From 0d1d59b30bf30d0e7b1e04069d76a8e9d227aaca Mon Sep 17 00:00:00 2001
From: BitterPanda <bitterpanda@proton.me>
Date: Mon, 25 Aug 2025 13:52:06 +0200
Subject: [PATCH 01/24] Port e2e utils

---
 end2end/utils/__init__.py                     | 77 +++++++++++++++++++
 end2end/utils/assert_equals.py                |  4 +
 end2end/utils/event_handler.py                | 25 ++++++
 end2end/utils/request.py                      | 30 ++++++++
 end2end/utils/test_payloads_safe_vs_unsafe.py | 13 ++++
 5 files changed, 149 insertions(+)
 create mode 100644 end2end/utils/__init__.py
 create mode 100644 end2end/utils/assert_equals.py
 create mode 100644 end2end/utils/event_handler.py
 create mode 100644 end2end/utils/request.py
 create mode 100644 end2end/utils/test_payloads_safe_vs_unsafe.py

diff --git a/end2end/utils/__init__.py b/end2end/utils/__init__.py
new file mode 100644
index 000000000..c2b66abee
--- /dev/null
+++ b/end2end/utils/__init__.py
@@ -0,0 +1,77 @@
+import time
+import requests
+
+from .event_handler import EventHandler
+from .assert_equals import assert_eq
+from .request import Request
+from .test_payloads_safe_vs_unsafe import test_payloads_safe_vs_unsafe
+
+class App:
+    def __init__(self, port):
+        self.urls = {
+            "enabled": f"http://localhost:{port}",
+            "disabled": f"http://localhost:{port + 1}"
+        }
+        self.payloads = {}
+        self.event_handler = EventHandler()
+        if not wait_until_live(self.urls["enabled"]):
+            raise Exception(self.urls["enabled"] + " is not turning on.")
+        if not wait_until_live(self.urls["disabled"]):
+            raise Exception(self.urls["disabled"] + " is not turning on.")
+
+    def add_payload(self,key, safe_request, unsafe_request=None, test_event=None):
+        self.payloads[key] = {
+            "safe": safe_request,
+            "unsafe": unsafe_request,
+            "test_event": test_event
+        }
+
+    def test_payload(self, key):
+        if key not in self.payloads:
+            raise Exception("Payload " + key + " not found.")
+        payload = self.payloads.get(key)
+
+        self.event_handler.reset()
+        test_payloads_safe_vs_unsafe(payload, self.urls)
+        print("✅ Tested payload: " + key)
+
+        if not payload["test_event"]:
+            return # Finished tests.
+
+        time.sleep(5)
+        attacks = self.event_handler.fetch_attacks()
+        assert_eq(len(attacks), equals=1)
+        if isinstance(payload["test_event"], dict):
+            for k, v in payload["test_event"].items():
+                if k == "user_id":  # exemption rule for user ids
+                    assert_eq(attacks[0]["attack"]["user"]["id"], v)
+                else:
+                    assert_eq(attacks[0]["attack"][k], equals=v)
+            print("✅ Tested accurate event reporting for: " + key)
+
+    def test_all_payloads(self):
+        for key in self.payloads.keys():
+            self.test_payload(key)
+
+    def get_heartbeat(self):
+        print("↺ Fetching latest heartbeat")
+        heartbeats = self.event_handler.fetch_heartbeats()
+        while len(heartbeats) == 0:
+            heartbeats = self.event_handler.fetch_heartbeats()
+            time.sleep(5)
+        assert_eq(len(heartbeats), equals=1)
+        return heartbeats[0]
+
+def wait_until_live(url):
+    for i in range(10):
+        try:
+            res = requests.get(url, timeout=5)
+            if res.status_code == 200:
+                print("Server is live: " + url)
+                return True
+            else:
+                print("Status code " + str(res.status_code) + " for " + url)
+        except requests.RequestException as e:
+            print(f"Request failed: {e}")
+        time.sleep(5)
+    return False
diff --git a/end2end/utils/assert_equals.py b/end2end/utils/assert_equals.py
new file mode 100644
index 000000000..78fc82d7b
--- /dev/null
+++ b/end2end/utils/assert_equals.py
@@ -0,0 +1,4 @@
+def assert_eq(val1, equals, val2=None):
+    assert val1 == equals, f"Assertion failed: Expected {equals} != {val1}"
+    if val2 is not None:
+        assert val2 == equals, f"Assertion failed: Expected {equals} != {val2}"
diff --git a/end2end/utils/event_handler.py b/end2end/utils/event_handler.py
new file mode 100644
index 000000000..7f6832a8c
--- /dev/null
+++ b/end2end/utils/event_handler.py
@@ -0,0 +1,25 @@
+import time
+import requests
+import json
+
+class EventHandler:
+    def __init__(self, url="http://localhost:5000"):
+        self.url = url
+    def reset(self):
+        print("Resetting stored events on mock server")
+        res = requests.get(self.url + "/mock/reset", timeout=5)
+        time.sleep(1)
+    def fetch_events_from_mock(self):
+        res = requests.get(self.url + "/mock/events", timeout=5)
+        json_events = json.loads(res.content.decode("utf-8"))
+        return json_events
+
+    def fetch_attacks(self):
+        return filter_on_event_type(self.fetch_events_from_mock(), "detected_attack")
+
+    def fetch_heartbeats(self):
+        return filter_on_event_type(self.fetch_events_from_mock(), "heartbeat")
+
+
+def filter_on_event_type(events, type):
+    return [event for event in events if event["type"] == type]
diff --git a/end2end/utils/request.py b/end2end/utils/request.py
new file mode 100644
index 000000000..4a4eff6a8
--- /dev/null
+++ b/end2end/utils/request.py
@@ -0,0 +1,30 @@
+import requests
+
+class Request:
+    def __init__(self, route, method='POST', headers=None, data_type='json', body=None):
+        self.method = method
+        self.route = route
+        self.headers = headers if headers is not None else {}
+        self.data_type = data_type  # 'json' or 'form'
+        self.body = body
+
+    def execute(self, base_url):
+        """Execute the request and return the status code."""
+        url = f"{base_url}{self.route}"
+
+        if self.method.upper() == 'POST':
+            if self.data_type == 'json':
+                response = requests.post(url, json=self.body, headers=self.headers)
+            elif self.data_type == 'form':
+                response = requests.post(url, data=self.body, headers=self.headers)
+            else:
+                raise ValueError("Unsupported data type. Use 'json' or 'form'.")
+        elif self.method.upper() == 'GET':
+            response = requests.get(url, headers=self.headers)
+        else:
+            raise ValueError("Unsupported HTTP method. Use 'GET' or 'POST'.")
+
+        return response.status_code
+
+    def __str__(self):
+        return f"Request(method={self.method}, route={self.route}, headers={self.headers}, data_type={self.data_type}, body={self.body})"
diff --git a/end2end/utils/test_payloads_safe_vs_unsafe.py b/end2end/utils/test_payloads_safe_vs_unsafe.py
new file mode 100644
index 000000000..ca50c7949
--- /dev/null
+++ b/end2end/utils/test_payloads_safe_vs_unsafe.py
@@ -0,0 +1,13 @@
+from . import assert_eq
+
+def test_payloads_safe_vs_unsafe(payloads, urls):
+    if payloads["safe"]:
+        print("Safe req to : (1) " + urls["enabled"] + payloads["safe"].route)
+        assert_eq(val1=payloads["safe"].execute(urls["enabled"]), equals=200)
+        print("Safe req to : (0) " + urls["disabled"] + payloads["safe"].route)
+        assert_eq(val1=payloads["safe"].execute(urls["disabled"]), equals=200)
+    if payloads["unsafe"]:
+        print("Unsafe req to : (1) " + urls["enabled"] + payloads["unsafe"].route)
+        assert_eq(val1=payloads["unsafe"].execute(urls["enabled"]), equals=500)
+        print("Unsafe req to : (0) " + urls["disabled"] + payloads["unsafe"].route)
+        assert_eq(val1=payloads["unsafe"].execute(urls["disabled"]), equals=200)

From 448c4f5feadc696d6a86dbcde9f92ef63f618253 Mon Sep 17 00:00:00 2001
From: BitterPanda <bitterpanda@proton.me>
Date: Mon, 25 Aug 2025 14:04:20 +0200
Subject: [PATCH 02/24] Add django_mysql_gunicorn test cases

---
 .github/workflows/end2end.yml         |  6 +--
 end2end/django_mysql_gunicorn.py      | 23 ++++++++++
 end2end/django_mysql_gunicorn_test.py | 61 ---------------------------
 3 files changed, 26 insertions(+), 64 deletions(-)
 create mode 100644 end2end/django_mysql_gunicorn.py
 delete mode 100644 end2end/django_mysql_gunicorn_test.py

