Merge branch 'main' into redsun82/python-match-fps

2026-04-26 17:25:19 +02:00 · 2024-11-07 09:46:32 +01:00
parent daea773fce 07bb60da92
commit 147d66b587
10547 changed files with 616588 additions and 200080 deletions
--- a/python/ql/test/query-tests/Imports/unused/UnusedImport.expected
+++ b/python/ql/test/query-tests/Imports/unused/UnusedImport.expected
@@ -5,3 +5,4 @@
 | imports_test.py:10:1:10:22 | Import | Import of 'top_level_cycle' is not used. |
 | imports_test.py:27:1:27:25 | Import | Import of 'func2' is not used. |
 | imports_test.py:34:1:34:14 | Import | Import of 'module2' is not used. |
+| imports_test.py:116:1:116:41 | Import | Import of 'not_a_fixture' is not used. |
--- a/python/ql/test/query-tests/Imports/unused/imports_test.py
+++ b/python/ql/test/query-tests/Imports/unused/imports_test.py
@@ -111,3 +111,8 @@ import subexpression_return_type

 def baz() -> Optional['subexpression_return_type']:
    pass
+
+
+from pytest_fixtures import not_a_fixture  # BAD
+from pytest_fixtures import fixture, wrapped_fixture  # GOOD (pytest fixtures are used implicitly by pytest)
+from pytest_fixtures import session_fixture, wrapped_autouse_fixture  # GOOD (pytest fixtures are used implicitly by pytest)
--- a/python/ql/test/query-tests/Imports/unused/pytest_fixtures.py
+++ b/python/ql/test/query-tests/Imports/unused/pytest_fixtures.py
@@ -0,0 +1,34 @@
+import pytest
+
+
+@pytest.fixture
+def fixture():
+    pass
+
+def fixture_wrapper():
+    @pytest.fixture
+    def delegate():
+        pass
+    return delegate
+
+@fixture_wrapper
+def wrapped_fixture():
+    pass
+
+
+@pytest.fixture(scope='session')
+def session_fixture():
+    pass
+
+def not_a_fixture():
+    pass
+
+def another_fixture_wrapper():
+    @pytest.fixture(autouse=True)
+    def delegate():
+        pass
+    return delegate
+
+@another_fixture_wrapper
+def wrapped_autouse_fixture():
+    pass
--- a/python/ql/test/query-tests/Numerics/Pythagorean.qlref
+++ b/python/ql/test/query-tests/Numerics/Pythagorean.qlref
@@ -1 +1,2 @@
-Numerics/Pythagorean.ql
+query: Numerics/Pythagorean.ql
+postprocess: TestUtilities/InlineExpectationsTestQuery.ql
--- a/python/ql/test/query-tests/Numerics/pythagorean_test.py
+++ b/python/ql/test/query-tests/Numerics/pythagorean_test.py
@@ -3,12 +3,12 @@
 from math import sqrt

 def withPow(a, b):
-    return sqrt(a**2 + b**2)
+    return sqrt(a**2 + b**2) # $ Alert

 def withMul(a, b):
-    return sqrt(a*a + b*b)
+    return sqrt(a*a + b*b) # $ Alert

