chore(asm): add pygoat integration test for SSRF (#9401)
## Description

Adds an integration test for pygoat + SSRF. It also adds a disabled
second one that currently won't work because we don't implement SSRF for
open (and for implementing it we need to fix other issues or go back to
AST-patching open, which in any case will be separate PRs).

## Checklist

- [X] Change(s) are motivated and described in the PR description
- [X] Testing strategy is described if automated tests are not included
in the PR
- [X] Risks are described (performance impact, potential for breakage,
maintainability)
- [X] Change is maintainable (easy to change, telemetry, documentation)
- [X] [Library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
are followed or label `changelog/no-changelog` is set
- [X] Documentation is included (in-code, generated user docs, [public
corp docs](https://github.com/DataDog/documentation/))
- [X] Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))
- [X] If this PR changes the public interface, I've notified
`@DataDog/apm-tees`.

## Reviewer Checklist

- [x] Title is accurate
- [x] All changes are related to the pull request's stated goal
- [x] Description motivates each change
- [x] Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- [x] Testing strategy adequately addresses listed risks
- [x] Change is maintainable (easy to change, telemetry, documentation)
- [x] Release note makes sense to a user of the library
- [x] Author has acknowledged and discussed the performance implications
of this PR as reported in the benchmarks PR comment
- [x] Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

---------

Signed-off-by: Juanjo Alvarez <[email protected]>
Co-authored-by: Christophe Papazian <[email protected]>
juanjux and christophe-papazian authored May 29, 2024
1 parent 538a024 commit c7679df
Showing 2 changed files with 41 additions and 0 deletions.
Expand Up @@ -35,6 +35,7 @@ RUN pip install --no-cache-dir -r requirements.txt
# install pygoat
EXPOSE 8321

# Note: admin login from the fixtures is "admin/adminpassword"
RUN python3 manage.py migrate
RUN python3 manage.py loaddata ../fixtures/*
CMD ["ddtrace-run", "python", "manage.py", "runserver", "0.0.0.0:8321"]
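Review bot: the new comment about the fixture admin credentials ("admin/adminpassword") is placed above `manage.py migrate`, but the credentials come from the `loaddata ../fixtures/*` step two lines below; move the note directly above that `RUN python3 manage.py loaddata` line so a reader sees where the account is created. Since these credentials now live in the repository, it is also worth stating in the same comment that this image is the intentionally vulnerable pygoat test target used only by the docker-compose test setup and is not meant to be reachable from anywhere else.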
40 changes: 40 additions & 0 deletions tests/appsec/integrations/pygoat_tests/test_pygoat.py
Expand Up @@ -4,6 +4,11 @@
import pytest
import requests

from tests.appsec.iast.conftest import iast_span_defaults


span_defaults = iast_span_defaults # So ruff does not remove it


# Note: these tests require the testagent and pygoat images to be up from the docker-compose file
# dc up -d pygoat testagent
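Review bot: the alias `span_defaults = iast_span_defaults  # So ruff does not remove it` works around the unused-import lint but leaves the fixture reachable under two names, and the tests below are inconsistent about which one they request (`test_ssrf1` asks for `iast_span_defaults`, `test_ssrf2` for `span_defaults`). Prefer keeping the import and silencing the lint on that line, e.g. `from tests.appsec.iast.conftest import iast_span_defaults  # noqa: F401`, and request the fixture under its original name in both tests; importing a fixture from another package's conftest is already somewhat fragile, so a single name keeps that dependency easy to find.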
Expand Down Expand Up @@ -128,3 +133,38 @@ def test_sqli(client):
reply = client.pygoat_session.post(PYGOAT_URL + "/sql_lab", data=payload, headers=TESTAGENT_HEADERS)
assert reply.status_code == 200
assert vulnerability_in_traces("SQL_INJECTION", client.agent_session)


@pytest.mark.skip("TODO: SSRF is not implemented for open()")
def test_ssrf1(client, tracer, iast_span_defaults):
from ddtrace.appsec._iast._taint_tracking import OriginType
from ddtrace.appsec._iast._taint_tracking import taint_pyobject

s = "templates/Lab/ssrf/blogs/blog2.txt"
tainted_path = taint_pyobject(
pyobject=s,
source_name="test_ssrf",
source_value=s,
source_origin=OriginType.PARAMETER,
)
payload = {"blog": tainted_path, "csrfmiddlewaretoken": client.csrftoken}
reply = client.pygoat_session.post(PYGOAT_URL + "/ssrf_lab", data=payload, headers=TESTAGENT_HEADERS)
assert reply.status_code == 200
assert vulnerability_in_traces("SSRF", client.agent_session)


def test_ssrf2(client, tracer, span_defaults):
from ddtrace.appsec._iast._taint_tracking import OriginType
from ddtrace.appsec._iast._taint_tracking import taint_pyobject

s = "http://example.com"
tainted_path = taint_pyobject(
pyobject=s,
source_name="test_ssrf",
source_value=s,
source_origin=OriginType.PARAMETER,
)
payload = {"url": tainted_path, "csrfmiddlewaretoken": client.csrftoken}
reply = client.pygoat_session.post(PYGOAT_URL + "/ssrf_lab2", data=payload, headers=TESTAGENT_HEADERS)
assert reply.status_code == 200
assert vulnerability_in_traces("SSRF", client.agent_session)
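Review bot: in both `test_ssrf1` and `test_ssrf2`, the `taint_pyobject(...)` call runs in the test process, but detection happens inside the pygoat container, which only ever sees the plain form value sent over HTTP by `client.pygoat_session.post(...)`; the client-side tainting cannot influence the server's IAST engine, so the test passes or fails purely on whether pygoat's instrumentation taints the request parameter itself. Either drop the `taint_pyobject` / `OriginType` block and send `s` directly, or add a comment explaining that the tainting is intentionally inert, because as written it suggests the test is exercising taint propagation it cannot reach. The `tracer` and span-defaults fixtures are also requested but never used in either test, and `tainted_path` in `test_ssrf2` holds a URL rather than a path; renaming it `tainted_url` would match the `"url"` form field.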

0 comments on commit c7679df