diff --git a/.github/workflows/end2end.yml b/.github/workflows/end2end.yml
index b0aa349bb..8b770f27a 100644
--- a/.github/workflows/end2end.yml
+++ b/.github/workflows/end2end.yml
@@ -26,7 +26,7 @@ jobs:
       matrix:
         app:
           - { name: django-mysql, testfile: end2end/django_mysql_test.py }
-          - { name: django-mysql-gunicorn, testfile: end2end/django_mysql_gunicorn_test.py }
+          - { name: django-mysql-gunicorn, testfile: end2end/django_mysql_gunicorn.py }
           - { name: django-postgres-gunicorn, testfile: end2end/django_postgres_gunicorn_test.py }
           - { name: flask-mongo, testfile: end2end/flask_mongo_test.py }
           - { name: flask-mysql, testfile: end2end/flask_mysql_test.py }
@@ -65,7 +65,7 @@ jobs:
       - name: Start application
         working-directory: ./sample-apps/${{ matrix.app.name }}
         run: |
-          nohup make run > output.log & tail -f output.log & sleep 20
-          nohup make runZenDisabled & sleep 20
+          nohup make run > output.log & sleep 1
+          nohup make runZenDisabled & sleep 1
       - name: Run end2end tests for application
         run: tail -f  ./sample-apps/${{ matrix.app.name }}/output.log & poetry run pytest ./${{ matrix.app.testfile }}
diff --git a/end2end/django_mysql_gunicorn.py b/end2end/django_mysql_gunicorn.py
new file mode 100644
index 000000000..4bb38e1ae
--- /dev/null
+++ b/end2end/django_mysql_gunicorn.py
@@ -0,0 +1,23 @@
+from utils import App, Request
+
+django_mysql_gunicorn_app = App(8082)
+
+django_mysql_gunicorn_app.add_payload(
+    "test_sql_injection",
+    safe_request=Request("/app/create/", data_type="form", body={"dog_name": "Bobby Tables"}),
+    unsafe_request=Request("/app/create/", data_type="form", body={"dog_name": 'Dangerous bobby", 1); -- '}),
+    test_event={
+        "blocked": True,
+        "kind": "sql_injection",
+        'metadata': {
+            'dialect': 'mysql',
+            'sql': 'INSERT INTO sample_app_dogs (dog_name, dog_boss) VALUES ("Dangerous bobby", 1); -- ", "N/A")'
+        },
+        'operation': 'MySQLdb.Cursor.execute',
+        'pathToPayload': '.dog_name',
+        'payload': '"Dangerous bobby\\", 1); -- "',
+        'source': "body",
+    }
+)
+
+django_mysql_gunicorn_app.test_all_payloads()
diff --git a/end2end/django_mysql_gunicorn_test.py b/end2end/django_mysql_gunicorn_test.py
deleted file mode 100644
index 8b68f1978..000000000
--- a/end2end/django_mysql_gunicorn_test.py
+++ /dev/null
@@ -1,61 +0,0 @@
-import pytest
-import requests
-import time
-from .server.check_events_from_mock import fetch_events_from_mock, validate_started_event, filter_on_event_type
-
-# e2e tests for django_mysql_gunicorn sample app
-post_url_fw = "http://localhost:8082/app/create/"
-post_url_nofw = "http://localhost:8083/app/create/"
-
-def test_firewall_started_okay():
-    events = fetch_events_from_mock("http://localhost:5000")
-    started_events = filter_on_event_type(events, "started")
-    assert len(started_events) == 1
-    validate_started_event(started_events[0], ["gunicorn", "django"])
-
-def test_safe_response_with_firewall():
-    dog_name = "Bobby Tables"
-    res = requests.post(post_url_fw, data={'dog_name': dog_name})
-    assert res.status_code == 200
-
-
-def test_safe_response_without_firewall():
-    dog_name = "Bobby Tables"
-    res = requests.post(post_url_nofw, data={'dog_name': dog_name})
-    assert res.status_code == 200
-
-
-def test_dangerous_response_with_firewall():
-    dog_name = 'Dangerous bobby", 1); -- '
-    res = requests.post(post_url_fw, data={'dog_name': dog_name})
-    assert res.status_code == 500
-
-    time.sleep(5) # Wait for attack to be reported
-    events = fetch_events_from_mock("http://localhost:5000")
-    attacks = filter_on_event_type(events, "detected_attack")
-    
-    assert len(attacks) == 1
-    del attacks[0]["attack"]["stack"]
-    assert attacks[0]["attack"] == {
-        "blocked": True,
-        "kind": "sql_injection",
-        'metadata': {
-            'dialect': 'mysql',
-            'sql': 'INSERT INTO sample_app_dogs (dog_name, dog_boss) VALUES ("Dangerous bobby", 1); -- ", "N/A")'
-        },
-        'operation': 'MySQLdb.Cursor.execute',
-        'pathToPayload': '.dog_name.[0]',
-        'payload': '"Dangerous bobby\\", 1); -- "',
-        'source': "body",
-        'user': None
-    }
-
-    assert attacks[0]["request"]["source"] == "django"
-    assert attacks[0]["request"]["route"] == "/app/create"
-    assert attacks[0]["request"]["userAgent"] == "python-requests/2.32.3"
-
-def test_dangerous_response_without_firewall():
-    dog_name = 'Dangerous bobby", 1); -- '
-    res = requests.post(post_url_nofw, data={'dog_name': dog_name})
-    assert res.status_code == 200
-

From 560126f2f0a1c175f42f9e3ab2d1a1f33c176e6c Mon Sep 17 00:00:00 2001
From: BitterPanda <bitterpanda@proton.me>
Date: Mon, 25 Aug 2025 14:04:30 +0200
Subject: [PATCH 03/24] Fix utils bug for django

---
 end2end/utils/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/end2end/utils/__init__.py b/end2end/utils/__init__.py
index c2b66abee..fa052dd64 100644
--- a/end2end/utils/__init__.py
+++ b/end2end/utils/__init__.py
@@ -66,7 +66,7 @@ def wait_until_live(url):
     for i in range(10):
         try:
             res = requests.get(url, timeout=5)
-            if res.status_code == 200:
+            if res.status_code in [200, 404]:
                 print("Server is live: " + url)
                 return True
             else:

From c1bc3cf268842e6fffc02eee976d2b5b415acda9 Mon Sep 17 00:00:00 2001
From: BitterPanda <bitterpanda@proton.me>
Date: Mon, 25 Aug 2025 14:04:45 +0200
Subject: [PATCH 04/24] remove pytest for e2e

---
 .github/workflows/end2end.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/end2end.yml b/.github/workflows/end2end.yml
index 8b770f27a..5f4c3130f 100644
--- a/.github/workflows/end2end.yml
+++ b/.github/workflows/end2end.yml
@@ -68,4 +68,4 @@ jobs:
           nohup make run > output.log & sleep 1
           nohup make runZenDisabled & sleep 1
       - name: Run end2end tests for application
-        run: tail -f  ./sample-apps/${{ matrix.app.name }}/output.log & poetry run pytest ./${{ matrix.app.testfile }}
+        run: tail -f  ./sample-apps/${{ matrix.app.name }}/output.log & poetry run python ./${{ matrix.app.testfile }}

From 6d535d22f068edbc7b18f4b40dadd50b41f3729f Mon Sep 17 00:00:00 2001
From: BitterPanda <bitterpanda@proton.me>
Date: Mon, 25 Aug 2025 14:37:39 +0200
Subject: [PATCH 05/24] Refactor django_mysql e2e test

---
 .github/workflows/end2end.yml |   2 +-
 end2end/django_mysql.py       |  73 ++++++++++++++++++++++
 end2end/django_mysql_test.py  | 114 ----------------------------------
 3 files changed, 74 insertions(+), 115 deletions(-)
 create mode 100644 end2end/django_mysql.py
 delete mode 100644 end2end/django_mysql_test.py

