[python] Code security standalone tests (#3506)

DataDog · Nov 22, 2024 · 833f54c · 833f54c
1 parent 33a2345
commit 833f54c
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 1 deletion.
diff --git a/manifests/python.yml b/manifests/python.yml
@@ -423,6 +423,8 @@ tests/:
       Test_AppSecStandalone_UpstreamPropagation:
         '*': v2.12.3
         uwsgi-poc: v2.17.1
+      Test_IastStandalone_UpstreamPropagation:
+        '*': v2.17.0.dev
       Test_IastStandalone_UpstreamPropagation: missing_feature
       Test_SCAStandalone_Telemetry: missing_feature
     test_automated_login_events.py:

diff --git a/utils/build/docker/python/django/app/urls.py b/utils/build/docker/python/django/app/urls.py
@@ -111,6 +111,16 @@ def request_downstream(request, *args, **kwargs):
     return HttpResponse(response.data)
 
 
+@csrf_exempt
+def vulnerable_request_downstream(request, *args, **kwargs):
+    weak_hash()
+    # Propagate the received headers to the downstream service
+    http = urllib3.PoolManager()
+    # Sending a GET request and getting back response as HTTPResponse object.
+    response = http.request("GET", "http://localhost:7777/returnheaders")
+    return HttpResponse(response.data)
+
+
 @csrf_exempt
 def set_cookie(request):
     res = HttpResponse("OK")

diff --git a/utils/build/docker/python/fastapi/main.py b/utils/build/docker/python/fastapi/main.py
@@ -789,6 +789,20 @@ def request_downstream():
     return response.data
 
 
+@app.get("/vulnerablerequestdownstream", response_class=PlainTextResponse)
+@app.post("/vulnerablerequestdownstream", response_class=PlainTextResponse)
+@app.options("/vulnerablerequestdownstream", response_class=PlainTextResponse)
+@app.get("/vulnerablerequestdownstream/", response_class=PlainTextResponse)
+@app.post("/vulnerablerequestdownstream/", response_class=PlainTextResponse)
+@app.options("/vulnerablerequestdownstream/", response_class=PlainTextResponse)
+def vulnerable_request_downstream():
+    weak_hash()
+    http_ = urllib3.PoolManager()
+    # Sending a GET request and getting back response as HTTPResponse object.
+    response = http_.request("GET", "http://localhost:7777/returnheaders")
+    return response.data
+
+
 @app.get("/returnheaders", response_class=PlainTextResponse)
 @app.post("/returnheaders", response_class=PlainTextResponse)
 @app.options("/returnheaders", response_class=PlainTextResponse)

diff --git a/utils/build/docker/python/flask/app.py b/utils/build/docker/python/flask/app.py
@@ -1322,9 +1322,19 @@ def return_headers(*args, **kwargs):
     return jsonify(headers)
 
 
+@app.route("/vulnerablerequestdownstream", methods=["GET", "POST", "OPTIONS"])
+@app.route("/vulnerablerequestdownstream/", methods=["GET", "POST", "OPTIONS"])
+def vulnerable_request_downstream():
+    weak_hash()
+    # Propagate the received headers to the downstream service
+    http = urllib3.PoolManager()
+    # Sending a GET request and getting back response as HTTPResponse object.
+    response = http.request("GET", "http://localhost:7777/returnheaders")
+    return Response(response.data)
+
+
 @app.route("/mock_s3/put_object", methods=["GET", "POST", "OPTIONS"])
 def s3_put_object():
-
     bucket = flask_request.args.get("bucket")
     key = flask_request.args.get("key")
     body: str = flask_request.args.get("key")