 def withRef(a, b):
    a2 = a**2
    b2 = b*b
-    return sqrt(a2 + b2)
+    return sqrt(a2 + b2) # $ Alert
--- a/python/ql/test/query-tests/Security/CWE-020-CookieInjection/CookieInjection.expected
+++ b/python/ql/test/query-tests/Security/CWE-020-CookieInjection/CookieInjection.expected
@@ -0,0 +1,28 @@
+edges
+| django_tests.py:4:25:4:31 | ControlFlowNode for request | django_tests.py:6:21:6:31 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
+| django_tests.py:4:25:4:31 | ControlFlowNode for request | django_tests.py:7:21:7:31 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
+| django_tests.py:6:21:6:31 | ControlFlowNode for Attribute | django_tests.py:6:21:6:43 | ControlFlowNode for Attribute() | provenance | dict.get |
+| django_tests.py:7:21:7:31 | ControlFlowNode for Attribute | django_tests.py:7:21:7:44 | ControlFlowNode for Attribute() | provenance | dict.get |
+| django_tests.py:11:26:11:32 | ControlFlowNode for request | django_tests.py:13:33:13:43 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
+| django_tests.py:11:26:11:32 | ControlFlowNode for request | django_tests.py:13:59:13:69 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
+| django_tests.py:13:33:13:43 | ControlFlowNode for Attribute | django_tests.py:13:33:13:55 | ControlFlowNode for Attribute() | provenance | dict.get |
+| django_tests.py:13:33:13:55 | ControlFlowNode for Attribute() | django_tests.py:13:30:13:100 | ControlFlowNode for Fstring | provenance |  |
+| django_tests.py:13:59:13:69 | ControlFlowNode for Attribute | django_tests.py:13:59:13:82 | ControlFlowNode for Attribute() | provenance | dict.get |
+| django_tests.py:13:59:13:82 | ControlFlowNode for Attribute() | django_tests.py:13:30:13:100 | ControlFlowNode for Fstring | provenance |  |
+nodes
+| django_tests.py:4:25:4:31 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| django_tests.py:6:21:6:31 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| django_tests.py:6:21:6:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| django_tests.py:7:21:7:31 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| django_tests.py:7:21:7:44 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| django_tests.py:11:26:11:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| django_tests.py:13:30:13:100 | ControlFlowNode for Fstring | semmle.label | ControlFlowNode for Fstring |
+| django_tests.py:13:33:13:43 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| django_tests.py:13:33:13:55 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| django_tests.py:13:59:13:69 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| django_tests.py:13:59:13:82 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+subpaths
+#select
+| django_tests.py:6:21:6:43 | ControlFlowNode for Attribute() | django_tests.py:4:25:4:31 | ControlFlowNode for request | django_tests.py:6:21:6:43 | ControlFlowNode for Attribute() | Cookie is constructed from a $@. | django_tests.py:4:25:4:31 | ControlFlowNode for request | user-supplied input |
+| django_tests.py:7:21:7:44 | ControlFlowNode for Attribute() | django_tests.py:4:25:4:31 | ControlFlowNode for request | django_tests.py:7:21:7:44 | ControlFlowNode for Attribute() | Cookie is constructed from a $@. | django_tests.py:4:25:4:31 | ControlFlowNode for request | user-supplied input |
+| django_tests.py:13:30:13:100 | ControlFlowNode for Fstring | django_tests.py:11:26:11:32 | ControlFlowNode for request | django_tests.py:13:30:13:100 | ControlFlowNode for Fstring | Cookie is constructed from a $@. | django_tests.py:11:26:11:32 | ControlFlowNode for request | user-supplied input |
--- a/python/ql/test/query-tests/Security/CWE-020-CookieInjection/CookieInjection.qlref
+++ b/python/ql/test/query-tests/Security/CWE-020-CookieInjection/CookieInjection.qlref
@@ -0,0 +1 @@
+Security/CWE-020/CookieInjection.ql
--- a/python/ql/test/query-tests/Security/CWE-020-CookieInjection/django_tests.py
+++ b/python/ql/test/query-tests/Security/CWE-020-CookieInjection/django_tests.py
@@ -0,0 +1,20 @@
+import django.http
+from django.urls import path
+
+def django_response_bad(request):
+    resp = django.http.HttpResponse()
+    resp.set_cookie(request.GET.get("name"), # BAD: Cookie is constructed from user input
+                    request.GET.get("value"))
+    return resp
+
+
+def django_response_bad2(request):
+    response = django.http.HttpResponse()
+    response['Set-Cookie'] = f"{request.GET.get('name')}={request.GET.get('value')}; SameSite=None;" # BAD: Cookie header is constructed from user input.
+    return response
+
+# fake setup, you can't actually run this
+urlpatterns = [
+    path("response_bad", django_response_bad),
+    path("response_bd2", django_response_bad2)
+]
--- a/python/ql/test/query-tests/Security/CWE-022-TarSlip/tarslip.py
+++ b/python/ql/test/query-tests/Security/CWE-022-TarSlip/tarslip.py
@@ -46,7 +46,7 @@ tar.extractall(members=tar)
 #Sanitize members
 def safemembers(members):
    for info in members:
-        if badpath(info):
+        if os.path.isabs(info.name) or ".." in info.name:
            raise
        yield info