diff --git a/.github/workflows/end2end.yml b/.github/workflows/end2end.yml
index 5f4c3130f..f09df0224 100644
--- a/.github/workflows/end2end.yml
+++ b/.github/workflows/end2end.yml
@@ -25,7 +25,7 @@ jobs:
     strategy:
       matrix:
         app:
-          - { name: django-mysql, testfile: end2end/django_mysql_test.py }
+          - { name: django-mysql, testfile: end2end/django_mysql.py }
           - { name: django-mysql-gunicorn, testfile: end2end/django_mysql_gunicorn.py }
           - { name: django-postgres-gunicorn, testfile: end2end/django_postgres_gunicorn_test.py }
           - { name: flask-mongo, testfile: end2end/flask_mongo_test.py }
diff --git a/end2end/django_mysql.py b/end2end/django_mysql.py
new file mode 100644
index 000000000..2ef39a593
--- /dev/null
+++ b/end2end/django_mysql.py
@@ -0,0 +1,73 @@
+from end2end.utils import assert_eq
+from utils import App, Request
+
+django_mysql_app = App(8080)
+
+django_mysql_app.add_payload(
+    "test_sql_injection",
+    safe_request=Request("/app/create", data_type="form", body={"dog_name": "Bobby Tables"}),
+    unsafe_request=Request("/app/create", data_type="form", body={"dog_name": 'Dangerous bobby", 1); -- '}),
+    test_event={
+        "blocked": True,
+        "kind": "sql_injection",
+        'metadata': {
+            'dialect': 'mysql',
+            'sql': 'INSERT INTO sample_app_dogs (dog_name, dog_boss) VALUES ("Dangerous bobby", 1); -- ", "N/A")'
+        },
+        'operation': 'MySQLdb.Cursor.execute',
+        'pathToPayload': '.dog_name',
+        'payload': '"Dangerous bobby\\", 1); -- "',
+        'source': "body",
+    }
+)
+
+django_mysql_app.add_payload(
+    "test_shell_injection",
+    safe_request=None, # Don't test safeness
+    unsafe_request=Request("/app/shell/ls -la", "GET"),
+    test_event={
+        "blocked": True,
+        "kind": "shell_injection",
+        'metadata': {'command': 'ls -la'},
+        'operation': 'subprocess.Popen',
+        'pathToPayload': '.[0]',
+        'payload': '"ls -la"',
+        'source': "route_params",
+    }
+)
+
+def test_heartbeat(app):
+    heartbeat = app.get_heartbeat()
+    route1 = heartbeat["routes"][0]
+    stats = heartbeat["stats"]
+    packages = set(map(lambda x: x["name"], heartbeat["packages"]))
+
+    # Validate routes
+    assert_eq(route1["path"], "/app/create")
+    assert_eq(route1["method"], "POST")
+    assert_eq(route1["hits"], 1)
+
+    assert_eq(route1["apispec"]["body"]["type"], "form-urlencoded")
+    assert_eq(route1["apispec"]["body"]["schema"], {
+        'type': 'object',
+        'properties': {
+            'dog_name': {
+                'items': {'type': 'string'},
+                'type': 'array'
+            }
+        }
+    })
+    assert_eq(route1["apispec"]["body"]["query"], None)
+    assert_eq(route1["apispec"]["body"]["auth"], None)
+
+    # Validate stats
+    assert_eq(stats["requests"]["attacksDetected"]["blocked"], 2)
+    assert_eq(stats["requests"]["attacksDetected"]["total"], 2)
+    assert_eq(stats["requests"]["total"], 3)
+
+    # Validate packages
+    assert_eq(packages, {'wrapt', 'asgiref', 'aikido_zen', 'django', 'sqlparse', 'regex', 'mysqlclient'})
+
+
+django_mysql_app.test_all_payloads()
+test_heartbeat(django_mysql_app)
diff --git a/end2end/django_mysql_test.py b/end2end/django_mysql_test.py
deleted file mode 100644
index 4dab9ec02..000000000
--- a/end2end/django_mysql_test.py
+++ /dev/null
@@ -1,114 +0,0 @@
-import time
-import pytest
-import requests
-from .server.check_events_from_mock import fetch_events_from_mock, validate_started_event, filter_on_event_type, validate_heartbeat
-
-# e2e tests for django_mysql sample app
-base_url_fw = "http://localhost:8080/app"
-base_url_nofw = "http://localhost:8081/app"
-
-def test_firewall_started_okay():
-    events = fetch_events_from_mock("http://localhost:5000")
-    started_events = filter_on_event_type(events, "started")
-    assert len(started_events) == 1
-    validate_started_event(started_events[0], ["django", "mysqlclient"])
-
-def test_safe_response_with_firewall():
-    dog_name = "Bobby Tables"
-    res = requests.post(base_url_fw + "/create", data={'dog_name': dog_name})
-    assert res.status_code == 200
-
-def test_safe_response_without_firewall():
-    dog_name = "Bobby Tables"
-    res = requests.post(base_url_nofw + "/create", data={'dog_name': dog_name})
-    assert res.status_code == 200
-
-
-def test_dangerous_response_with_firewall():
-    dog_name = 'Dangerous bobby", 1); -- '
-    res = requests.post(base_url_fw + "/create", data={'dog_name': dog_name})
-    assert res.status_code == 500
-    time.sleep(5) # Wait for attack to be reported
-    events = fetch_events_from_mock("http://localhost:5000")
-    attacks = filter_on_event_type(events, "detected_attack")
-    
-    assert len(attacks) == 1
-    del attacks[0]["attack"]["stack"]
-    assert attacks[0]["attack"] == {
-        "blocked": True,
-        "kind": "sql_injection",
-        'metadata': {
-            'dialect': 'mysql',
-            'sql': 'INSERT INTO sample_app_dogs (dog_name, dog_boss) VALUES ("Dangerous bobby", 1); -- ", "N/A")'
-        },
-        'operation': 'MySQLdb.Cursor.execute',
-        'pathToPayload': '.dog_name.[0]',
-        'payload': '"Dangerous bobby\\", 1); -- "',
-        'source': "body",
-        'user': None
-    }
-
-def test_dangerous_response_with_firewall_shell():
-    dog_name = 'Dangerous bobby", 1); -- '
-    res = requests.get(base_url_fw + "/shell/ls -la")
-    assert res.status_code == 500
-    time.sleep(5) # Wait for attack to be reported
-    events = fetch_events_from_mock("http://localhost:5000")
-    attacks = filter_on_event_type(events, "detected_attack")
-    
-    assert len(attacks) == 2
-    del attacks[0] # Previous attack
-    del attacks[0]["attack"]["stack"]
-    assert attacks[0]["attack"] == {
-        "blocked": True,
-        "kind": "shell_injection",
-        'metadata': {'command': 'ls -la'},
-        'operation': 'subprocess.Popen',
-        'pathToPayload': '.[0]',
-        'payload': '"ls -la"',
-        'source': "route_params",
-        'user': None
-    }
-
-def test_dangerous_response_without_firewall():
-    dog_name = 'Dangerous bobby", 1); -- '
-    res = requests.post(base_url_nofw + "/create", data={'dog_name': dog_name})
-    assert res.status_code == 200
-
-def test_initial_heartbeat():
-    time.sleep(55)  # Sleep 5 + 55 seconds for heartbeat
-    events = fetch_events_from_mock("http://localhost:5000")
-    heartbeat_events = filter_on_event_type(events, "heartbeat")
-    assert len(heartbeat_events) == 1
-    validate_heartbeat(
-        heartbeat_events[0],
-        [{
-            "apispec": {
-                'body': {
-                    'type': 'form-urlencoded',
-                    'schema': {
-                        'type': 'object',
-                        'properties': {
-                            'dog_name': {
-                                'items': {'type': 'string'},
-                                'type': 'array'
-                            }
-                        }
-                    }
-                },
-                'query': None,
-                'auth': None
-            },
-            "hits": 1,
-            "hits_delta_since_sync": 0,
-            "method": "POST",
-            "path": "/app/create"
-        }], 
-        {
-            "aborted": 0,
-            "attacksDetected": {"blocked": 2, "total": 2},
-            "total": 3,
-            'rateLimited': 0
-        },
-        {'wrapt', 'asgiref', 'aikido_zen', 'django', 'sqlparse', 'regex', 'mysqlclient'}
-    )

From 4d3323c9e0fa4705ba2cb99b948a1a4a2c4e5fee Mon Sep 17 00:00:00 2001
From: BitterPanda <bitterpanda@proton.me>
Date: Mon, 25 Aug 2025 14:39:25 +0200
Subject: [PATCH 06/24] format

---
 end2end/django_mysql.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/end2end/django_mysql.py b/end2end/django_mysql.py
index 2ef39a593..3cc4012b3 100644
--- a/end2end/django_mysql.py
+++ b/end2end/django_mysql.py
@@ -23,7 +23,7 @@
 
 django_mysql_app.add_payload(
     "test_shell_injection",
-    safe_request=None, # Don't test safeness
+    safe_request=None,  # Don't test safeness
     unsafe_request=Request("/app/shell/ls -la", "GET"),
     test_event={
         "blocked": True,
@@ -36,6 +36,7 @@
     }
 )
 
+
 def test_heartbeat(app):
     heartbeat = app.get_heartbeat()
     route1 = heartbeat["routes"][0]

From 3ad844323adc6e39c8c83c001121a3e7ccd88cc0 Mon Sep 17 00:00:00 2001
From: BitterPanda <bitterpanda@proton.me>
Date: Mon, 25 Aug 2025 14:40:09 +0200
Subject: [PATCH 07/24] Print time spent getting heartbeat, wait 2s before
 retry

---
 end2end/utils/__init__.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/end2end/utils/__init__.py b/end2end/utils/__init__.py
index fa052dd64..c32becde1 100644
--- a/end2end/utils/__init__.py
+++ b/end2end/utils/__init__.py
@@ -55,11 +55,18 @@ def test_all_payloads(self):
 
     def get_heartbeat(self):
         print("↺ Fetching latest heartbeat")
+
+        start_time = time.time()
+
         heartbeats = self.event_handler.fetch_heartbeats()
         while len(heartbeats) == 0:
             heartbeats = self.event_handler.fetch_heartbeats()
-            time.sleep(5)
+            time.sleep(2)
         assert_eq(len(heartbeats), equals=1)
+
+        delta = time.time() - start_time
+        print(f"✅ Fetched heartbeat, time spent: {delta:.2f}s")
+
         return heartbeats[0]
 
 def wait_until_live(url):

From c01d4ededa7ad27c96c505f8663e0a8802275c3b Mon Sep 17 00:00:00 2001
From: BitterPanda <bitterpanda@proton.me>
Date: Mon, 25 Aug 2025 15:10:57 +0200
Subject: [PATCH 08/24] payload & e2e fixes for django

---
 end2end/django_mysql.py          | 2 +-
 end2end/django_mysql_gunicorn.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/end2end/django_mysql.py b/end2end/django_mysql.py
index 3cc4012b3..1218a9d91 100644
--- a/end2end/django_mysql.py
+++ b/end2end/django_mysql.py
@@ -15,7 +15,7 @@
             'sql': 'INSERT INTO sample_app_dogs (dog_name, dog_boss) VALUES ("Dangerous bobby", 1); -- ", "N/A")'
         },
         'operation': 'MySQLdb.Cursor.execute',
-        'pathToPayload': '.dog_name',
+        'pathToPayload': '.dog_name.[0]',
         'payload': '"Dangerous bobby\\", 1); -- "',
         'source': "body",
     }
diff --git a/end2end/django_mysql_gunicorn.py b/end2end/django_mysql_gunicorn.py
index 4bb38e1ae..79f37557d 100644
--- a/end2end/django_mysql_gunicorn.py
+++ b/end2end/django_mysql_gunicorn.py
@@ -14,7 +14,7 @@
             'sql': 'INSERT INTO sample_app_dogs (dog_name, dog_boss) VALUES ("Dangerous bobby", 1); -- ", "N/A")'
         },
         'operation': 'MySQLdb.Cursor.execute',
-        'pathToPayload': '.dog_name',
+        'pathToPayload': '.dog_name.[0]',
         'payload': '"Dangerous bobby\\", 1); -- "',
         'source': "body",
     }

From 7b524cdcccb8c43a4ade50fbfeb83a7e07fdbe9a Mon Sep 17 00:00:00 2001
From: BitterPanda <bitterpanda@proton.me>
Date: Mon, 25 Aug 2025 15:21:13 +0200
Subject: [PATCH 09/24] django-mysql, fix apispec validation

---
 end2end/django_mysql.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/end2end/django_mysql.py b/end2end/django_mysql.py
index 1218a9d91..3ccd75bd3 100644
--- a/end2end/django_mysql.py
+++ b/end2end/django_mysql.py
@@ -58,8 +58,8 @@ def test_heartbeat(app):
             }
         }
     })
-    assert_eq(route1["apispec"]["body"]["query"], None)
-    assert_eq(route1["apispec"]["body"]["auth"], None)
+    assert_eq(route1["apispec"]["query"], None)
+    assert_eq(route1["apispec"]["auth"], None)
 
     # Validate stats
     assert_eq(stats["requests"]["attacksDetected"]["blocked"], 2)

From 83b60615e56d804ca25269e0924e31d22fbf1604 Mon Sep 17 00:00:00 2001
From: BitterPanda <bitterpanda@proton.me>
Date: Mon, 25 Aug 2025 15:34:49 +0200
Subject: [PATCH 10/24] total requests = 4 for django-mysql

