Merge pull request #3917 from RasmusWL/python-fix-experimental-tests

Python: Fix experimental tests
2026-01-14 06:54:48 +01:00 · 2020-07-07 22:05:47 +02:00
parent 1d5ef381ae 7306f58e57
commit 548fceb306
6 changed files with 10 additions and 8 deletions
--- a/python/ql/src/experimental/CWE-643/xpath.ql
+++ b/python/ql/src/experimental/CWE-643/xpath.ql
@@ -12,6 +12,7 @@

 import python
 import semmle.python.security.Paths
+import semmle.python.security.strings.Untrusted
 /* Sources */
 import semmle.python.web.HttpRequest
 /* Sinks */
--- a/python/ql/src/experimental/semmle/python/security/injection/Xpath.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/Xpath.qll
@@ -22,14 +22,14 @@ module XpathInjection {
  abstract class XpathInjectionSink extends TaintSink { }

  /**
-   * A Sink representing an argument to the `etree.Xpath` call.
+   * A Sink representing an argument to the `etree.XPath` call.
   *
   *    from lxml import etree
   *    root = etree.XML("<xmlContent>")
   *    find_text = etree.XPath("`sink`")
   */
  private class EtreeXpathArgument extends XpathInjectionSink {
-    override string toString() { result = "lxml.etree.Xpath" }
+    override string toString() { result = "lxml.etree.XPath" }

    EtreeXpathArgument() {
      exists(CallNode call | call.getFunction().(AttrNode).getObject("XPath").pointsTo(etree()) |
--- a/python/ql/test/experimental/CWE-091/Xslt.qlref
+++ b/python/ql/test/experimental/CWE-091/Xslt.qlref
@@ -1 +1 @@
-experimental/CWE-643/Xslt.ql
+experimental/CWE-091/Xslt.ql
--- a/python/ql/test/experimental/CWE-643/xpath.qlref
+++ b/python/ql/test/experimental/CWE-643/xpath.qlref
@@ -1 +1 @@
-experimental/CWE-643/xpath.ql
+experimental/CWE-643/xpath.ql
--- a/python/ql/test/experimental/CWE-643/xpathSinks.expected
+++ b/python/ql/test/experimental/CWE-643/xpathSinks.expected
@@ -1,12 +1,12 @@
 | xpath.py:8:20:8:29 | lxml.etree.parse.xpath | externally controlled string |
-| xpath.py:13:29:13:38 | lxml.etree.Xpath | externally controlled string |
-| xpath.py:19:29:19:38 | lxml.etree.Xpath | externally controlled string |
+| xpath.py:13:29:13:38 | lxml.etree.XPath | externally controlled string |
+| xpath.py:19:29:19:38 | lxml.etree.XPath | externally controlled string |
 | xpath.py:25:38:25:46 | lxml.etree.ETXpath | externally controlled string |
 | xpath.py:32:29:32:34 | libxml2.parseFile.xpathEval | externally controlled string |
 | xpathBad.py:13:20:13:43 | lxml.etree.parse.xpath | externally controlled string |
 | xpathFlow.py:14:20:14:29 | lxml.etree.parse.xpath | externally controlled string |
-| xpathFlow.py:23:29:23:38 | lxml.etree.Xpath | externally controlled string |
-| xpathFlow.py:32:29:32:38 | lxml.etree.Xpath | externally controlled string |
+| xpathFlow.py:23:29:23:38 | lxml.etree.XPath | externally controlled string |
+| xpathFlow.py:32:29:32:38 | lxml.etree.XPath | externally controlled string |
 | xpathFlow.py:41:31:41:40 | lxml.etree.ETXpath | externally controlled string |
 | xpathFlow.py:49:29:49:38 | libxml2.parseFile.xpathEval | externally controlled string |
 | xpathGood.py:13:20:13:37 | lxml.etree.parse.xpath | externally controlled string |
--- a/python/ql/test/experimental/CWE-643/xpathSinks.ql
+++ b/python/ql/test/experimental/CWE-643/xpathSinks.ql
@@ -1,5 +1,6 @@
 import python
 import experimental.semmle.python.security.injection.Xpath
+import semmle.python.security.strings.Untrusted

 from XpathInjection::XpathInjectionSink sink, TaintKind kind
 where sink.sinks(kind)