--- a/python/ql/test/query-tests/Security/CWE-089-SqlInjection-local-threat-model/SqlInjection.expected
+++ b/python/ql/test/query-tests/Security/CWE-089-SqlInjection-local-threat-model/SqlInjection.expected
@@ -0,0 +1,8 @@
+edges
+| test.py:6:14:6:21 | ControlFlowNode for Attribute | test.py:6:14:6:24 | ControlFlowNode for Subscript | provenance | Src:MaD:17  |
+nodes
+| test.py:6:14:6:21 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| test.py:6:14:6:24 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+subpaths
+#select
+| test.py:6:14:6:24 | ControlFlowNode for Subscript | test.py:6:14:6:21 | ControlFlowNode for Attribute | test.py:6:14:6:24 | ControlFlowNode for Subscript | This SQL query depends on a $@. | test.py:6:14:6:21 | ControlFlowNode for Attribute | user-provided value |
--- a/python/ql/test/query-tests/Security/CWE-089-SqlInjection-local-threat-model/SqlInjection.ext.yml
+++ b/python/ql/test/query-tests/Security/CWE-089-SqlInjection-local-threat-model/SqlInjection.ext.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]
--- a/python/ql/test/query-tests/Security/CWE-089-SqlInjection-local-threat-model/SqlInjection.qlref
+++ b/python/ql/test/query-tests/Security/CWE-089-SqlInjection-local-threat-model/SqlInjection.qlref
@@ -0,0 +1 @@
+Security/CWE-089/SqlInjection.ql
--- a/python/ql/test/query-tests/Security/CWE-089-SqlInjection-local-threat-model/test.py
+++ b/python/ql/test/query-tests/Security/CWE-089-SqlInjection-local-threat-model/test.py
@@ -0,0 +1,6 @@
+# test that enabling local threat-model works end-to-end
+import sys
+import psycopg
+
+conn = psycopg.connect(...)
+conn.execute(sys.argv[1])
--- a/python/ql/test/query-tests/Security/CWE-094-CodeInjection/CodeInjection.qlref
+++ b/python/ql/test/query-tests/Security/CWE-094-CodeInjection/CodeInjection.qlref
@@ -1 +1,2 @@
-Security/CWE-094/CodeInjection.ql
+query: Security/CWE-094/CodeInjection.ql
+postprocess: TestUtilities/InlineExpectationsTestQuery.ql
--- a/python/ql/test/query-tests/Security/CWE-094-CodeInjection/code_injection.py
+++ b/python/ql/test/query-tests/Security/CWE-094-CodeInjection/code_injection.py
@@ -1,13 +1,13 @@
-from flask import Flask, request
+from flask import Flask, request # $ Source=flask
 app = Flask(__name__)

@app.route("/code-execution")
 def code_execution():
    code = request.args.get("code")
-    exec(code) # NOT OK
-    eval(code) # NOT OK
+    exec(code) # $ Alert=flask
+    eval(code) # $ Alert=flask
    cmd = compile(code, "<filename>", "exec")
-    exec(cmd) # NOT OK
+    exec(cmd) # $ Alert=flask