---
 end2end/django_mysql.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/end2end/django_mysql.py b/end2end/django_mysql.py
index 3ccd75bd3..ac9cc5798 100644
--- a/end2end/django_mysql.py
+++ b/end2end/django_mysql.py
@@ -64,7 +64,7 @@ def test_heartbeat(app):
     # Validate stats
     assert_eq(stats["requests"]["attacksDetected"]["blocked"], 2)
     assert_eq(stats["requests"]["attacksDetected"]["total"], 2)
-    assert_eq(stats["requests"]["total"], 3)
+    assert_eq(stats["requests"]["total"], 4)
 
     # Validate packages
     assert_eq(packages, {'wrapt', 'asgiref', 'aikido_zen', 'django', 'sqlparse', 'regex', 'mysqlclient'})

From c11c3f6554393756bc7e9e202d886c281f73036c Mon Sep 17 00:00:00 2001
From: BitterPanda <bitterpanda@proton.me>
Date: Mon, 25 Aug 2025 15:51:06 +0200
Subject: [PATCH 11/24] Update django-myqsl test case to explain

---
 end2end/django_mysql.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/end2end/django_mysql.py b/end2end/django_mysql.py
index ac9cc5798..05ace97b5 100644
--- a/end2end/django_mysql.py
+++ b/end2end/django_mysql.py
@@ -64,7 +64,13 @@ def test_heartbeat(app):
     # Validate stats
     assert_eq(stats["requests"]["attacksDetected"]["blocked"], 2)
     assert_eq(stats["requests"]["attacksDetected"]["total"], 2)
-    assert_eq(stats["requests"]["total"], 4)
+    # There are 3-4 requests :
+    # 1. is website live request, first request not always counted
+    # 2. /app/create safe
+    # 3. /app/create sql inj
+    # 4. /app/shell/ls -la shell inj
+    total = stats["requests"]["total"]
+    assert 3 <= total <= 4, f"Unexpected amount of total requests {total}"
 
     # Validate packages
     assert_eq(packages, {'wrapt', 'asgiref', 'aikido_zen', 'django', 'sqlparse', 'regex', 'mysqlclient'})

From e4587dc6c192302c4306c23b2fa38222925d5458 Mon Sep 17 00:00:00 2001
From: BitterPanda <bitterpanda@proton.me>
Date: Mon, 25 Aug 2025 16:14:47 +0200
Subject: [PATCH 12/24] Update django_postgres_gunicorn e2e test cases

---
 .github/workflows/end2end.yml            |  2 +-
 end2end/django_postgres_gunicorn.py      | 45 +++++++++++++
 end2end/django_postgres_gunicorn_test.py | 84 ------------------------
 3 files changed, 46 insertions(+), 85 deletions(-)
 create mode 100644 end2end/django_postgres_gunicorn.py
 delete mode 100644 end2end/django_postgres_gunicorn_test.py

diff --git a/.github/workflows/end2end.yml b/.github/workflows/end2end.yml
index f09df0224..5321202c2 100644
--- a/.github/workflows/end2end.yml
+++ b/.github/workflows/end2end.yml
@@ -27,7 +27,7 @@ jobs:
         app:
           - { name: django-mysql, testfile: end2end/django_mysql.py }
           - { name: django-mysql-gunicorn, testfile: end2end/django_mysql_gunicorn.py }
-          - { name: django-postgres-gunicorn, testfile: end2end/django_postgres_gunicorn_test.py }
+          - { name: django-postgres-gunicorn, testfile: end2end/django_postgres_gunicorn.py }
           - { name: flask-mongo, testfile: end2end/flask_mongo_test.py }
           - { name: flask-mysql, testfile: end2end/flask_mysql_test.py }
           - { name: flask-mysql-uwsgi, testfile: end2end/flask_mysql_uwsgi_test.py }
diff --git a/end2end/django_postgres_gunicorn.py b/end2end/django_postgres_gunicorn.py
new file mode 100644
index 000000000..88f423814
--- /dev/null
+++ b/end2end/django_postgres_gunicorn.py
@@ -0,0 +1,45 @@
+from utils import App, Request
+
+django_postgres_gunicorn_app = App(8100)
+
+django_postgres_gunicorn_app.add_payload(
+    "test_sql_injection",
+    safe_request=Request("/app/create", data_type="form", body={"dog_name": "Bobby Tables"}),
+    unsafe_request=Request("/app/create", data_type="form", body={"dog_name": "Dangerous bobby', TRUE); -- "}),
+    test_event={
+        "blocked": True,
+        "kind": "sql_injection",
+        'metadata': {
+            'dialect': "postgres",
+            'sql': "INSERT INTO sample_app_Dogs (dog_name, is_admin) VALUES ('Dangerous bobby', TRUE); -- ', FALSE)"
+        },
+        'operation': "psycopg2.Connection.Cursor.execute",
+        'pathToPayload': '.dog_name.[0]',
+        'payload': "\"Dangerous bobby', TRUE); -- \"",
+        'source': "body",
+    }
+)
+
+django_postgres_gunicorn_app.add_payload(
+    "test_sql_injection_via_cookies",
+    safe_request=Request("/app/create/via_cookies", "GET", headers={
+        "Cookie": "dog_name=Safe Dog"
+    }),
+    unsafe_request=Request("/app/create/via_cookies", "GET", headers={
+        "Cookie": "dog_name=Dangerous bobby', TRUE) --; ,2=2"
+    }),
+    test_event={
+        "blocked": True,
+        "kind": "sql_injection",
+        'metadata': {
+            'dialect': "postgres",
+            'sql': "INSERT INTO sample_app_Dogs (dog_name, is_admin) VALUES ('Dangerous bobby', TRUE) --', FALSE)"
+        },
+        'operation': "psycopg2.Connection.Cursor.execute",
+        'pathToPayload': '.dog_name',
+        'payload': "\"Dangerous bobby', TRUE) --\"",
+        'source': "cookies",
+    }
+)
+
+django_postgres_gunicorn_app.test_all_payloads()
diff --git a/end2end/django_postgres_gunicorn_test.py b/end2end/django_postgres_gunicorn_test.py
deleted file mode 100644
index 9317775c0..000000000
--- a/end2end/django_postgres_gunicorn_test.py
+++ /dev/null
@@ -1,84 +0,0 @@
-import pytest
-import requests
-import time
-from .server.check_events_from_mock import fetch_events_from_mock, validate_started_event, filter_on_event_type, \
-    clear_events_from_mock
-
-# e2e tests for django_postgres_gunicorn sample app
-post_url_fw = "http://localhost:8100/app/create"
-post_url_nofw = "http://localhost:8101/app/create"
-
-def test_firewall_started_okay():
-    events = fetch_events_from_mock("http://localhost:5000")
-    started_events = filter_on_event_type(events, "started")
-    assert len(started_events) == 1
-    validate_started_event(started_events[0], ["gunicorn", "django", "psycopg2-binary"])
-
-def test_safe_response_with_firewall():
-    dog_name = "Bobby Tables"
-    res = requests.post(post_url_fw, data={'dog_name': dog_name})
-    assert res.status_code == 200
-
-
-def test_safe_response_without_firewall():
-    dog_name = "Bobby Tables"
-    res = requests.post(post_url_nofw, data={'dog_name': dog_name})
-    assert res.status_code == 200
-
-
-def test_dangerous_response_with_firewall():
-    clear_events_from_mock("http://localhost:5000")
-    dog_name = "Dangerous bobby', TRUE); -- "
-    res = requests.post(post_url_fw, data={'dog_name': dog_name})
-    assert res.status_code == 500
-
-    time.sleep(5) # Wait for attack to be reported
-    events = fetch_events_from_mock("http://localhost:5000")
-    attacks = filter_on_event_type(events, "detected_attack")
-    
-    assert len(attacks) == 1
-    del attacks[0]["attack"]["stack"]
-    assert attacks[0]["attack"] == {
-        "blocked": True,
-        "kind": "sql_injection",
-        'metadata': {
-            'dialect': "postgres",
-            'sql': "INSERT INTO sample_app_Dogs (dog_name, is_admin) VALUES ('Dangerous bobby', TRUE); -- ', FALSE)"
-        },
-        'operation': "psycopg2.Connection.Cursor.execute",
-        'pathToPayload': '.dog_name.[0]',
-        'payload': "\"Dangerous bobby', TRUE); -- \"",
-        'source': "body",
-        'user': None
-    }
-
-
-def test_dangerous_response_with_firewall():
-    clear_events_from_mock("http://localhost:5000")
-    cookie_header = "dog_name=Dangerous bobby', TRUE) --; ,2=2"
-    res = requests.get(f"{post_url_fw}/via_cookies", headers={
-        "Cookie": cookie_header
-    })
-    assert res.status_code == 500
-
-    time.sleep(5)  # Wait for attack to be reported
-    events = fetch_events_from_mock("http://localhost:5000")
-    attacks = filter_on_event_type(events, "detected_attack")
-
-    assert len(attacks) == 1
-    assert attacks[0]["attack"]["blocked"]
-    assert attacks[0]["attack"]["kind"] == "sql_injection"
-    assert attacks[0]["attack"]["metadata"] == {
-        'dialect': "postgres",
-        'sql': "INSERT INTO sample_app_Dogs (dog_name, is_admin) VALUES ('Dangerous bobby', TRUE) --', FALSE)"
-    }
-    assert attacks[0]["attack"]["pathToPayload"] == ".dog_name"
-    assert attacks[0]["attack"]["source"] == "cookies"
-    assert attacks[0]["attack"]["payload"] == "\"Dangerous bobby', TRUE) --\""
-
-
-def test_dangerous_response_without_firewall():
-    dog_name = "Dangerous bobby', TRUE); -- "
-    res = requests.post(post_url_nofw, data={'dog_name': dog_name})
-    assert res.status_code == 200
-

From e34236d2afe68108168db53ff3c78132a959552f Mon Sep 17 00:00:00 2001
From: BitterPanda <bitterpanda@proton.me>
Date: Mon, 25 Aug 2025 16:25:36 +0200
Subject: [PATCH 13/24] Create new reformed flask_mongo test cases

