Avoid false XPASS in test_reports.py (#2345)
* Avoid false XPASS in test_reports.py
* Fix for Nextjs (multiple appsec events)
smola authored Apr 16, 2024
1 parent ee7a5e1 commit 9b7d972
Showing 2 changed files with 44 additions and 23 deletions.
6 changes: 5 additions & 1 deletion manifests/java.yml
Expand Up @@ -733,7 +733,10 @@ tests/:
test_reports.py:
Test_AttackTimestamp:
akka-http: v1.22.0
Test_ExtraTagsFromRule: v1.22.0 # Supported since v1.22.0
spring-boot-3-native: missing_feature (GraalVM. Tracing support only)
Test_ExtraTagsFromRule:
'*': v1.22.0
spring-boot-3-native: missing_feature (GraalVM. Tracing support only)
Test_HttpClientIP:
'*': v0.98.1
akka-http: v1.22.0
Expand All @@ -752,6 +755,7 @@ tests/:
spring-boot-3-native: missing_feature (GraalVM. Tracing support only)
Test_TagsFromRule:
akka-http: v1.22.0
spring-boot-3-native: missing_feature (GraalVM. Tracing support only)
test_request_blocking.py:
Test_AppSecRequestBlocking:
'*': missing_feature
61 changes: 39 additions & 22 deletions tests/appsec/test_reports.py
Expand Up @@ -146,36 +146,53 @@ def test_http_request_headers(self):

@features.security_events_metadata
class Test_TagsFromRule:
"""Tags (Category & event type) from the rule"""
"""Tags tags from the rule"""

def setup_basic(self):
self.r = weblog.get("/waf/", headers={"User-Agent": "Arachni/v1"})
def _setup(self):
if not hasattr(self, "r"):
self.r = weblog.get("/waf/", headers={"User-Agent": "Arachni/v1"})

@missing_feature(weblog_variant="spring-boot-3-native", reason="GraalVM. Tracing support only")
def test_basic(self):
"""attack timestamp is given by start property of span"""
def setup_type(self):
self._setup()

def test_type(self):
"""Type tag is set"""
for trigger in _get_appsec_triggers(self.r):
assert "type" in trigger["rule"]["tags"]

def setup_category(self):
self._setup()

for _, _, _, appsec_data in interfaces.library.get_appsec_events(request=self.r):
for trigger in appsec_data["triggers"]:
assert "rule" in trigger
assert "tags" in trigger["rule"]
assert "type" in trigger["rule"]["tags"]
assert "category" in trigger["rule"]["tags"]
def test_category(self):
"""Category tag is set"""
for trigger in _get_appsec_triggers(self.r):
assert "category" in trigger["rule"]["tags"]


@features.security_events_metadata
class Test_ExtraTagsFromRule:
"""Extra tags may be added to the rule match since libddwaf 1.10.0"""

def setup_basic(self):
def setup_tool_name(self):
self.r = weblog.get("/waf/", headers={"User-Agent": "Arachni/v1"})

def test_basic(self):
for _, _, _, appsec_data in interfaces.library.get_appsec_events(request=self.r):
for trigger in appsec_data["triggers"]:
assert "rule" in trigger
assert "tags" in trigger["rule"]
assert "tool_name" in trigger["rule"]["tags"]
def test_tool_name(self):
"""Tool name tag is set"""
for trigger in _get_appsec_triggers(self.r):
assert "tool_name" in trigger["rule"]["tags"]


def _get_appsec_triggers(request):
datas = [appsec_data for _, _, _, appsec_data in interfaces.library.get_appsec_events(request=request)]
assert datas, "No AppSec events found"
triggers = []
for data in datas:
triggers += data["triggers"]
assert triggers, "No triggers found"
for trigger in triggers:
assert "rule" in trigger
assert "tags" in trigger["rule"]
return triggers


@features.security_events_metadata
Expand All @@ -185,10 +202,10 @@ class Test_AttackTimestamp:
def setup_basic(self):
self.r = weblog.get("/waf/", headers={"User-Agent": "Arachni/v1"})

@missing_feature(weblog_variant="spring-boot-3-native", reason="GraalVM. Tracing support only")
def test_basic(self):
"""attack timestamp is given by start property of span"""

for _, _, span, _ in interfaces.library.get_appsec_events(request=self.r):
spans = [span for _, _, span, _ in interfaces.library.get_appsec_events(request=self.r)]
assert spans, "No AppSec events found"
for span in spans:
assert "start" in span, "span should contain start property"
assert isinstance(span["start"], int), f"start property should an int, not {repr(span['start'])}"
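Review bot: `_get_appsec_triggers` indexes `data["triggers"]` without a guard, so an AppSec event that lacks a `triggers` key fails with a bare KeyError instead of the diagnostic messages the neighbouring asserts give; adding `assert "triggers" in data, "AppSec event has no triggers"` before the `+=` keeps the failure readable and consistent with `"No AppSec events found"` / `"No triggers found"`. The helper also has no docstring; a one-liner such as `"""Return every trigger from the AppSec events of *request*, failing if there are none."""` would make the non-empty contract explicit, since that contract is what turns the former false XPASS into a real failure. The new `Test_TagsFromRule` docstring reads `"""Tags tags from the rule"""`, which looks like a typo for the intent of the two new tests, e.g. `"""Tags (type and category) from the rule"""`. The `hasattr(self, "r")` guard in `_setup` only dedups the request if the framework reuses one instance across the `setup_type` and `setup_category` calls, which is not visible here and may be worth a short comment stating that assumption.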
