Apply suggestions from code review

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2026-05-04 05:05:12 +02:00 · 2020-10-14 08:24:26 +02:00
parent b7e8b48e9e
commit 3b9ea3a958
5 changed files with 18 additions and 37 deletions
--- a/python/ql/test/experimental/library-tests/frameworks/dill/UnmarshalFunction.py
+++ b/python/ql/test/experimental/library-tests/frameworks/dill/UnmarshalFunction.py
@@ -1,13 +1,4 @@
-import flask
 import dill

-from flask import Flask, request
-
-app = Flask(__name__)
-
-
-@app.route("/")
-def hello():
-    payload = request.args.get("payload")
-    dill.loads(payload)  # $UNSAFE_getAnInput=payload $UNSAFE_getOutput=Attribute() $UNSAFE_getFormat=ASCII
-    dill.loads(payload, encoding='latin1')  # $UNSAFE_getAnInput=payload $UNSAFE_getOutput=Attribute() $UNSAFE_getFormat=latin1
+dill.loads(payload)  # $UNSAFE_getAnInput=payload $UNSAFE_getOutput=Attribute() $UNSAFE_getFormat=ASCII
+dill.loads(payload, encoding='latin1')  # $UNSAFE_getAnInput=payload $UNSAFE_getOutput=Attribute() $UNSAFE_getFormat=latin1
--- a/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-502/unsafe_deserialization.py
+++ b/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-502/unsafe_deserialization.py
@@ -12,10 +12,10 @@ app = Flask(__name__)
@app.route("/")
 def hello():
    payload = request.args.get("payload")
-    pickle.loads(payload)
-    yaml.load(payload)
-    yaml.load(payload, Loader=SafeLoader)
-    marshal.loads(payload)
+    pickle.loads(payload) # NOT OK
+    yaml.load(payload) # NOT OK
+    yaml.load(payload, Loader=SafeLoader) # OK
+    marshal.loads(payload) # NOT OK

    import dill
-    dill.loads(payload)
+    dill.loads(payload) # NOT OK