---
 .github/workflows/end2end.yml |  2 +-
 end2end/flask_mongo.py        | 26 ++++++++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 end2end/flask_mongo.py

diff --git a/.github/workflows/end2end.yml b/.github/workflows/end2end.yml
index 5321202c2..f843d50d1 100644
--- a/.github/workflows/end2end.yml
+++ b/.github/workflows/end2end.yml
@@ -28,7 +28,7 @@ jobs:
           - { name: django-mysql, testfile: end2end/django_mysql.py }
           - { name: django-mysql-gunicorn, testfile: end2end/django_mysql_gunicorn.py }
           - { name: django-postgres-gunicorn, testfile: end2end/django_postgres_gunicorn.py }
-          - { name: flask-mongo, testfile: end2end/flask_mongo_test.py }
+          - { name: flask-mongo, testfile: end2end/flask_mongo.py }
           - { name: flask-mysql, testfile: end2end/flask_mysql_test.py }
           - { name: flask-mysql-uwsgi, testfile: end2end/flask_mysql_uwsgi_test.py }
           - { name: flask-postgres, testfile: end2end/flask_postgres_test.py }
diff --git a/end2end/flask_mongo.py b/end2end/flask_mongo.py
new file mode 100644
index 000000000..829c2d72b
--- /dev/null
+++ b/end2end/flask_mongo.py
@@ -0,0 +1,26 @@
+from .utils import App, Request
+
+flask_mongo_app = App(8094)
+
+def create_test_dog():
+    Request("/create", data_type="form", body={
+        {"dog_name": "bobby", "pswd": "1234"}
+    }).execute(flask_mongo_app.urls["enabled"])
+
+flask_mongo_app.add_payload(
+    "test_nosql_injection",
+    safe_request=Request("/auth", body={"dog_name": "bobby", "pswd": "1234"}),
+    unsafe_request=Request("/auth", body={"dog_name": "bobby", "pswd": { "$ne": ""}}),
+    test_event={
+        "blocked": True,
+        "kind": "nosql_injection",
+        'metadata': {'filter': '{"dog_name": "bobby_tables", "pswd": {"$ne": ""}}'},
+        'operation': "pymongo.collection.Collection.find",
+        'pathToPayload': ".pswd",
+        'payload': '{"$ne": ""}',
+        'source': "body",
+    }
+)
+
+create_test_dog()
+flask_mongo_app.test_all_payloads()

From 9c156ab6ab9008d717736da57b68aa291bc51d56 Mon Sep 17 00:00:00 2001
From: BitterPanda <bitterpanda@proton.me>
Date: Mon, 25 Aug 2025 16:45:14 +0200
Subject: [PATCH 14/24] Fix flask_mongo imports

---
 end2end/flask_mongo.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/end2end/flask_mongo.py b/end2end/flask_mongo.py
index 829c2d72b..78244ee88 100644
--- a/end2end/flask_mongo.py
+++ b/end2end/flask_mongo.py
@@ -1,4 +1,4 @@
-from .utils import App, Request
+from utils import App, Request
 
 flask_mongo_app = App(8094)
 

From 8c213c81784b348e36137e67b64a3ce53fe05dfe Mon Sep 17 00:00:00 2001
From: BitterPanda <bitterpanda@proton.me>
Date: Mon, 25 Aug 2025 16:45:28 +0200
Subject: [PATCH 15/24] Fix quart_postgres_uvicorn e2e test cases

---
 .github/workflows/end2end.yml          |  2 +-
 end2end/quart_postgres_uvicorn.py      | 25 +++++++++++
 end2end/quart_postgres_uvicorn_test.py | 58 --------------------------
 3 files changed, 26 insertions(+), 59 deletions(-)
 create mode 100644 end2end/quart_postgres_uvicorn.py
 delete mode 100644 end2end/quart_postgres_uvicorn_test.py

diff --git a/.github/workflows/end2end.yml b/.github/workflows/end2end.yml
index f843d50d1..51022b64f 100644
--- a/.github/workflows/end2end.yml
+++ b/.github/workflows/end2end.yml
@@ -34,7 +34,7 @@ jobs:
           - { name: flask-postgres, testfile: end2end/flask_postgres_test.py }
           - { name: flask-postgres-xml, testfile: end2end/flask_postgres_xml_test.py }
           - { name: flask-postgres-xml, testfile: end2end/flask_postgres_xml_lxml_test.py }
-          - { name: quart-postgres-uvicorn, testfile: end2end/quart_postgres_uvicorn_test.py }
+          - { name: quart-postgres-uvicorn, testfile: end2end/quart_postgres_uvicorn.py }
           - { name: starlette-postgres-uvicorn, testfile: end2end/starlette_postgres_uvicorn_test.py }
         python-version: ["3.10", "3.11", "3.12", "3.13"]
     steps:
diff --git a/end2end/quart_postgres_uvicorn.py b/end2end/quart_postgres_uvicorn.py
new file mode 100644
index 000000000..50ce604c6
--- /dev/null
+++ b/end2end/quart_postgres_uvicorn.py
@@ -0,0 +1,25 @@
+from end2end.utils import assert_eq
+from utils import App, Request
+
+quart_postgres_uvicorn_app = App(8096)
+
+quart_postgres_uvicorn_app.add_payload(
+    "test_sql_injection",
+    safe_request=Request("/app/create", data_type="form", body={"dog_name": "Bobby Tables"}),
+    unsafe_request=Request("/app/create", data_type="form", body={"dog_name": "Dangerous Bobby', TRUE); -- "}),
+    test_event={
+        "blocked": True,
+        "kind": "sql_injection",
+        "metadata": {
+            'dialect': "postgres",
+            'sql': "INSERT INTO dogs (dog_name, isAdmin) VALUES ('Dangerous Bobby', TRUE); -- ', FALSE)"
+        },
+        "operation": "asyncpg.connection.Connection.execute",
+        "pathToPayload": ".dog_name",
+        "payload": "\"Dangerous Bobby', TRUE); -- \"",
+        "source": "body",
+        "user_id": "user123"
+    }
+)
+
+quart_postgres_uvicorn_app.test_all_payloads()
diff --git a/end2end/quart_postgres_uvicorn_test.py b/end2end/quart_postgres_uvicorn_test.py
deleted file mode 100644
index cef39f695..000000000
--- a/end2end/quart_postgres_uvicorn_test.py
+++ /dev/null
@@ -1,58 +0,0 @@
-import time
-import pytest
-import requests
-from .server.check_events_from_mock import fetch_events_from_mock, validate_started_event, filter_on_event_type
-
-# e2e tests for flask_postgres sample app
-post_url_fw = "http://localhost:8096/create"
-post_url_nofw = "http://localhost:8097/create"
-
-def test_firewall_started_okay():
-    events = fetch_events_from_mock("http://localhost:5000")
-    started_events = filter_on_event_type(events, "started")
-    assert len(started_events) == 1
-    validate_started_event(started_events[0], None)
-
-def test_safe_response_with_firewall():
-    dog_name = "Bobby Tables"
-    res = requests.post(post_url_fw, data={'dog_name': dog_name})
-    assert res.status_code == 201
-
-def test_safe_response_without_firewall():
-    dog_name = "Bobby Tables"
-    res = requests.post(post_url_nofw, data={'dog_name': dog_name})
-    assert res.status_code == 201
-
-
-def test_dangerous_response_with_firewall():
-    dog_name = "Dangerous Bobby', TRUE); -- "
-    res = requests.post(post_url_fw, data={'dog_name': dog_name})
-    assert res.status_code == 500
-    
-    time.sleep(5) # Wait for attack to be reported
-    events = fetch_events_from_mock("http://localhost:5000")
-    attacks = filter_on_event_type(events, "detected_attack")
-    
-    assert len(attacks) == 1
-    del attacks[0]["attack"]["stack"]
-    assert attacks[0]["attack"]["blocked"] == True
-    assert attacks[0]["attack"]["kind"] == "sql_injection"
-    assert attacks[0]["attack"]["metadata"]["sql"] == "INSERT INTO dogs (dog_name, isAdmin) VALUES ('Dangerous Bobby', TRUE); -- ', FALSE)"
-    assert attacks[0]["attack"]["metadata"]["dialect"] == "postgres"
-    assert attacks[0]["attack"]["operation"] == "asyncpg.connection.Connection.execute"
-    assert attacks[0]["attack"]["pathToPayload"] == '.dog_name'
-    assert attacks[0]["attack"]["payload"] == "\"Dangerous Bobby', TRUE); -- \""
-    assert attacks[0]["attack"]["source"] == "body"
-    assert attacks[0]["attack"]["user"]["id"] == "user123"
-    assert attacks[0]["attack"]["user"]["name"] == "John Doe"
-
-    assert attacks[0]["request"]["source"] == "quart"
-    assert attacks[0]["request"]["route"] == "/create"
-    assert attacks[0]["request"]["userAgent"] == "python-requests/2.32.3"
-
-
-def test_dangerous_response_without_firewall():
-    dog_name = "Dangerous Bobby', TRUE); -- "
-    res = requests.post(post_url_nofw, data={'dog_name': dog_name})
-    assert res.status_code == 201
-

From d16b4af46a3384a77e13cd42f12421641df2ff3a Mon Sep 17 00:00:00 2001
From: BitterPanda <bitterpanda@proton.me>
Date: Mon, 25 Aug 2025 16:51:07 +0200
Subject: [PATCH 16/24] Update flask_postgres_xml e2e test cases to new system

