feat(iast): xss vulnerability for jinja2

DataDog · Feb 4, 2025 · 1777ed4 · 1777ed4
1 parent ef31ae7
commit 1777ed4
Showing 1 changed file with 0 additions and 32 deletions.
diff --git a/tests/appsec/integrations/flask_tests/test_iast_flask.py b/tests/appsec/integrations/flask_tests/test_iast_flask.py
@@ -65,7 +65,6 @@ def test_flask_full_sqli_iast_http_request_path_parameter(self):
         def sqli_1(param_str):
             import sqlite3
 
-            from ddtrace.appsec._iast._taint_tracking._taint_objects import is_pyobject_tainted
             from ddtrace.appsec._iast._taint_tracking.aspects import add_aspect
 
             assert is_pyobject_tainted(param_str)
@@ -280,7 +279,6 @@ def sqli_5(param_str, param_int):
 
             from ddtrace.appsec._iast._taint_tracking import OriginType
             from ddtrace.appsec._iast._taint_tracking._taint_objects import get_tainted_ranges
-            from ddtrace.appsec._iast._taint_tracking._taint_objects import is_pyobject_tainted
 
             header_ranges = get_tainted_ranges(request.headers["User-Agent"])
             assert header_ranges
@@ -330,8 +328,6 @@ def test_flask_simple_iast_path_header_and_querystring_tainted_request_sampling_
         def sqli_6(param_str):
             from flask import request
 
-            from ddtrace.appsec._iast._taint_tracking._taint_objects import is_pyobject_tainted
-
             # Note: these are not tainted because of request sampling at 0%
             assert not is_pyobject_tainted(request.headers["User-Agent"])
             assert not is_pyobject_tainted(request.query_string)
@@ -541,7 +537,6 @@ def test_flask_full_sqli_iast_http_request_parameter_name_post(self):
         def sqli_13():
             import sqlite3
 
-            from ddtrace.appsec._iast._taint_tracking._taint_objects import is_pyobject_tainted
             from ddtrace.appsec._iast._taint_tracking.aspects import add_aspect
 
             for i in request.form.keys():
@@ -599,7 +594,6 @@ def test_flask_full_sqli_iast_http_request_parameter_name_get(self):
         def sqli_14():
             import sqlite3
 
-            from ddtrace.appsec._iast._taint_tracking._taint_objects import is_pyobject_tainted
             from ddtrace.appsec._iast._taint_tracking.aspects import add_aspect
 
             for i in request.args.keys():
@@ -660,7 +654,6 @@ def sqli_10():
 
             from flask import request
 
-            from ddtrace.appsec._iast._taint_tracking._taint_objects import is_pyobject_tainted
             from ddtrace.appsec._iast._taint_tracking.aspects import add_aspect
 
             con = sqlite3.connect(":memory:")
@@ -725,7 +718,6 @@ def sqli_11():
 
             from flask import request
 
-            from ddtrace.appsec._iast._taint_tracking._taint_objects import is_pyobject_tainted
             from ddtrace.appsec._iast._taint_tracking.aspects import add_aspect
 
             con = sqlite3.connect(":memory:")
@@ -790,7 +782,6 @@ def sqli_11():
 
             from flask import request
 
-            from ddtrace.appsec._iast._taint_tracking._taint_objects import is_pyobject_tainted
             from ddtrace.appsec._iast._taint_tracking.aspects import add_aspect
 
             con = sqlite3.connect(":memory:")
@@ -855,7 +846,6 @@ def sqli_11():
 
             from flask import request
 
-            from ddtrace.appsec._iast._taint_tracking._taint_objects import is_pyobject_tainted
             from ddtrace.appsec._iast._taint_tracking.aspects import add_aspect
 
             con = sqlite3.connect(":memory:")
@@ -922,7 +912,6 @@ def sqli_11():
 
