Python: Add tests of requests

Also adjusts test slightly. Writing `clientRequestDisablesCertValidation=False` to mean that certificate validation was disabled by the `False` expression is just confusing, as it easily reads as _certificate validate was NOT disabled_ :| The new one ties to each request that is being made, which seems like the right setup.
2026-05-04 05:05:12 +02:00 · 2021-12-13 13:38:58 +01:00
parent 7bf285a52e
commit 1ff56d5143
6 changed files with 63 additions and 7 deletions
--- a/python/ql/test/experimental/meta/ConceptsTest.qll
+++ b/python/ql/test/experimental/meta/ConceptsTest.qll
@@ -480,7 +480,7 @@ class HttpClientRequestTest extends InlineExpectationsTest {
  HttpClientRequestTest() { this = "HttpClientRequestTest" }

  override string getARelevantTag() {
-    result in ["clientRequestUrl", "clientRequestDisablesCertValidation"]
+    result in ["clientRequestUrl", "clientRequestCertValidationDisabled"]
  }

  override predicate hasActualResult(Location location, string element, string tag, string value) {
@@ -494,12 +494,12 @@ class HttpClientRequestTest extends InlineExpectationsTest {
    )
    or
    exists(location.getFile().getRelativePath()) and
-    exists(HTTP::Client::Request req, DataFlow::Node disablingNode |
-      req.disablesCertificateValidation(disablingNode, _) and
-      location = disablingNode.getLocation() and
-      element = disablingNode.toString() and
-      value = prettyNodeForInlineTest(disablingNode) and
-      tag = "clientRequestDisablesCertValidation"
+    exists(HTTP::Client::Request req |
+      req.disablesCertificateValidation(_, _) and
+      location = req.getLocation() and
+      element = req.toString() and
+      value = "" and
+      tag = "clientRequestCertValidationDisabled"
    )
  }
 }
--- a/python/ql/test/library-tests/frameworks/requests/ConceptsTest.expected
+++ b/python/ql/test/library-tests/frameworks/requests/ConceptsTest.expected
--- a/python/ql/test/library-tests/frameworks/requests/ConceptsTest.ql
+++ b/python/ql/test/library-tests/frameworks/requests/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
--- a/python/ql/test/library-tests/frameworks/requests/InlineTaintTest.expected
+++ b/python/ql/test/library-tests/frameworks/requests/InlineTaintTest.expected
@@ -0,0 +1,3 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+failures
--- a/python/ql/test/library-tests/frameworks/requests/InlineTaintTest.ql
+++ b/python/ql/test/library-tests/frameworks/requests/InlineTaintTest.ql
@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest
--- a/python/ql/test/library-tests/frameworks/requests/test.py
+++ b/python/ql/test/library-tests/frameworks/requests/test.py
@@ -0,0 +1,50 @@
+import requests
+
+resp = requests.get("url") # $ MISSING: clientRequestUrl="url"
+resp = requests.get(url="url") # $ MISSING: clientRequestUrl="url"
+
+resp = requests.request("GET", "url") # $ MISSING: clientRequestUrl="url"
+
+with requests.Session() as session:
+    resp = session.get("url") # $ MISSING: clientRequestUrl="url"
+    resp = session.request(method="GET", url="url") # $ MISSING: clientRequestUrl="url"
+
+s = requests.Session()
+resp = s.get("url") # $ MISSING: clientRequestUrl="url"
+
+s = requests.session()
+resp = s.get("url") # $ MISSING: clientRequestUrl="url"
+
+# test full import path for Session
+with requests.sessions.Session() as session:
+    resp = session.get("url") # $ MISSING: clientRequestUrl="url"
+
+# Low level access
+req = requests.Request("GET", "url") # $ MISSING: clientRequestUrl="url"
+resp = s.send(req.prepare())
+
+# other methods than GET
+resp = requests.post("url") # $ MISSING: clientRequestUrl="url"
+resp = requests.patch("url") # $ MISSING: clientRequestUrl="url"
+resp = requests.options("url") # $ MISSING: clientRequestUrl="url"
+
+# ==============================================================================
+# Disabling certificate validation
+# ==============================================================================
+
+resp = requests.get("url", verify=False) # $ MISSING: clientRequestUrl="url" clientRequestCertValidationDisabled
+
+def make_get(verify_arg):
+    resp = requests.get("url", verify=verify_arg) # $ MISSING: clientRequestUrl="url" clientRequestCertValidationDisabled
+
+make_get(False)
+
+
+with requests.Session() as session:
+    # see https://github.com/psf/requests/blob/39d0fdd9096f7dceccbc8f82e1eda7dd64717a8e/requests/sessions.py#L621
+    session.verify = False
+    resp = session.get("url") # $ MISSING: clientRequestUrl="url" clientRequestCertValidationDisabled
+    resp = session.get("url", verify=True) # $ MISSING: clientRequestUrl="url"
+
+    req = requests.Request("GET", "url") # $ MISSING: clientRequestUrl="url"
+    resp = session.send(req.prepare()) # $ MISSING: clientRequestCertValidationDisabled