---
 .github/workflows/end2end.yml           |  3 +-
 end2end/flask_postgres_xml.py           | 32 ++++++++++++++
 end2end/flask_postgres_xml_lxml_test.py | 51 ----------------------
 end2end/flask_postgres_xml_test.py      | 56 -------------------------
 4 files changed, 33 insertions(+), 109 deletions(-)
 create mode 100644 end2end/flask_postgres_xml.py
 delete mode 100644 end2end/flask_postgres_xml_lxml_test.py
 delete mode 100644 end2end/flask_postgres_xml_test.py

diff --git a/.github/workflows/end2end.yml b/.github/workflows/end2end.yml
index 51022b64f..a60cb4fad 100644
--- a/.github/workflows/end2end.yml
+++ b/.github/workflows/end2end.yml
@@ -32,8 +32,7 @@ jobs:
           - { name: flask-mysql, testfile: end2end/flask_mysql_test.py }
           - { name: flask-mysql-uwsgi, testfile: end2end/flask_mysql_uwsgi_test.py }
           - { name: flask-postgres, testfile: end2end/flask_postgres_test.py }
-          - { name: flask-postgres-xml, testfile: end2end/flask_postgres_xml_test.py }
-          - { name: flask-postgres-xml, testfile: end2end/flask_postgres_xml_lxml_test.py }
+          - { name: flask-postgres-xml, testfile: end2end/flask_postgres_xml.py }
           - { name: quart-postgres-uvicorn, testfile: end2end/quart_postgres_uvicorn.py }
           - { name: starlette-postgres-uvicorn, testfile: end2end/starlette_postgres_uvicorn_test.py }
         python-version: ["3.10", "3.11", "3.12", "3.13"]
diff --git a/end2end/flask_postgres_xml.py b/end2end/flask_postgres_xml.py
new file mode 100644
index 000000000..f902422cb
--- /dev/null
+++ b/end2end/flask_postgres_xml.py
@@ -0,0 +1,32 @@
+from utils import App, Request
+
+flask_postgres_xml_app = App(8092)
+
+SQL_INJ_ATTACK_EVENT = {
+    "blocked": True,
+    "kind": "sql_injection",
+    "metadata": {
+        "dialect": "postgres",
+        "sql": "INSERT INTO dogs (dog_name, isAdmin) VALUES ('Malicious dog', TRUE); -- ', FALSE)"
+    },
+    "operation": "psycopg2.Connection.Cursor.execute",
+    "pathToPayload": ".dog_name.[0]",
+    "payload": "\"Malicious dog', TRUE); -- \"",
+    "source": "xml",
+}
+
+# Test both xml and lxml
+flask_postgres_xml_app.add_payload(
+    "test_xml_sql_inj",
+    safe_request=Request("/xml_post", data_type="form", body='<dogs><dog dog_name="Bobby" /></dogs>'),
+    unsafe_request=Request("/xml_post", data_type="form", body='<dogs><dog dog_name="Malicious dog\', TRUE); -- " /></dogs>'),
+    test_event=SQL_INJ_ATTACK_EVENT
+)
+flask_postgres_xml_app.add_payload(
+    "test_xml_sql_inj_(lxml)",
+    safe_request=Request("/xml_post_lxml", data_type="form", body='<dogs><dog dog_name="Bobby" /></dogs>'),
+    unsafe_request=Request("/xml_post_lxml", data_type="form", body='<dogs><dog dog_name="Malicious dog\', TRUE); -- " /></dogs>'),
+    test_event=SQL_INJ_ATTACK_EVENT
+)
+
+flask_postgres_xml_app.test_all_payloads()
diff --git a/end2end/flask_postgres_xml_lxml_test.py b/end2end/flask_postgres_xml_lxml_test.py
deleted file mode 100644
index 4f471b86e..000000000
--- a/end2end/flask_postgres_xml_lxml_test.py
+++ /dev/null
@@ -1,51 +0,0 @@
-import time
-import pytest
-import requests
-from .server.check_events_from_mock import fetch_events_from_mock, validate_started_event, filter_on_event_type
-
-# e2e tests for flask_postgres sample app
-post_url_fw = "http://localhost:8092/xml_post_lxml"
-post_url_nofw = "http://localhost:8093/xml_post_lxml"
-
-def test_safe_response_with_firewall():
-    xml_data = '<dogs><dog dog_name="Bobby" /></dogs>'
-    res = requests.post(post_url_fw, data=xml_data)
-    assert res.status_code == 200
-
-def test_safe_response_without_firewall():
-    xml_data = '<dogs><dog dog_name="Bobby" /></dogs>'
-    res = requests.post(post_url_nofw, data=xml_data)
-    assert res.status_code == 200
-
-
-def test_dangerous_response_with_firewall():
-    xml_data = '<dogs><dog dog_name="Malicious dog\', TRUE); -- " /></dogs>'
-    res = requests.post(post_url_fw, data=xml_data)
-    assert res.status_code == 500
-    
-    time.sleep(5) # Wait for attack to be reported
-    events = fetch_events_from_mock("http://localhost:5000")
-    attacks = filter_on_event_type(events, "detected_attack")
-    
-    assert len(attacks) == 1
-    del attacks[0]["attack"]["stack"]
-
-    assert attacks[0]["attack"] == {
-        "blocked": True,
-        "kind": "sql_injection",
-        'metadata': {
-            'dialect': "postgres",
-            'sql': "INSERT INTO dogs (dog_name, isAdmin) VALUES ('Malicious dog', TRUE); -- ', FALSE)"
-        },
-        'operation': "psycopg2.Connection.Cursor.execute",
-        'pathToPayload': ".dog_name.[0]",
-        'payload': "\"Malicious dog', TRUE); -- \"",
-        'source': "xml",
-        'user': None
-    }
-
-def test_dangerous_response_without_firewall():
-    xml_data = '<dogs><dog dog_name="Malicious dog\', TRUE); -- " /></dogs>'
-    res = requests.post(post_url_nofw, data=xml_data)
-    assert res.status_code == 200
-
diff --git a/end2end/flask_postgres_xml_test.py b/end2end/flask_postgres_xml_test.py
deleted file mode 100644
index 1fceb92fe..000000000
--- a/end2end/flask_postgres_xml_test.py
+++ /dev/null
@@ -1,56 +0,0 @@
-import time
-import pytest
-import requests
-from .server.check_events_from_mock import fetch_events_from_mock, validate_started_event, filter_on_event_type
-
-# e2e tests for flask_postgres sample app
-post_url_fw = "http://localhost:8092/xml_post"
-post_url_nofw = "http://localhost:8093/xml_post"
-
-def test_firewall_started_okay():
-    events = fetch_events_from_mock("http://localhost:5000")
-    started_events = filter_on_event_type(events, "started")
-    assert len(started_events) == 1
-    validate_started_event(started_events[0], ["flask", "psycopg2-binary", "lxml"])
-
-def test_safe_response_with_firewall():
-    xml_data = '<dogs><dog dog_name="Bobby" /></dogs>'
-    res = requests.post(post_url_fw, data=xml_data)
-    assert res.status_code == 200
-
-def test_safe_response_without_firewall():
-    xml_data = '<dogs><dog dog_name="Bobby" /></dogs>'
-    res = requests.post(post_url_nofw, data=xml_data)
-    assert res.status_code == 200
-
-
-def test_dangerous_response_with_firewall():
-    xml_data = '<dogs><dog dog_name="Malicious dog\', TRUE); -- " /></dogs>'
-    res = requests.post(post_url_fw, data=xml_data)
-    assert res.status_code == 500
-    
-    time.sleep(5) # Wait for attack to be reported
-    events = fetch_events_from_mock("http://localhost:5000")
-    attacks = filter_on_event_type(events, "detected_attack")
-    
-    assert len(attacks) == 1
-    del attacks[0]["attack"]["stack"]
-
-    assert attacks[0]["attack"] == {
-        "blocked": True,
-        "kind": "sql_injection",
-        'metadata': {
-            'dialect': "postgres",
-            'sql': "INSERT INTO dogs (dog_name, isAdmin) VALUES ('Malicious dog', TRUE); -- ', FALSE)"
-        },
-        'operation': "psycopg2.Connection.Cursor.execute",
-        'pathToPayload': ".dog_name.[0]",
-        'payload': "\"Malicious dog', TRUE); -- \"",
-        'source': "xml",
-        'user': None
-    }
-def test_dangerous_response_without_firewall():
-    xml_data = '<dogs><dog dog_name="Malicious dog\', TRUE); -- " /></dogs>'
-    res = requests.post(post_url_nofw, data=xml_data)
-    assert res.status_code == 200
-

From 39e53a3d9e249b9999dbe721c30a72a9b7a3d357 Mon Sep 17 00:00:00 2001
From: BitterPanda <bitterpanda@proton.me>
Date: Mon, 25 Aug 2025 16:58:44 +0200
Subject: [PATCH 17/24] cleanup of unused import in end2end tests

---
 end2end/quart_postgres_uvicorn.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/end2end/quart_postgres_uvicorn.py b/end2end/quart_postgres_uvicorn.py
index 50ce604c6..415d0fca1 100644
--- a/end2end/quart_postgres_uvicorn.py
+++ b/end2end/quart_postgres_uvicorn.py
@@ -1,4 +1,3 @@
-from end2end.utils import assert_eq
 from utils import App, Request
 
 quart_postgres_uvicorn_app = App(8096)

From 4bee965eb94ce4d29f6b235b86e05abaf00d3333 Mon Sep 17 00:00:00 2001
From: BitterPanda <bitterpanda@proton.me>
Date: Mon, 25 Aug 2025 16:59:04 +0200
Subject: [PATCH 18/24] Update flask-postgres & flask-mysql-uwsgi test cases to
 new test system