             from flask import request
 
-            from ddtrace.appsec._iast._taint_tracking._taint_objects import is_pyobject_tainted
             from ddtrace.appsec._iast._taint_tracking.aspects import add_aspect
 
             def iterate_json(data, parent_key=""):
@@ -1063,7 +1052,6 @@ def sqli_10():
 
             from flask import request
 
-            from ddtrace.appsec._iast._taint_tracking._taint_objects import is_pyobject_tainted
             from ddtrace.appsec._iast._taint_tracking.aspects import add_aspect
 
             con = sqlite3.connect(":memory:")
@@ -1166,8 +1154,6 @@ def header_injection():
             from flask import Response
             from flask import request
 
-            from ddtrace.appsec._iast._taint_tracking._taint_objects import is_pyobject_tainted
-
             tainted_string = request.form.get("name")
             assert is_pyobject_tainted(tainted_string)
             resp = Response("OK")
@@ -1206,8 +1192,6 @@ def header_injection():
             from flask import Response
             from flask import request
 
-            from ddtrace.appsec._iast._taint_tracking._taint_objects import is_pyobject_tainted
-
             tainted_string = request.form.get("name")
             assert is_pyobject_tainted(tainted_string)
             resp = Response("OK")
@@ -1235,8 +1219,6 @@ def header_injection():
             from flask import Response
             from flask import request
 
-            from ddtrace.appsec._iast._taint_tracking._taint_objects import is_pyobject_tainted
-
             tainted_string = request.form.get("name")
             assert is_pyobject_tainted(tainted_string)
             resp = Response("OK")
@@ -1264,8 +1246,6 @@ def insecure_cookie():
             from flask import Response
             from flask import request
 
-            from ddtrace.appsec._iast._taint_tracking._taint_objects import is_pyobject_tainted
-
             tainted_string = request.form.get("name")
             assert is_pyobject_tainted(tainted_string)
             resp = Response("OK")
@@ -1302,8 +1282,6 @@ def insecure_cookie_empty():
             from flask import Response
             from flask import request
 
-            from ddtrace.appsec._iast._taint_tracking._taint_objects import is_pyobject_tainted
-
             tainted_string = request.form.get("name")
             assert is_pyobject_tainted(tainted_string)
             resp = Response("OK")
@@ -1332,8 +1310,6 @@ def no_http_only_cookie():
             from flask import Response
             from flask import request
 
-            from ddtrace.appsec._iast._taint_tracking._taint_objects import is_pyobject_tainted
-
             tainted_string = request.form.get("name")
             assert is_pyobject_tainted(tainted_string)
             resp = Response("OK")
@@ -1370,8 +1346,6 @@ def no_http_only_cookie_empty():
             from flask import Response
             from flask import request
 
-            from ddtrace.appsec._iast._taint_tracking._taint_objects import is_pyobject_tainted
-
             tainted_string = request.form.get("name")
             assert is_pyobject_tainted(tainted_string)
             resp = Response("OK")
@@ -1401,8 +1375,6 @@ def no_samesite_cookie():
             from flask import Response
             from flask import request
 
-            from ddtrace.appsec._iast._taint_tracking._taint_objects import is_pyobject_tainted
-
             tainted_string = request.form.get("name")
             assert is_pyobject_tainted(tainted_string)
             resp = Response("OK")
@@ -1439,8 +1411,6 @@ def no_samesite_cookie_empty():
             from flask import Response
             from flask import request
 
-            from ddtrace.appsec._iast._taint_tracking._taint_objects import is_pyobject_tainted
-
             tainted_string = request.form.get("name")
             assert is_pyobject_tainted(tainted_string)
             resp = Response("OK")
@@ -1467,8 +1437,6 @@ def cookie_secure():
             from flask import Response
             from flask import request
 
-            from ddtrace.appsec._iast._taint_tracking._taint_objects import is_pyobject_tainted
-
             tainted_string = request.form.get("name")
             assert is_pyobject_tainted(tainted_string)
             resp = Response("OK")