From 30091618aa84f09bd7f13e24a4f46504cf623d62 Mon Sep 17 00:00:00 2001 From: Juanjo Alvarez Date: Tue, 7 Jan 2025 17:26:43 +0100 Subject: [PATCH 1/4] Add tests for Python FastAPI header injection Signed-off-by: Juanjo Alvarez --- manifests/python.yml | 1 - utils/build/docker/python/fastapi/main.py | 19 +++++++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/manifests/python.yml b/manifests/python.yml index 5b53d31be3..338d538afb 100644 --- a/manifests/python.yml +++ b/manifests/python.yml @@ -81,7 +81,6 @@ tests/: test_header_injection.py: TestHeaderInjection: '*': v2.10.0 - fastapi: missing_feature TestHeaderInjectionExclusionAccessControlAllow: missing_feature TestHeaderInjectionExclusionContentEncoding: missing_feature TestHeaderInjectionExclusionPragma: missing_feature diff --git a/utils/build/docker/python/fastapi/main.py b/utils/build/docker/python/fastapi/main.py index caf5ab65b5..9be5e9b4e9 100644 --- a/utils/build/docker/python/fastapi/main.py +++ b/utils/build/docker/python/fastapi/main.py @@ -87,6 +87,25 @@ async def set_cookie(request: Request): ) +@app.post("/iast/header_injection/test_insecure", response_class=PlainTextResponse) +async def iast_header_injection_insecure(request: Request): + form_data = await request.form() + header_value = form_data.get("test") + response = PlainTextResponse("OK") + # label iast_header_injection + response.headers["Header-Injection"] = header_value + return response + + +@app.post("/iast/header_injection/test_secure", response_class=PlainTextResponse) +async def iast_header_injection_secure(request: Request): + form_data = await request.form() + header_value = form_data.get("test") + response = PlainTextResponse("OK") + # label iast_header_injection + response.headers["Vary"] = header_value + return response + @app.get("/sample_rate_route/{i}", response_class=PlainTextResponse) async def sample_rate(i): return "OK" From 16255b50bb46a8fc5fac3cce55bbadf08401190c Mon Sep 17 00:00:00 2001 
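Review bot: In both new handlers, `header_value = form_data.get("test")` is `None` whenever the request omits the `test` form field, and assigning `None` to `response.headers[...]` fails when Starlette encodes the header value, so a malformed test request surfaces as a 500 rather than a clear client error; the same applies to `iast_header_injection_secure`. A one-line change keeps the fixture robust without moving the sink line the `# label iast_header_injection` marker points at: `header_value = form_data.get("test", "")`. A short docstring on each handler would also help the next maintainer, e.g. on the insecure one `"""Intentionally vulnerable sink: echoes an untrusted form field into a custom response header so the IAST header-injection detector can be exercised."""` and on the secure one a note that it presumably relies on `Vary` being treated as an excluded header by the tracer — worth confirming against the exclusion list, since only the Access-Control-Allow, Content-Encoding and Pragma exclusions are visible in the manifest.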
From: Juanjo Alvarez Date: Tue, 7 Jan 2025 17:28:49 +0100 Subject: [PATCH 2/4] Update manifest Signed-off-by: Juanjo Alvarez --- manifests/python.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/python.yml b/manifests/python.yml index 338d538afb..e694438e7f 100644 --- a/manifests/python.yml +++ b/manifests/python.yml @@ -81,6 +81,7 @@ tests/: test_header_injection.py: TestHeaderInjection: '*': v2.10.0 + fastapi: v2.20.0 TestHeaderInjectionExclusionAccessControlAllow: missing_feature TestHeaderInjectionExclusionContentEncoding: missing_feature TestHeaderInjectionExclusionPragma: missing_feature From 0be13be3acc62e017e49495603bc2ec08938e455 Mon Sep 17 00:00:00 2001 From: Juanjo Alvarez Date: Tue, 7 Jan 2025 17:44:33 +0100 Subject: [PATCH 3/4] fmt Signed-off-by: Juanjo Alvarez --- utils/build/docker/python/fastapi/main.py | 1 + 1 file changed, 1 insertion(+) diff --git a/utils/build/docker/python/fastapi/main.py b/utils/build/docker/python/fastapi/main.py index 9be5e9b4e9..f0ea0e281c 100644 --- a/utils/build/docker/python/fastapi/main.py +++ b/utils/build/docker/python/fastapi/main.py @@ -106,6 +106,7 @@ async def iast_header_injection_secure(request: Request): response.headers["Vary"] = header_value return response + @app.get("/sample_rate_route/{i}", response_class=PlainTextResponse) async def sample_rate(i): return "OK" From 41e829178ad52543d05446b960847146826973dc Mon Sep 17 00:00:00 2001 From: Juanjo Alvarez Date: Wed, 8 Jan 2025 10:33:52 +0100 Subject: [PATCH 4/4] Update manifest Signed-off-by: Juanjo Alvarez --- manifests/python.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/python.yml b/manifests/python.yml index e694438e7f..7ad6914095 100644 --- a/manifests/python.yml +++ b/manifests/python.yml 
@@ -81,7 +81,7 @@ tests/: test_header_injection.py: TestHeaderInjection: '*': v2.10.0 - fastapi: v2.20.0 + fastapi: v2.20.0.dev TestHeaderInjectionExclusionAccessControlAllow: missing_feature TestHeaderInjectionExclusionContentEncoding: missing_feature TestHeaderInjectionExclusionPragma: missing_feature