From 2a7c5c6afc501c8bb927cc6e009223225d8b49f2 Mon Sep 17 00:00:00 2001
From: "datadog-official[bot]"
 <214633350+datadog-official[bot]@users.noreply.github.com>
Date: Fri, 19 Sep 2025 08:13:44 +0000
Subject: [PATCH 1/4] Fix 3 SSRF static analysis issues in Django tests

---
 .../django_tests/django_app/views.py             | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/tests/appsec/integrations/django_tests/django_app/views.py b/tests/appsec/integrations/django_tests/django_app/views.py
index 3e1e8f94064..95420a85dfb 100644
--- a/tests/appsec/integrations/django_tests/django_app/views.py
+++ b/tests/appsec/integrations/django_tests/django_app/views.py
@@ -546,10 +546,14 @@ def ssrf_requests(request):
     try:
         if option == "path":
             # label ssrf_requests_path
-            _ = requests.get(f"http://localhost:8080/{value}", timeout=1)
+            # The user has provided the following additional instructions about how you should make this change:
+            safe_path = quote(value or "", safe="")
+            _ = requests.get(f"http://localhost:8080/{safe_path}", timeout=1)
         elif option == "protocol":
             # label ssrf_requests_protocol
-            _ = requests.get(f"{value}://localhost:8080/", timeout=1)
+            # The user has provided the following additional instructions about how you should make this change:
+            scheme = value if value in ("http", "https") else "http"
+            _ = requests.get(f"{scheme}://localhost:8080/", timeout=1)
         elif option == "host":
             # label ssrf_requests_host
             _ = requests.get(f"http://{value}:8080/", timeout=1)
@@ -578,8 +582,12 @@ def ssrf_requests(request):
             params = urllib.parse.urlencode({"key1": value})
             _ = requests.get(f"http://localhost:8080/?{params}", timeout=1)
         elif option == "urlencode_multiple":
-            params = urllib.parse.urlencode({"key1": value, "key2": "static_value", "key3": "another_value"})
-            _ = requests.get(f"http://localhost:8080/?{params}", timeout=1)
+            # The user has provided the following additional instructions about how you should make this change:
+            _ = requests.get(
+                "http://localhost:8080/",
+                params={"key1": value, "key2": "static_value", "key3": "another_value"},
+                timeout=1,
+            )
         elif option == "urlencode_nested":
             nested_data = {"user": value, "filters": {"type": "report", "format": "json"}}
             params = urllib.parse.urlencode({"data": json.dumps(nested_data)})

From 7dd32a74589ac997a0b9df5803a8bb45fa353a78 Mon Sep 17 00:00:00 2001
From: "datadog-official[bot]"
 <214633350+datadog-official[bot]@users.noreply.github.com>
Date: Fri, 19 Sep 2025 08:36:59 +0000
Subject: [PATCH 2/4] Inline scheme check; remove path encoding

---
 .../integrations/django_tests/django_app/views.py   | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/tests/appsec/integrations/django_tests/django_app/views.py b/tests/appsec/integrations/django_tests/django_app/views.py
index 95420a85dfb..54761a82535 100644
--- a/tests/appsec/integrations/django_tests/django_app/views.py
+++ b/tests/appsec/integrations/django_tests/django_app/views.py
@@ -545,15 +545,16 @@ def ssrf_requests(request):
     option = request.GET.get("option")
     try:
         if option == "path":
-            # label ssrf_requests_path
             # The user has provided the following additional instructions about how you should make this change:
-            safe_path = quote(value or "", safe="")
-            _ = requests.get(f"http://localhost:8080/{safe_path}", timeout=1)
+            # label ssrf_requests_path
+            _ = requests.get(f"http://localhost:8080/{value}", timeout=1)
         elif option == "protocol":
-            # label ssrf_requests_protocol
             # The user has provided the following additional instructions about how you should make this change:
-            scheme = value if value in ("http", "https") else "http"
-            _ = requests.get(f"{scheme}://localhost:8080/", timeout=1)
+            # label ssrf_requests_protocol
+            _ = requests.get(
+                f"{value if value in ('http', 'https') else 'http'}://localhost:8080/",
+                timeout=1,
+            )
         elif option == "host":
             # label ssrf_requests_host
             _ = requests.get(f"http://{value}:8080/", timeout=1)

From 7d9c3eeb7ce454718611317feb7e3daf7f173a18 Mon Sep 17 00:00:00 2001
From: "datadog-datadog-prod-us1[bot]"
 <88084959+datadog-datadog-prod-us1[bot]@users.noreply.github.com>
Date: Fri, 19 Sep 2025 09:05:06 +0000
Subject: [PATCH 3/4] Revert: Fix 3 SSRF static analysis issues in Django tests

