Add basic blocking tests #510
Conversation
cataphract
force-pushed
the
glopes/blocking
branch
from
9a74050 to
71d12c8
Compare
|
Changing it as a draft, as we are spammed by PR on slack. Please set it back to nroaml once it's ready |
|
I've updated your branch, there were an issue fixed by #519 |
|
There is now an IP_BLOCKIG_SCENARIO, can I close this PR @cataphract ? |
This one mainly tests that the response respects the Accept headers, so they're mostly orthogonal. |
|
ok, so what can I do to help moving forward on this one ? |
cataphract
force-pushed
the
glopes/blocking
branch
2 times, most recently
from
62adc71 to
6de9f33
Compare
cataphract
force-pushed
the
glopes/blocking
branch
4 times, most recently
from
b015f2c to
9980198
Compare
| def test_blocking_appsec_blocked_tag(self): | ||
| """Tag ddappsec.blocked is set when blocking""" | ||
| r = self.weblog_get("/waf/", headers={"User-Agent": "Arachni/v1", "Accept": "*/*"}) | ||
| assert r.status_code == 403 |
There was a problem hiding this comment.
| assert r.status_code == 403 | |
| interfaces.library.add_assertion(r.status_code == 403) |
And same for all others synchronous assertions
cataphract
force-pushed
the
glopes/blocking
branch
from
9980198 to
1e532cc
Compare
|
checking the failure |
|
I've added a small fix that prevent synchronous failures |
|
Seems to be good, just need to skiping open liberty |
|
@cataphract does this PR still relevant ? |
cataphract
force-pushed
the
glopes/blocking
branch
from
fe35b12 to
4160505
Compare
cataphract
force-pushed
the
glopes/blocking
branch
2 times, most recently
from
0221f88 to
a202c08
Compare
@cbeauchesne Sure. I've updated it. Can you approve and merge? |
tests/appsec/waf/test_blocking.py
Outdated
| @bug(context.library < "java@0.115.0" and context.weblog_variant == "spring-boot-undertow", reason="npe") | ||
| def test_no_accept(self): | ||
| """Blocking without an accept header""" | ||
| r = weblog.get("/waf/", headers={"User-Agent": "Arachni/v1"}) |
There was a problem hiding this comment.
can you add a method setup_no_accept and send the request in it (save it as self.r_not_accept) ?
tests/appsec/waf/test_blocking.py
Outdated
|
|
||
| def test_accept_all(self): | ||
| """Blocking with Accept: */*""" | ||
| r = weblog.get("/waf/", headers={"User-Agent": "Arachni/v1", "Accept": "*/*"}) |
There was a problem hiding this comment.
Same comment, add a metohd setup_accept_all and send request inside it.
tests/appsec/waf/test_blocking.py
Outdated
| def test_accept_partial_json(self): | ||
| """Blocking with Accept: application/*""" | ||
| # */* should be ignored because there are more specific matches for text/html and application/json | ||
| r = weblog.get( |
tests/appsec/waf/test_blocking.py
Outdated
|
|
||
| def test_accept_partial_html(self): | ||
| """Blocking with Accept: text/*""" | ||
| r = weblog.get( |
tests/appsec/waf/test_blocking.py
Outdated
|
|
||
| def test_accept_full_json(self): | ||
| """Blocking with Accept: application/json""" | ||
| r = weblog.get( |
tests/appsec/waf/test_blocking.py
Outdated
|
|
||
| def test_accept_full_html(self): | ||
| """Blocking with Accept: text/html""" | ||
| r = weblog.get( |
|
I've converted the PR as a draft (we ares spammed on slack by PR to be reviwed. Please set it back to ready once comment are fixed :) |
cataphract
force-pushed
the
glopes/blocking
branch
2 times, most recently
from
ad23db8 to
6222ed0
Compare
cataphract
force-pushed
the
glopes/blocking
branch
from
6222ed0 to
53afa31
Compare
tests/test_standard_tags.py
Outdated
| @@ -38,7 +38,6 @@ def test_method_trace(self): | |||
| @released(dotnet="2.13.0", golang="1.40.0", java="0.107.1", nodejs="3.0.0") | |||
| @released(php="0.76.0", python="1.6.0rc1.dev", ruby="?") | |||
| @rfc("https://datadoghq.atlassian.net/wiki/spaces/APS/pages/2490990623/QueryString+-+Sensitive+Data+Obfuscation") | |||
| @bug(weblog_variant="spring-boot-undertow", reason="APMJAVA-877") | |||
There was a problem hiding this comment.
MMh, now it's removed? I may have added a dummy comment, or is it some merge issue ?
| @@ -216,6 +217,8 @@ def add_main_job(i, workflow, needs, scenarios): | |||
|
|
|||
| if scenario == "TRACE_PROPAGATION_STYLE_W3C": # TODO: fix weblog to allow this value for old tracer | |||
| step["if"] = "${{ matrix.variant.library != 'python' }}" # TODO | |||
| elif scenario == "APPSEC_BLOCKING": | |||
| step["if"] = "${{ matrix.library == 'java' }}" | |||
There was a problem hiding this comment.
Why? if the test if flagged as fail, it's ok to run it.
There was a problem hiding this comment.
We can run it, but we're gonna waste CPU because it won't pass outside java
cataphract
force-pushed
the
glopes/blocking
branch
from
53afa31 to
0c10fbf
Compare
|
@CharlesMasson this should be ready now. Failures seem are unrelated. |
No description provided.