Python: Add django test of RedirectView subclass

Rasmus Wriedt Larsen
2021-02-11 15:40:06 +01:00
parent 79855157b3
commit 6934d5e642
3 changed files with 25 additions and 1 deletions


@@ -1,4 +1,5 @@
from django.http.response import HttpResponse, HttpResponseRedirect, HttpResponsePermanentRedirect, JsonResponse, HttpResponseNotFound
from django.views.generic import RedirectView
import django.shortcuts
# Not an XSS sink, since the Content-Type is not "text/html"
@@ -54,6 +55,13 @@ def redirect_shortcut(request):
return django.shortcuts.redirect(next) # $ HttpResponse HttpRedirectResponse redirectLocation=next
class CustomRedirectView(RedirectView):
def get_redirect_url(self, foo): # $ MISSING: routedParameter=foo
next = "https://example.com/{}".format(foo)
return next # $ MISSING: HttpResponse HttpRedirectResponse redirectLocation=next
# Ensure that simple subclasses are still vuln to XSS
def xss__not_found(request):
return HttpResponseNotFound(request.GET.get("name")) # $HttpResponse mimetype=text/html responseBody=Attribute()
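Review bot: The added `CustomRedirectView.get_redirect_url(self, foo)` has no comment saying where `foo` comes from, and the hunks of this file show no route for the view, so a reader cannot tell that it is a captured URL parameter and therefore remote-controlled. I would put `# foo is a captured URL parameter (remote input); the host is fixed, only the path is influenced` above the method, which also makes clear that the case exercises a redirect sink rather than an open redirect. Django documents this hook as `get_redirect_url(self, *args, **kwargs)`, so the narrowed signature only works while the route passes `foo` as a keyword argument. That looks deliberate for the `routedParameter` expectation, but it deserves a word in the same comment. The same class is added again in the last file section and the remark applies there as well.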


@@ -15,4 +15,7 @@ urlpatterns = [
path("basic-view-handler/", views.MyBasicViewHandler.as_view()), # $routeSetup="basic-view-handler/"
path("custom-inheritance-view-handler/", views.MyViewHandlerWithCustomInheritance.as_view()), # $routeSetup="custom-inheritance-view-handler/"
path("CustomRedirectView/<foo>", views.CustomRedirectView.as_view()), # $routeSetup="CustomRedirectView/<foo>"
path("CustomRedirectView2/<foo>", views.CustomRedirectView2.as_view()), # $routeSetup="CustomRedirectView2/<foo>"
]


@@ -1,5 +1,5 @@
from django.http import HttpRequest, HttpResponse
from django.views import View
from django.views.generic import View, RedirectView
from django.views.decorators.csrf import csrf_exempt
@@ -32,3 +32,16 @@ class MyViewHandlerWithCustomInheritance(MyCustomViewBaseClass):
def get(self, request: HttpRequest): # $ requestHandler
print(self.request.GET)
return HttpResponse("MyViewHandlerWithCustomInheritance: GET") # $ HttpResponse
# RedirectView
# See docs at https://docs.djangoproject.com/en/3.1/ref/class-based-views/base/#redirectview
class CustomRedirectView(RedirectView):
def get_redirect_url(self, foo): # $ MISSING: routedParameter=foo
next = "https://example.com/{}".format(foo)
return next # $ MISSING: HttpResponse HttpRedirectResponse redirectLocation=next
class CustomRedirectView2(RedirectView):
url = "https://example.com/%(foo)s"
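Review bot: `CustomRedirectView2` carries neither an inline expectation nor a comment, unlike `CustomRedirectView` directly above it, so it is unclear what the test is meant to assert for the `url` attribute form. Here the redirect target is produced by the inherited `RedirectView.get_redirect_url`, which interpolates the captured keyword arguments into `url`, so the routed `foo` reaches the redirect location without any code in this class. A comment such as `# url is %-formatted with the captured URL kwargs by RedirectView.get_redirect_url, so foo flows into the redirect location` on the `url` line would record that intent. If the analysis is expected to flag this form later, an expectation marked as missing, in the style used on the class above, would keep the gap visible.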