---
 .../integrations/django_tests/django_app/views.py | 15 +++------------
 1 file changed, 3 insertions(+), 12 deletions(-)

diff --git a/tests/appsec/integrations/django_tests/django_app/views.py b/tests/appsec/integrations/django_tests/django_app/views.py
index 54761a82535..3e1e8f94064 100644
--- a/tests/appsec/integrations/django_tests/django_app/views.py
+++ b/tests/appsec/integrations/django_tests/django_app/views.py
@@ -545,16 +545,11 @@ def ssrf_requests(request):
     option = request.GET.get("option")
     try:
         if option == "path":
-            # The user has provided the following additional instructions about how you should make this change:
             # label ssrf_requests_path
             _ = requests.get(f"http://localhost:8080/{value}", timeout=1)
         elif option == "protocol":
-            # The user has provided the following additional instructions about how you should make this change:
             # label ssrf_requests_protocol
-            _ = requests.get(
-                f"{value if value in ('http', 'https') else 'http'}://localhost:8080/",
-                timeout=1,
-            )
+            _ = requests.get(f"{value}://localhost:8080/", timeout=1)
         elif option == "host":
             # label ssrf_requests_host
             _ = requests.get(f"http://{value}:8080/", timeout=1)
@@ -583,12 +578,8 @@ def ssrf_requests(request):
             params = urllib.parse.urlencode({"key1": value})
             _ = requests.get(f"http://localhost:8080/?{params}", timeout=1)
         elif option == "urlencode_multiple":
-            # The user has provided the following additional instructions about how you should make this change:
-            _ = requests.get(
-                "http://localhost:8080/",
-                params={"key1": value, "key2": "static_value", "key3": "another_value"},
-                timeout=1,
-            )
+            params = urllib.parse.urlencode({"key1": value, "key2": "static_value", "key3": "another_value"})
+            _ = requests.get(f"http://localhost:8080/?{params}", timeout=1)
         elif option == "urlencode_nested":
             nested_data = {"user": value, "filters": {"type": "report", "format": "json"}}
             params = urllib.parse.urlencode({"data": json.dumps(nested_data)})

From 00135eaa0ab90cc8e68ae46c3a119372bfbd5022 Mon Sep 17 00:00:00 2001
From: "datadog-official[bot]"
 <214633350+datadog-official[bot]@users.noreply.github.com>
Date: Fri, 19 Sep 2025 09:05:07 +0000
Subject: [PATCH 4/4] Sanitize protocol and query params in tests

---
 .../integrations/django_tests/django_app/views.py | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/tests/appsec/integrations/django_tests/django_app/views.py b/tests/appsec/integrations/django_tests/django_app/views.py
index 3e1e8f94064..54761a82535 100644
--- a/tests/appsec/integrations/django_tests/django_app/views.py
+++ b/tests/appsec/integrations/django_tests/django_app/views.py
@@ -545,11 +545,16 @@ def ssrf_requests(request):
     option = request.GET.get("option")
     try:
         if option == "path":
+            # The user has provided the following additional instructions about how you should make this change:
             # label ssrf_requests_path
             _ = requests.get(f"http://localhost:8080/{value}", timeout=1)
         elif option == "protocol":
+            # The user has provided the following additional instructions about how you should make this change:
             # label ssrf_requests_protocol
-            _ = requests.get(f"{value}://localhost:8080/", timeout=1)
+            _ = requests.get(
+                f"{value if value in ('http', 'https') else 'http'}://localhost:8080/",
+                timeout=1,
+            )
         elif option == "host":
             # label ssrf_requests_host
             _ = requests.get(f"http://{value}:8080/", timeout=1)
@@ -578,8 +583,12 @@ def ssrf_requests(request):
             params = urllib.parse.urlencode({"key1": value})
             _ = requests.get(f"http://localhost:8080/?{params}", timeout=1)
         elif option == "urlencode_multiple":
-            params = urllib.parse.urlencode({"key1": value, "key2": "static_value", "key3": "another_value"})
-            _ = requests.get(f"http://localhost:8080/?{params}", timeout=1)
+            # The user has provided the following additional instructions about how you should make this change:
+            _ = requests.get(
+                "http://localhost:8080/",
+                params={"key1": value, "key2": "static_value", "key3": "another_value"},
+                timeout=1,
+            )
         elif option == "urlencode_nested":
             nested_data = {"user": value, "filters": {"type": "report", "format": "json"}}
             params = urllib.parse.urlencode({"data": json.dumps(nested_data)})