@app.route("/safe-code-execution")
@@ -18,5 +18,5 @@ def code_execution():
    obj_name = request.args.get("obj")
    if obj_name == "foo" or obj_name == "bar":
        # TODO: Should not alert on this
-        obj = eval(obj_name) # OK
+        obj = eval(obj_name) # $ SPURIOUS: Alert=flask
        print(obj, obj*10)
--- a/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/CleartextLogging.expected
+++ b/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/CleartextLogging.expected
@@ -30,7 +30,6 @@ nodes
 | test.py:23:58:23:65 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
 | test.py:27:40:27:47 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
 | test.py:30:58:30:65 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
-| test.py:34:30:34:39 | ControlFlowNode for get_cert() | semmle.label | ControlFlowNode for get_cert() |
 | test.py:37:11:37:24 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() |
 | test.py:39:22:39:35 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() |
 | test.py:40:22:40:35 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() |
@@ -73,7 +72,6 @@ subpaths
 | test.py:23:58:23:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:23:58:23:65 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) |
 | test.py:27:40:27:47 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:27:40:27:47 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) |
 | test.py:30:58:30:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:30:58:30:65 | ControlFlowNode for password | This expression logs $@ as clear text. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) |
-| test.py:34:30:34:39 | ControlFlowNode for get_cert() | test.py:34:30:34:39 | ControlFlowNode for get_cert() | test.py:34:30:34:39 | ControlFlowNode for get_cert() | This expression logs $@ as clear text. | test.py:34:30:34:39 | ControlFlowNode for get_cert() | sensitive data (certificate) |
 | test.py:37:11:37:24 | ControlFlowNode for get_password() | test.py:37:11:37:24 | ControlFlowNode for get_password() | test.py:37:11:37:24 | ControlFlowNode for get_password() | This expression logs $@ as clear text. | test.py:37:11:37:24 | ControlFlowNode for get_password() | sensitive data (password) |
 | test.py:39:22:39:35 | ControlFlowNode for get_password() | test.py:39:22:39:35 | ControlFlowNode for get_password() | test.py:39:22:39:35 | ControlFlowNode for get_password() | This expression logs $@ as clear text. | test.py:39:22:39:35 | ControlFlowNode for get_password() | sensitive data (password) |
 | test.py:40:22:40:35 | ControlFlowNode for get_password() | test.py:40:22:40:35 | ControlFlowNode for get_password() | test.py:40:22:40:35 | ControlFlowNode for get_password() | This expression logs $@ as clear text. | test.py:40:22:40:35 | ControlFlowNode for get_password() | sensitive data (password) |
--- a/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/test.py
+++ b/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/test.py
@@ -31,7 +31,7 @@ def log_password():


 def log_cert():
-    logging.debug("Cert=%s", get_cert()) # NOT OK
+    logging.debug("Cert=%s", get_cert()) # OK

 def print_password():
    print(get_password()) # NOT OK
@@ -52,8 +52,8 @@ def log_private():
        print(passportNo) # NOT OK

    def log2(post_code, zipCode, home_address):
-        print(post_code) # NOT OK, but NOT FOUND - "code" is treated as enxrypted and thus not sensitive
-        print(zipCode) # NOT OK, but NOT FOUND - "code" is treated as enxrypted and thus not sensitive
+        print(post_code) # NOT OK, but NOT FOUND - "code" is treated as encrypted and thus not sensitive
+        print(zipCode) # NOT OK, but NOT FOUND - "code" is treated as encrypted and thus not sensitive
        print(home_address) # NOT OK

