Python: django.http.response.HttpResponseRedirect

2026-05-05 05:35:13 +02:00 · 2020-10-30 01:29:49 +01:00
parent 52be896666
commit 08af839757
2 changed files with 76 additions and 6 deletions
--- a/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py
+++ b/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py
@@ -16,13 +16,14 @@ def safe__manual_content_type(request):
    return HttpResponse('<img src="0" onerror="alert(1)">', content_type="text/plain")  # $HttpResponse $mimetype=text/plain $responseBody='<img src="0" onerror="alert(1)">'

 # XSS FP reported in https://github.com/github/codeql/issues/3466
-# Note: This should be a open-redirect sink, but not a XSS sink.
+# Note: This should be an open-redirect sink, but not an XSS sink.
 def or__redirect(request):
-    return HttpResponseRedirect(request.GET.get("next"))  # f-:HttpResponse
+    return HttpResponseRedirect(request.GET.get("next"))  # $HttpResponse $mimetype=text/html; charset=utf-8 $responseBody=Attribute()
+
 # Ensure that simple subclasses are still vuln to XSS
 def xss__not_found(request):
-    return HttpResponseNotFound(request.GET.get("name"))  # f-:HttpResponse
+    return HttpResponseNotFound(request.GET.get("name"))  # $f-:HttpResponse

-# Ensure we still have a XSS sink when manually setting the content_type to HTML
+# Ensure we still have an XSS sink when manually setting the content_type to HTML
 def xss__manual_response_type(request):
    return HttpResponse(request.GET.get("name"), content_type="text/html; charset=utf-8")  # $HttpResponse $mimetype=text/html $responseBody=Attribute()