0 Mon Sep 17 00:00:00 2001
From: ishabi
Date: Tue, 4 Feb 2025 15:52:24 +0100
Subject: [PATCH 2/8] Add TestUnvalidatedForward_StackTrace

---
 manifests/nodejs.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/manifests/nodejs.yml b/manifests/nodejs.yml
index 28d2d9f8f7c..97ee2af1a3c 100644
--- a/manifests/nodejs.yml
+++ b/manifests/nodejs.yml
@@ -271,6 +271,7 @@ tests/:
         TestUnvalidatedRedirect_ExtendedLocation: missing_feature
       test_unvalidated_redirect_forward.py:
         TestUnvalidatedForward: missing_feature
+        TestUnvalidatedForward_StackTrace: missing_feature
         TestUnvalidatedForward_ExtendedLocation: missing_feature
       test_weak_cipher.py:
         TestWeakCipher:

From c0252723eef680e9a9f3877a34dd34e93d02c06d Mon Sep 17 00:00:00 2001
From: ishabi
Date: Tue, 4 Feb 2025 15:53:43 +0100
Subject: [PATCH 3/8] add context to test code injection

---
 tests/appsec/iast/sink/test_code_injection.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/appsec/iast/sink/test_code_injection.py b/tests/appsec/iast/sink/test_code_injection.py
index 07607e1dbd2..f92ce45b38c 100644
--- a/tests/appsec/iast/sink/test_code_injection.py
+++ b/tests/appsec/iast/sink/test_code_injection.py
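Review bot: `validate_extended_location_data` binds `vulns` only inside `if vulnerability_type:`, so a falsy type reaches `vuln = vulns[0]` unbound (or, if that line sits inside the `if`, leaves `location` unbound for the branches below — the collapsed chunk does not show its indentation) and raises a NameError instead of a readable assertion; the `not vulnerability_type or` guard inside the comprehension already covers that case, so the `if` can go and the filter run unconditionally. In the frame loop `in ("nodejs")` is a substring test on a plain string rather than tuple membership, and since no other language ever sets `location_match`, the following `assert location_match` fails for every non-nodejs library that emits a `_dd.stack` — java, for one, is listed with `_StackTrace` support at v1.43.0 in the java manifest further down. The message on the first assertion, `'exploit' not found in '_dd.stack'`, also names the wrong key; the check is for `"vulnerability"`. The rewrite below binds `vulns` unconditionally, fixes the message, compares the language with `==`, and confines the frame/location comparison to the one language whose frame field names this function knows, which is the most conservative reading; per-language frame mappings can be added as they are specified.
```python
def validate_extended_location_data(request, vulnerability_type):
    # … unchanged: root span lookup and _dd.iast.json assertion …

    # Filter by vulnerability type when one is given; vulns is bound on every path
    vulns = [v for v in iast["vulnerabilities"] if not vulnerability_type or v["type"] == vulnerability_type]
    assert vulns, f"No vulnerability of type {vulnerability_type}"

    vuln = vulns[0]
    location = vuln["location"]

    # Check extended data if stack trace exists
    if "meta_struct" in span and "_dd.stack" in span["meta_struct"]:
        assert "vulnerability" in span["meta_struct"]["_dd.stack"], "'vulnerability' not found in '_dd.stack'"
        stack_trace = span["meta_struct"]["_dd.stack"]["vulnerability"][0]

        # … unchanged: language and frames assertions …

        # Frame field names are language specific; only the nodejs mapping is known
        # here, so the frame/location comparison is limited to it rather than
        # failing every other language on a location_match that can never be set.
        if stack_trace["language"] == "nodejs":
            location_match = any(
                frame.get("file", "").endswith(location["path"])
                and location["line"] == frame.get("line")
                and location.get("class", "") == frame.get("class_name", "")
                and location.get("method", "") == frame.get("function", "")
                for frame in stack_trace["frames"]
            )
            assert location_match, "location not found in stack trace"
    else:
        # … unchanged: path/line and class/method presence checks …
```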
@@ -2,7 +2,7 @@ # This product includes software developed at Datadog (https://www.datadoghq.com/). # Copyright 2021 Datadog, Inc. -from utils import missing_feature, features, rfc, weblog +from utils import context, missing_feature, features, rfc, weblog from ..utils import BaseSinkTest, validate_stack_traces, validate_extended_location_data From 9235c344b2625403a11026bbf9e4513b67ffa0c1 Mon Sep 17 00:00:00 2001 
From: ishabi Date: Tue, 4 Feb 2025 16:23:58 +0100 Subject: [PATCH 4/8] fix order --- manifests/dotnet.yml | 58 +++++++++---------- manifests/golang.yml | 56 +++++++++--------- manifests/java.yml | 56 +++++++++--------- manifests/nodejs.yml | 57 +++++++++--------- manifests/php.yml | 56 +++++++++--------- manifests/python.yml | 56 +++++++++--------- manifests/ruby.yml | 56 +++++++++--------- .../iast/sink/test_command_injection.py | 2 +- .../iast/sink/test_email_html_injection.py | 2 +- .../iast/sink/test_hardcoded_passwords.py | 2 +- .../iast/sink/test_hardcoded_secrets.py | 2 +- .../appsec/iast/sink/test_header_injection.py | 2 +- .../iast/sink/test_hsts_missing_header.py | 2 +- .../iast/sink/test_insecure_auth_protocol.py | 2 +- .../appsec/iast/sink/test_insecure_cookie.py | 2 +- tests/appsec/iast/sink/test_ldap_injection.py | 2 +- .../iast/sink/test_no_httponly_cookie.py | 2 +- .../iast/sink/test_no_samesite_cookie.py | 2 +- .../iast/sink/test_nosql_mongodb_injection.py | 2 +- tests/appsec/iast/sink/test_path_traversal.py | 2 +- .../iast/sink/test_reflection_injection.py | 2 +- tests/appsec/iast/sink/test_sql_injection.py | 2 +- tests/appsec/iast/sink/test_ssrf.py | 2 +- .../iast/sink/test_template_injection.py | 2 +- .../sink/test_trust_boundary_violation.py | 2 +- .../sink/test_untrusted_deserialization.py | 2 +- .../iast/sink/test_unvalidated_redirect.py | 18 +++++- .../sink/test_unvalidated_redirect_forward.py | 2 +- tests/appsec/iast/sink/test_weak_cipher.py | 2 +- tests/appsec/iast/sink/test_weak_hash.py | 2 +- .../appsec/iast/sink/test_weak_randomness.py | 2 +- .../iast/sink/test_xcontent_sniffing.py | 2 +- .../appsec/iast/sink/test_xpath_injection.py | 2 +- tests/appsec/iast/sink/test_xss.py | 2 +- 34 files changed, 241 insertions(+), 224 deletions(-) diff --git a/manifests/dotnet.yml b/manifests/dotnet.yml index f75ea001167..3b2251ee260 100644 --- a/manifests/dotnet.yml +++ b/manifests/dotnet.yml 
@@ -31,127 +31,127 @@ tests/: sink/: test_code_injection.py: TestCodeInjection: missing_feature - TestCodeInjection_StackTrace: missing_feature TestCodeInjection_ExtendedLocation: missing_feature + TestCodeInjection_StackTrace: missing_feature test_command_injection.py: TestCommandInjection: v2.28.0 - TestCommandInjection_StackTrace: missing_feature TestCommandInjection_ExtendedLocation: missing_feature + TestCommandInjection_StackTrace: missing_feature test_email_html_injection.py: TestEmailHtmlInjection: v3.2.0 - TestEmailHtmlInjection_StackTrace: missing_feature TestEmailHtmlInjection_ExtendedLocation: missing_feature + TestEmailHtmlInjection_StackTrace: missing_feature test_hardcoded_passwords.py: Test_HardcodedPasswords: missing_feature - Test_HardcodedPasswords_StackTrace: missing_feature Test_HardcodedPasswords_ExtendedLocation: missing_feature + Test_HardcodedPasswords_StackTrace: missing_feature test_hardcoded_secrets.py: Test_HardcodedSecrets: missing_feature Test_HardcodedSecretsExtended: missing_feature - Test_HardcodedSecrets_StackTrace: missing_feature Test_HardcodedSecrets_ExtendedLocation: missing_feature + Test_HardcodedSecrets_StackTrace: missing_feature test_header_injection.py: TestHeaderInjection: v2.46.0 TestHeaderInjectionExclusionAccessControlAllow: missing_feature TestHeaderInjectionExclusionContentEncoding: missing_feature TestHeaderInjectionExclusionPragma: missing_feature TestHeaderInjectionExclusionTransferEncoding: missing_feature - TestHeaderInjection_StackTrace: missing_feature TestHeaderInjection_ExtendedLocation: missing_feature + TestHeaderInjection_StackTrace: missing_feature test_hsts_missing_header.py: Test_HstsMissingHeader: v2.44.0 - Test_HstsMissingHeader_StackTrace: missing_feature Test_HstsMissingHeader_ExtendedLocation: missing_feature + Test_HstsMissingHeader_StackTrace: missing_feature test_insecure_auth_protocol.py: Test_InsecureAuthProtocol: v2.49.0 - Test_InsecureAuthProtocol_StackTrace: missing_feature 
Test_InsecureAuthProtocol_ExtendedLocation: missing_feature + Test_InsecureAuthProtocol_StackTrace: missing_feature test_insecure_cookie.py: TestInsecureCookie: v2.39.0 TestInsecureCookieNameFilter: missing_feature - TestInsecureCookie_StackTrace: missing_feature TestInsecureCookie_ExtendedLocation: missing_feature + TestInsecureCookie_StackTrace: missing_feature test_ldap_injection.py: TestLDAPInjection: v2.36.0 - TestLDAPInjection_StackTrace: missing_feature TestLDAPInjection_ExtendedLocation: missing_feature + TestLDAPInjection_StackTrace: missing_feature test_no_httponly_cookie.py: TestNoHttponlyCookie: v2.39.0 TestNoHttponlyCookieNameFilter: missing_feature - TestNoHttponlyCookie_StackTrace: missing_feature TestNoHttponlyCookie_ExtendedLocation: missing_feature + TestNoHttponlyCookie_StackTrace: missing_feature test_no_samesite_cookie.py: TestNoSamesiteCookie: v2.39.0 TestNoSamesiteCookieNameFilter: missing_feature - TestNoSamesiteCookie_StackTrace: missing_feature TestNoSamesiteCookie_ExtendedLocation: missing_feature + TestNoSamesiteCookie_StackTrace: missing_feature test_nosql_mongodb_injection.py: TestNoSqlMongodbInjection: v2.47.0 - TestNoSqlMongodbInjection_StackTrace: missing_feature TestNoSqlMongodbInjection_ExtendedLocation: missing_feature + TestNoSqlMongodbInjection_StackTrace: missing_feature test_path_traversal.py: TestPathTraversal: v2.31.0 - TestPathTraversal_StackTrace: missing_feature TestPathTraversal_ExtendedLocation: missing_feature + TestPathTraversal_StackTrace: missing_feature test_reflection_injection.py: TestReflectionInjection: v2.48.0 - TestReflectionInjection_StackTrace: missing_feature TestReflectionInjection_ExtendedLocation: missing_feature + TestReflectionInjection_StackTrace: missing_feature test_sql_injection.py: TestSqlInjection: - '*': v2.23.0 - TestSqlInjection_StackTrace: missing_feature + '*': v2.23.0 TestSqlInjection_ExtendedLocation: missing_feature + TestSqlInjection_StackTrace: missing_feature test_ssrf.py: TestSSRF: 
v2.36.0 - TestSSRF_StackTrace: missing_feature TestSSRF_ExtendedLocation: missing_feature + TestSSRF_StackTrace: missing_feature test_template_injection.py: TestTemplateInjection: missing_feature test_trust_boundary_violation.py: Test_TrustBoundaryViolation: v2.43.0 - Test_TrustBoundaryViolation_StackTrace: missing_feature Test_TrustBoundaryViolation_ExtendedLocation: missing_feature + Test_TrustBoundaryViolation_StackTrace: missing_feature test_untrusted_deserialization.py: TestUntrustedDeserialization: missing_feature - TestUntrustedDeserialization_StackTrace: missing_feature TestUntrustedDeserialization_ExtendedLocation: missing_feature + TestUntrustedDeserialization_StackTrace: missing_feature test_unvalidated_redirect.py: TestUnvalidatedHeader: v2.44.0 - TestUnvalidatedHeader_StackTrace: missing_feature TestUnvalidatedHeader_ExtendedLocation: missing_feature + TestUnvalidatedHeader_StackTrace: missing_feature TestUnvalidatedRedirect: v2.44.0 - TestUnvalidatedRedirect_StackTrace: missing_feature TestUnvalidatedRedirect_ExtendedLocation: missing_feature + TestUnvalidatedRedirect_StackTrace: missing_feature test_unvalidated_redirect_forward.py: TestUnvalidatedForward: missing_feature - TestUnvalidatedForward_StackTrace: missing_feature TestUnvalidatedForward_ExtendedLocation: missing_feature + TestUnvalidatedForward_StackTrace: missing_feature test_weak_cipher.py: TestWeakCipher: v2.24.0 - TestWeakCipher_StackTrace: missing_feature TestWeakCipher_ExtendedLocation: missing_feature + TestWeakCipher_StackTrace: missing_feature test_weak_hash.py: TestDeduplication: v2.24.0 TestWeakHash: v2.24.0 - TestWeakHash_StackTrace: missing_feature TestWeakHash_ExtendedLocation: missing_feature + TestWeakHash_StackTrace: missing_feature test_weak_randomness.py: TestWeakRandomness: v2.39.0 - TestWeakRandomness_StackTrace: missing_feature TestWeakRandomness_ExtendedLocation: missing_feature + TestWeakRandomness_StackTrace: missing_feature test_xcontent_sniffing.py: 
Test_XContentSniffing: missing_feature - Test_XContentSniffing_StackTrace: missing_feature Test_XContentSniffing_ExtendedLocation: missing_feature + Test_XContentSniffing_StackTrace: missing_feature test_xpath_injection.py: TestXPathInjection: v2.47.0 - TestXPathInjection_StackTrace: missing_feature TestXPathInjection_ExtendedLocation: missing_feature + TestXPathInjection_StackTrace: missing_feature test_xss.py: TestXSS: missing_feature - TestXSS_StackTrace: missing_feature TestXSS_ExtendedLocation: missing_feature + TestXSS_StackTrace: missing_feature source/: test_body.py: TestRequestBody: v2.39.0 diff --git a/manifests/golang.yml b/manifests/golang.yml index db0df04d33f..6f5b3792ac0 100644 --- a/manifests/golang.yml +++ b/manifests/golang.yml 
@@ -42,127 +42,127 @@ tests/: sink/: test_code_injection.py: TestCodeInjection: missing_feature - TestCodeInjection_StackTrace: missing_feature TestCodeInjection_ExtendedLocation: missing_feature + TestCodeInjection_StackTrace: missing_feature test_command_injection.py: TestCommandInjection: missing_feature - TestCommandInjection_StackTrace: missing_feature TestCommandInjection_ExtendedLocation: missing_feature + TestCommandInjection_StackTrace: missing_feature test_email_html_injection.py: TestEmailHtmlInjection: missing_feature - TestEmailHtmlInjection_StackTrace: missing_feature TestEmailHtmlInjection_ExtendedLocation: missing_feature + TestEmailHtmlInjection_StackTrace: missing_feature test_hardcoded_passwords.py: Test_HardcodedPasswords: missing_feature - Test_HardcodedPasswords_StackTrace: missing_feature Test_HardcodedPasswords_ExtendedLocation: missing_feature + Test_HardcodedPasswords_StackTrace: missing_feature test_hardcoded_secrets.py: Test_HardcodedSecrets: missing_feature Test_HardcodedSecretsExtended: missing_feature - Test_HardcodedSecrets_StackTrace: missing_feature Test_HardcodedSecrets_ExtendedLocation: missing_feature + Test_HardcodedSecrets_StackTrace: missing_feature test_header_injection.py: TestHeaderInjection: missing_feature TestHeaderInjectionExclusionAccessControlAllow: missing_feature TestHeaderInjectionExclusionContentEncoding: missing_feature TestHeaderInjectionExclusionPragma: missing_feature TestHeaderInjectionExclusionTransferEncoding: missing_feature - TestHeaderInjection_StackTrace: missing_feature TestHeaderInjection_ExtendedLocation: missing_feature + TestHeaderInjection_StackTrace: missing_feature test_hsts_missing_header.py: Test_HstsMissingHeader: missing_feature - Test_HstsMissingHeader_StackTrace: missing_feature Test_HstsMissingHeader_ExtendedLocation: missing_feature + Test_HstsMissingHeader_StackTrace: missing_feature test_insecure_auth_protocol.py: Test_InsecureAuthProtocol: missing_feature - 
Test_InsecureAuthProtocol_StackTrace: missing_feature Test_InsecureAuthProtocol_ExtendedLocation: missing_feature + Test_InsecureAuthProtocol_StackTrace: missing_feature test_insecure_cookie.py: TestInsecureCookie: missing_feature TestInsecureCookieNameFilter: missing_feature - TestInsecureCookie_StackTrace: missing_feature TestInsecureCookie_ExtendedLocation: missing_feature + TestInsecureCookie_StackTrace: missing_feature test_ldap_injection.py: TestLDAPInjection: missing_feature - TestLDAPInjection_StackTrace: missing_feature TestLDAPInjection_ExtendedLocation: missing_feature + TestLDAPInjection_StackTrace: missing_feature test_no_httponly_cookie.py: TestNoHttponlyCookie: missing_feature TestNoHttponlyCookieNameFilter: missing_feature - TestNoHttponlyCookie_StackTrace: missing_feature TestNoHttponlyCookie_ExtendedLocation: missing_feature + TestNoHttponlyCookie_StackTrace: missing_feature test_no_samesite_cookie.py: TestNoSamesiteCookie: missing_feature TestNoSamesiteCookieNameFilter: missing_feature - TestNoSamesiteCookie_StackTrace: missing_feature TestNoSamesiteCookie_ExtendedLocation: missing_feature + TestNoSamesiteCookie_StackTrace: missing_feature test_nosql_mongodb_injection.py: TestNoSqlMongodbInjection: missing_feature - TestNoSqlMongodbInjection_StackTrace: missing_feature TestNoSqlMongodbInjection_ExtendedLocation: missing_feature + TestNoSqlMongodbInjection_StackTrace: missing_feature test_path_traversal.py: TestPathTraversal: missing_feature - TestPathTraversal_StackTrace: missing_feature TestPathTraversal_ExtendedLocation: missing_feature + TestPathTraversal_StackTrace: missing_feature test_reflection_injection.py: TestReflectionInjection: missing_feature - TestReflectionInjection_StackTrace: missing_feature TestReflectionInjection_ExtendedLocation: missing_feature + TestReflectionInjection_StackTrace: missing_feature test_sql_injection.py: TestSqlInjection: missing_feature - TestSqlInjection_StackTrace: missing_feature 
TestSqlInjection_ExtendedLocation: missing_feature + TestSqlInjection_StackTrace: missing_feature test_ssrf.py: TestSSRF: missing_feature - TestSSRF_StackTrace: missing_feature TestSSRF_ExtendedLocation: missing_feature + TestSSRF_StackTrace: missing_feature test_template_injection.py: TestTemplateInjection: missing_feature test_trust_boundary_violation.py: Test_TrustBoundaryViolation: missing_feature - Test_TrustBoundaryViolation_StackTrace: missing_feature Test_TrustBoundaryViolation_ExtendedLocation: missing_feature + Test_TrustBoundaryViolation_StackTrace: missing_feature test_untrusted_deserialization.py: TestUntrustedDeserialization: missing_feature - TestUntrustedDeserialization_StackTrace: missing_feature TestUntrustedDeserialization_ExtendedLocation: missing_feature + TestUntrustedDeserialization_StackTrace: missing_feature test_unvalidated_redirect.py: TestUnvalidatedHeader: missing_feature - TestUnvalidatedHeader_StackTrace: missing_feature TestUnvalidatedHeader_ExtendedLocation: missing_feature + TestUnvalidatedHeader_StackTrace: missing_feature TestUnvalidatedRedirect: missing_feature - TestUnvalidatedRedirect_StackTrace: missing_feature TestUnvalidatedRedirect_ExtendedLocation: missing_feature + TestUnvalidatedRedirect_StackTrace: missing_feature test_unvalidated_redirect_forward.py: TestUnvalidatedForward: missing_feature - TestUnvalidatedForward_StackTrace: missing_feature TestUnvalidatedForward_ExtendedLocation: missing_feature + TestUnvalidatedForward_StackTrace: missing_feature test_weak_cipher.py: TestWeakCipher: missing_feature - TestWeakCipher_StackTrace: missing_feature TestWeakCipher_ExtendedLocation: missing_feature + TestWeakCipher_StackTrace: missing_feature test_weak_hash.py: TestDeduplication: missing_feature TestWeakHash: missing_feature - TestWeakHash_StackTrace: missing_feature TestWeakHash_ExtendedLocation: missing_feature + TestWeakHash_StackTrace: missing_feature test_weak_randomness.py: TestWeakRandomness: missing_feature - 
TestWeakRandomness_StackTrace: missing_feature TestWeakRandomness_ExtendedLocation: missing_feature + TestWeakRandomness_StackTrace: missing_feature test_xcontent_sniffing.py: Test_XContentSniffing: missing_feature - Test_XContentSniffing_StackTrace: missing_feature Test_XContentSniffing_ExtendedLocation: missing_feature + Test_XContentSniffing_StackTrace: missing_feature test_xpath_injection.py: TestXPathInjection: missing_feature - TestXPathInjection_StackTrace: missing_feature TestXPathInjection_ExtendedLocation: missing_feature + TestXPathInjection_StackTrace: missing_feature test_xss.py: TestXSS: '*': missing_feature - TestXSS_StackTrace: missing_feature TestXSS_ExtendedLocation: missing_feature + TestXSS_StackTrace: missing_feature source/: test_body.py: TestRequestBody: missing_feature diff --git a/manifests/java.yml b/manifests/java.yml index c8d51bc3ecf..0199813c921 100644 --- a/manifests/java.yml +++ b/manifests/java.yml @@ -61,8 +61,8 @@ tests/: sink/: test_code_injection.py: TestCodeInjection: missing_feature - TestCodeInjection_StackTrace: missing_feature TestCodeInjection_ExtendedLocation: missing_feature + TestCodeInjection_StackTrace: missing_feature test_command_injection.py: TestCommandInjection: '*': v1.1.0 
@@ -74,20 +74,20 @@ tests/: spring-boot-3-native: missing_feature (GraalVM. Tracing support only) vertx3: v1.12.0 vertx4: v1.12.0 + TestCommandInjection_ExtendedLocation: missing_feature TestCommandInjection_StackTrace: '*': v1.43.0 play: missing_feature ratpack: missing_feature spring-boot-3-native: missing_feature (GraalVM. Tracing support only) - TestCommandInjection_ExtendedLocation: missing_feature test_email_html_injection.py: TestEmailHtmlInjection: missing_feature - TestEmailHtmlInjection_StackTrace: missing_feature TestEmailHtmlInjection_ExtendedLocation: missing_feature + TestEmailHtmlInjection_StackTrace: missing_feature test_hardcoded_passwords.py: Test_HardcodedPasswords: missing_feature - Test_HardcodedPasswords_StackTrace: missing_feature Test_HardcodedPasswords_ExtendedLocation: missing_feature + Test_HardcodedPasswords_StackTrace: missing_feature test_hardcoded_secrets.py: Test_HardcodedSecrets: '*': missing_feature @@ -99,8 +99,8 @@ tests/: spring-boot-wildfly: v1.29.0 uds-spring-boot: v1.29.0 Test_HardcodedSecretsExtended: missing_feature - Test_HardcodedSecrets_StackTrace: irrelevant (not expected to have a stack trace) Test_HardcodedSecrets_ExtendedLocation: missing_feature + Test_HardcodedSecrets_StackTrace: irrelevant (not expected to have a stack trace) test_header_injection.py: TestHeaderInjection: '*': missing_feature @@ -115,6 +115,7 @@ tests/: TestHeaderInjectionExclusionContentEncoding: missing_feature TestHeaderInjectionExclusionPragma: missing_feature TestHeaderInjectionExclusionTransferEncoding: missing_feature + TestHeaderInjection_ExtendedLocation: missing_feature TestHeaderInjection_StackTrace: '*': missing_feature spring-boot: v1.43.0 @@ -124,7 +125,6 @@ tests/: spring-boot-undertow: v1.43.0 spring-boot-wildfly: v1.43.0 uds-spring-boot: v1.43.0 - TestHeaderInjection_ExtendedLocation: missing_feature test_hsts_missing_header.py: Test_HstsMissingHeader: '*': v1.20.0 
@@ -137,8 +137,8 @@ tests/: spring-boot-openliberty: bug (APPSEC-51483) vertx3: missing_feature vertx4: missing_feature - Test_HstsMissingHeader_StackTrace: irrelevant (not expected to have a stack trace) Test_HstsMissingHeader_ExtendedLocation: missing_feature + Test_HstsMissingHeader_StackTrace: irrelevant (not expected to have a stack trace) test_insecure_auth_protocol.py: Test_InsecureAuthProtocol: '*': v1.30.0 @@ -147,6 +147,7 @@ tests/: ratpack: missing_feature spring-boot-3-native: missing_feature (GraalVM. Tracing support only) spring-boot-openliberty: bug (APPSEC-54981) + Test_InsecureAuthProtocol_ExtendedLocation: missing_feature Test_InsecureAuthProtocol_StackTrace: '*': v1.43.0 akka-http: missing_feature @@ -154,7 +155,6 @@ tests/: ratpack: missing_feature spring-boot-3-native: missing_feature (GraalVM. Tracing support only) spring-boot-openliberty: bug (APPSEC-54981) - Test_InsecureAuthProtocol_ExtendedLocation: missing_feature test_insecure_cookie.py: TestInsecureCookie: '*': v1.18.0 @@ -163,13 +163,13 @@ tests/: ratpack: missing_feature spring-boot-3-native: missing_feature TestInsecureCookieNameFilter: missing_feature + TestInsecureCookie_ExtendedLocation: missing_feature TestInsecureCookie_StackTrace: '*': v1.43.0 akka-http: missing_feature play: missing_feature ratpack: missing_feature spring-boot-3-native: missing_feature - TestInsecureCookie_ExtendedLocation: missing_feature test_ldap_injection.py: TestLDAPInjection: '*': v1.3.0 @@ -181,12 +181,12 @@ tests/: spring-boot-3-native: missing_feature (GraalVM. Tracing support only) vertx3: v1.12.0 vertx4: v1.12.0 + TestLDAPInjection_ExtendedLocation: missing_feature TestLDAPInjection_StackTrace: '*': v1.43.0 play: missing_feature (endpoint not implemented) ratpack: missing_feature (endpoint not implemented) spring-boot-3-native: missing_feature (GraalVM. Tracing support only) - TestLDAPInjection_ExtendedLocation: missing_feature test_no_httponly_cookie.py: TestNoHttponlyCookie: '*': v1.18.0 
@@ -195,13 +195,13 @@ tests/: ratpack: missing_feature spring-boot-3-native: missing_feature TestNoHttponlyCookieNameFilter: missing_feature + TestNoHttponlyCookie_ExtendedLocation: missing_feature TestNoHttponlyCookie_StackTrace: '*': v1.43.0 akka-http: missing_feature play: missing_feature ratpack: missing_feature spring-boot-3-native: missing_feature - TestNoHttponlyCookie_ExtendedLocation: missing_feature test_no_samesite_cookie.py: TestNoSamesiteCookie: '*': v1.18.0 @@ -210,17 +210,17 @@ tests/: ratpack: missing_feature spring-boot-3-native: missing_feature TestNoSamesiteCookieNameFilter: missing_feature + TestNoSamesiteCookie_ExtendedLocation: missing_feature TestNoSamesiteCookie_StackTrace: '*': v1.43.0 akka-http: missing_feature play: missing_feature ratpack: missing_feature spring-boot-3-native: missing_feature - TestNoSamesiteCookie_ExtendedLocation: missing_feature test_nosql_mongodb_injection.py: TestNoSqlMongodbInjection: missing_feature - TestNoSqlMongodbInjection_StackTrace: missing_feature TestNoSqlMongodbInjection_ExtendedLocation: missing_feature + TestNoSqlMongodbInjection_StackTrace: missing_feature test_path_traversal.py: TestPathTraversal: '*': v1.1.0 @@ -231,12 +231,12 @@ tests/: resteasy-netty3: v1.11.0 spring-boot-3-native: missing_feature (GraalVM. Tracing support only) vertx3: v1.12.0 + TestPathTraversal_ExtendedLocation: missing_feature TestPathTraversal_StackTrace: '*': v1.43.0 play: missing_feature ratpack: missing_feature spring-boot-3-native: missing_feature (GraalVM. Tracing support only) - TestPathTraversal_ExtendedLocation: missing_feature test_reflection_injection.py: TestReflectionInjection: '*': v1.31.0 
@@ -244,13 +244,13 @@ tests/: play: missing_feature ratpack: missing_feature spring-boot-3-native: missing_feature (GraalVM. Tracing support only) + TestReflectionInjection_ExtendedLocation: missing_feature TestReflectionInjection_StackTrace: '*': v1.43.0 akka-http: missing_feature play: missing_feature ratpack: missing_feature spring-boot-3-native: missing_feature (GraalVM. Tracing support only) - TestReflectionInjection_ExtendedLocation: missing_feature test_sql_injection.py: TestSqlInjection: '*': v1.1.0 @@ -261,12 +261,12 @@ tests/: resteasy-netty3: v1.11.0 spring-boot-3-native: missing_feature (GraalVM. Tracing support only) vertx3: v1.12.0 + TestSqlInjection_ExtendedLocation: missing_feature TestSqlInjection_StackTrace: '*': v1.43.0 play: missing_feature ratpack: missing_feature spring-boot-3-native: missing_feature (GraalVM. Tracing support only) - TestSqlInjection_ExtendedLocation: missing_feature test_ssrf.py: TestSSRF: '*': v1.13.0 @@ -275,6 +275,7 @@ tests/: ratpack: missing_feature (No endpoint implemented) spring-boot-3-native: missing_feature (GraalVM. Tracing support only) vertx4: missing_feature (No endpoint implemented) + TestSSRF_ExtendedLocation: missing_feature TestSSRF_StackTrace: '*': v1.43.0 akka-http: missing_feature (No endpoint implemented) @@ -282,7 +283,6 @@ tests/: ratpack: missing_feature (No endpoint implemented) spring-boot-3-native: missing_feature (GraalVM. Tracing support only) vertx4: missing_feature (No endpoint implemented) - TestSSRF_ExtendedLocation: missing_feature test_template_injection.py: TestTemplateInjection: missing_feature test_trust_boundary_violation.py: @@ -296,6 +296,7 @@ tests/: spring-boot-3-native: missing_feature (GraalVM. Tracing support only) vertx3: missing_feature vertx4: missing_feature + Test_TrustBoundaryViolation_ExtendedLocation: missing_feature Test_TrustBoundaryViolation_StackTrace: '*': v1.43.0 akka-http: missing_feature 
@@ -306,7 +307,6 @@ tests/: spring-boot-3-native: missing_feature (GraalVM. Tracing support only) vertx3: missing_feature vertx4: missing_feature - Test_TrustBoundaryViolation_ExtendedLocation: missing_feature test_untrusted_deserialization.py: TestUntrustedDeserialization: '*': v1.38.0 @@ -318,6 +318,7 @@ tests/: spring-boot-3-native: missing_feature (No endpoint implemented) vertx3: missing_feature (No endpoint implemented) vertx4: missing_feature (No endpoint implemented) + TestUntrustedDeserialization_ExtendedLocation: missing_feature TestUntrustedDeserialization_StackTrace: '*': v1.43.0 akka-http: missing_feature (No endpoint implemented) @@ -328,7 +329,6 @@ tests/: spring-boot-3-native: missing_feature (No endpoint implemented) vertx3: missing_feature (No endpoint implemented) vertx4: missing_feature (No endpoint implemented) - TestUntrustedDeserialization_ExtendedLocation: missing_feature test_unvalidated_redirect.py: TestUnvalidatedHeader: '*': v1.15.0 @@ -339,13 +339,13 @@ tests/: spring-boot-jetty: v1.17.0 vertx3: v1.16.0 vertx4: v1.17.0 + TestUnvalidatedHeader_ExtendedLocation: missing_feature TestUnvalidatedHeader_StackTrace: '*': v1.43.0 akka-http: missing_feature play: missing_feature ratpack: missing_feature spring-boot-3-native: missing_feature (GraalVM. Tracing support only) - TestUnvalidatedHeader_ExtendedLocation: missing_feature TestUnvalidatedRedirect: '*': v1.15.0 akka-http: missing_feature @@ -354,13 +354,13 @@ tests/: spring-boot-3-native: missing_feature (GraalVM. Tracing support only) spring-boot-jetty: v1.17.0 vertx4: v1.17.0 + TestUnvalidatedRedirect_ExtendedLocation: missing_feature TestUnvalidatedRedirect_StackTrace: '*': v1.43.0 akka-http: missing_feature play: missing_feature ratpack: missing_feature spring-boot-3-native: missing_feature (GraalVM. Tracing support only) - TestUnvalidatedRedirect_ExtendedLocation: missing_feature test_unvalidated_redirect_forward.py: TestUnvalidatedForward: '*': v1.15.0 
@@ -372,6 +372,7 @@ tests/: spring-boot-3-native: missing_feature (GraalVM. Tracing support only) vertx3: v1.16.0 vertx4: v1.17.0 + TestUnvalidatedForward_ExtendedLocation: missing_feature TestUnvalidatedForward_StackTrace: '*': v1.43.0 akka-http: irrelevant (No forward) @@ -380,17 +381,16 @@ tests/: ratpack: irrelevant (No forward) resteasy-netty3: irrelevant (No forward) spring-boot-3-native: missing_feature (GraalVM. Tracing support only) - TestUnvalidatedForward_ExtendedLocation: missing_feature test_weak_cipher.py: TestWeakCipher: '*': v0.108.0 play: missing_feature (no endpoint) spring-boot-3-native: missing_feature (GraalVM. Tracing support only) + TestWeakCipher_ExtendedLocation: missing_feature TestWeakCipher_StackTrace: '*': v1.43.0 play: missing_feature (no endpoint) spring-boot-3-native: missing_feature (GraalVM. Tracing support only) - TestWeakCipher_ExtendedLocation: missing_feature test_weak_hash.py: TestDeduplication: '*': v0.108.0 @@ -400,21 +400,21 @@ tests/: '*': v0.108.0 play: missing_feature (no endpoint) spring-boot-3-native: missing_feature (GraalVM. Tracing support only) + TestWeakHash_ExtendedLocation: missing_feature TestWeakHash_StackTrace: '*': v1.43.0 play: missing_feature (no endpoint) spring-boot-3-native: missing_feature (GraalVM. Tracing support only) - TestWeakHash_ExtendedLocation: missing_feature test_weak_randomness.py: TestWeakRandomness: '*': v1.15.0 play: missing_feature (no endpoint) spring-boot-3-native: missing_feature (GraalVM. Tracing support only) + TestWeakRandomness_ExtendedLocation: missing_feature TestWeakRandomness_StackTrace: '*': v1.43.0 play: missing_feature (no endpoint) spring-boot-3-native: missing_feature (GraalVM. Tracing support only) - TestWeakRandomness_ExtendedLocation: missing_feature test_xcontent_sniffing.py: Test_XContentSniffing: '*': v1.22.0 
@@ -427,20 +427,20 @@ tests/: spring-boot-openliberty: bug (APPSEC-54981) vertx3: missing_feature vertx4: missing_feature - Test_XContentSniffing_StackTrace: irrelevant (not expected to have a stack trace) Test_XContentSniffing_ExtendedLocation: missing_feature + Test_XContentSniffing_StackTrace: irrelevant (not expected to have a stack trace) test_xpath_injection.py: TestXPathInjection: '*': v1.18.0 play: missing_feature ratpack: missing_feature spring-boot-3-native: missing_feature + TestXPathInjection_ExtendedLocation: missing_feature TestXPathInjection_StackTrace: '*': v1.43.0 play: missing_feature ratpack: missing_feature spring-boot-3-native: missing_feature - TestXPathInjection_ExtendedLocation: missing_feature test_xss.py: TestXSS: '*': v1.19.0 @@ -452,6 +452,7 @@ tests/: spring-boot-3-native: missing_feature (GraalVM. Tracing support only) vertx3: missing_feature vertx4: missing_feature + TestXSS_ExtendedLocation: missing_feature TestXSS_StackTrace: '*': v1.43.0 akka-http: missing_feature @@ -462,7 +463,6 @@ tests/: spring-boot-3-native: missing_feature (GraalVM. Tracing support only) vertx3: missing_feature vertx4: missing_feature - TestXSS_ExtendedLocation: missing_feature source/: test_body.py: TestRequestBody: diff --git a/manifests/nodejs.yml b/manifests/nodejs.yml index 97ee2af1a3c..8682e0f28a6 100644 --- a/manifests/nodejs.yml +++ b/manifests/nodejs.yml 
@@ -98,28 +98,28 @@ tests/: TestCodeInjection: '*': *ref_5_20_0 nextjs: missing_feature + TestCodeInjection_ExtendedLocation: missing_feature TestCodeInjection_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature - TestCodeInjection_ExtendedLocation: missing_feature test_command_injection.py: TestCommandInjection: '*': *ref_3_11_0 nextjs: missing_feature + TestCommandInjection_ExtendedLocation: missing_feature TestCommandInjection_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature - TestCommandInjection_ExtendedLocation: missing_feature test_email_html_injection.py: TestEmailHtmlInjection: missing_feature - TestEmailHtmlInjection_StackTrace: missing_feature TestEmailHtmlInjection_ExtendedLocation: missing_feature + TestEmailHtmlInjection_StackTrace: missing_feature test_hardcoded_passwords.py: Test_HardcodedPasswords: '*': *ref_5_13_0 nextjs: missing_feature - Test_HardcodedPasswords_StackTrace: missing_feature Test_HardcodedPasswords_ExtendedLocation: missing_feature + Test_HardcodedPasswords_StackTrace: missing_feature test_hardcoded_secrets.py: Test_HardcodedSecrets: '*': *ref_4_18_0 @@ -127,8 +127,8 @@ tests/: Test_HardcodedSecretsExtended: '*': *ref_5_11_0 nextjs: missing_feature - Test_HardcodedSecrets_StackTrace: missing_feature Test_HardcodedSecrets_ExtendedLocation: missing_feature + Test_HardcodedSecrets_StackTrace: missing_feature test_header_injection.py: TestHeaderInjection: '*': *ref_4_21_0 
@@ -149,20 +149,20 @@ tests/: '*': *ref_5_26_0 express5: *ref_5_29_0 # test uses querystring nextjs: missing_feature + TestHeaderInjection_ExtendedLocation: missing_feature TestHeaderInjection_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature - TestHeaderInjection_ExtendedLocation: missing_feature test_hsts_missing_header.py: Test_HstsMissingHeader: '*': *ref_4_8_0 nextjs: missing_feature - Test_HstsMissingHeader_StackTrace: missing_feature Test_HstsMissingHeader_ExtendedLocation: missing_feature + Test_HstsMissingHeader_StackTrace: missing_feature test_insecure_auth_protocol.py: Test_InsecureAuthProtocol: missing_feature - Test_InsecureAuthProtocol_StackTrace: missing_feature Test_InsecureAuthProtocol_ExtendedLocation: missing_feature + Test_InsecureAuthProtocol_StackTrace: missing_feature test_insecure_cookie.py: TestInsecureCookie: '*': *ref_4_1_0 @@ -170,18 +170,18 @@ tests/: TestInsecureCookieNameFilter: '*': *ref_5_24_0 nextjs: missing_feature + TestInsecureCookie_ExtendedLocation: missing_feature TestInsecureCookie_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature - TestInsecureCookie_ExtendedLocation: missing_feature test_ldap_injection.py: TestLDAPInjection: '*': *ref_4_1_0 nextjs: missing_feature + TestLDAPInjection_ExtendedLocation: missing_feature TestLDAPInjection_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature - TestLDAPInjection_ExtendedLocation: missing_feature test_no_httponly_cookie.py: TestNoHttponlyCookie: '*': *ref_4_3_0 @@ -189,10 +189,10 @@ tests/: TestNoHttponlyCookieNameFilter: '*': *ref_5_24_0 nextjs: missing_feature + TestNoHttponlyCookie_ExtendedLocation: missing_feature TestNoHttponlyCookie_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature - TestNoHttponlyCookie_ExtendedLocation: missing_feature test_no_samesite_cookie.py: TestNoSamesiteCookie: '*': *ref_4_3_0 
@@ -200,87 +200,88 @@ tests/: TestNoSamesiteCookieNameFilter: '*': *ref_5_24_0 nextjs: missing_feature + TestNoSamesiteCookie_ExtendedLocation: missing_feature TestNoSamesiteCookie_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature - TestNoSamesiteCookie_ExtendedLocation: missing_feature test_nosql_mongodb_injection.py: TestNoSqlMongodbInjection: '*': *ref_4_17_0 nextjs: missing_feature + TestNoSqlMongodbInjection_ExtendedLocation: missing_feature TestNoSqlMongodbInjection_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature - TestNoSqlMongodbInjection_ExtendedLocation: missing_feature test_path_traversal.py: TestPathTraversal: '*': *ref_3_19_0 nextjs: missing_feature + TestPathTraversal_ExtendedLocation: missing_feature TestPathTraversal_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature - TestPathTraversal_ExtendedLocation: missing_feature test_reflection_injection.py: TestReflectionInjection: missing_feature - TestReflectionInjection_StackTrace: missing_feature TestReflectionInjection_ExtendedLocation: missing_feature + TestReflectionInjection_StackTrace: missing_feature test_sql_injection.py: TestSqlInjection: '*': *ref_3_11_0 nextjs: missing_feature + TestSqlInjection_ExtendedLocation: missing_feature TestSqlInjection_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature - TestSqlInjection_ExtendedLocation: missing_feature test_ssrf.py: TestSSRF: '*': *ref_4_1_0 nextjs: missing_feature + TestSSRF_ExtendedLocation: missing_feature TestSSRF_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature - TestSSRF_ExtendedLocation: missing_feature test_template_injection.py: TestTemplateInjection: '*': *ref_5_26_0 nextjs: missing_feature + TestTemplateInjection_ExtendedLocation: missing_feature test_trust_boundary_violation.py: Test_TrustBoundaryViolation: missing_feature - Test_TrustBoundaryViolation_StackTrace: missing_feature Test_TrustBoundaryViolation_ExtendedLocation: missing_feature + Test_TrustBoundaryViolation_StackTrace: missing_feature 
test_untrusted_deserialization.py: TestUntrustedDeserialization: '*': *ref_5_32_0 nextjs: missing_feature - TestUntrustedDeserialization_StackTrace: missing_feature TestUntrustedDeserialization_ExtendedLocation: missing_feature + TestUntrustedDeserialization_StackTrace: missing_feature test_unvalidated_redirect.py: TestUnvalidatedHeader: '*': *ref_4_3_0 nextjs: missing_feature + TestUnvalidatedHeader_ExtendedLocation: missing_feature TestUnvalidatedHeader_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature - TestUnvalidatedHeader_ExtendedLocation: missing_feature TestUnvalidatedRedirect: '*': *ref_4_3_0 nextjs: missing_feature + TestUnvalidatedRedirect_ExtendedLocation: missing_feature TestUnvalidatedRedirect_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature - TestUnvalidatedRedirect_ExtendedLocation: missing_feature test_unvalidated_redirect_forward.py: TestUnvalidatedForward: missing_feature - TestUnvalidatedForward_StackTrace: missing_feature TestUnvalidatedForward_ExtendedLocation: missing_feature + TestUnvalidatedForward_StackTrace: missing_feature test_weak_cipher.py: TestWeakCipher: '*': *ref_3_6_0 nextjs: missing_feature + TestWeakCipher_ExtendedLocation: missing_feature TestWeakCipher_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature - TestWeakCipher_ExtendedLocation: missing_feature test_weak_hash.py: TestDeduplication: '*': *ref_3_11_0 
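Review bot: nodejs.yml is the only manifest in this chunk that declares `TestTemplateInjection_ExtendedLocation: missing_feature` under test_template_injection.py; the java, php, python and ruby hunks leave that file with only `TestTemplateInjection`, so the class is either missing from those manifests or intentionally nodejs-specific, and the hunk does not say which. The diffstat lists tests/appsec/iast/sink/test_template_injection.py as changed, so the class presumably exists for every language; if so, the other manifests likely need the same entry so the new test is consistently skipped rather than picked up against libraries that do not emit extended location data. If the asymmetry is deliberate, a one-line comment such as `# TestTemplateInjection_ExtendedLocation is declared for nodejs only; other manifests have no entry yet` next to the added key would stop the next reader from treating it as an omission.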
@@ -288,32 +289,32 @@ tests/: TestWeakHash: '*': *ref_3_11_0 nextjs: missing_feature + TestWeakHash_ExtendedLocation: missing_feature TestWeakHash_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature - TestWeakHash_ExtendedLocation: missing_feature test_weak_randomness.py: TestWeakRandomness: '*': *ref_5_1_0 nextjs: missing_feature + TestWeakRandomness_ExtendedLocation: missing_feature TestWeakRandomness_StackTrace: '*': *ref_5_33_0 nextjs: missing_feature - TestWeakRandomness_ExtendedLocation: missing_feature test_xcontent_sniffing.py: Test_XContentSniffing: '*': *ref_4_8_0 nextjs: missing_feature - Test_XContentSniffing_StackTrace: missing_feature Test_XContentSniffing_ExtendedLocation: missing_feature + Test_XContentSniffing_StackTrace: missing_feature test_xpath_injection.py: TestXPathInjection: missing_feature - TestXPathInjection_StackTrace: missing_feature TestXPathInjection_ExtendedLocation: missing_feature + TestXPathInjection_StackTrace: missing_feature test_xss.py: TestXSS: missing_feature - TestXSS_StackTrace: missing_feature TestXSS_ExtendedLocation: missing_feature + TestXSS_StackTrace: missing_feature source/: test_body.py: TestRequestBody: diff --git a/manifests/php.yml b/manifests/php.yml index 281a4d3bcdc..5d5ac6c6d28 100644 --- a/manifests/php.yml +++ b/manifests/php.yml 
@@ -26,127 +26,127 @@ tests/: sink/: test_code_injection.py: TestCodeInjection: missing_feature - TestCodeInjection_StackTrace: missing_feature TestCodeInjection_ExtendedLocation: missing_feature + TestCodeInjection_StackTrace: missing_feature test_command_injection.py: TestCommandInjection: missing_feature - TestCommandInjection_StackTrace: missing_feature TestCommandInjection_ExtendedLocation: missing_feature + TestCommandInjection_StackTrace: missing_feature test_email_html_injection.py: TestEmailHtmlInjection: missing_feature - TestEmailHtmlInjection_StackTrace: missing_feature TestEmailHtmlInjection_ExtendedLocation: missing_feature + TestEmailHtmlInjection_StackTrace: missing_feature test_hardcoded_passwords.py: Test_HardcodedPasswords: missing_feature - Test_HardcodedPasswords_StackTrace: missing_feature Test_HardcodedPasswords_ExtendedLocation: missing_feature + Test_HardcodedPasswords_StackTrace: missing_feature test_hardcoded_secrets.py: Test_HardcodedSecrets: missing_feature Test_HardcodedSecretsExtended: missing_feature - Test_HardcodedSecrets_StackTrace: missing_feature Test_HardcodedSecrets_ExtendedLocation: missing_feature + Test_HardcodedSecrets_StackTrace: missing_feature test_header_injection.py: TestHeaderInjection: missing_feature TestHeaderInjectionExclusionAccessControlAllow: missing_feature TestHeaderInjectionExclusionContentEncoding: missing_feature TestHeaderInjectionExclusionPragma: missing_feature TestHeaderInjectionExclusionTransferEncoding: missing_feature - TestHeaderInjection_StackTrace: missing_feature TestHeaderInjection_ExtendedLocation: missing_feature + TestHeaderInjection_StackTrace: missing_feature test_hsts_missing_header.py: Test_HstsMissingHeader: missing_feature - Test_HstsMissingHeader_StackTrace: missing_feature Test_HstsMissingHeader_ExtendedLocation: missing_feature + Test_HstsMissingHeader_StackTrace: missing_feature test_insecure_auth_protocol.py: Test_InsecureAuthProtocol: missing_feature - 
Test_InsecureAuthProtocol_StackTrace: missing_feature Test_InsecureAuthProtocol_ExtendedLocation: missing_feature + Test_InsecureAuthProtocol_StackTrace: missing_feature test_insecure_cookie.py: TestInsecureCookie: missing_feature TestInsecureCookieNameFilter: missing_feature - TestInsecureCookie_StackTrace: missing_feature TestInsecureCookie_ExtendedLocation: missing_feature + TestInsecureCookie_StackTrace: missing_feature test_ldap_injection.py: TestLDAPInjection: missing_feature - TestLDAPInjection_StackTrace: missing_feature TestLDAPInjection_ExtendedLocation: missing_feature + TestLDAPInjection_StackTrace: missing_feature test_no_httponly_cookie.py: TestNoHttponlyCookie: missing_feature TestNoHttponlyCookieNameFilter: missing_feature - TestNoHttponlyCookie_StackTrace: missing_feature TestNoHttponlyCookie_ExtendedLocation: missing_feature + TestNoHttponlyCookie_StackTrace: missing_feature test_no_samesite_cookie.py: TestNoSamesiteCookie: missing_feature TestNoSamesiteCookieNameFilter: missing_feature - TestNoSamesiteCookie_StackTrace: missing_feature TestNoSamesiteCookie_ExtendedLocation: missing_feature + TestNoSamesiteCookie_StackTrace: missing_feature test_nosql_mongodb_injection.py: TestNoSqlMongodbInjection: missing_feature - TestNoSqlMongodbInjection_StackTrace: missing_feature TestNoSqlMongodbInjection_ExtendedLocation: missing_feature + TestNoSqlMongodbInjection_StackTrace: missing_feature test_path_traversal.py: TestPathTraversal: missing_feature - TestPathTraversal_StackTrace: missing_feature TestPathTraversal_ExtendedLocation: missing_feature + TestPathTraversal_StackTrace: missing_feature test_reflection_injection.py: TestReflectionInjection: missing_feature - TestReflectionInjection_StackTrace: missing_feature TestReflectionInjection_ExtendedLocation: missing_feature + TestReflectionInjection_StackTrace: missing_feature test_sql_injection.py: TestSqlInjection: missing_feature - TestSqlInjection_StackTrace: missing_feature 
TestSqlInjection_ExtendedLocation: missing_feature + TestSqlInjection_StackTrace: missing_feature test_ssrf.py: TestSSRF: missing_feature - TestSSRF_StackTrace: missing_feature TestSSRF_ExtendedLocation: missing_feature + TestSSRF_StackTrace: missing_feature test_template_injection.py: TestTemplateInjection: missing_feature test_trust_boundary_violation.py: Test_TrustBoundaryViolation: missing_feature - Test_TrustBoundaryViolation_StackTrace: missing_feature Test_TrustBoundaryViolation_ExtendedLocation: missing_feature + Test_TrustBoundaryViolation_StackTrace: missing_feature test_untrusted_deserialization.py: TestUntrustedDeserialization: missing_feature - TestUntrustedDeserialization_StackTrace: missing_feature TestUntrustedDeserialization_ExtendedLocation: missing_feature + TestUntrustedDeserialization_StackTrace: missing_feature test_unvalidated_redirect.py: TestUnvalidatedHeader: missing_feature - TestUnvalidatedHeader_StackTrace: missing_feature TestUnvalidatedHeader_ExtendedLocation: missing_feature + TestUnvalidatedHeader_StackTrace: missing_feature TestUnvalidatedRedirect: missing_feature - TestUnvalidatedRedirect_StackTrace: missing_feature TestUnvalidatedRedirect_ExtendedLocation: missing_feature + TestUnvalidatedRedirect_StackTrace: missing_feature test_unvalidated_redirect_forward.py: TestUnvalidatedForward: missing_feature - TestUnvalidatedForward_StackTrace: missing_feature TestUnvalidatedForward_ExtendedLocation: missing_feature + TestUnvalidatedForward_StackTrace: missing_feature test_weak_cipher.py: TestWeakCipher: missing_feature - TestWeakCipher_StackTrace: missing_feature TestWeakCipher_ExtendedLocation: missing_feature + TestWeakCipher_StackTrace: missing_feature test_weak_hash.py: TestDeduplication: missing_feature TestWeakHash: missing_feature - TestWeakHash_StackTrace: missing_feature TestWeakHash_ExtendedLocation: missing_feature + TestWeakHash_StackTrace: missing_feature test_weak_randomness.py: TestWeakRandomness: missing_feature - 
TestWeakRandomness_StackTrace: missing_feature TestWeakRandomness_ExtendedLocation: missing_feature + TestWeakRandomness_StackTrace: missing_feature test_xcontent_sniffing.py: Test_XContentSniffing: missing_feature - Test_XContentSniffing_StackTrace: missing_feature Test_XContentSniffing_ExtendedLocation: missing_feature + Test_XContentSniffing_StackTrace: missing_feature test_xpath_injection.py: TestXPathInjection: missing_feature - TestXPathInjection_StackTrace: missing_feature TestXPathInjection_ExtendedLocation: missing_feature + TestXPathInjection_StackTrace: missing_feature test_xss.py: TestXSS: '*': missing_feature - TestXSS_StackTrace: missing_feature TestXSS_ExtendedLocation: missing_feature + TestXSS_StackTrace: missing_feature source/: test_body.py: TestRequestBody: missing_feature diff --git a/manifests/python.yml b/manifests/python.yml index 74564560608..48ae295ecb3 100644 --- a/manifests/python.yml +++ b/manifests/python.yml 
@@ -51,27 +51,27 @@ tests/: sink/: test_code_injection.py: TestCodeInjection: v2.20.0 - TestCodeInjection_StackTrace: v2.20.0 TestCodeInjection_ExtendedLocation: missing_feature + TestCodeInjection_StackTrace: v2.20.0 test_command_injection.py: TestCommandInjection: '*': v2.10.0 fastapi: v2.15.0 - TestCommandInjection_StackTrace: v2.19.0.dev TestCommandInjection_ExtendedLocation: missing_feature + TestCommandInjection_StackTrace: v2.19.0.dev test_email_html_injection.py: TestEmailHtmlInjection: missing_feature - TestEmailHtmlInjection_StackTrace: missing_feature TestEmailHtmlInjection_ExtendedLocation: missing_feature + TestEmailHtmlInjection_StackTrace: missing_feature test_hardcoded_passwords.py: Test_HardcodedPasswords: missing_feature - Test_HardcodedPasswords_StackTrace: missing_feature Test_HardcodedPasswords_ExtendedLocation: missing_feature + Test_HardcodedPasswords_StackTrace: missing_feature test_hardcoded_secrets.py: Test_HardcodedSecrets: missing_feature Test_HardcodedSecretsExtended: missing_feature - Test_HardcodedSecrets_StackTrace: missing_feature Test_HardcodedSecrets_ExtendedLocation: missing_feature + Test_HardcodedSecrets_StackTrace: missing_feature test_header_injection.py: TestHeaderInjection: '*': v2.10.0 
@@ -80,57 +80,57 @@ tests/: TestHeaderInjectionExclusionContentEncoding: missing_feature TestHeaderInjectionExclusionPragma: missing_feature TestHeaderInjectionExclusionTransferEncoding: missing_feature + TestHeaderInjection_ExtendedLocation: missing_feature TestHeaderInjection_StackTrace: '*': v2.19.0.dev fastapi: v2.20.0.dev - TestHeaderInjection_ExtendedLocation: missing_feature test_hsts_missing_header.py: Test_HstsMissingHeader: missing_feature - Test_HstsMissingHeader_StackTrace: missing_feature Test_HstsMissingHeader_ExtendedLocation: missing_feature + Test_HstsMissingHeader_StackTrace: missing_feature test_insecure_auth_protocol.py: Test_InsecureAuthProtocol: missing_feature - Test_InsecureAuthProtocol_StackTrace: missing_feature Test_InsecureAuthProtocol_ExtendedLocation: missing_feature + Test_InsecureAuthProtocol_StackTrace: missing_feature test_insecure_cookie.py: TestInsecureCookie: '*': v1.19.0 fastapi: v2.16.0-dev TestInsecureCookieNameFilter: missing_feature - TestInsecureCookie_StackTrace: missing_feature TestInsecureCookie_ExtendedLocation: missing_feature + TestInsecureCookie_StackTrace: missing_feature test_ldap_injection.py: TestLDAPInjection: missing_feature - TestLDAPInjection_StackTrace: missing_feature TestLDAPInjection_ExtendedLocation: missing_feature + TestLDAPInjection_StackTrace: missing_feature test_no_httponly_cookie.py: TestNoHttponlyCookie: '*': v1.19.0 fastapi: v2.16.0-dev TestNoHttponlyCookieNameFilter: missing_feature - TestNoHttponlyCookie_StackTrace: missing_feature TestNoHttponlyCookie_ExtendedLocation: missing_feature + TestNoHttponlyCookie_StackTrace: missing_feature test_no_samesite_cookie.py: TestNoSamesiteCookie: '*': v1.19.0 fastapi: v2.16.0-dev TestNoSamesiteCookieNameFilter: missing_feature - TestNoSamesiteCookie_StackTrace: missing_feature TestNoSamesiteCookie_ExtendedLocation: missing_feature + TestNoSamesiteCookie_StackTrace: missing_feature test_nosql_mongodb_injection.py: TestNoSqlMongodbInjection: 
missing_feature - TestNoSqlMongodbInjection_StackTrace: missing_feature TestNoSqlMongodbInjection_ExtendedLocation: missing_feature + TestNoSqlMongodbInjection_StackTrace: missing_feature test_path_traversal.py: TestPathTraversal: '*': v2.10.0 fastapi: v2.15.0 - TestPathTraversal_StackTrace: v2.19.0.dev TestPathTraversal_ExtendedLocation: missing_feature + TestPathTraversal_StackTrace: v2.19.0.dev test_reflection_injection.py: TestReflectionInjection: missing_feature - TestReflectionInjection_StackTrace: missing_feature TestReflectionInjection_ExtendedLocation: missing_feature + TestReflectionInjection_StackTrace: missing_feature test_sql_injection.py: TestSqlInjection: django-poc: v1.18.0 
@@ -138,65 +138,65 @@ tests/: flask-poc: v1.18.0 pylons: missing_feature python3.12: v1.18.0 - TestSqlInjection_StackTrace: v2.19.0.dev TestSqlInjection_ExtendedLocation: missing_feature + TestSqlInjection_StackTrace: v2.19.0.dev test_ssrf.py: TestSSRF: '*': v2.10.0 fastapi: v2.15.0 - TestSSRF_StackTrace: v2.19.0.dev TestSSRF_ExtendedLocation: missing_feature + TestSSRF_StackTrace: v2.19.0.dev test_template_injection.py: TestTemplateInjection: missing_feature test_trust_boundary_violation.py: Test_TrustBoundaryViolation: missing_feature - Test_TrustBoundaryViolation_StackTrace: missing_feature Test_TrustBoundaryViolation_ExtendedLocation: missing_feature + Test_TrustBoundaryViolation_StackTrace: missing_feature test_untrusted_deserialization.py: TestUntrustedDeserialization: missing_feature - TestUntrustedDeserialization_StackTrace: missing_feature TestUntrustedDeserialization_ExtendedLocation: missing_feature + TestUntrustedDeserialization_StackTrace: missing_feature test_unvalidated_redirect.py: TestUnvalidatedHeader: missing_feature - TestUnvalidatedHeader_StackTrace: missing_feature TestUnvalidatedHeader_ExtendedLocation: missing_feature + TestUnvalidatedHeader_StackTrace: missing_feature TestUnvalidatedRedirect: missing_feature - TestUnvalidatedRedirect_StackTrace: missing_feature TestUnvalidatedRedirect_ExtendedLocation: missing_feature + TestUnvalidatedRedirect_StackTrace: missing_feature test_unvalidated_redirect_forward.py: TestUnvalidatedForward: missing_feature - TestUnvalidatedForward_StackTrace: missing_feature TestUnvalidatedForward_ExtendedLocation: missing_feature + TestUnvalidatedForward_StackTrace: missing_feature test_weak_cipher.py: TestWeakCipher: '*': v1.18.0 fastapi: v2.15.0 - TestWeakCipher_StackTrace: v2.19.0.dev TestWeakCipher_ExtendedLocation: missing_feature + TestWeakCipher_StackTrace: v2.19.0.dev test_weak_hash.py: TestDeduplication: '*': v1.18.0 TestWeakHash: '*': v1.18.0 - TestWeakHash_StackTrace: v2.19.0.dev 
TestWeakHash_ExtendedLocation: missing_feature + TestWeakHash_StackTrace: v2.19.0.dev test_weak_randomness.py: TestWeakRandomness: '*': v2.0.0 - TestWeakRandomness_StackTrace: v2.19.0.dev TestWeakRandomness_ExtendedLocation: missing_feature + TestWeakRandomness_StackTrace: v2.19.0.dev test_xcontent_sniffing.py: Test_XContentSniffing: missing_feature - Test_XContentSniffing_StackTrace: missing_feature Test_XContentSniffing_ExtendedLocation: missing_feature + Test_XContentSniffing_StackTrace: missing_feature test_xpath_injection.py: TestXPathInjection: missing_feature - TestXPathInjection_StackTrace: missing_feature TestXPathInjection_ExtendedLocation: missing_feature + TestXPathInjection_StackTrace: missing_feature test_xss.py: TestXSS: missing_feature - TestXSS_StackTrace: missing_feature TestXSS_ExtendedLocation: missing_feature + TestXSS_StackTrace: missing_feature source/: test_body.py: TestRequestBody: diff --git a/manifests/ruby.yml b/manifests/ruby.yml index 7fdf540ebed..ed7a7575eba 100644 --- a/manifests/ruby.yml +++ b/manifests/ruby.yml 
@@ -28,126 +28,126 @@ tests/: sink/: test_code_injection.py: TestCodeInjection: missing_feature - TestCodeInjection_StackTrace: missing_feature TestCodeInjection_ExtendedLocation: missing_feature + TestCodeInjection_StackTrace: missing_feature test_command_injection.py: TestCommandInjection: missing_feature - TestCommandInjection_StackTrace: missing_feature TestCommandInjection_ExtendedLocation: missing_feature + TestCommandInjection_StackTrace: missing_feature test_email_html_injection.py: TestEmailHtmlInjection: missing_feature - TestEmailHtmlInjection_StackTrace: missing_feature TestEmailHtmlInjection_ExtendedLocation: missing_feature + TestEmailHtmlInjection_StackTrace: missing_feature test_hardcoded_passwords.py: Test_HardcodedPasswords: missing_feature - Test_HardcodedPasswords_StackTrace: missing_feature Test_HardcodedPasswords_ExtendedLocation: missing_feature + Test_HardcodedPasswords_StackTrace: missing_feature test_hardcoded_secrets.py: Test_HardcodedSecrets: missing_feature Test_HardcodedSecretsExtended: missing_feature - Test_HardcodedSecrets_StackTrace: missing_feature Test_HardcodedSecrets_ExtendedLocation: missing_feature + Test_HardcodedSecrets_StackTrace: missing_feature test_header_injection.py: TestHeaderInjection: missing_feature TestHeaderInjectionExclusionAccessControlAllow: missing_feature TestHeaderInjectionExclusionContentEncoding: missing_feature TestHeaderInjectionExclusionPragma: missing_feature TestHeaderInjectionExclusionTransferEncoding: missing_feature - TestHeaderInjection_StackTrace: missing_feature TestHeaderInjection_ExtendedLocation: missing_feature + TestHeaderInjection_StackTrace: missing_feature test_hsts_missing_header.py: Test_HstsMissingHeader: missing_feature - Test_HstsMissingHeader_StackTrace: missing_feature Test_HstsMissingHeader_ExtendedLocation: missing_feature + Test_HstsMissingHeader_StackTrace: missing_feature test_insecure_auth_protocol.py: Test_InsecureAuthProtocol: missing_feature - 
Test_InsecureAuthProtocol_StackTrace: missing_feature Test_InsecureAuthProtocol_ExtendedLocation: missing_feature + Test_InsecureAuthProtocol_StackTrace: missing_feature test_insecure_cookie.py: TestInsecureCookie: missing_feature TestInsecureCookieNameFilter: missing_feature - TestInsecureCookie_StackTrace: missing_feature TestInsecureCookie_ExtendedLocation: missing_feature + TestInsecureCookie_StackTrace: missing_feature test_ldap_injection.py: TestLDAPInjection: missing_feature - TestLDAPInjection_StackTrace: missing_feature TestLDAPInjection_ExtendedLocation: missing_feature + TestLDAPInjection_StackTrace: missing_feature test_no_httponly_cookie.py: TestNoHttponlyCookie: missing_feature TestNoHttponlyCookieNameFilter: missing_feature - TestNoHttponlyCookie_StackTrace: missing_feature TestNoHttponlyCookie_ExtendedLocation: missing_feature + TestNoHttponlyCookie_StackTrace: missing_feature test_no_samesite_cookie.py: TestNoSamesiteCookie: missing_feature TestNoSamesiteCookieNameFilter: missing_feature - TestNoSamesiteCookie_StackTrace: missing_feature TestNoSamesiteCookie_ExtendedLocation: missing_feature + TestNoSamesiteCookie_StackTrace: missing_feature test_nosql_mongodb_injection.py: TestNoSqlMongodbInjection: missing_feature - TestNoSqlMongodbInjection_StackTrace: missing_feature TestNoSqlMongodbInjection_ExtendedLocation: missing_feature + TestNoSqlMongodbInjection_StackTrace: missing_feature test_path_traversal.py: TestPathTraversal: missing_feature - TestPathTraversal_StackTrace: missing_feature TestPathTraversal_ExtendedLocation: missing_feature + TestPathTraversal_StackTrace: missing_feature test_reflection_injection.py: TestReflectionInjection: missing_feature - TestReflectionInjection_StackTrace: missing_feature TestReflectionInjection_ExtendedLocation: missing_feature + TestReflectionInjection_StackTrace: missing_feature test_sql_injection.py: TestSqlInjection: missing_feature - TestSqlInjection_StackTrace: missing_feature 
TestSqlInjection_ExtendedLocation: missing_feature + TestSqlInjection_StackTrace: missing_feature test_ssrf.py: TestSSRF: missing_feature - TestSSRF_StackTrace: missing_feature TestSSRF_ExtendedLocation: missing_feature + TestSSRF_StackTrace: missing_feature test_template_injection.py: TestTemplateInjection: missing_feature test_trust_boundary_violation.py: Test_TrustBoundaryViolation: missing_feature - Test_TrustBoundaryViolation_StackTrace: missing_feature Test_TrustBoundaryViolation_ExtendedLocation: missing_feature + Test_TrustBoundaryViolation_StackTrace: missing_feature test_untrusted_deserialization.py: TestUntrustedDeserialization: missing_feature - TestUntrustedDeserialization_StackTrace: missing_feature TestUntrustedDeserialization_ExtendedLocation: missing_feature + TestUntrustedDeserialization_StackTrace: missing_feature test_unvalidated_redirect.py: TestUnvalidatedHeader: missing_feature - TestUnvalidatedHeader_StackTrace: missing_feature TestUnvalidatedHeader_ExtendedLocation: missing_feature + TestUnvalidatedHeader_StackTrace: missing_feature TestUnvalidatedRedirect: missing_feature - TestUnvalidatedRedirect_StackTrace: missing_feature TestUnvalidatedRedirect_ExtendedLocation: missing_feature + TestUnvalidatedRedirect_StackTrace: missing_feature test_unvalidated_redirect_forward.py: TestUnvalidatedForward: missing_feature - TestUnvalidatedForward_StackTrace: missing_feature TestUnvalidatedForward_ExtendedLocation: missing_feature + TestUnvalidatedForward_StackTrace: missing_feature test_weak_cipher.py: TestWeakCipher: missing_feature - TestWeakCipher_StackTrace: missing_feature TestWeakCipher_ExtendedLocation: missing_feature + TestWeakCipher_StackTrace: missing_feature test_weak_hash.py: TestDeduplication: missing_feature TestWeakHash: missing_feature - TestWeakHash_StackTrace: missing_feature TestWeakHash_ExtendedLocation: missing_feature + TestWeakHash_StackTrace: missing_feature test_weak_randomness.py: TestWeakRandomness: missing_feature - 
TestWeakRandomness_StackTrace: missing_feature TestWeakRandomness_ExtendedLocation: missing_feature + TestWeakRandomness_StackTrace: missing_feature test_xcontent_sniffing.py: Test_XContentSniffing: missing_feature - Test_XContentSniffing_StackTrace: missing_feature Test_XContentSniffing_ExtendedLocation: missing_feature + Test_XContentSniffing_StackTrace: missing_feature test_xpath_injection.py: TestXPathInjection: missing_feature - TestXPathInjection_StackTrace: missing_feature TestXPathInjection_ExtendedLocation: missing_feature + TestXPathInjection_StackTrace: missing_feature test_xss.py: TestXSS: missing_feature - TestXSS_StackTrace: missing_feature TestXSS_ExtendedLocation: missing_feature + TestXSS_StackTrace: missing_feature source/: test_body.py: TestRequestBody: missing_feature diff --git a/tests/appsec/iast/sink/test_command_injection.py b/tests/appsec/iast/sink/test_command_injection.py index 171c2fa7cfc..3c124fb7583 100644 --- a/tests/appsec/iast/sink/test_command_injection.py +++ b/tests/appsec/iast/sink/test_command_injection.py @@ -52,7 +52,7 @@ def test_stack_trace(self): @rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") @features.iast_extended_location -class TestCodeInjection_ExtendedLocation: +class TestCommandInjection_ExtendedLocation: """Test extended location data""" vulnerability_type = "COMMAND_INJECTION" diff --git a/tests/appsec/iast/sink/test_email_html_injection.py b/tests/appsec/iast/sink/test_email_html_injection.py index cb673057280..cf6fd1457e8 100644 --- a/tests/appsec/iast/sink/test_email_html_injection.py +++ b/tests/appsec/iast/sink/test_email_html_injection.py @@ -40,7 +40,7 @@ def test_stack_trace(self): @rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") @features.iast_extended_location -class TestCodeInjection_ExtendedLocation: +class TestEmailHtmlInjection_ExtendedLocation: """Test extended location data""" vulnerability_type = "EMAIL_HTML_INJECTION" 
diff --git a/tests/appsec/iast/sink/test_hardcoded_passwords.py b/tests/appsec/iast/sink/test_hardcoded_passwords.py
index d3c6a30ec3e..41ca0c0305c 100644
--- a/tests/appsec/iast/sink/test_hardcoded_passwords.py
+++ b/tests/appsec/iast/sink/test_hardcoded_passwords.py
@@ -75,7 +75,7 @@ def test_stack_trace(self):
@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
@features.iast_extended_location
-class TestCodeInjection_ExtendedLocation:
+class Test_HardcodedPasswords_ExtendedLocation:
"""Test extended location data"""
vulnerability_type = "HARDCODED_PASSWORD"
diff --git a/tests/appsec/iast/sink/test_hardcoded_secrets.py b/tests/appsec/iast/sink/test_hardcoded_secrets.py
index fa9b0f643ac..d55c5796b57 100644
--- a/tests/appsec/iast/sink/test_hardcoded_secrets.py
+++ b/tests/appsec/iast/sink/test_hardcoded_secrets.py
@@ -103,7 +103,7 @@ def test_stack_trace(self):
@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
@features.iast_extended_location
-class TestCodeInjection_ExtendedLocation:
+class Test_HardcodedSecrets_ExtendedLocation:
"""Test extended location data"""
vulnerability_type = "HARDCODED_SECRET"
diff --git a/tests/appsec/iast/sink/test_header_injection.py b/tests/appsec/iast/sink/test_header_injection.py
index de857a167f3..14550ab6def 100644
--- a/tests/appsec/iast/sink/test_header_injection.py
+++ b/tests/appsec/iast/sink/test_header_injection.py
@@ -121,7 +121,7 @@ class TestHeaderInjectionExclusionTransferEncoding(_BaseTestHeaderInjectionRefle
@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
@features.iast_extended_location
-class TestCodeInjection_ExtendedLocation:
+class TestHeaderInjection_ExtendedLocation:
"""Test extended location data"""
vulnerability_type = "HEADER_INJECTION"
diff --git a/tests/appsec/iast/sink/test_hsts_missing_header.py b/tests/appsec/iast/sink/test_hsts_missing_header.py
index f2030d79a8e..54ab8706a57 100644
--- a/tests/appsec/iast/sink/test_hsts_missing_header.py
+++ b/tests/appsec/iast/sink/test_hsts_missing_header.py
@@ -43,7 +43,7 @@ def test_stack_trace(self):
@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
@features.iast_extended_location
-class TestCodeInjection_ExtendedLocation:
+class Test_HstsMissingHeader_ExtendedLocation:
"""Test extended location data"""
vulnerability_type = "HSTS_HEADER_MISSING"
diff --git a/tests/appsec/iast/sink/test_insecure_auth_protocol.py b/tests/appsec/iast/sink/test_insecure_auth_protocol.py
index 195114edeef..b3d04811272 100644
--- a/tests/appsec/iast/sink/test_insecure_auth_protocol.py
+++ b/tests/appsec/iast/sink/test_insecure_auth_protocol.py
@@ -51,7 +51,7 @@ def test_stack_trace(self):
@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
@features.iast_extended_location
-class TestCodeInjection_ExtendedLocation:
+class Test_InsecureAuthProtocol_ExtendedLocation:
"""Test extended location data"""
vulnerability_type = "INSECURE_AUTH_PROTOCOL"
diff --git a/tests/appsec/iast/sink/test_insecure_cookie.py b/tests/appsec/iast/sink/test_insecure_cookie.py
index bb483db3e84..722d08ba105 100644
--- a/tests/appsec/iast/sink/test_insecure_cookie.py
+++ b/tests/appsec/iast/sink/test_insecure_cookie.py
@@ -66,7 +66,7 @@ def test_stack_trace(self):
@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
@features.iast_extended_location
-class TestCodeInjection_ExtendedLocation:
+class TestInsecureCookie_ExtendedLocation:
"""Test extended location data"""
vulnerability_type = "INSECURE_COOKIE"
diff --git a/tests/appsec/iast/sink/test_ldap_injection.py b/tests/appsec/iast/sink/test_ldap_injection.py
index 6c3ced0b599..6124fee4ba0 100644
--- a/tests/appsec/iast/sink/test_ldap_injection.py
+++ b/tests/appsec/iast/sink/test_ldap_injection.py
@@ -46,7 +46,7 @@ def test_stack_trace(self):
@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
@features.iast_extended_location
-class TestCodeInjection_ExtendedLocation:
+class TestLDAPInjection_ExtendedLocation:
"""Test extended location data"""
vulnerability_type = "LDAP_INJECTION"
diff --git a/tests/appsec/iast/sink/test_no_httponly_cookie.py b/tests/appsec/iast/sink/test_no_httponly_cookie.py
index 54b10427858..5d759513f6a 100644
--- a/tests/appsec/iast/sink/test_no_httponly_cookie.py
+++ b/tests/appsec/iast/sink/test_no_httponly_cookie.py
@@ -66,7 +66,7 @@ def test_stack_trace(self):
@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
@features.iast_extended_location
-class TestCodeInjection_ExtendedLocation:
+class TestNoHttponlyCookie_ExtendedLocation:
"""Test extended location data"""
vulnerability_type = "NO_HTTPONLY_COOKIE"
diff --git a/tests/appsec/iast/sink/test_no_samesite_cookie.py b/tests/appsec/iast/sink/test_no_samesite_cookie.py
index 6ae149cc2d5..4f7cd104afb 100644
--- a/tests/appsec/iast/sink/test_no_samesite_cookie.py
+++ b/tests/appsec/iast/sink/test_no_samesite_cookie.py
@@ -66,7 +66,7 @@ def test_stack_trace(self):
@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
@features.iast_extended_location
-class TestCodeInjection_ExtendedLocation:
+class TestNoSamesiteCookie_ExtendedLocation:
"""Test extended location data"""
vulnerability_type = "NO_SAMESITE_COOKIE"
diff --git a/tests/appsec/iast/sink/test_nosql_mongodb_injection.py b/tests/appsec/iast/sink/test_nosql_mongodb_injection.py
index dcdda8302eb..7468c0b6907 100644
--- a/tests/appsec/iast/sink/test_nosql_mongodb_injection.py
+++ b/tests/appsec/iast/sink/test_nosql_mongodb_injection.py
@@ -55,7 +55,7 @@ def test_stack_trace(self):
@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
@features.iast_extended_location
-class TestCodeInjection_ExtendedLocation:
+class TestNoSqlMongodbInjection_ExtendedLocation:
"""Test extended location data"""
vulnerability_type = "NOSQL_MONGODB_INJECTION"
diff --git a/tests/appsec/iast/sink/test_path_traversal.py b/tests/appsec/iast/sink/test_path_traversal.py
index a1beb4d3067..a42fd92633d 100644
--- a/tests/appsec/iast/sink/test_path_traversal.py
+++ b/tests/appsec/iast/sink/test_path_traversal.py
@@ -52,7 +52,7 @@ def test_stack_trace(self):
@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
@features.iast_extended_location
-class TestCodeInjection_ExtendedLocation:
+class TestPathTraversal_ExtendedLocation:
"""Test extended location data"""
vulnerability_type = "PATH_TRAVERSAL"
diff --git a/tests/appsec/iast/sink/test_reflection_injection.py b/tests/appsec/iast/sink/test_reflection_injection.py
index 5504c7c3f9c..a1093091655 100644
--- a/tests/appsec/iast/sink/test_reflection_injection.py
+++ b/tests/appsec/iast/sink/test_reflection_injection.py
@@ -44,7 +44,7 @@ def test_stack_trace(self):
@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
@features.iast_extended_location
-class TestCodeInjection_ExtendedLocation:
+class TestReflectionInjection_ExtendedLocation:
"""Test extended location data"""
vulnerability_type = "REFLECTION_INJECTION"
diff --git a/tests/appsec/iast/sink/test_sql_injection.py b/tests/appsec/iast/sink/test_sql_injection.py
index 29bf6aa37f8..b736e338fdd 100644
--- a/tests/appsec/iast/sink/test_sql_injection.py
+++ b/tests/appsec/iast/sink/test_sql_injection.py
@@ -57,7 +57,7 @@ def test_stack_trace(self):
@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
@features.iast_extended_location
-class TestCodeInjection_ExtendedLocation:
+class TestSqlInjection_ExtendedLocation:
"""Test extended location data"""
vulnerability_type = "SQL_INJECTION"
diff --git a/tests/appsec/iast/sink/test_ssrf.py b/tests/appsec/iast/sink/test_ssrf.py
index 07fd6bee7a1..39503a34be5 100644
--- a/tests/appsec/iast/sink/test_ssrf.py
+++ b/tests/appsec/iast/sink/test_ssrf.py
@@ -52,7 +52,7 @@ def test_stack_trace(self):
@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
@features.iast_extended_location
-class TestCodeInjection_ExtendedLocation:
+class TestSSRF_ExtendedLocation:
"""Test extended location data"""
vulnerability_type = "SSRF"
diff --git a/tests/appsec/iast/sink/test_template_injection.py b/tests/appsec/iast/sink/test_template_injection.py
index 1485e3df162..2062f5e47eb 100644
--- a/tests/appsec/iast/sink/test_template_injection.py
+++ b/tests/appsec/iast/sink/test_template_injection.py
@@ -20,7 +20,7 @@ class TestTemplateInjection(BaseSinkTest):
@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
@features.iast_extended_location
-class TestCodeInjection_ExtendedLocation:
+class TestTemplateInjection_ExtendedLocation:
"""Test extended location data"""
vulnerability_type = "TEMPLATE_INJECTION"
diff --git a/tests/appsec/iast/sink/test_trust_boundary_violation.py b/tests/appsec/iast/sink/test_trust_boundary_violation.py
index 6cf9292ea6e..71e33f0d3fd 100644
--- a/tests/appsec/iast/sink/test_trust_boundary_violation.py
+++ b/tests/appsec/iast/sink/test_trust_boundary_violation.py
@@ -47,7 +47,7 @@ def test_stack_trace(self):
@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
@features.iast_extended_location
-class TestCodeInjection_ExtendedLocation:
+class Test_TrustBoundaryViolation_ExtendedLocation:
"""Test extended location data"""
vulnerability_type = "TRUST_BOUNDARY_VIOLATION"
diff --git a/tests/appsec/iast/sink/test_untrusted_deserialization.py b/tests/appsec/iast/sink/test_untrusted_deserialization.py
index 2e1f52ed2e3..37cdfea6330 100644
--- a/tests/appsec/iast/sink/test_untrusted_deserialization.py
+++ b/tests/appsec/iast/sink/test_untrusted_deserialization.py
@@ -36,7 +36,7 @@ def test_stack_trace(self):
@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
@features.iast_extended_location
-class TestCodeInjection_ExtendedLocation:
+class TestUntrustedDeserialization_ExtendedLocation:
"""Test extended location data"""
vulnerability_type = "UNTRUSTED_DESERIALIZATION"
diff --git a/tests/appsec/iast/sink/test_unvalidated_redirect.py b/tests/appsec/iast/sink/test_unvalidated_redirect.py
index 14092d378e5..d758ffde4df 100644
--- a/tests/appsec/iast/sink/test_unvalidated_redirect.py
+++ b/tests/appsec/iast/sink/test_unvalidated_redirect.py
@@ -103,7 +103,23 @@ def test_stack_trace(self):
@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
@features.iast_extended_location
-class TestCodeInjection_ExtendedLocation:
+class TestUnvalidatedRedirect_ExtendedLocation:
+ """Test extended location data"""
+
+ vulnerability_type = "UNVALIDATED_REDIRECT"
+
+ def setup_extended_location_data(self):
+ self.r = weblog.post(
+ "/iast/unvalidated_redirect/test_insecure_redirect", data={"location": "http://dummy.location.com"}
+ )
+
+ def test_extended_location_data(self):
+ validate_extended_location_data(self.r, self.vulnerability_type)
+
+
+@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
+@features.iast_extended_location
+class TestUnvalidatedHeader_ExtendedLocation:
"""Test extended location data"""
vulnerability_type = "UNVALIDATED_REDIRECT"
diff --git a/tests/appsec/iast/sink/test_unvalidated_redirect_forward.py b/tests/appsec/iast/sink/test_unvalidated_redirect_forward.py
index 8ae41e4424e..2950a1e3406 100644
--- a/tests/appsec/iast/sink/test_unvalidated_redirect_forward.py
+++ b/tests/appsec/iast/sink/test_unvalidated_redirect_forward.py
@@ -50,7 +50,7 @@ def test_stack_trace(self):
@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
@features.iast_extended_location
-class TestCodeInjection_ExtendedLocation:
+class TestUnvalidatedForward_ExtendedLocation:
"""Test extended location data"""
vulnerability_type = "UNVALIDATED_REDIRECT"
diff --git a/tests/appsec/iast/sink/test_weak_cipher.py b/tests/appsec/iast/sink/test_weak_cipher.py
index 0ed70daed61..c65fa962594 100644
--- a/tests/appsec/iast/sink/test_weak_cipher.py
+++ b/tests/appsec/iast/sink/test_weak_cipher.py
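Review bot: Both classes in this hunk carry the identical docstring `"""Test extended location data"""` and the same `vulnerability_type = "UNVALIDATED_REDIRECT"`, so nothing in the file says which sink each one exercises. The new `TestUnvalidatedRedirect_ExtendedLocation` posts to `/iast/unvalidated_redirect/test_insecure_redirect`, so its docstring could read `"""Extended location data for the unvalidated-redirect sink (POST /iast/unvalidated_redirect/test_insecure_redirect)"""`, and the renamed `TestUnvalidatedHeader_ExtendedLocation` should likewise name the header endpoint it drives. That renamed class's `setup_extended_location_data` lies outside the hunk, so it is worth confirming it still targets the header endpoint rather than repeating the redirect request above it. The manifests changed in this same patch list both class names, so the rename is consistent on that side.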
@@ -50,7 +50,7 @@ def test_stack_trace(self):
@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
@features.iast_extended_location
-class TestCodeInjection_ExtendedLocation:
+class TestWeakCipher_ExtendedLocation:
"""Test extended location data"""
vulnerability_type = "WEAK_CIPHER"
diff --git a/tests/appsec/iast/sink/test_weak_hash.py b/tests/appsec/iast/sink/test_weak_hash.py
index 981e7da72d5..07adde3f508 100644
--- a/tests/appsec/iast/sink/test_weak_hash.py
+++ b/tests/appsec/iast/sink/test_weak_hash.py
@@ -107,7 +107,7 @@ def test_insecure_hash_multiple(self):
@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
@features.iast_extended_location
-class TestCodeInjection_ExtendedLocation:
+class TestWeakHash_ExtendedLocation:
"""Test extended location data"""
vulnerability_type = "WEAK_HASH"
diff --git a/tests/appsec/iast/sink/test_weak_randomness.py b/tests/appsec/iast/sink/test_weak_randomness.py
index d6f238a544e..f6de93ac95b 100644
--- a/tests/appsec/iast/sink/test_weak_randomness.py
+++ b/tests/appsec/iast/sink/test_weak_randomness.py
@@ -38,7 +38,7 @@ def test_stack_trace(self):
@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
@features.iast_extended_location
-class TestCodeInjection_ExtendedLocation:
+class TestWeakRandomness_ExtendedLocation:
"""Test extended location data"""
vulnerability_type = "WEAK_RANDOMNESS"
diff --git a/tests/appsec/iast/sink/test_xcontent_sniffing.py b/tests/appsec/iast/sink/test_xcontent_sniffing.py
index 23188f5a0bb..d971bd62613 100644
--- a/tests/appsec/iast/sink/test_xcontent_sniffing.py
+++ b/tests/appsec/iast/sink/test_xcontent_sniffing.py
@@ -41,7 +41,7 @@ def test_stack_trace(self):
@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
@features.iast_extended_location
-class TestCodeInjection_ExtendedLocation:
+class Test_XContentSniffing_ExtendedLocation:
"""Test extended location data"""
vulnerability_type = "XCONTENTTYPE_HEADER_MISSING"
diff --git a/tests/appsec/iast/sink/test_xpath_injection.py b/tests/appsec/iast/sink/test_xpath_injection.py
index b8f37e7588f..481f0f9a1cc 100644
--- a/tests/appsec/iast/sink/test_xpath_injection.py
+++ b/tests/appsec/iast/sink/test_xpath_injection.py
@@ -34,7 +34,7 @@ def test_stack_trace(self):
@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
@features.iast_extended_location
-class TestCodeInjection_ExtendedLocation:
+class TestXPathInjection_ExtendedLocation:
"""Test extended location data"""
vulnerability_type = "XPATH_INJECTION"
diff --git a/tests/appsec/iast/sink/test_xss.py b/tests/appsec/iast/sink/test_xss.py
index a353d1e37a7..d2735032c77 100644
--- a/tests/appsec/iast/sink/test_xss.py
+++ b/tests/appsec/iast/sink/test_xss.py
@@ -34,7 +34,7 @@ def test_stack_trace(self):
@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
@features.iast_extended_location
-class TestCodeInjection_ExtendedLocation:
+class TestXSS_ExtendedLocation:
"""Test extended location data"""
vulnerability_type = "XSS"
From 4d7ec0036832d04415a3aeff0dbf0cfb7579bc39 Mon Sep 17 00:00:00 2001
From: ishabi
Date: Wed, 5 Feb 2025 13:02:48 +0100
Subject: [PATCH 5/8] Avoid checking vulnerabilities without expected location
---
.../iast/sink/test_hardcoded_passwords.py | 32 +++++++----------
.../iast/sink/test_hardcoded_secrets.py | 35 +++++++------------
.../iast/sink/test_hsts_missing_header.py | 2 +-
.../iast/sink/test_nosql_mongodb_injection.py | 1 +
.../sink/test_trust_boundary_violation.py | 2 +-
.../sink/test_untrusted_deserialization.py | 4 +--
.../iast/sink/test_xcontent_sniffing.py | 2 +-
tests/appsec/iast/utils.py | 19 +++++++++-
8 files changed, 49 insertions(+), 48 deletions(-)
diff --git a/tests/appsec/iast/sink/test_hardcoded_passwords.py b/tests/appsec/iast/sink/test_hardcoded_passwords.py
index 41ca0c0305c..a026c72d08b 100644
--- a/tests/appsec/iast/sink/test_hardcoded_passwords.py
+++ b/tests/appsec/iast/sink/test_hardcoded_passwords.py
@@ -2,8 +2,8 @@
# This product includes software developed at Datadog (https://www.datadoghq.com/).
# Copyright 2021 Datadog, Inc.
-from utils import interfaces, weblog, features, context, rfc
-from ..utils import validate_extended_location_data, validate_stack_traces
+from utils import weblog, features, context, rfc
+from ..utils import get_hardcoded_vulnerabilities, validate_stack_traces
# Test_HardcodedPasswords doesn't inherit from BaseSinkTest
# Hardcode passwords detection implementation change a lot between different languages
@@ -32,26 +32,12 @@ def setup_hardcoded_passwords_exec(self):
def test_hardcoded_passwords_exec(self):
assert self.r_hardcoded_passwords_exec.status_code == 200
- hardcoded_passwords = self.get_hardcoded_password_vulnerabilities()
+ hardcoded_passwords = get_hardcoded_vulnerabilities("HARDCODED_PASSWORD")
hardcoded_passwords = [v for v in hardcoded_passwords if v["evidence"]["value"] == "hashpwd"]
assert len(hardcoded_passwords) == 1
vuln = hardcoded_passwords[0]
assert vuln["location"]["path"] == self._get_expectation(self.location_map)
- def get_hardcoded_password_vulnerabilities(self):
- spans = [s for _, s in interfaces.library.get_root_spans()]
- assert spans, "No spans found"
- spans_meta = [span.get("meta") for span in spans]
- assert spans_meta, "No spans meta found"
- iast_events = [meta.get("_dd.iast.json") for meta in spans_meta if meta.get("_dd.iast.json")]
- assert iast_events, "No iast events found"
- vulnerabilities = [event.get("vulnerabilities") for event in iast_events if event.get("vulnerabilities")]
- assert vulnerabilities, "No vulnerabilities found"
- vulnerabilities = sum(vulnerabilities, []) # set all the vulnerabilities in a single list
- hardcoded_passwords = [vuln for vuln in vulnerabilities if vuln.get("type") == "HARDCODED_PASSWORD"]
- assert hardcoded_passwords, "No hardcoded passwords found"
- return hardcoded_passwords
-
def _get_expectation(self, d):
expected = d.get(context.library.library)
if isinstance(expected, dict):
@@ -78,10 +64,16 @@ def test_stack_trace(self):
class Test_HardcodedPasswords_ExtendedLocation:
"""Test extended location data"""
- vulnerability_type = "HARDCODED_PASSWORD"
-
def setup_extended_location_data(self):
self.r = weblog.get("/iast/hardcoded_passwords/test_insecure")
def test_extended_location_data(self):
- validate_extended_location_data(self.r, self.vulnerability_type)
+ hardcoded_passwords = get_hardcoded_vulnerabilities("HARDCODED_PASSWORD")
+ hardcoded_passwords = [v for v in hardcoded_passwords if v["evidence"]["value"] == "hashpwd"]
+ assert len(hardcoded_passwords) == 1
+ location = hardcoded_passwords[0]["location"]
+
+ assert all(field in location for field in ["path", "line"])
+
+ if context.library.library not in ("python", "nodejs"):
+ assert all(field in location for field in ["class", "method"])
diff --git a/tests/appsec/iast/sink/test_hardcoded_secrets.py b/tests/appsec/iast/sink/test_hardcoded_secrets.py
index d55c5796b57..748c22056c2 100644
--- a/tests/appsec/iast/sink/test_hardcoded_secrets.py
+++ b/tests/appsec/iast/sink/test_hardcoded_secrets.py
@@ -2,8 +2,8 @@
# This product includes software developed at Datadog (https://www.datadoghq.com/).
# Copyright 2021 Datadog, Inc.
-from utils import interfaces, features, context, rfc, weblog
-from ..utils import validate_extended_location_data, validate_stack_traces
+from utils import features, context, rfc, weblog
+from ..utils import get_hardcoded_vulnerabilities, validate_stack_traces
# Test_HardcodedSecrets and Test_HardcodedSecretsExtended don't inherit from BaseSinkTest
# Hardcode secrets detection implementation change a lot between different languages
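Review bot: The new `test_extended_location_data` body re-implements the location field checks by hand (`assert all(field in location for field in ["path", "line"])` plus the python/nodejs exemption for class/method), and the identical nine lines appear again in `Test_HardcodedSecrets_ExtendedLocation` in test_hardcoded_secrets.py; the utils.py hunk later in this patch shows `validate_extended_location_data` ending in the same `assert all(field in location for field in ["class", "method"])`, so that is now three copies of the "required location fields" rule. A helper in tests/appsec/iast/utils.py that takes the `location` dict would let both hardcoded tests and `validate_extended_location_data` share one definition, leaving each test with `validate_location_fields(hardcoded_passwords[0]["location"])` after its `assert len(...) == 1`. The exemption tuple `("python", "nodejs")` would then live in one place. This assumes utils.py has `context` in scope, which the visible hunks do not show.
```python
# tests/appsec/iast/utils.py
def validate_location_fields(location):
    """Assert the extended-location fields are present; python and nodejs do not report class/method."""
    assert all(field in location for field in ["path", "line"])
    if context.library.library not in ("python", "nodejs"):
        assert all(field in location for field in ["class", "method"])


# tests/appsec/iast/sink/test_hardcoded_passwords.py
    # … unchanged: setup_extended_location_data …
    def test_extended_location_data(self):
        hardcoded_passwords = get_hardcoded_vulnerabilities("HARDCODED_PASSWORD")
        hardcoded_passwords = [v for v in hardcoded_passwords if v["evidence"]["value"] == "hashpwd"]
        assert len(hardcoded_passwords) == 1
        validate_location_fields(hardcoded_passwords[0]["location"])
```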
@@ -11,21 +11,6 @@
# as the vulnerability is not always set in the current request span.
-def get_hardcoded_secret_vulnerabilities():
- spans = [s for _, s in interfaces.library.get_root_spans()]
- assert spans, "No spans found"
- spans_meta = [span.get("meta") for span in spans]
- assert spans_meta, "No spans meta found"
- iast_events = [meta.get("_dd.iast.json") for meta in spans_meta if meta.get("_dd.iast.json")]
- assert iast_events, "No iast events found"
- vulnerabilities = [event.get("vulnerabilities") for event in iast_events if event.get("vulnerabilities")]
- assert vulnerabilities, "No vulnerabilities found"
- vulnerabilities = sum(vulnerabilities, []) # set all the vulnerabilities in a single list
- hardcoded_secrets = [vuln for vuln in vulnerabilities if vuln.get("type") == "HARDCODED_SECRET"]
- assert hardcoded_secrets, "No hardcoded secrets found"
- return hardcoded_secrets
-
-
def get_expectation(d):
expected = d.get(context.library.library)
if isinstance(expected, dict):
@@ -55,7 +40,7 @@ def setup_hardcoded_secrets_exec(self):
def test_hardcoded_secrets_exec(self):
assert self.r_hardcoded_secrets_exec.status_code == 200
- hardcode_secrets = get_hardcoded_secret_vulnerabilities()
+ hardcode_secrets = get_hardcoded_vulnerabilities("HARDCODED_SECRET")
hardcode_secrets = [v for v in hardcode_secrets if v["evidence"]["value"] == "aws-access-token"]
assert len(hardcode_secrets) == 1
vuln = hardcode_secrets[0]
@@ -80,7 +65,7 @@ def setup_hardcoded_secrets_extended_exec(self):
def test_hardcoded_secrets_extended_exec(self):
assert self.r_hardcoded_secrets_exec.status_code == 200
- hardcoded_secrets = get_hardcoded_secret_vulnerabilities()
+ hardcoded_secrets = get_hardcoded_vulnerabilities("HARDCODED_SECRET")
hardcoded_secrets = [v for v in hardcoded_secrets if v["evidence"]["value"] == "datadog-access-token"]
assert len(hardcoded_secrets) == 1
vuln = hardcoded_secrets[0]
@@ -106,10 +91,16 @@ def test_stack_trace(self):
class Test_HardcodedSecrets_ExtendedLocation:
"""Test extended location data"""
- vulnerability_type = "HARDCODED_SECRET"
-
def setup_extended_location_data(self):
self.r = weblog.get("/iast/hardcoded_secrets/test_insecure")
def test_extended_location_data(self):
- validate_extended_location_data(self.r, self.vulnerability_type)
+ hardcode_secrets = get_hardcoded_vulnerabilities("HARDCODED_SECRET")
+ hardcode_secrets = [v for v in hardcode_secrets if v["evidence"]["value"] == "aws-access-token"]
+ assert len(hardcode_secrets) == 1
+ location = hardcode_secrets[0]["location"]
+
+ assert all(field in location for field in ["path", "line"])
+
+ if context.library.library not in ("python", "nodejs"):
+ assert all(field in location for field in ["class", "method"])
diff --git a/tests/appsec/iast/sink/test_hsts_missing_header.py b/tests/appsec/iast/sink/test_hsts_missing_header.py
index 54ab8706a57..910e34a8cb2 100644
--- a/tests/appsec/iast/sink/test_hsts_missing_header.py
+++ b/tests/appsec/iast/sink/test_hsts_missing_header.py
@@ -52,4 +52,4 @@ def setup_extended_location_data(self):
self.r = weblog.get("/iast/hstsmissing/test_insecure", headers={"X-Forwarded-Proto": "https"})
def test_extended_location_data(self):
- validate_extended_location_data(self.r, self.vulnerability_type)
+ validate_extended_location_data(self.r, self.vulnerability_type, False)
diff --git a/tests/appsec/iast/sink/test_nosql_mongodb_injection.py b/tests/appsec/iast/sink/test_nosql_mongodb_injection.py
index 7468c0b6907..e3941402835 100644
--- a/tests/appsec/iast/sink/test_nosql_mongodb_injection.py
+++ b/tests/appsec/iast/sink/test_nosql_mongodb_injection.py
@@ -54,6 +54,7 @@ def test_stack_trace(self):
@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4")
+@scenarios.integrations
@features.iast_extended_location
class TestNoSqlMongodbInjection_ExtendedLocation:
"""Test extended location data"""
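Review bot: `validate_extended_location_data(self.r, self.vulnerability_type, False)` in the test_hsts_missing_header.py hunk passes a bare boolean positionally, so a reader cannot tell what is being switched off without opening utils.py; the same call is made in test_trust_boundary_violation.py and test_xcontent_sniffing.py in this patch. Passing it by name, `validate_extended_location_data(self.r, self.vulnerability_type, is_expected_location_required=False)`, states the intent at the call site and would survive the parameter later becoming keyword-only. Since the class docstring still reads "Test extended location data" while the flag makes the helper stop right after the vulnerability-presence assert, a one-line comment such as `# no code location is expected for this sink; only the vulnerability's presence is checked` on the test method would keep the two from contradicting each other.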
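Review bot: `@scenarios.integrations` is the only new line in the test_nosql_mongodb_injection.py hunk and the file's import block is outside it; unless `scenarios` is already imported there, the decorator raises `NameError` at collection time and takes every test in the module with it. Worth confirming that `scenarios` is on the file's existing `from utils import …` line (the other sink files in this patch import `weblog, features, context, rfc` from `utils`, so it presumably belongs on that line). Whether the sibling `TestNoSqlMongodbInjection_StackTrace` class needs the same scenario is not decidable from the hunk.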
diff --git a/tests/appsec/iast/sink/test_trust_boundary_violation.py b/tests/appsec/iast/sink/test_trust_boundary_violation.py
index 71e33f0d3fd..b58543b7382 100644
--- a/tests/appsec/iast/sink/test_trust_boundary_violation.py
+++ b/tests/appsec/iast/sink/test_trust_boundary_violation.py
@@ -59,4 +59,4 @@ def setup_extended_location_data(self):
)
def test_extended_location_data(self):
- validate_extended_location_data(self.r, self.vulnerability_type)
+ validate_extended_location_data(self.r, self.vulnerability_type, False)
diff --git a/tests/appsec/iast/sink/test_untrusted_deserialization.py b/tests/appsec/iast/sink/test_untrusted_deserialization.py
index 37cdfea6330..cd168fae321 100644
--- a/tests/appsec/iast/sink/test_untrusted_deserialization.py
+++ b/tests/appsec/iast/sink/test_untrusted_deserialization.py
@@ -28,7 +28,7 @@ class TestUntrustedDeserialization_StackTrace:
"""Validate stack trace generation"""
def setup_stack_trace(self):
- self.r = weblog.get("/iast/untrusted_deserialization/test_insecure")
+ self.r = weblog.get("/iast/untrusted_deserialization/test_insecure?name=example")
def test_stack_trace(self):
validate_stack_traces(self.r)
@@ -42,7 +42,7 @@ class TestUntrustedDeserialization_ExtendedLocation:
vulnerability_type = "UNTRUSTED_DESERIALIZATION"
def setup_extended_location_data(self):
- self.r = weblog.get("/iast/untrusted_deserialization/test_insecure")
+ self.r = weblog.get("/iast/untrusted_deserialization/test_insecure?name=example")
def test_extended_location_data(self):
validate_extended_location_data(self.r, self.vulnerability_type)
diff --git a/tests/appsec/iast/sink/test_xcontent_sniffing.py b/tests/appsec/iast/sink/test_xcontent_sniffing.py
index d971bd62613..8a9ae376e58 100644
--- a/tests/appsec/iast/sink/test_xcontent_sniffing.py
+++ b/tests/appsec/iast/sink/test_xcontent_sniffing.py
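Review bot: The URL `/iast/untrusted_deserialization/test_insecure?name=example` is now spelled out twice in test_untrusted_deserialization.py, in `TestUntrustedDeserialization_StackTrace.setup_stack_trace` and `TestUntrustedDeserialization_ExtendedLocation.setup_extended_location_data`, and both hunks exist precisely because the two copies had to be changed in lockstep. A module-level constant, `INSECURE_DESERIALIZATION_URL = "/iast/untrusted_deserialization/test_insecure?name=example"`, used by both setups would remove that coupling. Nothing in the file explains why the `name` query parameter is needed; presumably the endpoint only reaches the deserialization sink when it is supplied, so a comment on the constant such as `# ``name`` is the value the weblog endpoint deserializes; without it the sink is not exercised` (to be confirmed against the weblog) would save the next reader the trip.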
@@ -50,4 +50,4 @@ def setup_extended_location_data(self): self.r = weblog.get("/iast/xcontent-missing-header/test_insecure") def test_extended_location_data(self): - validate_extended_location_data(self.r, self.vulnerability_type) + validate_extended_location_data(self.r, self.vulnerability_type, False) diff --git a/tests/appsec/iast/utils.py b/tests/appsec/iast/utils.py index a0f0a4a9c68..67f8095871c 100644 --- a/tests/appsec/iast/utils.py +++ b/tests/appsec/iast/utils.py @@ -250,7 +250,7 @@ def validate_stack_traces(request): assert locationFrame is not None, "location not found in stack trace" -def validate_extended_location_data(request, vulnerability_type): +def validate_extended_location_data(request, vulnerability_type, is_expected_location_required=True): spans = [span for _, span in interfaces.library.get_root_spans(request=request)] assert spans, "No root span found" span = spans[0] @@ -263,6 +263,9 @@ def validate_extended_location_data(request, vulnerability_type): vulns = [v for v in iast["vulnerabilities"] if not vulnerability_type or v["type"] == vulnerability_type] assert vulns, f"No vulnerability of type {vulnerability_type}" + if not is_expected_location_required: + return + vuln = vulns[0] location = vuln["location"] 
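Review bot: The new `is_expected_location_required=True` parameter on `validate_extended_location_data` is positional-or-keyword, which is how the call sites in this patch end up passing a bare `False`; declaring it keyword-only, `def validate_extended_location_data(request, vulnerability_type, *, is_expected_location_required=True):`, forces callers to name it. The function has no docstring; one describing the two parameters and stating that the flag short-circuits every location and stack-trace check would help, since the function body continues outside the hunk.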
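Review bot: The early `return` added after the `assert vulns` check skips every location and stack-trace assertion that follows, so for callers passing `False` the function only proves that a vulnerability of the requested type was reported, and nothing in the hunk records why that is acceptable. A comment on the guard, e.g. `# Some sinks report no location for this type; only the presence of the vulnerability is checked`, would make the intent explicit; adjust the wording to the real reason, which this hunk does not state. The function body continues outside the hunk.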
@@ -305,6 +308,20 @@ def validate_extended_location_data(request, vulnerability_type): assert all(field in location for field in ["class", "method"]) +def get_hardcoded_vulnerabilities(vulnerability_type): + spans = [s for _, s in interfaces.library.get_root_spans()] + assert spans, "No spans found" + spans_meta = [span.get("meta") for span in spans] + assert spans_meta, "No spans meta found" + iast_events = [meta.get("_dd.iast.json") for meta in spans_meta if meta.get("_dd.iast.json")] + assert iast_events, "No iast events found" + vulnerabilities = [event.get("vulnerabilities") for event in iast_events if event.get("vulnerabilities")] + assert vulnerabilities, "No vulnerabilities found" + vulnerabilities = sum(vulnerabilities, []) # set all the vulnerabilities in a single list + hardcoded_vulns = [vuln for vuln in vulnerabilities if vuln.get("type") == vulnerability_type] + assert hardcoded_vulns, "No hardcoded vulnerabilities found" + return hardcoded_vulns + class BaseSinkTest(BaseSinkTestWithoutTelemetry): def setup_telemetry_metric_instrumented_sink(self): self.setup_insecure() From a41b87a0e0d5367fa1043641792f71bf1d8582b6 Mon Sep 17 00:00:00 2001 From: ishabi Date: Wed, 5 Feb 2025 14:12:53 +0100 Subject: [PATCH 6/8] add TestTemplateInjection_ExtendedLocation to yaml files --- manifests/dotnet.yml | 1 + manifests/golang.yml | 1 + manifests/java.yml | 1 + manifests/php.yml | 1 + manifests/python.yml | 1 + manifests/ruby.yml | 1 + 6 files changed, 6 insertions(+) diff --git a/manifests/dotnet.yml b/manifests/dotnet.yml index 95d711e6dfb..c56ac08c792 100644 --- a/manifests/dotnet.yml +++ b/manifests/dotnet.yml @@ -108,6 +108,7 @@ tests/: TestSSRF_StackTrace: missing_feature test_template_injection.py: TestTemplateInjection: missing_feature + TestTemplateInjection_ExtendedLocation: missing_feature test_trust_boundary_violation.py: Test_TrustBoundaryViolation: v2.43.0 Test_TrustBoundaryViolation_ExtendedLocation: missing_feature 
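Review bot: `spans_meta` may contain `None` entries because `span.get("meta")` is not filtered, and a list of `None`s is truthy, so `assert spans_meta` passes and the next comprehension fails with an `AttributeError` on `meta.get` instead of a readable assertion. The `iast_events` comprehension also calls `meta.get("_dd.iast.json")` twice, `sum(vulnerabilities, [])` re-copies the accumulated list on every step, and the name and message (`hardcoded_vulns`, "No hardcoded vulnerabilities found") do not fit a helper that filters by any `vulnerability_type`. Because it calls `interfaces.library.get_root_spans()` without a request, the helper aggregates findings from every request in the session, unlike `validate_extended_location_data` just above; that deserves a docstring line so callers do not assume per-request scoping. The rewrite below keeps the signature, filters `None` metadata, flattens with a comprehension and names the result after the type.
```python
def get_hardcoded_vulnerabilities(vulnerability_type):
    """Return every reported vulnerability whose type is *vulnerability_type*.

    All root spans reported so far are scanned, not only those of one request.
    """
    spans = [s for _, s in interfaces.library.get_root_spans()]
    assert spans, "No spans found"
    spans_meta = [meta for meta in (span.get("meta") for span in spans) if meta]
    assert spans_meta, "No spans meta found"
    iast_events = [meta["_dd.iast.json"] for meta in spans_meta if meta.get("_dd.iast.json")]
    assert iast_events, "No iast events found"
    # Flatten in one pass; sum(..., []) is quadratic in the number of events.
    vulnerabilities = [vuln for event in iast_events for vuln in event.get("vulnerabilities") or []]
    assert vulnerabilities, "No vulnerabilities found"
    matching = [vuln for vuln in vulnerabilities if vuln.get("type") == vulnerability_type]
    assert matching, f"No vulnerabilities of type {vulnerability_type} found"
    return matching
```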
diff --git a/manifests/golang.yml b/manifests/golang.yml index 6f5b3792ac0..128e8d85bde 100644 --- a/manifests/golang.yml +++ b/manifests/golang.yml @@ -118,6 +118,7 @@ tests/: TestSSRF_StackTrace: missing_feature test_template_injection.py: TestTemplateInjection: missing_feature + TestTemplateInjection_ExtendedLocation: missing_feature test_trust_boundary_violation.py: Test_TrustBoundaryViolation: missing_feature Test_TrustBoundaryViolation_ExtendedLocation: missing_feature diff --git a/manifests/java.yml b/manifests/java.yml index 443c3a89ed5..e63f392f5ef 100644 --- a/manifests/java.yml +++ b/manifests/java.yml @@ -285,6 +285,7 @@ tests/: vertx4: missing_feature (No endpoint implemented) test_template_injection.py: TestTemplateInjection: missing_feature + TestTemplateInjection_ExtendedLocation: missing_feature test_trust_boundary_violation.py: Test_TrustBoundaryViolation: '*': v1.22.0 diff --git a/manifests/php.yml b/manifests/php.yml index 5d5ac6c6d28..9b121492ed9 100644 --- a/manifests/php.yml +++ b/manifests/php.yml @@ -102,6 +102,7 @@ tests/: TestSSRF_StackTrace: missing_feature test_template_injection.py: TestTemplateInjection: missing_feature + TestTemplateInjection_ExtendedLocation: missing_feature test_trust_boundary_violation.py: Test_TrustBoundaryViolation: missing_feature Test_TrustBoundaryViolation_ExtendedLocation: missing_feature diff --git a/manifests/python.yml b/manifests/python.yml index b8163105d70..2ffd2a037db 100644 --- a/manifests/python.yml +++ b/manifests/python.yml @@ -148,6 +148,7 @@ tests/: TestSSRF_StackTrace: v2.19.0.dev test_template_injection.py: TestTemplateInjection: missing_feature + TestTemplateInjection_ExtendedLocation: missing_feature test_trust_boundary_violation.py: Test_TrustBoundaryViolation: missing_feature Test_TrustBoundaryViolation_ExtendedLocation: missing_feature diff --git a/manifests/ruby.yml b/manifests/ruby.yml index ed7a7575eba..c6d9b9ee31d 100644 --- a/manifests/ruby.yml +++ b/manifests/ruby.yml 
@@ -104,6 +104,7 @@ tests/: TestSSRF_StackTrace: missing_feature test_template_injection.py: TestTemplateInjection: missing_feature + TestTemplateInjection_ExtendedLocation: missing_feature test_trust_boundary_violation.py: Test_TrustBoundaryViolation: missing_feature Test_TrustBoundaryViolation_ExtendedLocation: missing_feature From 1dee46b0c327dd99a5fe5f7039b8f139e42616cc Mon Sep 17 00:00:00 2001 From: ishabi Date: Wed, 5 Feb 2025 17:24:20 +0100 Subject: [PATCH 7/8] define a default check for all languages --- tests/appsec/iast/utils.py | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/tests/appsec/iast/utils.py b/tests/appsec/iast/utils.py index a82bd79a20c..7bc24702de0 100644 --- a/tests/appsec/iast/utils.py +++ b/tests/appsec/iast/utils.py @@ -289,15 +289,14 @@ def validate_extended_location_data(request, vulnerability_type, is_expected_loc # Verify frame matches location location_match = False for frame in stack_trace["frames"]: - if stack_trace["language"] in ("nodejs"): - if ( - frame.get("file", "").endswith(location["path"]) - and location["line"] == frame["line"] - and location.get("class", "") == frame.get("class_name", "") - and location.get("method", "") == frame.get("function", "") - ): - location_match = True - break + if ( + frame.get("file", "").endswith(location["path"]) + and location["line"] == frame["line"] + and location.get("class", "") == frame.get("class_name", "") + and location.get("method", "") == frame.get("function", "") + ): + location_match = True + break assert location_match, "location not found in stack trace" # Check extended data if on location if stack trace do not exists From a34997b6e9eb8217de2b1d7f8a743d33c047580c Mon Sep 17 00:00:00 2001 From: ishabi Date: Fri, 7 Feb 2025 10:47:45 +0100 Subject: [PATCH 8/8] fix lint --- tests/appsec/iast/utils.py | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/appsec/iast/utils.py b/tests/appsec/iast/utils.py index 326feb245ef..1eeeb31aee8 100644 
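Review bot: The frame matching that now runs for every language in `validate_extended_location_data` still indexes `frame["line"]` directly while every other frame field uses `.get`, so a frame without a line number raises KeyError instead of failing the `location_match` assertion. The python/nodejs branch of the new `Test_HardcodedSecrets_ExtendedLocation` test indicates those libraries omit `class`/`method` from the location; if their frames nevertheless carry `class_name`/`function`, the `location.get("class", "") == frame.get("class_name", "")` comparison would never match — worth confirming against a real nodejs trace before relying on one check for all languages. The flag-and-break loop reads more simply as an `any()` over the frames, as below; the enclosing function starts and ends outside the hunk.
```python
    # Verify frame matches location
    location_match = any(
        frame.get("file", "").endswith(location["path"])
        and location["line"] == frame.get("line")
        and location.get("class", "") == frame.get("class_name", "")
        and location.get("method", "") == frame.get("function", "")
        for frame in stack_trace["frames"]
    )
    assert location_match, "location not found in stack trace"
```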
--- a/tests/appsec/iast/utils.py
+++ b/tests/appsec/iast/utils.py
@@ -330,7 +330,6 @@ def get_hardcoded_vulnerabilities(vulnerability_type):
 hardcoded_vulns = [vuln for vuln in vulnerabilities if vuln.get("type") == vulnerability_type]
 assert hardcoded_vulns, "No hardcoded vulnerabilities found" - return hardcoded_vulns