    def log3(user_latitude, user_longitude):
--- a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.expected
+++ b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.expected
@@ -1,16 +1,16 @@
 edges
-| test.py:9:5:9:8 | ControlFlowNode for cert | test.py:12:21:12:24 | ControlFlowNode for cert | provenance |  |
-| test.py:9:5:9:8 | ControlFlowNode for cert | test.py:13:22:13:41 | ControlFlowNode for Attribute() | provenance |  |
-| test.py:9:5:9:8 | ControlFlowNode for cert | test.py:15:26:15:29 | ControlFlowNode for cert | provenance |  |
-| test.py:9:12:9:21 | ControlFlowNode for get_cert() | test.py:9:5:9:8 | ControlFlowNode for cert | provenance |  |
+| test.py:9:5:9:12 | ControlFlowNode for password | test.py:12:21:12:28 | ControlFlowNode for password | provenance |  |
+| test.py:9:5:9:12 | ControlFlowNode for password | test.py:13:22:13:45 | ControlFlowNode for Attribute() | provenance |  |
+| test.py:9:5:9:12 | ControlFlowNode for password | test.py:15:26:15:33 | ControlFlowNode for password | provenance |  |
+| test.py:9:16:9:29 | ControlFlowNode for get_password() | test.py:9:5:9:12 | ControlFlowNode for password | provenance |  |
 nodes
-| test.py:9:5:9:8 | ControlFlowNode for cert | semmle.label | ControlFlowNode for cert |
-| test.py:9:12:9:21 | ControlFlowNode for get_cert() | semmle.label | ControlFlowNode for get_cert() |
-| test.py:12:21:12:24 | ControlFlowNode for cert | semmle.label | ControlFlowNode for cert |
-| test.py:13:22:13:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| test.py:15:26:15:29 | ControlFlowNode for cert | semmle.label | ControlFlowNode for cert |
+| test.py:9:5:9:12 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
+| test.py:9:16:9:29 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() |
+| test.py:12:21:12:28 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
+| test.py:13:22:13:45 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| test.py:15:26:15:33 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
 subpaths
 #select
-| test.py:12:21:12:24 | ControlFlowNode for cert | test.py:9:12:9:21 | ControlFlowNode for get_cert() | test.py:12:21:12:24 | ControlFlowNode for cert | This expression stores $@ as clear text. | test.py:9:12:9:21 | ControlFlowNode for get_cert() | sensitive data (certificate) |
-| test.py:13:22:13:41 | ControlFlowNode for Attribute() | test.py:9:12:9:21 | ControlFlowNode for get_cert() | test.py:13:22:13:41 | ControlFlowNode for Attribute() | This expression stores $@ as clear text. | test.py:9:12:9:21 | ControlFlowNode for get_cert() | sensitive data (certificate) |
-| test.py:15:26:15:29 | ControlFlowNode for cert | test.py:9:12:9:21 | ControlFlowNode for get_cert() | test.py:15:26:15:29 | ControlFlowNode for cert | This expression stores $@ as clear text. | test.py:9:12:9:21 | ControlFlowNode for get_cert() | sensitive data (certificate) |
+| test.py:12:21:12:28 | ControlFlowNode for password | test.py:9:16:9:29 | ControlFlowNode for get_password() | test.py:12:21:12:28 | ControlFlowNode for password | This expression stores $@ as clear text. | test.py:9:16:9:29 | ControlFlowNode for get_password() | sensitive data (password) |
+| test.py:13:22:13:45 | ControlFlowNode for Attribute() | test.py:9:16:9:29 | ControlFlowNode for get_password() | test.py:13:22:13:45 | ControlFlowNode for Attribute() | This expression stores $@ as clear text. | test.py:9:16:9:29 | ControlFlowNode for get_password() | sensitive data (password) |
+| test.py:15:26:15:33 | ControlFlowNode for password | test.py:9:16:9:29 | ControlFlowNode for get_password() | test.py:15:26:15:33 | ControlFlowNode for password | This expression stores $@ as clear text. | test.py:9:16:9:29 | ControlFlowNode for get_password() | sensitive data (password) |
--- a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/test.py
+++ b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/test.py
@@ -1,15 +1,15 @@
 import pathlib


-def get_cert():
-    return "<CERT>"
+def get_password():
+    return "password"


 def write_password(filename):
-    cert = get_cert()
+    password = get_password()

    path = pathlib.Path(filename)
-    path.write_text(cert) # NOT OK
-    path.write_bytes(cert.encode("utf-8")) # NOT OK
+    path.write_text(password) # NOT OK
+    path.write_bytes(password.encode("utf-8")) # NOT OK