---
 .github/workflows/end2end.yml     |   4 +-
 end2end/flask_mysql_uwsgi.py      |  23 +++++++
 end2end/flask_mysql_uwsgi_test.py |  61 -----------------
 end2end/flask_postgres.py         |  45 ++++++++++++
 end2end/flask_postgres_test.py    | 110 ------------------------------
 5 files changed, 70 insertions(+), 173 deletions(-)
 create mode 100644 end2end/flask_mysql_uwsgi.py
 delete mode 100644 end2end/flask_mysql_uwsgi_test.py
 create mode 100644 end2end/flask_postgres.py
 delete mode 100644 end2end/flask_postgres_test.py

diff --git a/.github/workflows/end2end.yml b/.github/workflows/end2end.yml
index a60cb4fad..da9c0fb22 100644
--- a/.github/workflows/end2end.yml
+++ b/.github/workflows/end2end.yml
@@ -30,8 +30,8 @@ jobs:
           - { name: django-postgres-gunicorn, testfile: end2end/django_postgres_gunicorn.py }
           - { name: flask-mongo, testfile: end2end/flask_mongo.py }
           - { name: flask-mysql, testfile: end2end/flask_mysql_test.py }
-          - { name: flask-mysql-uwsgi, testfile: end2end/flask_mysql_uwsgi_test.py }
-          - { name: flask-postgres, testfile: end2end/flask_postgres_test.py }
+          - { name: flask-mysql-uwsgi, testfile: end2end/flask_mysql_uwsgi.py }
+          - { name: flask-postgres, testfile: end2end/flask_postgres.py }
           - { name: flask-postgres-xml, testfile: end2end/flask_postgres_xml.py }
           - { name: quart-postgres-uvicorn, testfile: end2end/quart_postgres_uvicorn.py }
           - { name: starlette-postgres-uvicorn, testfile: end2end/starlette_postgres_uvicorn_test.py }
diff --git a/end2end/flask_mysql_uwsgi.py b/end2end/flask_mysql_uwsgi.py
new file mode 100644
index 000000000..c8171c32b
--- /dev/null
+++ b/end2end/flask_mysql_uwsgi.py
@@ -0,0 +1,23 @@
+from utils import App, Request
+
+flask_mysql_uwsgi_app = App(8088)
+
+flask_mysql_uwsgi_app.add_payload(
+    "test_sql_injection",
+    safe_request=Request("/create", data_type="form", body={"dog_name": "Bobby Tables"}),
+    unsafe_request=Request("/create", data_type="form", body={"dog_name": 'Dangerous bobby", 1); -- '}),
+    test_event={
+        "blocked": True,
+        "kind": "sql_injection",
+        'metadata': {
+            'dialect': 'mysql',
+            'sql': 'INSERT INTO sample_app_dogs (dog_name, dog_boss) VALUES ("Dangerous bobby", 1); -- ", "N/A")'
+        },
+        'operation': 'MySQLdb.Cursor.execute',
+        'pathToPayload': '.dog_name',
+        'payload': '"Dangerous bobby\\", 1); -- "',
+        'source': "body",
+    }
+)
+
+flask_mysql_uwsgi_app.test_all_payloads()
diff --git a/end2end/flask_mysql_uwsgi_test.py b/end2end/flask_mysql_uwsgi_test.py
deleted file mode 100644
index c3ce0c1ae..000000000
--- a/end2end/flask_mysql_uwsgi_test.py
+++ /dev/null
@@ -1,61 +0,0 @@
-import time
-import pytest
-import requests
-from .server.check_events_from_mock import fetch_events_from_mock, validate_started_event, filter_on_event_type
-
-# e2e tests for flask_mysql_uwsgi sample app
-post_url_fw = "http://localhost:8088/create"
-post_url_nofw = "http://localhost:8089/create"
-
-def test_firewall_started_okay():
-    events = fetch_events_from_mock("http://localhost:5000")
-    started_events = filter_on_event_type(events, "started")
-    assert len(started_events) == 1
-    validate_started_event(started_events[0], ["flask", "pymysql", "uwsgi"])
-
-def test_safe_response_with_firewall():
-    dog_name = "Bobby Tables"
-    res = requests.post(post_url_fw, data={'dog_name': dog_name})
-    assert res.status_code == 200
-
-
-def test_safe_response_without_firewall():
-    dog_name = "Bobby Tables"
-    res = requests.post(post_url_nofw, data={'dog_name': dog_name})
-    assert res.status_code == 200
-
-
-def test_dangerous_response_with_firewall():
-    dog_name = 'Dangerous bobby", 1); -- '
-    res = requests.post(post_url_fw, data={'dog_name': dog_name})
-    assert res.status_code == 500
-
-    time.sleep(5) # Wait for attack to be reported
-    events = fetch_events_from_mock("http://localhost:5000")
-    attacks = filter_on_event_type(events, "detected_attack")
-    
-    assert len(attacks) == 1
-    del attacks[0]["attack"]["stack"]
-    assert attacks[0]["attack"] == {
-        "blocked": True,
-        "kind": "sql_injection",
-        'metadata': {
-            'dialect': 'mysql',
-            'sql': 'INSERT INTO dogs (dog_name, isAdmin) VALUES ("Dangerous bobby", 1); -- ", 0)'
-        },
-        'operation': 'pymysql.Cursor.execute',
-        'pathToPayload': '.dog_name',
-        'payload': '"Dangerous bobby\\", 1); -- "',
-        'source': "body",
-        'user': None
-    }
-
-    assert attacks[0]["request"]["source"] == "flask"
-    assert attacks[0]["request"]["route"] == "/create"
-    assert attacks[0]["request"]["userAgent"] == "python-requests/2.32.3"
-
-def test_dangerous_response_without_firewall():
-    dog_name = 'Dangerous bobby", 1); -- '
-    res = requests.post(post_url_nofw, data={'dog_name': dog_name})
-    assert res.status_code == 200
-
diff --git a/end2end/flask_postgres.py b/end2end/flask_postgres.py
new file mode 100644
index 000000000..f63bbaa22
--- /dev/null
+++ b/end2end/flask_postgres.py
@@ -0,0 +1,45 @@
+from utils import App, Request
+
+flask_postgres_app = App(8090)
+
+flask_postgres_app.add_payload(
+    "test_sql_injection",
+    safe_request=Request("/create", data_type="form", body={"dog_name": "Bobby Tables"}),
+    unsafe_request=Request("/create", data_type="form", body={"dog_name": "Dangerous Bobby', TRUE); -- "}),
+    test_event={
+        "blocked": True,
+        "kind": "sql_injection",
+        "metadata": {
+            "dialect": "postgres",
+            "sql": "INSERT INTO dogs (dog_name, isAdmin) VALUES ('Dangerous Bobby', TRUE); -- ', FALSE)"
+        },
+        "operation": "psycopg2.Connection.Cursor.execute",
+        "pathToPayload": '.dog_name.[0]',
+        "payload": '"Dangerous Bobby\', TRUE); -- "',
+        "source": "body",
+    }
+)
+
+flask_postgres_app.add_payload(
+    "test_sql_injection_via_cookies",
+    safe_request=Request("/create_with_cookie", "GET", headers={
+        "Cookie": "dog_name=Safe Dog; ,2=2"
+    }),
+    unsafe_request=Request("/create_with_cookie", "GET", headers={
+        "Cookie": "dog_name=Dangerous bobby', TRUE) --; ,2=2"
+    }),
+    test_event={
+        "blocked": True,
+        "kind": "sql_injection",
+        'metadata': {
+            'dialect': "postgres",
+            'sql': "INSERT INTO sample_app_Dogs (dog_name, is_admin) VALUES ('Dangerous bobby', TRUE) --', FALSE)"
+        },
+        'operation': "psycopg2.Connection.Cursor.execute",
+        'pathToPayload': '.dog_name',
+        'payload': "\"Dangerous bobby', TRUE) --\"",
+        'source': "cookies",
+    }
+)
+
+flask_postgres_app.test_all_payloads()
diff --git a/end2end/flask_postgres_test.py b/end2end/flask_postgres_test.py
deleted file mode 100644
index 72d668da3..000000000
--- a/end2end/flask_postgres_test.py
+++ /dev/null
@@ -1,110 +0,0 @@
-import time
-import pytest
-import json
-import requests
-from .server.check_events_from_mock import fetch_events_from_mock, validate_started_event, filter_on_event_type
-
-# e2e tests for flask_postgres sample app
-post_url_fw = "http://localhost:8090/create"
-post_url_nofw = "http://localhost:8091/create"
-get_url_cookie_fw = "http://localhost:8090/create_with_cookie"
-get_url_cookie_nofw = "http://localhost:8091/create_with_cookie"
-
-def test_firewall_started_okay():
-    events = fetch_events_from_mock("http://localhost:5000")
-    started_events = filter_on_event_type(events, "started")
-    assert len(started_events) == 1
-    validate_started_event(started_events[0], ["flask", "psycopg2-binary"])
-
-def test_safe_response_with_firewall():
-    dog_name = "Bobby Tables"
-    res = requests.post(post_url_fw, data={'dog_name': dog_name})
-    assert res.status_code == 200
-
-
-def test_safe_response_without_firewall():
-    dog_name = "Bobby Tables"
-    res = requests.post(post_url_nofw, data={'dog_name': dog_name})
-    assert res.status_code == 200
-
-
-def test_dangerous_response_with_firewall():
-    dog_name = "Dangerous Bobby', TRUE); -- "
-    res = requests.post(post_url_fw, data={'dog_name': dog_name})
-    assert res.status_code == 500
-
-def test_dangerous_response_without_firewall():
-    dog_name = "Dangerous Bobby', TRUE); -- "
-    res = requests.post(post_url_nofw, data={'dog_name': dog_name})
-    assert res.status_code == 200
-
-
-def test_safe_cookie_creation_with_firewall():
-    cookies = {
-        "dog_name": "Bobby Tables",
-        "corrupt_data": ";;;;;;;;;;;;;"
-    }
-    res = requests.get(get_url_cookie_fw, cookies=cookies)
-    assert res.status_code == 200
-
-def test_safe_cookie_creation_without_firewall():
-    cookies = {
-        "dog_name": "Bobby Tables",
-        "corrupt_data": ";;;;;;;;;;;;;"
-
-    }
-    res = requests.get(get_url_cookie_nofw, cookies=cookies)
-    assert res.status_code == 200
-
-
-def test_dangerous_cookie_creation_with_firewall():
-    cookies = {
-        "dog_name": "Bobby', TRUE) -- ",
-        "corrupt_data": ";;;;;;;;;;;;;"
-    }
-    res = requests.get(get_url_cookie_fw, cookies=cookies)
-    assert res.status_code == 500
-
-def test_dangerous_cookie_creation_without_firewall():
-    cookies = {
-        "dog_name": "Bobby', TRUE) -- ",
-        "corrupt_data": ";;;;;;;;;;;;;"
-    }
-    res = requests.get(get_url_cookie_nofw, cookies=cookies)
-    assert res.status_code == 200
-
-def test_attacks_detected():
-    time.sleep(5) # Wait for attack to be reported
-    events = fetch_events_from_mock("http://localhost:5000")
-    attacks = filter_on_event_type(events, "detected_attack")
-    
-    assert len(attacks) == 2
-    del attacks[0]["attack"]["stack"]
-    del attacks[1]["attack"]["stack"]
-
-    assert attacks[0]["attack"] == {
-        "blocked": True,
-        "kind": "sql_injection",
-        'metadata': {
-            'dialect': "postgres",
-            'sql': "INSERT INTO dogs (dog_name, isAdmin) VALUES ('Dangerous Bobby', TRUE); -- ', FALSE)"
-        },
-        'operation': "psycopg2.Connection.Cursor.execute",
-        'pathToPayload': '.dog_name',
-        'payload':  '"Dangerous Bobby\', TRUE); -- "',
-        'source': "body",
-        'user': None
-    }
-    assert attacks[1]["attack"] == {
-        "blocked": True,
-        "kind": "sql_injection",
-        'metadata': {
-            'dialect': "postgres",
-            'sql': "INSERT INTO dogs (dog_name, isAdmin) VALUES ('Bobby', TRUE) --', FALSE)"
-        },
-        'operation': "psycopg2.Connection.Cursor.execute",
-        'pathToPayload': '.dog_name',
-        'payload': "\"Bobby', TRUE) --\"",
-        'source': "cookies",
-        'user': None
-    }

