Python: Add requested test

2026-04-28 10:15:14 +02:00 · 2023-08-08 10:44:48 +02:00
parent 0db535bdd7
commit 4f47461f60
2 changed files with 35 additions and 3 deletions
--- a/python/ql/test/library-tests/frameworks/aiohttp/InlineTaintTest.ql
+++ b/python/ql/test/library-tests/frameworks/aiohttp/InlineTaintTest.ql
@@ -1,2 +1,19 @@
 import experimental.meta.InlineTaintTest
-import MakeInlineTaintTest<TestTaintTrackingConfig>
+
+predicate isSafe(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
+  g.(CallNode).getFunction().(NameNode).getId() = "is_safe" and
+  node = g.(CallNode).getArg(_) and
+  branch = true
+}
+
+module CustomSanitizerOverridesConfig implements DataFlow::ConfigSig {
+  predicate isSource = TestTaintTrackingConfig::isSource/1;
+
+  predicate isSink = TestTaintTrackingConfig::isSink/1;
+
+  predicate isBarrier(DataFlow::Node node) {
+    node = DataFlow::BarrierGuard<isSafe/3>::getABarrierNode()
+  }
+}
+
+import MakeInlineTaintTest<CustomSanitizerOverridesConfig>
--- a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
@@ -142,9 +142,9 @@ class TaintTestClass(web.View):
            self.request.url # $ tainted
        )

-# not a request handler, and not called, btu since we have type-annotation, should be a
+# not a request handler, and not called, but since we have type-annotation, should be a
 # remote-flow-source.
-async def test_heuristic_taint(request: web.Request):
+async def test_source_from_type_annotation(request: web.Request):
    # picking out just a few of the tests from `test_taint` above, to show that we have
    # the same taint-steps :)
    ensure_tainted(
@@ -153,10 +153,25 @@ async def test_heuristic_taint(request: web.Request):
        await request.content.read(), # $ tainted
    )

+# Test that since we can reach the `request` object in the helper function, we don't
+# introduce a new remote-flow-source, but instead use the one from the caller. (which is
+# checked to not be tainted)
+async def test_sanitizer(request): # $ requestHandler
+    ensure_tainted(request, request.url, await request.content.read()) # $ tainted
+
+    if (is_safe(request)):
+        ensure_not_tainted(request, request.url, await request.content.read())
+        test_safe_helper_function_no_route_with_type(request)
+
+
+async def test_safe_helper_function_no_route_with_type(request: web.Request):
+    ensure_not_tainted(request, request.url, await request.content.read()) # $ SPURIOUS: tainted
+

 app = web.Application()
 app.router.add_get(r"/test_taint/{name}/{number:\d+}", test_taint)  # $ routeSetup="/test_taint/{name}/{number:\d+}"
 app.router.add_view(r"/test_taint_class", TaintTestClass)  # $ routeSetup="/test_taint_class"
+app.router.add_view(r"/test_sanitizer", test_sanitizer)  # $ routeSetup="/test_sanitizer"


 if __name__ == "__main__":