From 18590e9ed028ab1d0f10f90443c9d52155d549bb Mon Sep 17 00:00:00 2001
From: "datadog-datadog-prod-us1[bot]" <88084959+datadog-datadog-prod-us1[bot]@users.noreply.github.com>
Date: Mon, 22 Sep 2025 18:42:03 +0000
Subject: [PATCH 1/3] Fix SSRF violations in Django test views
---
 .../django_tests/django_app/views.py | 23 +++++++++++++------
 1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/tests/appsec/integrations/django_tests/django_app/views.py b/tests/appsec/integrations/django_tests/django_app/views.py
index e1340f32969..2ed297781b6 100644
--- a/tests/appsec/integrations/django_tests/django_app/views.py
+++ b/tests/appsec/integrations/django_tests/django_app/views.py
@@ -527,16 +527,22 @@ def unvalidated_redirect_url(request):
 def unvalidated_redirect_url_validator(request):
- value = request.GET.get("url")
- if url_has_allowed_host_and_scheme(value, allowed_hosts={request.get_host()}):
+ value = request.GET.get("url", "")
+ # The user has provided the following additional instructions about how you should make this change:
+ # Sanitize/validate any redirect target derived from request data to avoid SSRF/open redirect.
+ if value and url_has_allowed_host_and_scheme(value, allowed_hosts={request.get_host()}):
 return redirect(value)
- return redirect(value)
+ # Fallback to a safe, local path if the provided URL is not allowed
+ return redirect("/")
 def unvalidated_redirect_path(request):
- value = request.GET.get("url")
+ value = request.GET.get("url", "")
+ # The user has provided the following additional instructions about how you should make this change:
+ # Treat user input strictly as a path segment and percent-encode to prevent host/protocol injection.
 # label unvalidated_redirect_path
- return redirect("http://localhost:8080/" + value)
+ safe_value = quote(value, safe="")
+ return redirect(f"http://localhost:8080/{safe_value}")
 def unvalidated_redirect_safe_source_cookie(request):
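Review bot: The two `# The user has provided the following additional instructions about how you should make this change:` lines added to `unvalidated_redirect_url_validator` and `unvalidated_redirect_path` are prompt text from whatever tool generated the patch, not documentation, and should not be committed; the same line is added in the `unvalidated_redirect_safe_source_header` hunk and survives as context in the third patch. Replace each pair with a one-line rationale a maintainer can use, e.g. `# Reject targets outside this host; fall back to "/" instead of redirecting to the raw value.` for the validator view. These views look like IAST fixtures (the file lives under tests/appsec and each function name describes the vulnerable pattern it exercises), so changing the failing branch of `unvalidated_redirect_url_validator` from `redirect(value)` to `redirect("/")` may alter what the associated test asserts; the third patch reverts `unvalidated_redirect_path` for exactly that reason, and the same check should be made for the validator view before merging. Both functions are complete within the hunk.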
@@ -546,9 +552,12 @@ def unvalidated_redirect_safe_source_cookie(request):
 def unvalidated_redirect_safe_source_header(request):
- value = request.META["url"]
+ value = request.META.get("url", "")
+ # The user has provided the following additional instructions about how you should make this change:
+ # Percent-encode header-derived path components before constructing redirect URLs.
 # label unvalidated_redirect_safe_source_header
- return redirect("http://localhost:8080/" + value)
+ safe_value = quote(value, safe="")
+ return redirect(f"http://localhost:8080/{safe_value}")
 def unvalidated_redirect_path_multiple_sources(request):
From 4f7b2a23ea90c9c6c52b62b5fa09f54a37700021 Mon Sep 17 00:00:00 2001
From: "datadog-official[bot]" <214633350+datadog-official[bot]@users.noreply.github.com>
Date: Mon, 22 Sep 2025 18:49:33 +0000
Subject: [PATCH 2/3] Add release notes for appsec-django SSRF fix
---
 .../notes/tests-appsec-django-ssrf-fix-9f2a1c0c5c.yaml | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 releasenotes/notes/tests-appsec-django-ssrf-fix-9f2a1c0c5c.yaml
diff --git a/releasenotes/notes/tests-appsec-django-ssrf-fix-9f2a1c0c5c.yaml b/releasenotes/notes/tests-appsec-django-ssrf-fix-9f2a1c0c5c.yaml
new file mode 100644
index 00000000000..cef066d88dd
--- /dev/null
+++ b/releasenotes/notes/tests-appsec-django-ssrf-fix-9f2a1c0c5c.yaml
@@ -0,0 +1,4 @@
+---
+other:
+ - |
+ tests(appsec-django): Sanitize redirect targets and encode path segments in Django test views to address SSRF/open-redirect static analysis findings; no user-facing behavior changes.
From 448e55978728c06248d6b4c06b3f00e49e39802b Mon Sep 17 00:00:00 2001
From: "datadog-official[bot]" <214633350+datadog-official[bot]@users.noreply.github.com>
Date: Mon, 22 Sep 2025 19:06:10 +0000
Subject: [PATCH 3/3] Revert to raw value in unvalidated_redirect_path
---
 tests/appsec/integrations/django_tests/django_app/views.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
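Review bot: `quote` is called in `unvalidated_redirect_safe_source_header` (and, in the first hunk, in `unvalidated_redirect_path`) but no hunk in this patch adds an import for it; unless `urllib.parse.quote` is already imported in views.py the view will raise NameError on its first request, and since the third patch removes the other use this hunk is the one that still needs checking. With `safe=""` every `/` in the value is percent-encoded as well, so the header value is always emitted as a single path segment; that matches the stated intent, but a test that expects the raw header value to reach the redirect sink would now see the encoded form, and given this is the "safe source" fixture it is worth confirming the IAST assertion still holds. The `# The user has provided the following additional instructions ...` line here is the same leftover prompt text noted on the first hunk. The function is complete within the hunk.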
diff --git a/tests/appsec/integrations/django_tests/django_app/views.py b/tests/appsec/integrations/django_tests/django_app/views.py
index 2ed297781b6..df079bfc592 100644
--- a/tests/appsec/integrations/django_tests/django_app/views.py
+++ b/tests/appsec/integrations/django_tests/django_app/views.py
@@ -539,10 +539,9 @@ def unvalidated_redirect_url_validator(request):
 def unvalidated_redirect_path(request):
 value = request.GET.get("url", "")
 # The user has provided the following additional instructions about how you should make this change:
- # Treat user input strictly as a path segment and percent-encode to prevent host/protocol injection.
+ # This endpoint is intentionally left using the raw parameter to preserve IAST unvalidated redirect test semantics.
 # label unvalidated_redirect_path
- safe_value = quote(value, safe="")
- return redirect(f"http://localhost:8080/{safe_value}")
+ return redirect("http://localhost:8080/" + value)
 def unvalidated_redirect_safe_source_cookie(request):
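Review bot: The new comment records the right rationale but leaves the stale `# The user has provided the following additional instructions about how you should make this change:` line above it as context, so the fixture now reads as an instruction to a tool rather than a note to maintainers; drop that line and keep a single marker such as `# NOTE: intentionally unvalidated; this view is the IAST fixture for the unvalidated-redirect sink.` The revert also keeps `request.GET.get("url", "")` from the first patch rather than restoring the pre-patch `request.GET.get("url")`, so a request without `url` now redirects to `http://localhost:8080/` instead of failing on `str + None`; presumably harmless for the fixture, but it is a behavior difference from the original worth confirming against the test that keys off `# label unvalidated_redirect_path`. The function is complete within the hunk.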