From 00a3cce23b013af97dbcfd57d18a19f86a18e673 Mon Sep 17 00:00:00 2001
From: BitterPanda <bitterpanda@proton.me>
Date: Mon, 25 Aug 2025 17:12:54 +0200
Subject: [PATCH 19/24] Fix flask-mongo e2e test cases

---
 end2end/flask_mongo.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/end2end/flask_mongo.py b/end2end/flask_mongo.py
index 78244ee88..07a6bc630 100644
--- a/end2end/flask_mongo.py
+++ b/end2end/flask_mongo.py
@@ -1,3 +1,5 @@
+import json
+
 from utils import App, Request
 
 flask_mongo_app = App(8094)
@@ -9,8 +11,12 @@ def create_test_dog():
 
 flask_mongo_app.add_payload(
     "test_nosql_injection",
-    safe_request=Request("/auth", body={"dog_name": "bobby", "pswd": "1234"}),
-    unsafe_request=Request("/auth", body={"dog_name": "bobby", "pswd": { "$ne": ""}}),
+    safe_request=Request("/auth", data_type="form", body=json.dumps(
+        {"dog_name": "bobby", "pswd": "1234"}
+    )),
+    unsafe_request=Request("/auth", data_type="form", body=json.dumps(
+        {"dog_name": "bobby", "pswd": { "$ne": ""}}
+    )),
     test_event={
         "blocked": True,
         "kind": "nosql_injection",

From f6cf87f312eeeecc26c4f121996e17db58ae77e2 Mon Sep 17 00:00:00 2001
From: BitterPanda <bitterpanda@proton.me>
Date: Mon, 25 Aug 2025 17:14:02 +0200
Subject: [PATCH 20/24] fix wrong url in quart-postgres-uvicorn e2e test cases

---
 end2end/quart_postgres_uvicorn.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/end2end/quart_postgres_uvicorn.py b/end2end/quart_postgres_uvicorn.py
index 415d0fca1..1263f0348 100644
--- a/end2end/quart_postgres_uvicorn.py
+++ b/end2end/quart_postgres_uvicorn.py
@@ -4,8 +4,8 @@
 
 quart_postgres_uvicorn_app.add_payload(
     "test_sql_injection",
-    safe_request=Request("/app/create", data_type="form", body={"dog_name": "Bobby Tables"}),
-    unsafe_request=Request("/app/create", data_type="form", body={"dog_name": "Dangerous Bobby', TRUE); -- "}),
+    safe_request=Request("/create", data_type="form", body={"dog_name": "Bobby Tables"}),
+    unsafe_request=Request("/create", data_type="form", body={"dog_name": "Dangerous Bobby', TRUE); -- "}),
     test_event={
         "blocked": True,
         "kind": "sql_injection",

From 810a7936df11a9cc5b0ce8f66d676bb35f46df27 Mon Sep 17 00:00:00 2001
From: BitterPanda <bitterpanda@proton.me>
Date: Mon, 25 Aug 2025 17:14:54 +0200
Subject: [PATCH 21/24] flask_mysql_uwsgi fix wrong query

---
 end2end/flask_mysql_uwsgi.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/end2end/flask_mysql_uwsgi.py b/end2end/flask_mysql_uwsgi.py
index c8171c32b..45e2c0a06 100644
--- a/end2end/flask_mysql_uwsgi.py
+++ b/end2end/flask_mysql_uwsgi.py
@@ -11,7 +11,7 @@
         "kind": "sql_injection",
         'metadata': {
             'dialect': 'mysql',
-            'sql': 'INSERT INTO sample_app_dogs (dog_name, dog_boss) VALUES ("Dangerous bobby", 1); -- ", "N/A")'
+            'sql': 'INSERT INTO dogs (dog_name, isAdmin) VALUES ("Dangerous bobby", 1); -- ", 0)',
         },
         'operation': 'MySQLdb.Cursor.execute',
         'pathToPayload': '.dog_name',

From 90f6c3a9c7ce57164dcc01230492fa9d1ebe7ab2 Mon Sep 17 00:00:00 2001
From: BitterPanda <bitterpanda@proton.me>
Date: Mon, 25 Aug 2025 17:21:19 +0200
Subject: [PATCH 22/24] Update assert_equals and test_payloads_safe_vs_unsafe
 to allow 201

---
 end2end/utils/assert_equals.py                | 10 +++++++---
 end2end/utils/test_payloads_safe_vs_unsafe.py |  8 ++++----
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/end2end/utils/assert_equals.py b/end2end/utils/assert_equals.py
index 78fc82d7b..b9cc41ad9 100644
--- a/end2end/utils/assert_equals.py
+++ b/end2end/utils/assert_equals.py
@@ -1,4 +1,8 @@
-def assert_eq(val1, equals, val2=None):
-    assert val1 == equals, f"Assertion failed: Expected {equals} != {val1}"
+def assert_eq(val1, equals=None, val2=None, inside=None):
+    if inside:
+        assert val1 in inside, f"Assertion failed: Expected {val1} in {inside}"
+    else:
+        assert val1 == equals, f"Assertion failed: Expected {equals} != {val1}"
     if val2 is not None:
-        assert val2 == equals, f"Assertion failed: Expected {equals} != {val2}"
+        # Pass along val2 as a val1
+        assert_eq(val2, equals=equals, inside=inside)
diff --git a/end2end/utils/test_payloads_safe_vs_unsafe.py b/end2end/utils/test_payloads_safe_vs_unsafe.py
index ca50c7949..aaa497db7 100644
--- a/end2end/utils/test_payloads_safe_vs_unsafe.py
+++ b/end2end/utils/test_payloads_safe_vs_unsafe.py
@@ -3,11 +3,11 @@
 def test_payloads_safe_vs_unsafe(payloads, urls):
     if payloads["safe"]:
         print("Safe req to : (1) " + urls["enabled"] + payloads["safe"].route)
-        assert_eq(val1=payloads["safe"].execute(urls["enabled"]), equals=200)
+        assert_eq(val1=payloads["safe"].execute(urls["enabled"]), inside=[200, 201])
         print("Safe req to : (0) " + urls["disabled"] + payloads["safe"].route)
-        assert_eq(val1=payloads["safe"].execute(urls["disabled"]), equals=200)
+        assert_eq(val1=payloads["safe"].execute(urls["disabled"]), inside=[200, 201])
     if payloads["unsafe"]:
         print("Unsafe req to : (1) " + urls["enabled"] + payloads["unsafe"].route)
-        assert_eq(val1=payloads["unsafe"].execute(urls["enabled"]), equals=500)
+        assert_eq(val1=payloads["unsafe"].execute(urls["enabled"]), inside=[200, 201])
         print("Unsafe req to : (0) " + urls["disabled"] + payloads["unsafe"].route)
-        assert_eq(val1=payloads["unsafe"].execute(urls["disabled"]), equals=200)
+        assert_eq(val1=payloads["unsafe"].execute(urls["disabled"]), inside=[200, 201])

From afe4ca40fc0336c121e784d2edafa556a00155cc Mon Sep 17 00:00:00 2001
From: BitterPanda <bitterpanda@proton.me>
Date: Mon, 25 Aug 2025 17:22:16 +0200
Subject: [PATCH 23/24] Flask-postgres: fix e2e apps, flaks has .dog_name !=
 .dog_name[0]

---
 end2end/flask_postgres.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/end2end/flask_postgres.py b/end2end/flask_postgres.py
index f63bbaa22..24175af94 100644
--- a/end2end/flask_postgres.py
+++ b/end2end/flask_postgres.py
@@ -14,7 +14,7 @@
             "sql": "INSERT INTO dogs (dog_name, isAdmin) VALUES ('Dangerous Bobby', TRUE); -- ', FALSE)"
         },
         "operation": "psycopg2.Connection.Cursor.execute",
-        "pathToPayload": '.dog_name.[0]',
+        "pathToPayload": '.dog_name',
         "payload": '"Dangerous Bobby\', TRUE); -- "',
         "source": "body",
     }

From 9e59090c8a42b9424c65dfd559bd0f0b6c7d5f62 Mon Sep 17 00:00:00 2001
From: BitterPanda <bitterpanda@proton.me>
Date: Mon, 25 Aug 2025 17:23:00 +0200
Subject: [PATCH 24/24] flask-mongo e2e test case fix: add json.dumps for
 /create

---
 end2end/flask_mongo.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/end2end/flask_mongo.py b/end2end/flask_mongo.py
index 07a6bc630..8669b955a 100644
--- a/end2end/flask_mongo.py
+++ b/end2end/flask_mongo.py
@@ -5,9 +5,9 @@
 flask_mongo_app = App(8094)
 
 def create_test_dog():
-    Request("/create", data_type="form", body={
+    Request("/create", data_type="form", body=json.dumps({
         {"dog_name": "bobby", "pswd": "1234"}
-    }).execute(flask_mongo_app.urls["enabled"])
+    })).execute(flask_mongo_app.urls["enabled"])
 
 flask_mongo_app.add_payload(
     "test_nosql_injection",