Merge branch 'main' into iast-stack-trace-nodejs

IlyasShabi · web-flow · commit 1b3e6041e3a9 · 2025-01-20T14:46:35.000+01:00
diff --git a/manifests/php.yml b/manifests/php.yml
@@ -7,8 +7,8 @@ tests/:
   appsec/:
     api_security/:
       test_api_security_rc.py:
-        Test_API_Security_RC_ASM_DD_processors: missing_feature
-        Test_API_Security_RC_ASM_DD_scanners: missing_feature
+        Test_API_Security_RC_ASM_DD_processors: v1.6.2
+        Test_API_Security_RC_ASM_DD_scanners: v1.6.2
         Test_API_Security_RC_ASM_processor_overrides_and_custom_scanner: irrelevant (waf does not support it yet)
       test_apisec_sampling.py: missing_feature
       test_schemas.py:
@@ -20,7 +20,7 @@ tests/:
         Test_Schema_Request_Path_Parameters: missing_feature
         Test_Schema_Request_Query_Parameters: v0.94.0
         Test_Schema_Response_Body: v0.99.1
-        Test_Schema_Response_Body_env_var: missing_feature
+        Test_Schema_Response_Body_env_var: v1.6.2
         Test_Schema_Response_Headers: v0.94.0
     iast/:
       sink/:
@@ -150,11 +150,69 @@ tests/:
       test_security_controls.py:
         TestSecurityControls: missing_feature
     rasp/:
-      test_cmdi.py: missing_feature
-      test_lfi.py: missing_feature
-      test_shi.py: missing_feature
-      test_sqli.py: missing_feature
-      test_ssrf.py: missing_feature
+      test_cmdi.py:
+        Test_Cmdi_BodyJson: missing_feature
+        Test_Cmdi_BodyUrlEncoded: missing_feature
+        Test_Cmdi_BodyXml: missing_feature
+        Test_Cmdi_Capability: missing_feature
+        Test_Cmdi_Mandatory_SpanTags: missing_feature
+        Test_Cmdi_Optional_SpanTags: missing_feature
+        Test_Cmdi_Rules_Version: v1.6.2
+        Test_Cmdi_StackTrace: missing_feature
+        Test_Cmdi_Telemetry: missing_feature
+        Test_Cmdi_Telemetry_Variant_Tag: missing_feature
+        Test_Cmdi_UrlQuery: missing_feature
+        Test_Cmdi_Waf_Version: v1.6.2
+      test_lfi.py:
+        Test_Lfi_BodyJson: missing_feature
+        Test_Lfi_BodyUrlEncoded: missing_feature
+        Test_Lfi_BodyXml: missing_feature
+        Test_Lfi_Capability: missing_feature
+        Test_Lfi_Mandatory_SpanTags: missing_feature
+        Test_Lfi_Optional_SpanTags: missing_feature
+        Test_Lfi_RC_CustomAction: missing_feature
+        Test_Lfi_Rules_Version:  v1.6.2
+        Test_Lfi_StackTrace: missing_feature
+        Test_Lfi_Telemetry: missing_feature
+        Test_Lfi_UrlQuery: missing_feature
+        Test_Lfi_Waf_Version:  v1.6.2
+      test_shi.py:
+        Test_Shi_BodyJson: missing_feature
+        Test_Shi_BodyUrlEncoded: missing_feature
+        Test_Shi_BodyXml: missing_feature
+        Test_Shi_Capability: missing_feature
+        Test_Shi_Mandatory_SpanTags: missing_feature
+        Test_Shi_Optional_SpanTags: missing_feature
+        Test_Shi_Rules_Version:  v1.6.2
+        Test_Shi_StackTrace: missing_feature
+        Test_Shi_Telemetry: missing_feature
+        Test_Shi_Telemetry_Variant_Tag: missing_feature
+        Test_Shi_UrlQuery: missing_feature
+        Test_Shi_Waf_Version:  v1.6.2
+      test_sqli.py:
+        Test_Sqli_BodyJson: missing_feature
+        Test_Sqli_BodyUrlEncoded: missing_feature
+        Test_Sqli_BodyXml: missing_feature
+        Test_Sqli_Capability: missing_feature
+        Test_Sqli_Mandatory_SpanTags: missing_feature
+        Test_Sqli_Optional_SpanTags: missing_feature
+        Test_Sqli_Rules_Version:  v1.6.2
+        Test_Sqli_StackTrace: missing_feature
+        Test_Sqli_Telemetry: missing_feature
+        Test_Sqli_UrlQuery: missing_feature
+        Test_Sqli_Waf_Version:  v1.6.2
+      test_ssrf.py:
+        Test_Ssrf_BodyJson: missing_feature
+        Test_Ssrf_BodyUrlEncoded: missing_feature
+        Test_Ssrf_BodyXml: missing_feature
+        Test_Ssrf_Capability: missing_feature
+        Test_Ssrf_Mandatory_SpanTags: missing_feature
+        Test_Ssrf_Optional_SpanTags: missing_feature
+        Test_Ssrf_Rules_Version:  v1.6.2
+        Test_Ssrf_StackTrace: missing_feature
+        Test_Ssrf_Telemetry: missing_feature
+        Test_Ssrf_UrlQuery: missing_feature
+        Test_Ssrf_Waf_Version:  v1.6.2
     waf/:
       test_addresses.py:
         Test_BodyJson: v0.98.1 # TODO what is the earliest version?
@@ -223,16 +281,16 @@ tests/:
     test_blocking_addresses.py:
       Test_BlockingGraphqlResolvers: missing_feature
       Test_Blocking_request_body: irrelevant (Php does not accept url encoded entries without key)
-      Test_Blocking_request_body_multipart: missing_feature
+      Test_Blocking_request_body_multipart: v1.6.2
       Test_Blocking_response_headers: irrelevant (On php it is not possible change the status code once its header is sent)
       Test_Blocking_response_status: irrelevant (On php it is not possible change the status code once its header is sent)
-      Test_Suspicious_Request_Blocking: missing_feature (v0.86.0 but test is not implemented)
+      Test_Suspicious_Request_Blocking:  v1.6.2
     test_client_ip.py:
       Test_StandardTagsClientIp: v0.81.0
     test_fingerprinting.py:
-      Test_Fingerprinting_Endpoint: missing_feature
+      Test_Fingerprinting_Endpoint: v1.6.2
       Test_Fingerprinting_Endpoint_Capability: missing_feature
-      Test_Fingerprinting_Header_And_Network: missing_feature
+      Test_Fingerprinting_Header_And_Network: v1.6.2
       Test_Fingerprinting_Header_Capability: missing_feature
       Test_Fingerprinting_Network_Capability: missing_feature
       Test_Fingerprinting_Session: missing_feature
@@ -247,16 +305,16 @@ tests/:
       Test_SecurityEvents_Iast_Metastruct_Disabled: irrelevant (no fallback will be implemented)
       Test_SecurityEvents_Iast_Metastruct_Enabled: missing_feature
     test_remote_config_rule_changes.py:
-      Test_BlockingActionChangesWithRemoteConfig: missing_feature
-      Test_UpdateRuleFileWithRemoteConfig: missing_feature (v0.8.0 but lacks telemetry support)
+      Test_BlockingActionChangesWithRemoteConfig: v1.6.2
+      Test_UpdateRuleFileWithRemoteConfig: v1.6.2
     test_reports.py:
       Test_ExtraTagsFromRule: v0.88.0
       Test_Info: v0.68.3  # probably 0.68.2, but was flaky
     test_request_blocking.py:
-      Test_AppSecRequestBlocking: missing_feature # missing version
+      Test_AppSecRequestBlocking: v1.6.2
     test_runtime_activation.py:
-      Test_RuntimeActivation: missing_feature # missing version
-      Test_RuntimeDeactivation: missing_feature # missing version
+      Test_RuntimeActivation: v1.6.2
+      Test_RuntimeDeactivation: v1.6.2
     test_shell_execution.py:
       Test_ShellExecution: v0.95.0
     test_suspicious_attacker_blocking.py:
diff --git a/tests/appsec/test_automated_login_events.py b/tests/appsec/test_automated_login_events.py
@@ -1928,6 +1928,7 @@ def setup_login_event_blocking_auto_id(self):
         self.config_state_3 = rc.rc_state.set_config(*BLOCK_USER_ID).apply()
         self.r_login_blocked = weblog.post("/login?auth=local", data=login_data(context, USER, PASSWORD))
 
