# Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0.
# This product includes software developed at Datadog (https://www.datadoghq.com/).
# Copyright 2021 Datadog, Inc.
from utils import context, missing_feature, scenarios, features, rfc, weblog
from ..utils import BaseSinkTest, validate_stack_traces
@scenarios.integrations
@features.iast_sink_mongodb_injection
class TestNoSqlMongodbInjection(BaseSinkTest):
    """Verify that IAST detects NoSQL injection on the MongoDB sink.

    This class only supplies configuration: the vulnerability type, the HTTP
    method, the two endpoints, the request body and the expected source
    locations. The checks themselves are inherited from ``BaseSinkTest``,
    which is defined outside this file.
    """

    # Identifier of the finding the inherited checks look for.
    vulnerability_type = "NOSQL_MONGODB_INJECTION"
    http_method = "POST"

    # NOTE(review): presumably the insecure endpoint feeds the request body
    # into a MongoDB query unchanged and the secure one sanitizes it first
    # (the express5 marker below mentions express-mongo-sanitize) -- confirm
    # against the weblog implementation.
    insecure_endpoint = "/iast/mongodb-nosql-injection/test_insecure"
    secure_endpoint = "/iast/mongodb-nosql-injection/test_secure"

    # Request body sent to both endpoints; the value is a plain string.
    data = {"key": "somevalue"}

    # Expected source file of the finding, per library and weblog variant.
    location_map = {
        "nodejs": {
            "express4": "iast/index.js",
            "express4-typescript": "iast.ts",
            "express5": "iast/index.js",
        }
    }

    @missing_feature(
        context.weblog_variant == "express5",
        reason="express-mongo-sanitize is not yet compatible with express5",
    )
    def test_secure(self):
        """Run the inherited secure-endpoint check; marked missing on express5."""
        super().test_secure()

    # NOTE(review): "[email protected]" looks like an e-mail-obfuscation artifact of
    # the page render standing in for a "<library>@<version>" string; restore
    # the real value from the repository before relying on this marker.
    @missing_feature(context.library < "[email protected]", reason="Not implemented yet")
    @missing_feature(library="python", reason="Not implemented yet")
    @missing_feature(library="dotnet", reason="Not implemented yet")
    def test_telemetry_metric_instrumented_sink(self):
        """Run the inherited instrumented-sink telemetry metric check."""
        super().test_telemetry_metric_instrumented_sink()

    # NOTE(review): same obfuscated "[email protected]" version string as above;
    # confirm the intended library and version.
    @missing_feature(context.library < "[email protected]", reason="Not implemented yet")
    @missing_feature(library="python", reason="Not implemented yet")
    def test_telemetry_metric_executed_sink(self):
        """Run the inherited executed-sink telemetry metric check."""
        super().test_telemetry_metric_executed_sink()
@rfc(
    "https://docs.google.com/document/d/1ga7yCKq2htgcwgQsInYZKktV0hNlv4drY9XzSxT-o5U/edit?tab=t.0#heading=h.d0f5wzmlfhat"
)
@scenarios.integrations
@features.iast_stack_trace
class TestNoSqlMongodbInjection_StackTrace:
    """Validate stack trace generation for a request to the insecure MongoDB endpoint."""

    def setup_stack_trace(self):
        """POST the sample body to the insecure endpoint and keep the response.

        NOTE(review): presumably the test framework calls this before
        ``test_stack_trace`` -- confirm against the runner's setup convention.
        """
        endpoint = "/iast/mongodb-nosql-injection/test_insecure"
        body = {"key": "somevalue"}
        self.r = weblog.post(endpoint, data=body)

    def test_stack_trace(self):
        """Pass the stored response to ``validate_stack_traces``."""
        validate_stack_traces(self.r)