-    path.open("w").write(cert) # NOT OK
+    path.open("w").write(password) # NOT OK
--- a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/CleartextStorage.expected
+++ b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/CleartextStorage.expected
@@ -3,10 +3,10 @@ edges
 | password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | password_in_cookie.py:7:5:7:12 | ControlFlowNode for password | provenance |  |
 | password_in_cookie.py:14:5:14:12 | ControlFlowNode for password | password_in_cookie.py:16:33:16:40 | ControlFlowNode for password | provenance |  |
 | password_in_cookie.py:14:16:14:43 | ControlFlowNode for Attribute() | password_in_cookie.py:14:5:14:12 | ControlFlowNode for password | provenance |  |
-| test.py:6:5:6:8 | ControlFlowNode for cert | test.py:8:20:8:23 | ControlFlowNode for cert | provenance |  |
-| test.py:6:5:6:8 | ControlFlowNode for cert | test.py:9:9:9:13 | ControlFlowNode for lines | provenance |  |
-| test.py:6:12:6:21 | ControlFlowNode for get_cert() | test.py:6:5:6:8 | ControlFlowNode for cert | provenance |  |
-| test.py:9:9:9:13 | ControlFlowNode for lines | test.py:10:25:10:29 | ControlFlowNode for lines | provenance |  |
+| test.py:15:5:15:12 | ControlFlowNode for password | test.py:17:20:17:27 | ControlFlowNode for password | provenance |  |
+| test.py:15:5:15:12 | ControlFlowNode for password | test.py:18:9:18:13 | ControlFlowNode for lines | provenance |  |
+| test.py:15:16:15:29 | ControlFlowNode for get_password() | test.py:15:5:15:12 | ControlFlowNode for password | provenance |  |
+| test.py:18:9:18:13 | ControlFlowNode for lines | test.py:19:25:19:29 | ControlFlowNode for lines | provenance |  |
 nodes
 | password_in_cookie.py:7:5:7:12 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
 | password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
@@ -14,14 +14,14 @@ nodes
 | password_in_cookie.py:14:5:14:12 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
 | password_in_cookie.py:14:16:14:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | password_in_cookie.py:16:33:16:40 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
-| test.py:6:5:6:8 | ControlFlowNode for cert | semmle.label | ControlFlowNode for cert |
-| test.py:6:12:6:21 | ControlFlowNode for get_cert() | semmle.label | ControlFlowNode for get_cert() |
-| test.py:8:20:8:23 | ControlFlowNode for cert | semmle.label | ControlFlowNode for cert |
-| test.py:9:9:9:13 | ControlFlowNode for lines | semmle.label | ControlFlowNode for lines |
-| test.py:10:25:10:29 | ControlFlowNode for lines | semmle.label | ControlFlowNode for lines |
+| test.py:15:5:15:12 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
+| test.py:15:16:15:29 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() |
+| test.py:17:20:17:27 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
+| test.py:18:9:18:13 | ControlFlowNode for lines | semmle.label | ControlFlowNode for lines |
+| test.py:19:25:19:29 | ControlFlowNode for lines | semmle.label | ControlFlowNode for lines |
 subpaths
 #select
 | password_in_cookie.py:9:33:9:40 | ControlFlowNode for password | password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | password_in_cookie.py:9:33:9:40 | ControlFlowNode for password | This expression stores $@ as clear text. | password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | sensitive data (password) |
 | password_in_cookie.py:16:33:16:40 | ControlFlowNode for password | password_in_cookie.py:14:16:14:43 | ControlFlowNode for Attribute() | password_in_cookie.py:16:33:16:40 | ControlFlowNode for password | This expression stores $@ as clear text. | password_in_cookie.py:14:16:14:43 | ControlFlowNode for Attribute() | sensitive data (password) |
-| test.py:8:20:8:23 | ControlFlowNode for cert | test.py:6:12:6:21 | ControlFlowNode for get_cert() | test.py:8:20:8:23 | ControlFlowNode for cert | This expression stores $@ as clear text. | test.py:6:12:6:21 | ControlFlowNode for get_cert() | sensitive data (certificate) |
-| test.py:10:25:10:29 | ControlFlowNode for lines | test.py:6:12:6:21 | ControlFlowNode for get_cert() | test.py:10:25:10:29 | ControlFlowNode for lines | This expression stores $@ as clear text. | test.py:6:12:6:21 | ControlFlowNode for get_cert() | sensitive data (certificate) |
+| test.py:17:20:17:27 | ControlFlowNode for password | test.py:15:16:15:29 | ControlFlowNode for get_password() | test.py:17:20:17:27 | ControlFlowNode for password | This expression stores $@ as clear text. | test.py:15:16:15:29 | ControlFlowNode for get_password() | sensitive data (password) |
+| test.py:19:25:19:29 | ControlFlowNode for lines | test.py:15:16:15:29 | ControlFlowNode for get_password() | test.py:19:25:19:29 | ControlFlowNode for lines | This expression stores $@ as clear text. | test.py:15:16:15:29 | ControlFlowNode for get_password() | sensitive data (password) |
--- a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/test.py
+++ b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/test.py
@@ -1,12 +1,21 @@
 def get_cert():
    return "<CERT>"