+    @irrelevant(context.library == "java", reason="Blocking by user ID not available in java")
     def test_login_event_blocking_auto_id(self):
         assert self.config_state_1[rc.RC_STATE] == rc.ApplyState.ACKNOWLEDGED
         assert self.r_login.status_code == 200
diff --git a/utils/proxy/_deserializer.py b/utils/proxy/_deserializer.py
@@ -247,15 +247,27 @@ def _deserialize_file_in_multipart_form_data(
             item["system-tests-error"] = "Filename not found in content-disposition, please contact #apm-shared-testing"
         else:
             filename = meta_data["filename"].strip('"')
+            item["system-tests-filename"] = filename
+
             if filename.lower().endswith(".gz"):
                 filename = filename[:-3]
-            file_path = f"{export_content_files_to}/{md5(content).hexdigest()}_{filename}"
 
-            with open(file_path, "wb") as f:
-                f.write(content)
+            content_is_deserialized = False
+            if filename.lower().endswith(".json"):
+                try:
+                    item["content"] = json.loads(content)
+                    content_is_deserialized = True
+                except json.JSONDecodeError:
+                    item["system-tests-error"] = "Can't decode json file"
+
+            if not content_is_deserialized:
+                file_path = f"{export_content_files_to}/{md5(content).hexdigest()}_{filename}"
+
+                item["system-tests-information"] = "File exported to a separated file"
+                item["system-tests-file-path"] = file_path
 
-            item["system-tests-information"] = "File exported to a separated file"
-            item["system-tests-file-path"] = file_path
+                with open(file_path, "wb") as f:
+                    f.write(content)
 
 
 def _deserialized_nested_json_from_trace_payloads(content, interface):
