diff --git a/manifests/dotnet.yml b/manifests/dotnet.yml
index 973eed9a75c..aa7174766b0 100644
--- a/manifests/dotnet.yml
+++ b/manifests/dotnet.yml
@@ -31,19 +31,24 @@ tests/:
 sink/:
 test_code_injection.py:
 TestCodeInjection: missing_feature
+ TestCodeInjection_ExtendedLocation: missing_feature
 TestCodeInjection_StackTrace: missing_feature
 test_command_injection.py:
 TestCommandInjection: v2.28.0
+ TestCommandInjection_ExtendedLocation: missing_feature
 TestCommandInjection_StackTrace: missing_feature
 test_email_html_injection.py:
 TestEmailHtmlInjection: v3.2.0
+ TestEmailHtmlInjection_ExtendedLocation: missing_feature
 TestEmailHtmlInjection_StackTrace: missing_feature
 test_hardcoded_passwords.py:
 Test_HardcodedPasswords: missing_feature
+ Test_HardcodedPasswords_ExtendedLocation: missing_feature
 Test_HardcodedPasswords_StackTrace: missing_feature
 test_hardcoded_secrets.py:
 Test_HardcodedSecrets: missing_feature
 Test_HardcodedSecretsExtended: missing_feature
+ Test_HardcodedSecrets_ExtendedLocation: missing_feature
 Test_HardcodedSecrets_StackTrace: missing_feature
 test_header_injection.py:
 TestHeaderInjection: v2.46.0
@@ -51,78 +56,102 @@ tests/:
 TestHeaderInjectionExclusionContentEncoding: missing_feature
 TestHeaderInjectionExclusionPragma: missing_feature
 TestHeaderInjectionExclusionTransferEncoding: missing_feature
+ TestHeaderInjection_ExtendedLocation: missing_feature
 TestHeaderInjection_StackTrace: missing_feature
 test_hsts_missing_header.py:
 Test_HstsMissingHeader: v2.44.0
+ Test_HstsMissingHeader_ExtendedLocation: missing_feature
 Test_HstsMissingHeader_StackTrace: missing_feature
 test_insecure_auth_protocol.py:
 Test_InsecureAuthProtocol: v2.49.0
+ Test_InsecureAuthProtocol_ExtendedLocation: missing_feature
 Test_InsecureAuthProtocol_StackTrace: missing_feature
 test_insecure_cookie.py:
 TestInsecureCookie: v2.39.0
 TestInsecureCookieNameFilter: missing_feature
+ TestInsecureCookie_ExtendedLocation: missing_feature
 TestInsecureCookie_StackTrace: missing_feature
 test_ldap_injection.py:
 TestLDAPInjection: v2.36.0
+ TestLDAPInjection_ExtendedLocation: missing_feature
 TestLDAPInjection_StackTrace: missing_feature
 test_no_httponly_cookie.py:
 TestNoHttponlyCookie: v2.39.0
 TestNoHttponlyCookieNameFilter: missing_feature
+ TestNoHttponlyCookie_ExtendedLocation: missing_feature
 TestNoHttponlyCookie_StackTrace: missing_feature
 test_no_samesite_cookie.py:
 TestNoSamesiteCookie: v2.39.0
 TestNoSamesiteCookieNameFilter: missing_feature
+ TestNoSamesiteCookie_ExtendedLocation: missing_feature
 TestNoSamesiteCookie_StackTrace: missing_feature
 test_nosql_mongodb_injection.py:
 TestNoSqlMongodbInjection: v2.47.0
+ TestNoSqlMongodbInjection_ExtendedLocation: missing_feature
 TestNoSqlMongodbInjection_StackTrace: missing_feature
 test_path_traversal.py:
 TestPathTraversal: v2.31.0
+ TestPathTraversal_ExtendedLocation: missing_feature
 TestPathTraversal_StackTrace: missing_feature
 test_reflection_injection.py:
 TestReflectionInjection: v2.48.0
+ TestReflectionInjection_ExtendedLocation: missing_feature
 TestReflectionInjection_StackTrace: missing_feature
 test_sql_injection.py:
 TestSqlInjection:
- '*':
v2.23.0
+ '*': v2.23.0
+ TestSqlInjection_ExtendedLocation: missing_feature
 TestSqlInjection_StackTrace: missing_feature
 test_ssrf.py:
 TestSSRF: v2.36.0
+ TestSSRF_ExtendedLocation: missing_feature
 TestSSRF_StackTrace: missing_feature
 test_template_injection.py:
 TestTemplateInjection: missing_feature
+ TestTemplateInjection_ExtendedLocation: missing_feature
 test_trust_boundary_violation.py:
 Test_TrustBoundaryViolation: v2.43.0
+ Test_TrustBoundaryViolation_ExtendedLocation: missing_feature
 Test_TrustBoundaryViolation_StackTrace: missing_feature
 test_untrusted_deserialization.py:
 TestUntrustedDeserialization: missing_feature
+ TestUntrustedDeserialization_ExtendedLocation: missing_feature
 TestUntrustedDeserialization_StackTrace: missing_feature
 test_unvalidated_redirect.py:
 TestUnvalidatedHeader: v2.44.0
+ TestUnvalidatedHeader_ExtendedLocation: missing_feature
 TestUnvalidatedHeader_StackTrace: missing_feature
 TestUnvalidatedRedirect: v2.44.0
+ TestUnvalidatedRedirect_ExtendedLocation: missing_feature
 TestUnvalidatedRedirect_StackTrace: missing_feature
 test_unvalidated_redirect_forward.py:
 TestUnvalidatedForward: missing_feature
+ TestUnvalidatedForward_ExtendedLocation: missing_feature
 TestUnvalidatedForward_StackTrace: missing_feature
 test_weak_cipher.py:
 TestWeakCipher: v2.24.0
+ TestWeakCipher_ExtendedLocation: missing_feature
 TestWeakCipher_StackTrace: missing_feature
 test_weak_hash.py:
 TestDeduplication: v2.24.0
 TestWeakHash: v2.24.0
+ TestWeakHash_ExtendedLocation: missing_feature
 TestWeakHash_StackTrace: missing_feature
 test_weak_randomness.py:
 TestWeakRandomness: v2.39.0
+ TestWeakRandomness_ExtendedLocation: missing_feature
 TestWeakRandomness_StackTrace: missing_feature
 test_xcontent_sniffing.py:
 Test_XContentSniffing: missing_feature
+ Test_XContentSniffing_ExtendedLocation: missing_feature
 Test_XContentSniffing_StackTrace: missing_feature
 test_xpath_injection.py:
 TestXPathInjection: v2.47.0
+ TestXPathInjection_ExtendedLocation: missing_feature
TestXPathInjection_StackTrace: missing_feature
 test_xss.py:
 TestXSS: missing_feature
+ TestXSS_ExtendedLocation: missing_feature
 TestXSS_StackTrace: missing_feature
 source/:
 test_body.py:
diff --git a/manifests/golang.yml b/manifests/golang.yml
index c9eef846d1d..e81fd345bb3 100644
--- a/manifests/golang.yml
+++ b/manifests/golang.yml
@@ -42,19 +42,24 @@ tests/:
 sink/:
 test_code_injection.py:
 TestCodeInjection: missing_feature
+ TestCodeInjection_ExtendedLocation: missing_feature
 TestCodeInjection_StackTrace: missing_feature
 test_command_injection.py:
 TestCommandInjection: missing_feature
+ TestCommandInjection_ExtendedLocation: missing_feature
 TestCommandInjection_StackTrace: missing_feature
 test_email_html_injection.py:
 TestEmailHtmlInjection: missing_feature
+ TestEmailHtmlInjection_ExtendedLocation: missing_feature
 TestEmailHtmlInjection_StackTrace: missing_feature
 test_hardcoded_passwords.py:
 Test_HardcodedPasswords: missing_feature
+ Test_HardcodedPasswords_ExtendedLocation: missing_feature
 Test_HardcodedPasswords_StackTrace: missing_feature
 test_hardcoded_secrets.py:
 Test_HardcodedSecrets: missing_feature
 Test_HardcodedSecretsExtended: missing_feature
+ Test_HardcodedSecrets_ExtendedLocation: missing_feature
 Test_HardcodedSecrets_StackTrace: missing_feature
 test_header_injection.py:
 TestHeaderInjection: missing_feature
@@ -62,78 +67,102 @@ tests/:
 TestHeaderInjectionExclusionContentEncoding: missing_feature
 TestHeaderInjectionExclusionPragma: missing_feature
 TestHeaderInjectionExclusionTransferEncoding: missing_feature
+ TestHeaderInjection_ExtendedLocation: missing_feature
 TestHeaderInjection_StackTrace: missing_feature
 test_hsts_missing_header.py:
 Test_HstsMissingHeader: missing_feature
+ Test_HstsMissingHeader_ExtendedLocation: missing_feature
 Test_HstsMissingHeader_StackTrace: missing_feature
 test_insecure_auth_protocol.py:
 Test_InsecureAuthProtocol: missing_feature
+ Test_InsecureAuthProtocol_ExtendedLocation: missing_feature
 Test_InsecureAuthProtocol_StackTrace: missing_feature
 test_insecure_cookie.py:
 TestInsecureCookie: missing_feature
 TestInsecureCookieNameFilter: missing_feature
+ TestInsecureCookie_ExtendedLocation: missing_feature
 TestInsecureCookie_StackTrace: missing_feature
 test_ldap_injection.py:
 TestLDAPInjection: missing_feature
+ TestLDAPInjection_ExtendedLocation: missing_feature
 TestLDAPInjection_StackTrace: missing_feature
 test_no_httponly_cookie.py:
 TestNoHttponlyCookie: missing_feature
 TestNoHttponlyCookieNameFilter: missing_feature
+ TestNoHttponlyCookie_ExtendedLocation: missing_feature
 TestNoHttponlyCookie_StackTrace: missing_feature
 test_no_samesite_cookie.py:
 TestNoSamesiteCookie: missing_feature
 TestNoSamesiteCookieNameFilter: missing_feature
+ TestNoSamesiteCookie_ExtendedLocation: missing_feature
 TestNoSamesiteCookie_StackTrace: missing_feature
 test_nosql_mongodb_injection.py:
 TestNoSqlMongodbInjection: missing_feature
+ TestNoSqlMongodbInjection_ExtendedLocation: missing_feature
 TestNoSqlMongodbInjection_StackTrace: missing_feature
 test_path_traversal.py:
 TestPathTraversal: missing_feature
+ TestPathTraversal_ExtendedLocation: missing_feature
 TestPathTraversal_StackTrace: missing_feature
 test_reflection_injection.py:
 TestReflectionInjection: missing_feature
+ TestReflectionInjection_ExtendedLocation: missing_feature
TestReflectionInjection_StackTrace: missing_feature
 test_sql_injection.py:
 TestSqlInjection: missing_feature
+ TestSqlInjection_ExtendedLocation: missing_feature
 TestSqlInjection_StackTrace: missing_feature
 test_ssrf.py:
 TestSSRF: missing_feature
+ TestSSRF_ExtendedLocation: missing_feature
 TestSSRF_StackTrace: missing_feature
 test_template_injection.py:
 TestTemplateInjection: missing_feature
+ TestTemplateInjection_ExtendedLocation: missing_feature
 test_trust_boundary_violation.py:
 Test_TrustBoundaryViolation: missing_feature
+ Test_TrustBoundaryViolation_ExtendedLocation: missing_feature
 Test_TrustBoundaryViolation_StackTrace: missing_feature
 test_untrusted_deserialization.py:
 TestUntrustedDeserialization: missing_feature
+ TestUntrustedDeserialization_ExtendedLocation: missing_feature
 TestUntrustedDeserialization_StackTrace: missing_feature
 test_unvalidated_redirect.py:
 TestUnvalidatedHeader: missing_feature
+ TestUnvalidatedHeader_ExtendedLocation: missing_feature
 TestUnvalidatedHeader_StackTrace: missing_feature
 TestUnvalidatedRedirect: missing_feature
+ TestUnvalidatedRedirect_ExtendedLocation: missing_feature
 TestUnvalidatedRedirect_StackTrace: missing_feature
 test_unvalidated_redirect_forward.py:
 TestUnvalidatedForward: missing_feature
+ TestUnvalidatedForward_ExtendedLocation: missing_feature
 TestUnvalidatedForward_StackTrace: missing_feature
 test_weak_cipher.py:
 TestWeakCipher: missing_feature
+ TestWeakCipher_ExtendedLocation: missing_feature
 TestWeakCipher_StackTrace: missing_feature
 test_weak_hash.py:
 TestDeduplication: missing_feature
 TestWeakHash: missing_feature
+ TestWeakHash_ExtendedLocation: missing_feature
 TestWeakHash_StackTrace: missing_feature
 test_weak_randomness.py:
 TestWeakRandomness: missing_feature
+ TestWeakRandomness_ExtendedLocation: missing_feature
 TestWeakRandomness_StackTrace: missing_feature
 test_xcontent_sniffing.py:
 Test_XContentSniffing: missing_feature
+ Test_XContentSniffing_ExtendedLocation: missing_feature
Test_XContentSniffing_StackTrace: missing_feature
 test_xpath_injection.py:
 TestXPathInjection: missing_feature
+ TestXPathInjection_ExtendedLocation: missing_feature
 TestXPathInjection_StackTrace: missing_feature
 test_xss.py:
 TestXSS:
 '*': missing_feature
+ TestXSS_ExtendedLocation: missing_feature
 TestXSS_StackTrace: missing_feature
 source/:
 test_body.py:
diff --git a/manifests/java.yml b/manifests/java.yml
index 0da8ae8e9e2..9e4944f7f35 100644
--- a/manifests/java.yml
+++ b/manifests/java.yml
@@ -61,6 +61,7 @@ tests/:
 sink/:
 test_code_injection.py:
 TestCodeInjection: missing_feature
+ TestCodeInjection_ExtendedLocation: missing_feature
 TestCodeInjection_StackTrace: missing_feature
 test_command_injection.py:
 TestCommandInjection:
@@ -73,6 +74,7 @@ tests/:
 spring-boot-3-native: missing_feature (GraalVM. Tracing support only)
 vertx3: v1.12.0
 vertx4: v1.12.0
+ TestCommandInjection_ExtendedLocation: missing_feature
 TestCommandInjection_StackTrace:
 '*': v1.43.0
 play: missing_feature
@@ -89,6 +91,7 @@ tests/:
 spring-boot-3-native: missing_feature (No endpoint implemented)
 vertx3: missing_feature (No endpoint implemented)
 vertx4: missing_feature (No endpoint implemented)
+ TestEmailHtmlInjection_ExtendedLocation: missing_feature
 TestEmailHtmlInjection_StackTrace:
 '*': v1.47.0
 akka-http: missing_feature (No endpoint implemented)
@@ -101,6 +104,7 @@ tests/:
 vertx4: missing_feature (No endpoint implemented)
 test_hardcoded_passwords.py:
 Test_HardcodedPasswords: missing_feature
+ Test_HardcodedPasswords_ExtendedLocation: missing_feature
 Test_HardcodedPasswords_StackTrace: missing_feature
 test_hardcoded_secrets.py:
 Test_HardcodedSecrets:
@@ -113,6 +117,7 @@ tests/:
 spring-boot-wildfly: v1.29.0
 uds-spring-boot: v1.29.0
 Test_HardcodedSecretsExtended: missing_feature
+ Test_HardcodedSecrets_ExtendedLocation: missing_feature
 Test_HardcodedSecrets_StackTrace: irrelevant (not expected to have a stack trace)
 test_header_injection.py:
 TestHeaderInjection:
@@ -128,6 +133,7 @@ tests/:
 TestHeaderInjectionExclusionContentEncoding: missing_feature
 TestHeaderInjectionExclusionPragma: missing_feature
 TestHeaderInjectionExclusionTransferEncoding: missing_feature
+ TestHeaderInjection_ExtendedLocation: missing_feature
 TestHeaderInjection_StackTrace:
 '*': missing_feature
 spring-boot: v1.43.0
@@ -149,6 +155,7 @@ tests/:
 spring-boot-openliberty: bug (APPSEC-51483)
 vertx3: missing_feature
 vertx4: missing_feature
+ Test_HstsMissingHeader_ExtendedLocation: missing_feature
 Test_HstsMissingHeader_StackTrace: irrelevant (not expected to have a stack trace)
 test_insecure_auth_protocol.py:
 Test_InsecureAuthProtocol:
@@ -158,6 +165,7 @@ tests/:
 ratpack: missing_feature
 spring-boot-3-native: missing_feature (GraalVM. Tracing support only)
 spring-boot-openliberty: bug (APPSEC-54981)
+ Test_InsecureAuthProtocol_ExtendedLocation: missing_feature
 Test_InsecureAuthProtocol_StackTrace:
 '*': v1.43.0
 akka-http: missing_feature
@@ -173,6 +181,7 @@ tests/:
 ratpack: missing_feature
 spring-boot-3-native: missing_feature
 TestInsecureCookieNameFilter: missing_feature
+ TestInsecureCookie_ExtendedLocation: missing_feature
 TestInsecureCookie_StackTrace:
 '*': v1.43.0
 akka-http: missing_feature
@@ -190,6 +199,7 @@ tests/:
 spring-boot-3-native: missing_feature (GraalVM. Tracing support only)
 vertx3: v1.12.0
 vertx4: v1.12.0
+ TestLDAPInjection_ExtendedLocation: missing_feature
 TestLDAPInjection_StackTrace:
 '*': v1.43.0
 play: missing_feature (endpoint not implemented)
@@ -203,6 +213,7 @@ tests/:
 ratpack: missing_feature
 spring-boot-3-native: missing_feature
 TestNoHttponlyCookieNameFilter: missing_feature
+ TestNoHttponlyCookie_ExtendedLocation: missing_feature
 TestNoHttponlyCookie_StackTrace:
 '*': v1.43.0
 akka-http: missing_feature
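Review bot: `Test_HstsMissingHeader_ExtendedLocation: missing_feature` is inserted directly above a sibling that this file already marks `irrelevant (not expected to have a stack trace)`, and the same pairing recurs for `Test_HardcodedSecrets_ExtendedLocation` in the previous hunk and `Test_XContentSniffing_ExtendedLocation` later in this file. If extended-location data is likewise not expected for these detections, the new keys would be better recorded as `irrelevant (...)` with a reason, so they are not counted as pending work; if it is expected, a short parenthesised reason would make the contrast with the stack-trace entries explicit. The manifest alone does not show which applies, so this should be confirmed against the test classes these keys reference, which are outside this diff.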
@@ -217,6 +228,7 @@ tests/:
 ratpack: missing_feature
 spring-boot-3-native: missing_feature
 TestNoSamesiteCookieNameFilter: missing_feature
+ TestNoSamesiteCookie_ExtendedLocation: missing_feature
 TestNoSamesiteCookie_StackTrace:
 '*': v1.43.0
 akka-http: missing_feature
@@ -225,6 +237,7 @@ tests/:
 spring-boot-3-native: missing_feature
 test_nosql_mongodb_injection.py:
 TestNoSqlMongodbInjection: missing_feature
+ TestNoSqlMongodbInjection_ExtendedLocation: missing_feature
 TestNoSqlMongodbInjection_StackTrace: missing_feature
 test_path_traversal.py:
 TestPathTraversal:
@@ -236,6 +249,7 @@ tests/:
 resteasy-netty3: v1.11.0
 spring-boot-3-native: missing_feature (GraalVM. Tracing support only)
 vertx3: v1.12.0
+ TestPathTraversal_ExtendedLocation: missing_feature
 TestPathTraversal_StackTrace:
 '*': v1.43.0
 play: missing_feature
@@ -248,6 +262,7 @@ tests/:
 play: missing_feature
 ratpack: missing_feature
 spring-boot-3-native: missing_feature (GraalVM. Tracing support only)
+ TestReflectionInjection_ExtendedLocation: missing_feature
 TestReflectionInjection_StackTrace:
 '*': v1.43.0
 akka-http: missing_feature
@@ -264,6 +279,7 @@ tests/:
 resteasy-netty3: v1.11.0
 spring-boot-3-native: missing_feature (GraalVM. Tracing support only)
 vertx3: v1.12.0
+ TestSqlInjection_ExtendedLocation: missing_feature
 TestSqlInjection_StackTrace:
 '*': v1.43.0
 play: missing_feature
@@ -277,6 +293,7 @@ tests/:
 ratpack: missing_feature (No endpoint implemented)
 spring-boot-3-native: missing_feature (GraalVM. Tracing support only)
 vertx4: missing_feature (No endpoint implemented)
+ TestSSRF_ExtendedLocation: missing_feature
 TestSSRF_StackTrace:
 '*': v1.43.0
 akka-http: missing_feature (No endpoint implemented)
@@ -286,6 +303,7 @@ tests/:
 vertx4: missing_feature (No endpoint implemented)
 test_template_injection.py:
 TestTemplateInjection: missing_feature
+ TestTemplateInjection_ExtendedLocation: missing_feature
 test_trust_boundary_violation.py:
 Test_TrustBoundaryViolation:
 '*': v1.22.0
@@ -297,6 +315,7 @@ tests/:
 spring-boot-3-native: missing_feature (GraalVM. Tracing support only)
 vertx3: missing_feature
 vertx4: missing_feature
+ Test_TrustBoundaryViolation_ExtendedLocation: missing_feature
 Test_TrustBoundaryViolation_StackTrace:
 '*': v1.43.0
 akka-http: missing_feature
@@ -318,6 +337,7 @@ tests/:
 spring-boot-3-native: missing_feature (No endpoint implemented)
 vertx3: missing_feature (No endpoint implemented)
 vertx4: missing_feature (No endpoint implemented)
+ TestUntrustedDeserialization_ExtendedLocation: missing_feature
 TestUntrustedDeserialization_StackTrace:
 '*': v1.43.0
 akka-http: missing_feature (No endpoint implemented)
@@ -338,6 +358,7 @@ tests/:
 spring-boot-jetty: v1.17.0
 vertx3: v1.16.0
 vertx4: v1.17.0
+ TestUnvalidatedHeader_ExtendedLocation: missing_feature
 TestUnvalidatedHeader_StackTrace:
 '*': v1.43.0
 akka-http: missing_feature
@@ -352,6 +373,7 @@ tests/:
 spring-boot-3-native: missing_feature (GraalVM. Tracing support only)
 spring-boot-jetty: v1.17.0
 vertx4: v1.17.0
+ TestUnvalidatedRedirect_ExtendedLocation: missing_feature
 TestUnvalidatedRedirect_StackTrace:
 '*': v1.43.0
 akka-http: missing_feature
@@ -369,6 +391,7 @@ tests/:
 spring-boot-3-native: missing_feature (GraalVM. Tracing support only)
 vertx3: v1.16.0
 vertx4: v1.17.0
+ TestUnvalidatedForward_ExtendedLocation: missing_feature
 TestUnvalidatedForward_StackTrace:
 '*': v1.43.0
 akka-http: irrelevant (No forward)
@@ -382,6 +405,7 @@ tests/:
 '*': v0.108.0
 play: missing_feature (no endpoint)
 spring-boot-3-native: missing_feature (GraalVM. Tracing support only)
+ TestWeakCipher_ExtendedLocation: missing_feature
 TestWeakCipher_StackTrace:
 '*': v1.43.0
 play: missing_feature (no endpoint)
@@ -395,6 +419,7 @@ tests/:
 '*': v0.108.0
 play: missing_feature (no endpoint)
 spring-boot-3-native: missing_feature (GraalVM. Tracing support only)
+ TestWeakHash_ExtendedLocation: missing_feature
 TestWeakHash_StackTrace:
 '*': v1.43.0
 play: missing_feature (no endpoint)
@@ -404,6 +429,7 @@ tests/:
 '*': v1.15.0
 play: missing_feature (no endpoint)
 spring-boot-3-native: missing_feature (GraalVM. Tracing support only)
+ TestWeakRandomness_ExtendedLocation: missing_feature
 TestWeakRandomness_StackTrace:
 '*': v1.43.0
 play: missing_feature (no endpoint)
@@ -420,6 +446,7 @@ tests/:
 spring-boot-openliberty: bug (APPSEC-54981)
 vertx3: missing_feature
 vertx4: missing_feature
+ Test_XContentSniffing_ExtendedLocation: missing_feature
 Test_XContentSniffing_StackTrace: irrelevant (not expected to have a stack trace)
 test_xpath_injection.py:
 TestXPathInjection:
@@ -427,6 +454,7 @@ tests/:
 play: missing_feature
 ratpack: missing_feature
 spring-boot-3-native: missing_feature
+ TestXPathInjection_ExtendedLocation: missing_feature
 TestXPathInjection_StackTrace:
 '*': v1.43.0
 play: missing_feature
@@ -443,6 +471,7 @@ tests/:
 spring-boot-3-native: missing_feature (GraalVM. Tracing support only)
 vertx3: missing_feature
 vertx4: missing_feature
+ TestXSS_ExtendedLocation: missing_feature
 TestXSS_StackTrace:
 '*': v1.43.0
 akka-http: missing_feature
diff --git a/manifests/nodejs.yml b/manifests/nodejs.yml
index 81ab624f949..04a517e2f95 100644
--- a/manifests/nodejs.yml
+++ b/manifests/nodejs.yml
@@ -98,6 +98,7 @@ tests/:
 TestCodeInjection:
 '*': *ref_5_20_0
 nextjs: missing_feature
+ TestCodeInjection_ExtendedLocation: missing_feature
 TestCodeInjection_StackTrace:
 '*': *ref_5_33_0
 nextjs: missing_feature
@@ -105,16 +106,19 @@ tests/:
 TestCommandInjection:
 '*': *ref_3_11_0
 nextjs: missing_feature
+ TestCommandInjection_ExtendedLocation: missing_feature
 TestCommandInjection_StackTrace:
 '*': *ref_5_33_0
 nextjs: missing_feature
 test_email_html_injection.py:
 TestEmailHtmlInjection: missing_feature
+ TestEmailHtmlInjection_ExtendedLocation: missing_feature
 TestEmailHtmlInjection_StackTrace: missing_feature
 test_hardcoded_passwords.py:
 Test_HardcodedPasswords:
 '*': *ref_5_13_0
 nextjs: missing_feature
+ Test_HardcodedPasswords_ExtendedLocation: missing_feature
 Test_HardcodedPasswords_StackTrace: missing_feature
 test_hardcoded_secrets.py:
 Test_HardcodedSecrets:
@@ -123,6 +127,7 @@ tests/:
 Test_HardcodedSecretsExtended:
 '*': *ref_5_11_0
 nextjs: missing_feature
+ Test_HardcodedSecrets_ExtendedLocation: missing_feature
 Test_HardcodedSecrets_StackTrace: missing_feature
 test_header_injection.py:
 TestHeaderInjection:
@@ -144,6 +149,7 @@ tests/:
 '*': *ref_5_26_0
 express5: *ref_5_29_0 # test uses querystring
 nextjs: missing_feature
+ TestHeaderInjection_ExtendedLocation: missing_feature
 TestHeaderInjection_StackTrace:
 '*': *ref_5_33_0
 nextjs: missing_feature
@@ -151,9 +157,11 @@ tests/:
 Test_HstsMissingHeader:
 '*': *ref_4_8_0
 nextjs: missing_feature
+ Test_HstsMissingHeader_ExtendedLocation: missing_feature
 Test_HstsMissingHeader_StackTrace: missing_feature
 test_insecure_auth_protocol.py:
 Test_InsecureAuthProtocol: missing_feature
+ Test_InsecureAuthProtocol_ExtendedLocation: missing_feature
 Test_InsecureAuthProtocol_StackTrace: missing_feature
 test_insecure_cookie.py:
 TestInsecureCookie:
@@ -162,6 +170,7 @@ tests/:
 TestInsecureCookieNameFilter:
 '*': *ref_5_24_0
 nextjs: missing_feature
+ TestInsecureCookie_ExtendedLocation: missing_feature
 TestInsecureCookie_StackTrace:
 '*': *ref_5_33_0
 nextjs: missing_feature
@@ -169,6 +178,7 @@ tests/:
 TestLDAPInjection:
 '*': *ref_4_1_0
 nextjs: missing_feature
+ TestLDAPInjection_ExtendedLocation: missing_feature
 TestLDAPInjection_StackTrace:
 '*': *ref_5_33_0
 nextjs: missing_feature
@@ -179,6 +189,7 @@ tests/:
 TestNoHttponlyCookieNameFilter:
 '*': *ref_5_24_0
 nextjs: missing_feature
+ TestNoHttponlyCookie_ExtendedLocation: missing_feature
 TestNoHttponlyCookie_StackTrace:
 '*': *ref_5_33_0
 nextjs: missing_feature
@@ -189,6 +200,7 @@ tests/:
 TestNoSamesiteCookieNameFilter:
 '*': *ref_5_24_0
 nextjs: missing_feature
+ TestNoSamesiteCookie_ExtendedLocation: missing_feature
 TestNoSamesiteCookie_StackTrace:
 '*': *ref_5_33_0
 nextjs: missing_feature
@@ -196,6 +208,7 @@ tests/:
 TestNoSqlMongodbInjection:
 '*': *ref_4_17_0
 nextjs: missing_feature
+ TestNoSqlMongodbInjection_ExtendedLocation: missing_feature
 TestNoSqlMongodbInjection_StackTrace:
 '*': *ref_5_33_0
 nextjs: missing_feature
@@ -203,16 +216,19 @@ tests/:
 TestPathTraversal:
 '*': *ref_3_19_0
 nextjs: missing_feature
+ TestPathTraversal_ExtendedLocation: missing_feature
 TestPathTraversal_StackTrace:
 '*': *ref_5_33_0
 nextjs: missing_feature
 test_reflection_injection.py:
 TestReflectionInjection: missing_feature
+ TestReflectionInjection_ExtendedLocation: missing_feature
 TestReflectionInjection_StackTrace: missing_feature
 test_sql_injection.py:
 TestSqlInjection:
 '*': *ref_3_11_0
 nextjs: missing_feature
+ TestSqlInjection_ExtendedLocation: missing_feature
 TestSqlInjection_StackTrace:
 '*': *ref_5_33_0
 nextjs: missing_feature
@@ -220,6 +236,7 @@ tests/:
 TestSSRF:
 '*': *ref_4_1_0
 nextjs: missing_feature
+ TestSSRF_ExtendedLocation: missing_feature
 TestSSRF_StackTrace:
 '*': *ref_5_33_0
 nextjs: missing_feature
@@ -227,13 +244,16 @@ tests/:
 TestTemplateInjection:
 '*': *ref_5_26_0
 nextjs: missing_feature
+ TestTemplateInjection_ExtendedLocation: missing_feature
 test_trust_boundary_violation.py:
 Test_TrustBoundaryViolation: missing_feature
+ Test_TrustBoundaryViolation_ExtendedLocation: missing_feature
 Test_TrustBoundaryViolation_StackTrace: missing_feature
 test_untrusted_deserialization.py:
 TestUntrustedDeserialization:
 '*': *ref_5_32_0
 nextjs: missing_feature
+ TestUntrustedDeserialization_ExtendedLocation: missing_feature
 TestUntrustedDeserialization_StackTrace:
 '*': *ref_5_32_0
 nextjs: missing_feature
@@ -241,22 +261,26 @@ tests/:
 TestUnvalidatedHeader:
 '*': *ref_4_3_0
 nextjs: missing_feature
+ TestUnvalidatedHeader_ExtendedLocation: missing_feature
 TestUnvalidatedHeader_StackTrace:
 '*': *ref_5_33_0
 nextjs: missing_feature
 TestUnvalidatedRedirect:
 '*': *ref_4_3_0
 nextjs: missing_feature
+ TestUnvalidatedRedirect_ExtendedLocation: missing_feature
 TestUnvalidatedRedirect_StackTrace:
 '*': *ref_5_33_0
 nextjs: missing_feature
 test_unvalidated_redirect_forward.py:
 TestUnvalidatedForward: missing_feature
+ TestUnvalidatedForward_ExtendedLocation: missing_feature
 TestUnvalidatedForward_StackTrace: missing_feature
 test_weak_cipher.py:
 TestWeakCipher:
 '*': *ref_3_6_0
 nextjs: missing_feature
+ TestWeakCipher_ExtendedLocation: missing_feature
 TestWeakCipher_StackTrace:
 '*': *ref_5_33_0
 nextjs: missing_feature
@@ -267,6 +291,7 @@ tests/:
 TestWeakHash:
 '*': *ref_3_11_0
 nextjs: missing_feature
+ TestWeakHash_ExtendedLocation: missing_feature
 TestWeakHash_StackTrace:
 '*': *ref_5_33_0
 nextjs: missing_feature
@@ -274,6 +299,7 @@ tests/:
 TestWeakRandomness:
 '*': *ref_5_1_0
 nextjs: missing_feature
+ TestWeakRandomness_ExtendedLocation: missing_feature
 TestWeakRandomness_StackTrace:
 '*': *ref_5_33_0
 nextjs: missing_feature
@@ -281,12 +307,15 @@ tests/:
 Test_XContentSniffing:
 '*': *ref_4_8_0
 nextjs: missing_feature
+ Test_XContentSniffing_ExtendedLocation: missing_feature
 Test_XContentSniffing_StackTrace: missing_feature
 test_xpath_injection.py:
 TestXPathInjection: missing_feature
+ TestXPathInjection_ExtendedLocation: missing_feature
 TestXPathInjection_StackTrace: missing_feature
 test_xss.py:
 TestXSS: missing_feature
+ TestXSS_ExtendedLocation: missing_feature
 TestXSS_StackTrace: missing_feature
 source/:
 test_body.py:
diff --git a/manifests/php.yml b/manifests/php.yml
index fd45bc8f330..d2c0516009b 100644
--- a/manifests/php.yml
+++ b/manifests/php.yml
@@ -26,19 +26,24 @@ tests/:
 sink/:
 test_code_injection.py:
 TestCodeInjection: missing_feature
+ TestCodeInjection_ExtendedLocation: missing_feature
 TestCodeInjection_StackTrace: missing_feature
 test_command_injection.py:
 TestCommandInjection: missing_feature
+ TestCommandInjection_ExtendedLocation: missing_feature
 TestCommandInjection_StackTrace: missing_feature
 test_email_html_injection.py:
 TestEmailHtmlInjection: missing_feature
+ TestEmailHtmlInjection_ExtendedLocation: missing_feature
 TestEmailHtmlInjection_StackTrace: missing_feature
 test_hardcoded_passwords.py:
 Test_HardcodedPasswords: missing_feature
+ Test_HardcodedPasswords_ExtendedLocation: missing_feature
 Test_HardcodedPasswords_StackTrace: missing_feature
 test_hardcoded_secrets.py:
 Test_HardcodedSecrets: missing_feature
 Test_HardcodedSecretsExtended: missing_feature
+ Test_HardcodedSecrets_ExtendedLocation: missing_feature
 Test_HardcodedSecrets_StackTrace: missing_feature
 test_header_injection.py:
 TestHeaderInjection: missing_feature
@@ -46,78 +51,102 @@ tests/:
 TestHeaderInjectionExclusionContentEncoding: missing_feature
 TestHeaderInjectionExclusionPragma: missing_feature
 TestHeaderInjectionExclusionTransferEncoding: missing_feature
+ TestHeaderInjection_ExtendedLocation: missing_feature
 TestHeaderInjection_StackTrace: missing_feature
 test_hsts_missing_header.py:
 Test_HstsMissingHeader: missing_feature
+ Test_HstsMissingHeader_ExtendedLocation: missing_feature
 Test_HstsMissingHeader_StackTrace: missing_feature
 test_insecure_auth_protocol.py:
 Test_InsecureAuthProtocol: missing_feature
+ Test_InsecureAuthProtocol_ExtendedLocation: missing_feature
 Test_InsecureAuthProtocol_StackTrace: missing_feature
 test_insecure_cookie.py:
 TestInsecureCookie: missing_feature
 TestInsecureCookieNameFilter: missing_feature
+ TestInsecureCookie_ExtendedLocation: missing_feature
 TestInsecureCookie_StackTrace: missing_feature
 test_ldap_injection.py:
 TestLDAPInjection: missing_feature
+ TestLDAPInjection_ExtendedLocation: missing_feature
 TestLDAPInjection_StackTrace: missing_feature
 test_no_httponly_cookie.py:
 TestNoHttponlyCookie: missing_feature
 TestNoHttponlyCookieNameFilter: missing_feature
+ TestNoHttponlyCookie_ExtendedLocation: missing_feature
 TestNoHttponlyCookie_StackTrace: missing_feature
 test_no_samesite_cookie.py:
 TestNoSamesiteCookie: missing_feature
 TestNoSamesiteCookieNameFilter: missing_feature
+ TestNoSamesiteCookie_ExtendedLocation: missing_feature
 TestNoSamesiteCookie_StackTrace: missing_feature
 test_nosql_mongodb_injection.py:
 TestNoSqlMongodbInjection: missing_feature
+ TestNoSqlMongodbInjection_ExtendedLocation: missing_feature
 TestNoSqlMongodbInjection_StackTrace: missing_feature
 test_path_traversal.py:
 TestPathTraversal: missing_feature
+ TestPathTraversal_ExtendedLocation: missing_feature
 TestPathTraversal_StackTrace: missing_feature
 test_reflection_injection.py:
 TestReflectionInjection: missing_feature
+ TestReflectionInjection_ExtendedLocation: missing_feature
TestReflectionInjection_StackTrace: missing_feature
 test_sql_injection.py:
 TestSqlInjection: missing_feature
+ TestSqlInjection_ExtendedLocation: missing_feature
 TestSqlInjection_StackTrace: missing_feature
 test_ssrf.py:
 TestSSRF: missing_feature
+ TestSSRF_ExtendedLocation: missing_feature
 TestSSRF_StackTrace: missing_feature
 test_template_injection.py:
 TestTemplateInjection: missing_feature
+ TestTemplateInjection_ExtendedLocation: missing_feature
 test_trust_boundary_violation.py:
 Test_TrustBoundaryViolation: missing_feature
+ Test_TrustBoundaryViolation_ExtendedLocation: missing_feature
 Test_TrustBoundaryViolation_StackTrace: missing_feature
 test_untrusted_deserialization.py:
 TestUntrustedDeserialization: missing_feature
+ TestUntrustedDeserialization_ExtendedLocation: missing_feature
 TestUntrustedDeserialization_StackTrace: missing_feature
 test_unvalidated_redirect.py:
 TestUnvalidatedHeader: missing_feature
+ TestUnvalidatedHeader_ExtendedLocation: missing_feature
 TestUnvalidatedHeader_StackTrace: missing_feature
 TestUnvalidatedRedirect: missing_feature
+ TestUnvalidatedRedirect_ExtendedLocation: missing_feature
 TestUnvalidatedRedirect_StackTrace: missing_feature
 test_unvalidated_redirect_forward.py:
 TestUnvalidatedForward: missing_feature
+ TestUnvalidatedForward_ExtendedLocation: missing_feature
 TestUnvalidatedForward_StackTrace: missing_feature
 test_weak_cipher.py:
 TestWeakCipher: missing_feature
+ TestWeakCipher_ExtendedLocation: missing_feature
 TestWeakCipher_StackTrace: missing_feature
 test_weak_hash.py:
 TestDeduplication: missing_feature
 TestWeakHash: missing_feature
+ TestWeakHash_ExtendedLocation: missing_feature
 TestWeakHash_StackTrace: missing_feature
 test_weak_randomness.py:
 TestWeakRandomness: missing_feature
+ TestWeakRandomness_ExtendedLocation: missing_feature
 TestWeakRandomness_StackTrace: missing_feature
 test_xcontent_sniffing.py:
 Test_XContentSniffing: missing_feature
+ Test_XContentSniffing_ExtendedLocation: missing_feature
Test_XContentSniffing_StackTrace: missing_feature
 test_xpath_injection.py:
 TestXPathInjection: missing_feature
+ TestXPathInjection_ExtendedLocation: missing_feature
 TestXPathInjection_StackTrace: missing_feature
 test_xss.py:
 TestXSS:
 '*': missing_feature
+ TestXSS_ExtendedLocation: missing_feature
 TestXSS_StackTrace: missing_feature
 source/:
 test_body.py:
diff --git a/manifests/python.yml b/manifests/python.yml
index f303b2e3e90..6e06954f818 100644
--- a/manifests/python.yml
+++ b/manifests/python.yml
@@ -51,21 +51,26 @@ tests/:
 sink/:
 test_code_injection.py:
 TestCodeInjection: v2.20.0
+ TestCodeInjection_ExtendedLocation: missing_feature
 TestCodeInjection_StackTrace: v2.20.0
 test_command_injection.py:
 TestCommandInjection:
 '*': v2.10.0
 fastapi: v2.15.0
+ TestCommandInjection_ExtendedLocation: missing_feature
 TestCommandInjection_StackTrace: v2.19.0.dev
 test_email_html_injection.py:
 TestEmailHtmlInjection: missing_feature
+ TestEmailHtmlInjection_ExtendedLocation: missing_feature
 TestEmailHtmlInjection_StackTrace: missing_feature
 test_hardcoded_passwords.py:
 Test_HardcodedPasswords: missing_feature
+ Test_HardcodedPasswords_ExtendedLocation: missing_feature
 Test_HardcodedPasswords_StackTrace: missing_feature
 test_hardcoded_secrets.py:
 Test_HardcodedSecrets: missing_feature
 Test_HardcodedSecretsExtended: missing_feature
+ Test_HardcodedSecrets_ExtendedLocation: missing_feature
 Test_HardcodedSecrets_StackTrace: missing_feature
 test_header_injection.py:
 TestHeaderInjection:
@@ -75,46 +80,56 @@ tests/: TestHeaderInjectionExclusionContentEncoding: missing_feature TestHeaderInjectionExclusionPragma: missing_feature TestHeaderInjectionExclusionTransferEncoding: missing_feature + TestHeaderInjection_ExtendedLocation: missing_feature TestHeaderInjection_StackTrace: '*': v2.19.0.dev fastapi: v2.20.0.dev test_hsts_missing_header.py: Test_HstsMissingHeader: missing_feature + Test_HstsMissingHeader_ExtendedLocation: missing_feature Test_HstsMissingHeader_StackTrace: missing_feature test_insecure_auth_protocol.py: Test_InsecureAuthProtocol: missing_feature + Test_InsecureAuthProtocol_ExtendedLocation: missing_feature Test_InsecureAuthProtocol_StackTrace: missing_feature test_insecure_cookie.py: TestInsecureCookie: '*': v1.19.0 fastapi: v2.16.0-dev TestInsecureCookieNameFilter: missing_feature + TestInsecureCookie_ExtendedLocation: missing_feature TestInsecureCookie_StackTrace: missing_feature test_ldap_injection.py: TestLDAPInjection: missing_feature + TestLDAPInjection_ExtendedLocation: missing_feature TestLDAPInjection_StackTrace: missing_feature test_no_httponly_cookie.py: TestNoHttponlyCookie: '*': v1.19.0 fastapi: v2.16.0-dev TestNoHttponlyCookieNameFilter: missing_feature + TestNoHttponlyCookie_ExtendedLocation: missing_feature TestNoHttponlyCookie_StackTrace: missing_feature test_no_samesite_cookie.py: TestNoSamesiteCookie: '*': v1.19.0 fastapi: v2.16.0-dev TestNoSamesiteCookieNameFilter: missing_feature + TestNoSamesiteCookie_ExtendedLocation: missing_feature TestNoSamesiteCookie_StackTrace: missing_feature test_nosql_mongodb_injection.py: TestNoSqlMongodbInjection: missing_feature + TestNoSqlMongodbInjection_ExtendedLocation: missing_feature TestNoSqlMongodbInjection_StackTrace: missing_feature test_path_traversal.py: TestPathTraversal: '*': v2.10.0 fastapi: v2.15.0 + TestPathTraversal_ExtendedLocation: missing_feature TestPathTraversal_StackTrace: v2.19.0.dev test_reflection_injection.py: TestReflectionInjection: missing_feature + 
TestReflectionInjection_ExtendedLocation: missing_feature TestReflectionInjection_StackTrace: missing_feature test_sql_injection.py: TestSqlInjection: 
@@ -123,51 +138,65 @@ tests/: flask-poc: v1.18.0 pylons: missing_feature python3.12: v1.18.0 + TestSqlInjection_ExtendedLocation: missing_feature TestSqlInjection_StackTrace: v2.19.0.dev test_ssrf.py: TestSSRF: '*': v2.10.0 fastapi: v2.15.0 + TestSSRF_ExtendedLocation: missing_feature TestSSRF_StackTrace: v2.19.0.dev test_template_injection.py: TestTemplateInjection: missing_feature + TestTemplateInjection_ExtendedLocation: missing_feature test_trust_boundary_violation.py: Test_TrustBoundaryViolation: missing_feature + Test_TrustBoundaryViolation_ExtendedLocation: missing_feature Test_TrustBoundaryViolation_StackTrace: missing_feature test_untrusted_deserialization.py: TestUntrustedDeserialization: missing_feature + TestUntrustedDeserialization_ExtendedLocation: missing_feature TestUntrustedDeserialization_StackTrace: missing_feature test_unvalidated_redirect.py: TestUnvalidatedHeader: missing_feature + TestUnvalidatedHeader_ExtendedLocation: missing_feature TestUnvalidatedHeader_StackTrace: missing_feature TestUnvalidatedRedirect: missing_feature + TestUnvalidatedRedirect_ExtendedLocation: missing_feature TestUnvalidatedRedirect_StackTrace: missing_feature test_unvalidated_redirect_forward.py: TestUnvalidatedForward: missing_feature + TestUnvalidatedForward_ExtendedLocation: missing_feature TestUnvalidatedForward_StackTrace: missing_feature test_weak_cipher.py: TestWeakCipher: '*': v1.18.0 fastapi: v2.15.0 + TestWeakCipher_ExtendedLocation: missing_feature TestWeakCipher_StackTrace: v2.19.0.dev test_weak_hash.py: TestDeduplication: '*': v1.18.0 TestWeakHash: '*': v1.18.0 + TestWeakHash_ExtendedLocation: missing_feature TestWeakHash_StackTrace: v2.19.0.dev test_weak_randomness.py: TestWeakRandomness: '*': v2.0.0 + TestWeakRandomness_ExtendedLocation: missing_feature TestWeakRandomness_StackTrace: v2.19.0.dev test_xcontent_sniffing.py: Test_XContentSniffing: missing_feature + Test_XContentSniffing_ExtendedLocation: missing_feature Test_XContentSniffing_StackTrace: 
missing_feature test_xpath_injection.py: TestXPathInjection: missing_feature + TestXPathInjection_ExtendedLocation: missing_feature TestXPathInjection_StackTrace: missing_feature test_xss.py: TestXSS: missing_feature + TestXSS_ExtendedLocation: missing_feature TestXSS_StackTrace: missing_feature source/: test_body.py: diff --git a/manifests/ruby.yml b/manifests/ruby.yml index 53157f3558a..61f662fcc48 100644 --- a/manifests/ruby.yml +++ b/manifests/ruby.yml @@ -28,19 +28,24 @@ tests/: sink/: test_code_injection.py: TestCodeInjection: missing_feature + TestCodeInjection_ExtendedLocation: missing_feature TestCodeInjection_StackTrace: missing_feature test_command_injection.py: TestCommandInjection: missing_feature + TestCommandInjection_ExtendedLocation: missing_feature TestCommandInjection_StackTrace: missing_feature test_email_html_injection.py: TestEmailHtmlInjection: missing_feature + TestEmailHtmlInjection_ExtendedLocation: missing_feature TestEmailHtmlInjection_StackTrace: missing_feature test_hardcoded_passwords.py: Test_HardcodedPasswords: missing_feature + Test_HardcodedPasswords_ExtendedLocation: missing_feature Test_HardcodedPasswords_StackTrace: missing_feature test_hardcoded_secrets.py: Test_HardcodedSecrets: missing_feature Test_HardcodedSecretsExtended: missing_feature + Test_HardcodedSecrets_ExtendedLocation: missing_feature Test_HardcodedSecrets_StackTrace: missing_feature test_header_injection.py: TestHeaderInjection: missing_feature 
@@ -48,77 +53,101 @@ tests/: TestHeaderInjectionExclusionContentEncoding: missing_feature TestHeaderInjectionExclusionPragma: missing_feature TestHeaderInjectionExclusionTransferEncoding: missing_feature + TestHeaderInjection_ExtendedLocation: missing_feature TestHeaderInjection_StackTrace: missing_feature test_hsts_missing_header.py: Test_HstsMissingHeader: missing_feature + Test_HstsMissingHeader_ExtendedLocation: missing_feature Test_HstsMissingHeader_StackTrace: missing_feature test_insecure_auth_protocol.py: Test_InsecureAuthProtocol: missing_feature + Test_InsecureAuthProtocol_ExtendedLocation: missing_feature Test_InsecureAuthProtocol_StackTrace: missing_feature test_insecure_cookie.py: TestInsecureCookie: missing_feature TestInsecureCookieNameFilter: missing_feature + TestInsecureCookie_ExtendedLocation: missing_feature TestInsecureCookie_StackTrace: missing_feature test_ldap_injection.py: TestLDAPInjection: missing_feature + TestLDAPInjection_ExtendedLocation: missing_feature TestLDAPInjection_StackTrace: missing_feature test_no_httponly_cookie.py: TestNoHttponlyCookie: missing_feature TestNoHttponlyCookieNameFilter: missing_feature + TestNoHttponlyCookie_ExtendedLocation: missing_feature TestNoHttponlyCookie_StackTrace: missing_feature test_no_samesite_cookie.py: TestNoSamesiteCookie: missing_feature TestNoSamesiteCookieNameFilter: missing_feature + TestNoSamesiteCookie_ExtendedLocation: missing_feature TestNoSamesiteCookie_StackTrace: missing_feature test_nosql_mongodb_injection.py: TestNoSqlMongodbInjection: missing_feature + TestNoSqlMongodbInjection_ExtendedLocation: missing_feature TestNoSqlMongodbInjection_StackTrace: missing_feature test_path_traversal.py: TestPathTraversal: missing_feature + TestPathTraversal_ExtendedLocation: missing_feature TestPathTraversal_StackTrace: missing_feature test_reflection_injection.py: TestReflectionInjection: missing_feature + TestReflectionInjection_ExtendedLocation: missing_feature 
TestReflectionInjection_StackTrace: missing_feature test_sql_injection.py: TestSqlInjection: missing_feature + TestSqlInjection_ExtendedLocation: missing_feature TestSqlInjection_StackTrace: missing_feature test_ssrf.py: TestSSRF: missing_feature + TestSSRF_ExtendedLocation: missing_feature TestSSRF_StackTrace: missing_feature test_template_injection.py: TestTemplateInjection: missing_feature + TestTemplateInjection_ExtendedLocation: missing_feature test_trust_boundary_violation.py: Test_TrustBoundaryViolation: missing_feature + Test_TrustBoundaryViolation_ExtendedLocation: missing_feature Test_TrustBoundaryViolation_StackTrace: missing_feature test_untrusted_deserialization.py: TestUntrustedDeserialization: missing_feature + TestUntrustedDeserialization_ExtendedLocation: missing_feature TestUntrustedDeserialization_StackTrace: missing_feature test_unvalidated_redirect.py: TestUnvalidatedHeader: missing_feature + TestUnvalidatedHeader_ExtendedLocation: missing_feature TestUnvalidatedHeader_StackTrace: missing_feature TestUnvalidatedRedirect: missing_feature + TestUnvalidatedRedirect_ExtendedLocation: missing_feature TestUnvalidatedRedirect_StackTrace: missing_feature test_unvalidated_redirect_forward.py: TestUnvalidatedForward: missing_feature + TestUnvalidatedForward_ExtendedLocation: missing_feature TestUnvalidatedForward_StackTrace: missing_feature test_weak_cipher.py: TestWeakCipher: missing_feature + TestWeakCipher_ExtendedLocation: missing_feature TestWeakCipher_StackTrace: missing_feature test_weak_hash.py: TestDeduplication: missing_feature TestWeakHash: missing_feature + TestWeakHash_ExtendedLocation: missing_feature TestWeakHash_StackTrace: missing_feature test_weak_randomness.py: TestWeakRandomness: missing_feature + TestWeakRandomness_ExtendedLocation: missing_feature TestWeakRandomness_StackTrace: missing_feature test_xcontent_sniffing.py: Test_XContentSniffing: missing_feature + Test_XContentSniffing_ExtendedLocation: missing_feature 
Test_XContentSniffing_StackTrace: missing_feature test_xpath_injection.py: TestXPathInjection: missing_feature + TestXPathInjection_ExtendedLocation: missing_feature TestXPathInjection_StackTrace: missing_feature test_xss.py: TestXSS: missing_feature + TestXSS_ExtendedLocation: missing_feature TestXSS_StackTrace: missing_feature source/: test_body.py: diff --git a/tests/appsec/iast/sink/test_code_injection.py b/tests/appsec/iast/sink/test_code_injection.py index c2af5823bcb..f92ce45b38c 100644 --- a/tests/appsec/iast/sink/test_code_injection.py +++ b/tests/appsec/iast/sink/test_code_injection.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, features, rfc, weblog -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_stack_traces, validate_extended_location_data @features.iast_sink_code_injection @@ -36,3 +36,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCodeInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "CODE_INJECTION" + + def setup_extended_location_data(self): + self.r = weblog.post("/iast/code_injection/test_insecure", data={"code": "1+2"}) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_command_injection.py b/tests/appsec/iast/sink/test_command_injection.py index 317367cb28a..3c124fb7583 100644 --- a/tests/appsec/iast/sink/test_command_injection.py +++ b/tests/appsec/iast/sink/test_command_injection.py 
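Review bot: `TestCodeInjection_ExtendedLocation.test_extended_location_data` hands `self.r` straight to `validate_extended_location_data` without checking that the POST to `/iast/code_injection/test_insecure` succeeded, so a 4xx/5xx from the weblog would be reported as a missing vulnerability rather than as a request failure. Unless the helper in `..utils` (outside this diff) already asserts it, add `assert self.r.status_code == 200` as the first line of the test, as the existing `test_hardcoded_passwords_exec` in this change does. The class also repeats the endpoint and payload of the sibling `TestCodeInjection`; if that class defines `insecure_endpoint`/`data` (its attributes are outside this hunk), reading them from there keeps the two requests from drifting apart.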
@@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, features, rfc, weblog -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @features.iast_sink_command_injection @@ -48,3 +48,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestCommandInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "COMMAND_INJECTION" + + def setup_extended_location_data(self): + self.r = weblog.post("/iast/cmdi/test_insecure", data={"cmd": "ls"}) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_email_html_injection.py b/tests/appsec/iast/sink/test_email_html_injection.py index c1ec145a05c..752be776623 100644 --- a/tests/appsec/iast/sink/test_email_html_injection.py +++ b/tests/appsec/iast/sink/test_email_html_injection.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import missing_feature, features, weblog, rfc -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @features.iast_sink_email_html_injection 
@@ -36,3 +36,19 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestEmailHtmlInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "EMAIL_HTML_INJECTION" + + def setup_extended_location_data(self): + self.r = weblog.post( + "/iast/email_html_injection/test_insecure", data={"username": "Josh", "email": "fakeemail@localhost"} + ) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_hardcoded_passwords.py b/tests/appsec/iast/sink/test_hardcoded_passwords.py index 669521027f2..bb76545fa42 100644 --- a/tests/appsec/iast/sink/test_hardcoded_passwords.py +++ b/tests/appsec/iast/sink/test_hardcoded_passwords.py @@ -2,8 +2,8 @@ # This product includes software developed at Datadog (https://www.datadoghq.com/). # Copyright 2021 Datadog, Inc. -from utils import interfaces, weblog, features, context, rfc -from ..utils import validate_stack_traces +from utils import weblog, features, context, rfc +from ..utils import get_hardcoded_vulnerabilities, validate_stack_traces # Test_HardcodedPasswords doesn't inherit from BaseSinkTest # Hardcode passwords detection implementation change a lot between different languages 
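Review bot: The docstring on `TestEmailHtmlInjection_ExtendedLocation`, `"""Test extended location data"""`, only restates the class name and says neither what "extended" means nor which fields are checked. Because the actual assertion lives in `validate_extended_location_data` in `..utils` (outside this diff), this docstring is the only place a reader of the file learns the contract; something like `"""Check that the EMAIL_HTML_INJECTION vulnerability carries extended location data (path and line, plus class and method where the tracer reports them)."""` would do, adjusted to whatever the helper actually asserts. I am assuming the helper checks the same path/line/class/method split that the hand-written hardcoded-password check in this change uses; please confirm.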
@@ -32,30 +32,12 @@ def setup_hardcoded_passwords_exec(self): def test_hardcoded_passwords_exec(self): assert self.r_hardcoded_passwords_exec.status_code == 200 - hardcoded_passwords = self.get_hardcoded_password_vulnerabilities() + hardcoded_passwords = get_hardcoded_vulnerabilities("HARDCODED_PASSWORD") hardcoded_passwords = [v for v in hardcoded_passwords if v["evidence"]["value"] == "hashpwd"] assert len(hardcoded_passwords) == 1 vuln = hardcoded_passwords[0] assert vuln["location"]["path"] == self._get_expectation(self.location_map) - def get_hardcoded_password_vulnerabilities(self): - spans = [s for _, s in interfaces.library.get_root_spans()] - assert spans, "No spans found" - spans_meta = [span.get("meta") for span in spans] - assert spans_meta, "No spans meta found" - iast_events = [meta.get("_dd.iast.json") for meta in spans_meta if meta.get("_dd.iast.json")] - assert iast_events, "No iast events found" - - vulnerabilities: list = [] - for event in iast_events: - vulnerabilities.extend(event.get("vulnerabilities", [])) - - assert vulnerabilities, "No vulnerabilities found" - - hardcoded_passwords = [vuln for vuln in vulnerabilities if vuln.get("type") == "HARDCODED_PASSWORD"] - assert hardcoded_passwords, "No hardcoded passwords found" - return hardcoded_passwords - def _get_expectation(self, d): expected = d.get(context.library.library) if isinstance(expected, dict): 
@@ -75,3 +57,23 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class Test_HardcodedPasswords_ExtendedLocation: + """Test extended location data""" + + def setup_extended_location_data(self): + self.r = weblog.get("/iast/hardcoded_passwords/test_insecure") + + def test_extended_location_data(self): + hardcoded_passwords = get_hardcoded_vulnerabilities("HARDCODED_PASSWORD") + hardcoded_passwords = [v for v in hardcoded_passwords if v["evidence"]["value"] == "hashpwd"] + assert len(hardcoded_passwords) == 1 + location = hardcoded_passwords[0]["location"] + + assert all(field in location for field in ["path", "line"]) + + if context.library.library not in ("python", "nodejs"): + assert all(field in location for field in ["class", "method"]) diff --git a/tests/appsec/iast/sink/test_hardcoded_secrets.py b/tests/appsec/iast/sink/test_hardcoded_secrets.py index 97ff62a75e0..748c22056c2 100644 --- a/tests/appsec/iast/sink/test_hardcoded_secrets.py +++ b/tests/appsec/iast/sink/test_hardcoded_secrets.py @@ -2,8 +2,8 @@ # This product includes software developed at Datadog (https://www.datadoghq.com/). # Copyright 2021 Datadog, Inc. -from utils import interfaces, features, context, rfc, weblog -from ..utils import validate_stack_traces +from utils import features, context, rfc, weblog +from ..utils import get_hardcoded_vulnerabilities, validate_stack_traces # Test_HardcodedSecrets and Test_HardcodedSecretsExtended don't inherit from BaseSinkTest # Hardcode secrets detection implementation change a lot between different languages 
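Review bot: `Test_HardcodedPasswords_ExtendedLocation.test_extended_location_data` never reads `self.r`, so the GET to `/iast/hardcoded_passwords/test_insecure` issued in setup goes unchecked; the existing `test_hardcoded_passwords_exec` in this file asserts `status_code == 200` first, and the new test should start with the same `assert self.r.status_code == 200` so a weblog error is not reported as a missing `hashpwd` vulnerability. Note also that `get_hardcoded_vulnerabilities` appears to collect across all root spans (the per-file helper it replaces iterated `interfaces.library.get_root_spans()`, and the secrets file's header comment says the vulnerability is not always on the current request span), so `assert len(hardcoded_passwords) == 1` relies on no other test in the run having triggered a second `hashpwd` report. A one-line comment stating that assumption would help whoever first sees a flaky `2 != 1`.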
@@ -11,25 +11,6 @@ # as the vulnerability is not always set in the current request span. -def get_hardcoded_secret_vulnerabilities(): - spans = [s for _, s in interfaces.library.get_root_spans()] - assert spans, "No spans found" - spans_meta = [span.get("meta") for span in spans] - assert spans_meta, "No spans meta found" - iast_events = [meta.get("_dd.iast.json") for meta in spans_meta if meta.get("_dd.iast.json")] - assert iast_events, "No iast events found" - - vulnerabilities: list = [] - for event in iast_events: - vulnerabilities.extend(event.get("vulnerabilities", [])) - - assert vulnerabilities, "No vulnerabilities found" - - hardcoded_secrets = [vuln for vuln in vulnerabilities if vuln.get("type") == "HARDCODED_SECRET"] - assert hardcoded_secrets, "No hardcoded secrets found" - return hardcoded_secrets - - def get_expectation(d): expected = d.get(context.library.library) if isinstance(expected, dict): @@ -59,7 +40,7 @@ def setup_hardcoded_secrets_exec(self): def test_hardcoded_secrets_exec(self): assert self.r_hardcoded_secrets_exec.status_code == 200 - hardcode_secrets = get_hardcoded_secret_vulnerabilities() + hardcode_secrets = get_hardcoded_vulnerabilities("HARDCODED_SECRET") hardcode_secrets = [v for v in hardcode_secrets if v["evidence"]["value"] == "aws-access-token"] assert len(hardcode_secrets) == 1 vuln = hardcode_secrets[0] @@ -84,7 +65,7 @@ def setup_hardcoded_secrets_extended_exec(self): def test_hardcoded_secrets_extended_exec(self): assert self.r_hardcoded_secrets_exec.status_code == 200 - hardcoded_secrets = get_hardcoded_secret_vulnerabilities() + hardcoded_secrets = get_hardcoded_vulnerabilities("HARDCODED_SECRET") hardcoded_secrets = [v for v in hardcoded_secrets if v["evidence"]["value"] == "datadog-access-token"] assert len(hardcoded_secrets) == 1 vuln = hardcoded_secrets[0] 
@@ -103,3 +84,23 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class Test_HardcodedSecrets_ExtendedLocation: + """Test extended location data""" + + def setup_extended_location_data(self): + self.r = weblog.get("/iast/hardcoded_secrets/test_insecure") + + def test_extended_location_data(self): + hardcode_secrets = get_hardcoded_vulnerabilities("HARDCODED_SECRET") + hardcode_secrets = [v for v in hardcode_secrets if v["evidence"]["value"] == "aws-access-token"] + assert len(hardcode_secrets) == 1 + location = hardcode_secrets[0]["location"] + + assert all(field in location for field in ["path", "line"]) + + if context.library.library not in ("python", "nodejs"): + assert all(field in location for field in ["class", "method"]) diff --git a/tests/appsec/iast/sink/test_header_injection.py b/tests/appsec/iast/sink/test_header_injection.py index 0804d74fd18..14550ab6def 100644 --- a/tests/appsec/iast/sink/test_header_injection.py +++ b/tests/appsec/iast/sink/test_header_injection.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, features, missing_feature, rfc, weblog -from ..utils import BaseSinkTest, validate_stack_traces, assert_iast_vulnerability +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces, assert_iast_vulnerability class _BaseTestHeaderInjectionReflectedExclusion: 
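Review bot: The two field checks in `Test_HardcodedSecrets_ExtendedLocation.test_extended_location_data` are written as `assert all(field in location for field in [...])`, which on failure reports only a bare `assert False` and hides which field is absent. Compute the gap instead: `missing = [f for f in ("path", "line") if f not in location]` followed by `assert not missing, f"location is missing {missing}: {location}"`, and likewise for `("class", "method")`. The `context.library.library not in ("python", "nodejs")` branch also deserves a why-comment, e.g. `# python and nodejs tracers report only path/line, not class/method`; I am inferring the reason from the exclusion itself, so state whatever the actual one is.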
@@ -117,3 +117,17 @@ class TestHeaderInjectionExclusionTransferEncoding(_BaseTestHeaderInjectionRefle origin_header = "accept-encoding" reflected_header = "transfer-encoding" headers = {"accept-encoding": "foo, bar"} + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestHeaderInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "HEADER_INJECTION" + + def setup_extended_location_data(self): + self.r = weblog.post("/iast/header_injection/test_insecure", data={"test": "dummyvalue"}) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_hsts_missing_header.py b/tests/appsec/iast/sink/test_hsts_missing_header.py index 1b372e52f52..910e34a8cb2 100644 --- a/tests/appsec/iast/sink/test_hsts_missing_header.py +++ b/tests/appsec/iast/sink/test_hsts_missing_header.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, features, rfc, weblog -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @features.iast_sink_hsts_missing_header @@ -39,3 +39,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class Test_HstsMissingHeader_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "HSTS_HEADER_MISSING" + + def setup_extended_location_data(self): + self.r = weblog.get("/iast/hstsmissing/test_insecure", headers={"X-Forwarded-Proto": "https"}) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type, False) 
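Review bot: `Test_HstsMissingHeader_ExtendedLocation.test_extended_location_data` passes a bare positional `False` as the third argument to `validate_extended_location_data`, and nothing in this file says what it switches off; every other `_ExtendedLocation` class in this change calls the helper with two arguments, so this is exactly the case a reader will need to understand. Pass it by keyword (the parameter is defined in `..utils`, outside this diff, so I cannot quote its name) and add a short why-comment such as `# HSTS_HEADER_MISSING is detected on the response rather than at a code sink, so <check> is skipped`, replacing my guess with the real reason. The `X-Forwarded-Proto: https` request header is likewise unexplained; if it is there because the sink only fires for HTTPS requests, say so in a comment next to it.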
diff --git a/tests/appsec/iast/sink/test_insecure_auth_protocol.py b/tests/appsec/iast/sink/test_insecure_auth_protocol.py index f205bce447a..a158be70123 100644 --- a/tests/appsec/iast/sink/test_insecure_auth_protocol.py +++ b/tests/appsec/iast/sink/test_insecure_auth_protocol.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import missing_feature, features, rfc, weblog -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @features.iast_sink_insecure_auth_protocol @@ -47,3 +47,22 @@ def setup_stack_trace(self): @missing_feature(library="java", reason="Not implemented yet") def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class Test_InsecureAuthProtocol_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "INSECURE_AUTH_PROTOCOL" + + def setup_extended_location_data(self): + self.r = weblog.get( + "/iast/insecure-auth-protocol/test_insecure", + headers={ + "Authorization": 'Digest username="WATERFORD", realm="Users", nonce="c5rcvu346qavqf3hnmsrnqj5up", uri="/api/partner/validate", response="57c8d9f11ec7a2f1ab13c5e166b2c505"' + }, + ) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_insecure_cookie.py b/tests/appsec/iast/sink/test_insecure_cookie.py index 09f750aff7b..722d08ba105 100644 --- a/tests/appsec/iast/sink/test_insecure_cookie.py +++ b/tests/appsec/iast/sink/test_insecure_cookie.py 
@@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, bug, weblog, features, rfc, scenarios, flaky -from ..utils import BaseSinkTest, BaseTestCookieNameFilter, validate_stack_traces +from ..utils import BaseSinkTest, BaseTestCookieNameFilter, validate_extended_location_data, validate_stack_traces @features.iast_sink_insecure_cookie @@ -62,3 +62,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestInsecureCookie_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "INSECURE_COOKIE" + + def setup_extended_location_data(self): + self.r = weblog.get("/iast/insecure-cookie/test_insecure") + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_ldap_injection.py b/tests/appsec/iast/sink/test_ldap_injection.py index 527fac132b4..6124fee4ba0 100644 --- a/tests/appsec/iast/sink/test_ldap_injection.py +++ b/tests/appsec/iast/sink/test_ldap_injection.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, features, rfc, weblog -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @features.iast_sink_ldap_injection 
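Review bot: `TestInsecureCookie_ExtendedLocation` carries only `@rfc` and `@features.iast_extended_location`, while this file imports `bug`, `flaky`, `missing_feature` and `scenarios` (see the import hunk above), which suggests the existing `TestInsecureCookie` tests are gated per library or scenario. If any of those markers sit on the sibling class (its decorators are outside this hunk) because `/iast/insecure-cookie/test_insecure` itself misbehaves on some weblog, the new class hits the same endpoint and needs the same gating, or it will fail where the sibling is already skipped. Worth a quick check before merge, and a comment on the new class if the omission is deliberate.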
@@ -42,3 +42,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestLDAPInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "LDAP_INJECTION" + + def setup_extended_location_data(self): + self.r = weblog.post("/iast/ldapi/test_insecure", data={"username": "ssam", "password": "sammy"}) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_no_httponly_cookie.py b/tests/appsec/iast/sink/test_no_httponly_cookie.py index 819c921e370..5d759513f6a 100644 --- a/tests/appsec/iast/sink/test_no_httponly_cookie.py +++ b/tests/appsec/iast/sink/test_no_httponly_cookie.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, bug, weblog, features, rfc, scenarios, flaky -from ..utils import BaseSinkTest, BaseTestCookieNameFilter, validate_stack_traces +from ..utils import BaseSinkTest, BaseTestCookieNameFilter, validate_extended_location_data, validate_stack_traces @features.iast_sink_http_only_cookie @@ -62,3 +62,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestNoHttponlyCookie_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "NO_HTTPONLY_COOKIE" + + def setup_extended_location_data(self): + self.r = weblog.get("/iast/no-httponly-cookie/test_insecure") + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_no_samesite_cookie.py b/tests/appsec/iast/sink/test_no_samesite_cookie.py index 28ccd6387cf..4f7cd104afb 100644 
--- a/tests/appsec/iast/sink/test_no_samesite_cookie.py +++ b/tests/appsec/iast/sink/test_no_samesite_cookie.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, bug, weblog, features, rfc, scenarios, flaky -from ..utils import BaseSinkTest, BaseTestCookieNameFilter, validate_stack_traces +from ..utils import BaseSinkTest, BaseTestCookieNameFilter, validate_extended_location_data, validate_stack_traces @features.iast_sink_samesite_cookie @@ -62,3 +62,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestNoSamesiteCookie_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "NO_SAMESITE_COOKIE" + + def setup_extended_location_data(self): + self.r = weblog.get("/iast/no-samesite-cookie/test_insecure") + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_nosql_mongodb_injection.py b/tests/appsec/iast/sink/test_nosql_mongodb_injection.py index 419df3636e8..e3941402835 100644 --- a/tests/appsec/iast/sink/test_nosql_mongodb_injection.py +++ b/tests/appsec/iast/sink/test_nosql_mongodb_injection.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, scenarios, features, rfc, weblog -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @scenarios.integrations 
@@ -51,3 +51,18 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@scenarios.integrations +@features.iast_extended_location +class TestNoSqlMongodbInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "NOSQL_MONGODB_INJECTION" + + def setup_extended_location_data(self): + self.r = weblog.post("/iast/mongodb-nosql-injection/test_insecure", data={"key": "somevalue"}) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_path_traversal.py b/tests/appsec/iast/sink/test_path_traversal.py index fd66fb82179..a42fd92633d 100644 --- a/tests/appsec/iast/sink/test_path_traversal.py +++ b/tests/appsec/iast/sink/test_path_traversal.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, features, weblog, rfc -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @features.iast_sink_path_traversal @@ -48,3 +48,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestPathTraversal_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "PATH_TRAVERSAL" + + def setup_extended_location_data(self): + self.r = weblog.post("/iast/path_traversal/test_insecure", data={"path": "/var/log"}) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_reflection_injection.py b/tests/appsec/iast/sink/test_reflection_injection.py index 4c32f4a2b9b..a1093091655 100644 
--- a/tests/appsec/iast/sink/test_reflection_injection.py +++ b/tests/appsec/iast/sink/test_reflection_injection.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import missing_feature, features, rfc, weblog -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @features.iast_sink_reflection_injection @@ -40,3 +40,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestReflectionInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "REFLECTION_INJECTION" + + def setup_extended_location_data(self): + self.r = weblog.post("/iast/reflection_injection/test_insecure", data={"param": "ReflectionInjection"}) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_sql_injection.py b/tests/appsec/iast/sink/test_sql_injection.py index c2ab0fb75c4..ffd01f314dc 100644 --- a/tests/appsec/iast/sink/test_sql_injection.py +++ b/tests/appsec/iast/sink/test_sql_injection.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, features, bug, rfc, weblog -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @features.iast_sink_sql_injection 
@@ -54,3 +54,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestSqlInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "SQL_INJECTION" + + def setup_extended_location_data(self): + self.r = weblog.post("/iast/sqli/test_insecure", data={"username": "shaquille_oatmeal", "password": "123456"}) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_ssrf.py b/tests/appsec/iast/sink/test_ssrf.py index 940870fff26..c8088bf92c8 100644 --- a/tests/appsec/iast/sink/test_ssrf.py +++ b/tests/appsec/iast/sink/test_ssrf.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import bug, context, missing_feature, features, rfc, weblog -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @features.iast_sink_ssrf @@ -47,3 +47,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestSSRF_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "SSRF" + + def setup_extended_location_data(self): + self.r = weblog.post("/iast/ssrf/test_insecure", data={"url": "https://www.datadoghq.com"}) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_template_injection.py b/tests/appsec/iast/sink/test_template_injection.py index b54dea2d1d8..2062f5e47eb 100644 --- a/tests/appsec/iast/sink/test_template_injection.py +++ b/tests/appsec/iast/sink/test_template_injection.py 
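Review bot: `TestSSRF_ExtendedLocation.setup_extended_location_data` points the insecure SSRF endpoint at `https://www.datadoghq.com`, so this test depends on outbound internet access from the CI sandbox and can fail or hang for reasons unrelated to the tracer. If the existing `TestSSRF` class in this file already uses the same payload this is at least consistent, but a target that only resolves inside the test network would make the check hermetic. Presumably the sink fires when the tainted URL reaches the HTTP client regardless of the response, so a real external host buys nothing here; if that holds, a comment such as `# target only needs to reach the HTTP client sink; no response is required` next to the payload would document the intent.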
@@ -2,8 +2,8 @@ # This product includes software developed at Datadog (https://www.datadoghq.com/). # Copyright 2021 Datadog, Inc. -from utils import features -from ..utils import BaseSinkTest +from utils import features, weblog, rfc +from ..utils import BaseSinkTest, validate_extended_location_data @features.iast_sink_template_injection @@ -16,3 +16,17 @@ class TestTemplateInjection(BaseSinkTest): secure_endpoint = "/iast/template_injection/test_secure" data = {"template": "Hello"} + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestTemplateInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "TEMPLATE_INJECTION" + + def setup_extended_location_data(self): + self.r = weblog.post("/iast/template_injection/test_insecure", data={"template": "Hello"}) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_trust_boundary_violation.py b/tests/appsec/iast/sink/test_trust_boundary_violation.py index ede2601f657..b58543b7382 100644 --- a/tests/appsec/iast/sink/test_trust_boundary_violation.py +++ b/tests/appsec/iast/sink/test_trust_boundary_violation.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, features, rfc, weblog -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @features.iast_sink_trustboundaryviolation 
@@ -43,3 +43,20 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class Test_TrustBoundaryViolation_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "TRUST_BOUNDARY_VIOLATION" + + def setup_extended_location_data(self): + self.r = weblog.get( + "/iast/trust-boundary-violation/test_insecure", + params={"username": "shaquille_oatmeal", "password": "123456"}, + ) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type, False) diff --git a/tests/appsec/iast/sink/test_untrusted_deserialization.py b/tests/appsec/iast/sink/test_untrusted_deserialization.py index 8fa655d948c..cd168fae321 100644 --- a/tests/appsec/iast/sink/test_untrusted_deserialization.py +++ b/tests/appsec/iast/sink/test_untrusted_deserialization.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import features, weblog, rfc -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @features.iast_sink_untrusted_deserialization @@ -32,3 +32,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestUntrustedDeserialization_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "UNTRUSTED_DESERIALIZATION" + + def setup_extended_location_data(self): + self.r = weblog.get("/iast/untrusted_deserialization/test_insecure?name=example") + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) 
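Review bot: The bare `False` at the end of `Test_TrustBoundaryViolation_ExtendedLocation.test_extended_location_data` gives the reader no hint that it switches off every location check in the validator; pass it by name, `validate_extended_location_data(self.r, self.vulnerability_type, is_expected_location_required=False)`. Since the validator returns as soon as the vulnerability type is found when that flag is false, this class effectively only asserts that a TRUST_BOUNDARY_VIOLATION is reported, and a one-line comment above the call stating why no location is expected for this sink would keep the next maintainer from "fixing" it back to the default.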
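Review bot: `TestUntrustedDeserialization_ExtendedLocation.setup_extended_location_data` hand-writes the query string (`.../test_insecure?name=example`) whereas the other GET-based tests in this change pass `params=`; use `weblog.get("/iast/untrusted_deserialization/test_insecure", params={"name": "example"})` so the parameter is encoded by the client and the request shape matches the sibling tests. The docstring `"""Test extended location data"""` could also name the sink and endpoint it exercises, as it is identical across every new class.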
diff --git a/tests/appsec/iast/sink/test_unvalidated_redirect.py b/tests/appsec/iast/sink/test_unvalidated_redirect.py index 6caff555643..d758ffde4df 100644 --- a/tests/appsec/iast/sink/test_unvalidated_redirect.py +++ b/tests/appsec/iast/sink/test_unvalidated_redirect.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, irrelevant, features, missing_feature, rfc, weblog -from ..utils import BaseSinkTestWithoutTelemetry, validate_stack_traces +from ..utils import BaseSinkTestWithoutTelemetry, validate_extended_location_data, validate_stack_traces def _expected_location(): @@ -99,3 +99,35 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestUnvalidatedRedirect_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "UNVALIDATED_REDIRECT" + + def setup_extended_location_data(self): + self.r = weblog.post( + "/iast/unvalidated_redirect/test_insecure_redirect", data={"location": "http://dummy.location.com"} + ) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestUnvalidatedHeader_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "UNVALIDATED_REDIRECT" + + def setup_extended_location_data(self): + self.r = weblog.post( + "/iast/unvalidated_redirect/test_insecure_header", data={"location": "http://dummy.location.com"} + ) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_unvalidated_redirect_forward.py b/tests/appsec/iast/sink/test_unvalidated_redirect_forward.py index ca85e9cf69b..2950a1e3406 100644 
--- a/tests/appsec/iast/sink/test_unvalidated_redirect_forward.py +++ b/tests/appsec/iast/sink/test_unvalidated_redirect_forward.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, features, missing_feature, rfc, weblog -from ..utils import BaseSinkTestWithoutTelemetry, validate_stack_traces +from ..utils import BaseSinkTestWithoutTelemetry, validate_extended_location_data, validate_stack_traces def _expected_location(): @@ -46,3 +46,19 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestUnvalidatedForward_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "UNVALIDATED_REDIRECT" + + def setup_extended_location_data(self): + self.r = weblog.post( + "/iast/unvalidated_redirect/test_insecure_forward", data={"location": "http://dummy.location.com"} + ) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_weak_cipher.py b/tests/appsec/iast/sink/test_weak_cipher.py index b2604f18abf..c65fa962594 100644 --- a/tests/appsec/iast/sink/test_weak_cipher.py +++ b/tests/appsec/iast/sink/test_weak_cipher.py @@ -2,7 +2,7 @@ # This product includes software developed at Datadog (https://www.datadoghq.com/). # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, flaky, features, weblog, rfc -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @features.weak_cipher_detection 
@@ -46,3 +46,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestWeakCipher_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "WEAK_CIPHER" + + def setup_extended_location_data(self): + self.r = weblog.get("/iast/insecure_cipher/test_insecure_algorithm") + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_weak_hash.py b/tests/appsec/iast/sink/test_weak_hash.py index 4e5a803ef39..2c9c30ae734 100644 --- a/tests/appsec/iast/sink/test_weak_hash.py +++ b/tests/appsec/iast/sink/test_weak_hash.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import weblog, context, missing_feature, features, rfc, scenarios -from ..utils import BaseSinkTest, assert_iast_vulnerability, validate_stack_traces +from ..utils import BaseSinkTest, assert_iast_vulnerability, validate_extended_location_data, validate_stack_traces def _expected_location(): @@ -104,3 +104,17 @@ def test_insecure_hash_multiple(self): vulnerability_type="WEAK_HASH", expected_location=_expected_location(), ) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestWeakHash_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "WEAK_HASH" + + def setup_extended_location_data(self): + self.r = weblog.get("/iast/insecure_hashing/test_md5_algorithm") + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_weak_randomness.py b/tests/appsec/iast/sink/test_weak_randomness.py index 893441b4088..f6de93ac95b 100644 --- a/tests/appsec/iast/sink/test_weak_randomness.py +++ b/tests/appsec/iast/sink/test_weak_randomness.py 
@@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import features, weblog, rfc -from ..utils import BaseSinkTestWithoutTelemetry, validate_stack_traces +from ..utils import BaseSinkTestWithoutTelemetry, validate_extended_location_data, validate_stack_traces @features.iast_sink_weakrandomness @@ -34,3 +34,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestWeakRandomness_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "WEAK_RANDOMNESS" + + def setup_extended_location_data(self): + self.r = weblog.get("/iast/weak_randomness/test_insecure") + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_xcontent_sniffing.py b/tests/appsec/iast/sink/test_xcontent_sniffing.py index 77e996ca0d7..8a9ae376e58 100644 --- a/tests/appsec/iast/sink/test_xcontent_sniffing.py +++ b/tests/appsec/iast/sink/test_xcontent_sniffing.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import context, missing_feature, features, rfc, weblog -from ..utils import BaseSinkTest, validate_stack_traces +from ..utils import BaseSinkTest, validate_extended_location_data, validate_stack_traces @features.iast_sink_xcontentsniffing 
@@ -37,3 +37,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class Test_XContentSniffing_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "XCONTENTTYPE_HEADER_MISSING" + + def setup_extended_location_data(self): + self.r = weblog.get("/iast/xcontent-missing-header/test_insecure") + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type, False) diff --git a/tests/appsec/iast/sink/test_xpath_injection.py b/tests/appsec/iast/sink/test_xpath_injection.py index 3add0f480b6..481f0f9a1cc 100644 --- a/tests/appsec/iast/sink/test_xpath_injection.py +++ b/tests/appsec/iast/sink/test_xpath_injection.py @@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import features, weblog, rfc -from ..utils import BaseSinkTestWithoutTelemetry, validate_stack_traces +from ..utils import BaseSinkTestWithoutTelemetry, validate_extended_location_data, validate_stack_traces @features.iast_sink_xpathinjection @@ -30,3 +30,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestXPathInjection_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "XPATH_INJECTION" + + def setup_extended_location_data(self): + self.r = weblog.post("/iast/xpathi/test_insecure", data={"expression": "expression"}) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/sink/test_xss.py b/tests/appsec/iast/sink/test_xss.py index 74449793c7c..d2735032c77 100644 --- a/tests/appsec/iast/sink/test_xss.py +++ b/tests/appsec/iast/sink/test_xss.py 
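Review bot: As in the trust-boundary test, the positional `False` in `Test_XContentSniffing_ExtendedLocation.test_extended_location_data` hides that all location assertions are skipped for this sink; write `validate_extended_location_data(self.r, self.vulnerability_type, is_expected_location_required=False)` and add a short comment explaining why a missing-header vulnerability is not expected to carry a source location. With the flag false the class only checks that an `XCONTENTTYPE_HEADER_MISSING` entry exists, which is worth stating explicitly in the docstring.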
@@ -3,7 +3,7 @@ # Copyright 2021 Datadog, Inc. from utils import features, weblog, rfc -from ..utils import BaseSinkTestWithoutTelemetry, validate_stack_traces +from ..utils import BaseSinkTestWithoutTelemetry, validate_extended_location_data, validate_stack_traces @features.iast_sink_xss @@ -30,3 +30,17 @@ def setup_stack_trace(self): def test_stack_trace(self): validate_stack_traces(self.r) + + +@rfc("https://docs.google.com/document/d/1R8AIuQ9_rMHBPdChCb5jRwPrg1WvIz96c_WQ3y8DWk4") +@features.iast_extended_location +class TestXSS_ExtendedLocation: + """Test extended location data""" + + vulnerability_type = "XSS" + + def setup_extended_location_data(self): + self.r = weblog.post("/iast/xss/test_insecure", data={"param": "param"}) + + def test_extended_location_data(self): + validate_extended_location_data(self.r, self.vulnerability_type) diff --git a/tests/appsec/iast/utils.py b/tests/appsec/iast/utils.py index 7f670777b20..1eeeb31aee8 100644 --- a/tests/appsec/iast/utils.py +++ b/tests/appsec/iast/utils.py 
@@ -257,6 +257,82 @@ def validate_stack_traces(request): assert locationFrame is not None, "location not found in stack trace" +def validate_extended_location_data(request, vulnerability_type, is_expected_location_required=True): + spans = [span for _, span in interfaces.library.get_root_spans(request=request)] + assert spans, "No root span found" + span = spans[0] + + iast = span.get("meta", {}).get("_dd.iast.json") + assert iast and iast["vulnerabilities"], "Expected at least one vulnerability" + + # Filter by vulnerability + if vulnerability_type: + vulns = [v for v in iast["vulnerabilities"] if not vulnerability_type or v["type"] == vulnerability_type] + assert vulns, f"No vulnerability of type {vulnerability_type}" + + if not is_expected_location_required: + return + + vuln = vulns[0] + location = vuln["location"] + + # Check extended data if stack trace exists + if "meta_struct" in span and "_dd.stack" in span["meta_struct"]: + assert "vulnerability" in span["meta_struct"]["_dd.stack"], "'exploit' not found in '_dd.stack'" + stack_trace = span["meta_struct"]["_dd.stack"]["vulnerability"][0] + + assert "language" in stack_trace + assert stack_trace["language"] in ( + "php", + "python", + "nodejs", + "java", + "dotnet", + "go", + "ruby", + ), "unexpected language" + assert "frames" in stack_trace + + # Verify frame matches location + location_match = False + for frame in stack_trace["frames"]: + if ( + frame.get("file", "").endswith(location["path"]) + and location["line"] == frame["line"] + and location.get("class", "") == frame.get("class_name", "") + and location.get("method", "") == frame.get("function", "") + ): + location_match = True + break + + assert location_match, "location not found in stack trace" + # Check extended data if on location if stack trace do not exists + else: + assert all(field in location for field in ["path", "line"]) + + if context.library.library not in ("python", "nodejs"): + assert all(field in location for field in ["class", 
"method"]) + + +def get_hardcoded_vulnerabilities(vulnerability_type): + spans = [s for _, s in interfaces.library.get_root_spans()] + assert spans, "No spans found" + spans_meta = [span.get("meta") for span in spans] + assert spans_meta, "No spans meta found" + iast_events = [meta.get("_dd.iast.json") for meta in spans_meta if meta.get("_dd.iast.json")] + assert iast_events, "No iast events found" + + vulnerabilities: list = [] + for event in iast_events: + vulnerabilities.extend(event.get("vulnerabilities", [])) + + assert vulnerabilities, "No vulnerabilities found" + + hardcoded_vulns = [vuln for vuln in vulnerabilities if vuln.get("type") == vulnerability_type] + assert hardcoded_vulns, "No hardcoded vulnerabilities found" + return hardcoded_vulns + + class BaseSinkTest(BaseSinkTestWithoutTelemetry): def setup_telemetry_metric_instrumented_sink(self): self.setup_insecure() diff --git a/utils/_features.py b/utils/_features.py index a8a766cb057..17f42f55a71 100644 --- a/utils/_features.py +++ b/utils/_features.py @@ -2291,6 +2291,15 @@ def iast_stack_trace(test_object): pytest.mark.features(feature_id=329)(test_object) return test_object + @staticmethod + def iast_extended_location(test_object): + """IAST: Extended location data + + https://feature-parity.us1.prod.dog/#/?feature=364 + """ + pytest.mark.features(feature_id=364)(test_object) + return test_object + @staticmethod def djm_ssi_k8s(test_object): """Data Jobs Monitoring: Java lib auto instrumentation for Spark applications on K8s.