switch view to post

DataDog · Jan 16, 2025 · d826eab · d826eab
1 parent 2136e60
commit d826eab
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 7 deletions.
diff --git a/tests/contrib/django/django_app/appsec_urls.py b/tests/contrib/django/django_app/appsec_urls.py
@@ -108,15 +108,24 @@ def sqli_http_request_parameter(request):
     return HttpResponse(request.META["HTTP_USER_AGENT"], status=200)
 
 
-def sqli_http_request_parameter_name(request):
+def sqli_http_request_parameter_name_get(request):
     obj = " 1"
     with connection.cursor() as cursor:
-        # label iast_enabled_sqli_http_request_parameter_name
+        # label iast_enabled_sqli_http_request_parameter_name_get
         cursor.execute(add_aspect(list(request.GET.keys())[0], obj))
 
     return HttpResponse(request.META["HTTP_USER_AGENT"], status=200)
 
 
+def sqli_http_request_parameter_name_post(request):
+    obj = " 1"
+    with connection.cursor() as cursor:
+        # label iast_enabled_sqli_http_request_parameter_name_post
+        cursor.execute(add_aspect(list(request.POST.keys())[0], obj))
+
+    return HttpResponse(request.META["HTTP_USER_AGENT"], status=200)
+
+
 def sqli_http_request_header_name(request):
     key = [x for x in request.META.keys() if x == "master"][0]
 
@@ -316,7 +325,14 @@ def validate_querydict(request):
     handler("taint-checking-disabled/$", taint_checking_disabled_view, name="taint_checking_disabled_view"),
     handler("sqli_http_request_parameter/$", sqli_http_request_parameter, name="sqli_http_request_parameter"),
     handler(
-        "sqli_http_request_parameter_name/$", sqli_http_request_parameter_name, name="sqli_http_request_parameter_name"
+        "sqli_http_request_parameter_name_get/$",
+        sqli_http_request_parameter_name_get,
+        name="sqli_http_request_parameter_name_get",
+    ),
+    handler(
+        "sqli_http_request_parameter_name_post/$",
+        sqli_http_request_parameter_name_post,
+        name="sqli_http_request_parameter_name_post",
     ),
     handler("sqli_http_request_header_name/$", sqli_http_request_header_name, name="sqli_http_request_header_name"),
     handler("sqli_http_request_header_value/$", sqli_http_request_header_value, name="sqli_http_request_header_value"),

diff --git a/tests/contrib/django/test_django_appsec_iast.py b/tests/contrib/django/test_django_appsec_iast.py
@@ -247,15 +247,15 @@ def test_django_tainted_user_agent_iast_enabled_sqli_http_request_parameter(clie
 
 @pytest.mark.django_db()
 @pytest.mark.skipif(not python_supported_by_iast(), reason="Python version not supported by IAST")
-def test_django_tainted_user_agent_iast_enabled_sqli_http_request_parameter_name(client, test_spans, tracer):
+def test_django_tainted_user_agent_iast_enabled_sqli_http_request_parameter_name_post(client, test_spans, tracer):
     with override_global_config(dict(_iast_enabled=True, _deduplication_enabled=False, _iast_request_sampling=100.0)):
         root_span, response = _aux_appsec_get_root_span(
             client,
             test_spans,
             tracer,
-            payload=urlencode({"mytestingbody_key": "mytestingbody_value"}),
+            payload=urlencode({"SELECT": "unused"}),
             content_type="application/x-www-form-urlencoded",
-            url="/appsec/sqli_http_request_parameter_name/?SELECT=unused",
+            url="/appsec/sqli_http_request_parameter_name_post/",
             headers={"HTTP_USER_AGENT": "test/1.2.3"},
         )
 
@@ -267,7 +267,7 @@ def test_django_tainted_user_agent_iast_enabled_sqli_http_request_parameter_name
         loaded = json.loads(root_span.get_tag(IAST.JSON))
 
         line, hash_value = get_line_and_hash(
-            "iast_enabled_sqli_http_request_parameter_name", vuln_type, filename=TEST_FILE
+            "iast_enabled_sqli_http_request_parameter_name_post", vuln_type, filename=TEST_FILE
         )
 
         assert loaded["sources"] == [