hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-05 21:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' of github.com:github/codeql into python/promote-xpath-injection

Browse Source
This commit is contained in:
Rasmus Lerchedahl Petersen
2022-03-02 13:14:08 +01:00
parent ee45e79948 3681a1b736
commit 143e9ee954
1234 changed files with 113662 additions and 51952 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
python/ql/test/library-tests/frameworks/simplejson/taint_test.py
View File

@@ -17,22 +17,22 @@ def test():
# load/dump with file-like
tainted_filelike = StringIO()
simplejson.dump(tainted_obj, tainted_filelike) # $ encodeFormat=JSON encodeInput=tainted_obj
simplejson.dump(tainted_obj, tainted_filelike) # $ encodeFormat=JSON encodeInput=tainted_obj encodeOutput=[post]tainted_filelike
tainted_filelike.seek(0)
ensure_tainted(
tainted_filelike, # $ MISSING: tainted
simplejson.load(tainted_filelike), # $ decodeOutput=simplejson.load(..) decodeFormat=JSON decodeInput=tainted_filelike MISSING: tainted
tainted_filelike, # $ tainted
simplejson.load(tainted_filelike), # $ tainted decodeOutput=simplejson.load(..) decodeFormat=JSON decodeInput=tainted_filelike
)
# load/dump with file-like using keyword-args
tainted_filelike = StringIO()
simplejson.dump(obj=tainted_obj, fp=tainted_filelike) # $ encodeFormat=JSON encodeInput=tainted_obj
simplejson.dump(obj=tainted_obj, fp=tainted_filelike) # $ encodeFormat=JSON encodeInput=tainted_obj encodeOutput=[post]tainted_filelike
tainted_filelike.seek(0)
ensure_tainted(
tainted_filelike, # $ MISSING: tainted
simplejson.load(fp=tainted_filelike), # $ decodeOutput=simplejson.load(..) decodeFormat=JSON decodeInput=tainted_filelike MISSING: tainted
tainted_filelike, # $ tainted
simplejson.load(fp=tainted_filelike), # $ tainted decodeOutput=simplejson.load(..) decodeFormat=JSON decodeInput=tainted_filelike
)
# To make things runable

6
python/ql/test/library-tests/frameworks/ujson/taint_test.py
View File

@@ -22,12 +22,12 @@ def test():
# load/dump with file-like
tainted_filelike = StringIO()
ujson.dump(tainted_obj, tainted_filelike) # $ encodeFormat=JSON encodeInput=tainted_obj
ujson.dump(tainted_obj, tainted_filelike) # $ encodeFormat=JSON encodeInput=tainted_obj encodeOutput=[post]tainted_filelike
tainted_filelike.seek(0)
ensure_tainted(
tainted_filelike, # $ MISSING: tainted
ujson.load(tainted_filelike), # $ decodeOutput=ujson.load(..) decodeFormat=JSON decodeInput=tainted_filelike MISSING: tainted
tainted_filelike, # $ tainted
ujson.load(tainted_filelike), # $ tainted decodeOutput=ujson.load(..) decodeFormat=JSON decodeInput=tainted_filelike
)
# load/dump with file-like using keyword-args does not work in `ujson`