+def get_password():
+    return "password"

 def write_cert(filename):
    cert = get_cert()
    with open(filename, "w") as file:
-        file.write(cert) # NOT OK
+        file.write(cert) # OK
        lines = [cert + "\n"]
+        file.writelines(lines) # OK
+
+def write_password(filename):
+    password = get_password()
+    with open(filename, "w") as file:
+        file.write(password) # NOT OK
+        lines = [password + "\n"]
        file.writelines(lines) # NOT OK

 def FPs():
--- a/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/InsecureCookie.expected
+++ b/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/InsecureCookie.expected
@@ -0,0 +1,10 @@
+| test.py:10:5:10:37 | ControlFlowNode for Attribute() | Cookie is added without the Secure and HttpOnly attributes properly set. |
+| test.py:11:5:11:50 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
+| test.py:12:5:12:52 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
+| test.py:13:5:13:56 | ControlFlowNode for Attribute() | Cookie is added without the Secure and HttpOnly attributes properly set. |
+| test.py:14:5:14:53 | ControlFlowNode for Attribute() | Cookie is added without the Secure and HttpOnly attributes properly set. |
+| test.py:15:5:15:54 | ControlFlowNode for Attribute() | Cookie is added without the Secure, HttpOnly, and SameSite attributes properly set. |
+| test.py:16:5:16:69 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly attribute properly set. |
+| test.py:17:5:17:71 | ControlFlowNode for Attribute() | Cookie is added without the Secure attribute properly set. |
+| test.py:18:5:18:67 | ControlFlowNode for Attribute() | Cookie is added without the HttpOnly and SameSite attributes properly set. |
+| test.py:19:5:19:69 | ControlFlowNode for Attribute() | Cookie is added without the Secure and SameSite attributes properly set. |
--- a/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/InsecureCookie.qlref
+++ b/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/InsecureCookie.qlref
@@ -0,0 +1 @@
+Security/CWE-614/InsecureCookie.ql
--- a/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/test.py
+++ b/python/ql/test/query-tests/Security/CWE-614-InsecureCookie/test.py
@@ -0,0 +1,20 @@
+from flask import Flask, request, make_response
+import lxml.etree
+import markupsafe
+
+app = Flask(__name__)
+
+@app.route("/test")
+def test():
+    resp = make_response()
+    resp.set_cookie("key1", "value1")
+    resp.set_cookie("key2", "value2", secure=True)
+    resp.set_cookie("key2", "value2", httponly=True)
+    resp.set_cookie("key2", "value2", samesite="Strict")
+    resp.set_cookie("key2", "value2", samesite="Lax")
+    resp.set_cookie("key2", "value2", samesite="None")
+    resp.set_cookie("key2", "value2", secure=True, samesite="Strict")
+    resp.set_cookie("key2", "value2", httponly=True, samesite="Strict")
+    resp.set_cookie("key2", "value2", secure=True, samesite="None")
+    resp.set_cookie("key2", "value2", httponly=True, samesite="None")
+    resp.set_cookie("key2", "value2", secure=True, httponly=True, samesite="Strict")
--- a/python/ql/test/query-tests/Security/CWE-732-WeakFilePermissions/WeakFilePermissions.expected
+++ b/python/ql/test/query-tests/Security/CWE-732-WeakFilePermissions/WeakFilePermissions.expected
