Python: Address many review comments

still need to move concept tests
2026-05-04 05:05:12 +02:00 · 2020-10-13 12:03:23 +02:00
parent 433a36225b
commit 4685f2d5f2
16 changed files with 285 additions and 238 deletions
--- a/python/ql/test/experimental/meta/ConceptsTest.qll
+++ b/python/ql/test/experimental/meta/ConceptsTest.qll
@@ -33,19 +33,41 @@ class SystemCommandExecutionTest extends InlineExpectationsTest {
  }
 }

-class DeserializationSinkTest extends InlineExpectationsTest {
-  DeserializationSinkTest() { this = "DeserializationSinkTest" }
+class UnmarshalingFunctionTest extends InlineExpectationsTest {
+  UnmarshalingFunctionTest() { this = "UnmarshalingFunctionTest" }

  override string getARelevantTag() { result = "getData" }

  override predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(DeserializationSink ds, DataFlow::Node data |
-      exists(location.getFile().getRelativePath()) and
-      data = ds.getData() and
-      location = data.getLocation() and
-      element = data.toString() and
-      value = value_from_expr(data.asExpr()) and
-      tag = "getData"
+    exists(location.getFile().getRelativePath()) and
+    exists(UnmarshalingFunction ds, string unsafe |
+      (
+        ds.unsafe() and unsafe = "UNSAFE_"
+        or
+        not ds.unsafe() and unsafe = ""
+      ) and
+      (
+        exists(DataFlow::Node data |
+          location = data.getLocation() and
+          element = data.toString() and
+          value = value_from_expr(data.asExpr()) and
+          (
+            data = ds.getAnInput() and
+            tag = unsafe + "getAnInput"
+            or
+            data = ds.getOutput() and
+            tag = unsafe + "getOutput"
+          )
+        )
+        or
+        exists(string format |
+          location = ds.getLocation() and
+          element = format and
+          value = format and
+          format = ds.getFormat() and
+          tag = unsafe + "getFormat"
+        )
+      )
    )
  }
 }