@@ -2,6 +2,5 @@
 | test.py:8:1:8:20 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to world writable. |
 | test.py:9:1:9:21 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to world writable. |
 | test.py:11:1:11:21 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to group readable. |
-| test.py:13:1:13:28 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to group writable. |
 | test.py:14:1:14:19 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to group writable. |
 | test.py:16:1:16:25 | ControlFlowNode for Attribute() | Overly permissive mask in open sets file to world readable. |
--- a/python/ql/test/query-tests/Security/CWE-942-CorsMisconfigurationMiddleware/CorsMisconfigurationMiddleware.expected
+++ b/python/ql/test/query-tests/Security/CWE-942-CorsMisconfigurationMiddleware/CorsMisconfigurationMiddleware.expected
@@ -0,0 +1,2 @@
+| fastapi.py:10:1:16:1 | ControlFlowNode for Attribute() | This CORS middleware uses a vulnerable configuration that allows arbitrary websites to make authenticated cross-site requests |
+| starlette.py:8:5:8:75 | ControlFlowNode for Middleware() | This CORS middleware uses a vulnerable configuration that allows arbitrary websites to make authenticated cross-site requests |
--- a/python/ql/test/query-tests/Security/CWE-942-CorsMisconfigurationMiddleware/CorsMisconfigurationMiddleware.qlref
+++ b/python/ql/test/query-tests/Security/CWE-942-CorsMisconfigurationMiddleware/CorsMisconfigurationMiddleware.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-942/CorsMisconfigurationMiddleware.ql
--- a/python/ql/test/query-tests/Security/CWE-942-CorsMisconfigurationMiddleware/fastapi.py
+++ b/python/ql/test/query-tests/Security/CWE-942-CorsMisconfigurationMiddleware/fastapi.py
@@ -0,0 +1,21 @@
+from fastapi import FastAPI
+from fastapi.middleware.cors import CORSMiddleware
+
+app = FastAPI()
+
+origins = [
+    "*"
+]
+
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=origins,
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
+
+@app.get("/")
+async def main():
+    return {"message": "Hello World"}
--- a/python/ql/test/query-tests/Security/CWE-942-CorsMisconfigurationMiddleware/starlette.py
+++ b/python/ql/test/query-tests/Security/CWE-942-CorsMisconfigurationMiddleware/starlette.py
@@ -0,0 +1,11 @@
+from starlette.applications import Starlette
+from starlette.middleware import Middleware
+from starlette.middleware.cors import CORSMiddleware
+
+routes = ...
+
+middleware = [
+    Middleware(CORSMiddleware, allow_origins=['*'], allow_credentials=True)
+]
+
+app = Starlette(routes=routes, middleware=middleware)
--- a/python/ql/test/query-tests/Statements/no_effect/StatementNoEffect.expected
+++ b/python/ql/test/query-tests/Statements/no_effect/StatementNoEffect.expected
@@ -1,3 +1,5 @@
+| assert_raises.py:9:13:9:19 | ExprStmt | This statement has no effect. |
+| assert_raises.py:11:13:11:16 | ExprStmt | This statement has no effect. |
 | test.py:24:1:24:3 | ExprStmt | This statement has no effect. |
 | test.py:25:1:25:13 | ExprStmt | This statement has no effect. |
 | test.py:26:1:26:6 | ExprStmt | This statement has no effect. |
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE-942/CorsMisconfigurationMiddleware.ql`