Python: Basic support for falcon framework; routing and requests.

2026-04-30 11:15:13 +02:00 · 2019-02-07 14:46:11 +00:00
parent 742c1d0fa7
commit 6a48420191
11 changed files with 177 additions and 9 deletions
--- a/python/ql/test/library-tests/web/falcon/Routing.expected
+++ b/python/ql/test/library-tests/web/falcon/Routing.expected
@@ -1 +1,2 @@
-fail
+| /hello | get | test.py:9:5:9:32 | Function on_get |
+| /hello | post | test.py:12:5:12:33 | Function on_post |
--- a/python/ql/test/library-tests/web/falcon/Routing.ql
+++ b/python/ql/test/library-tests/web/falcon/Routing.ql
@@ -1,7 +1,8 @@
 import python

-import semmle.python.web.bottle.General
+import semmle.python.web.falcon.General

-from BottleRoute route
+from FalconRoute route, string method
+
+select route.getUrl(), method, route.getHandlerFunction(method)

-select route.getUrl(), route.getFunction()
--- a/python/ql/test/library-tests/web/falcon/Taint.expected
+++ b/python/ql/test/library-tests/web/falcon/Taint.expected
@@ -1 +1,14 @@
-fail
+| test.py:9 | req | falcon.request |
+| test.py:10 | Attribute | file[externally controlled string] |
+| test.py:10 | Attribute() | externally controlled string |
+| test.py:10 | req | falcon.request |
+| test.py:11 | Attribute() | externally controlled string |
+| test.py:11 | Attribute() | json[externally controlled string] |
+| test.py:11 | raw_json | externally controlled string |
+| test.py:13 | Dict | {externally controlled string} |
+| test.py:13 | Dict | {json[externally controlled string]} |
+| test.py:15 | result | externally controlled string |
+| test.py:15 | result | json[externally controlled string] |
+| test.py:17 | result | {externally controlled string} |
+| test.py:17 | result | {json[externally controlled string]} |
+| test.py:19 | req | falcon.request |
--- a/python/ql/test/library-tests/web/falcon/Taint.ql
+++ b/python/ql/test/library-tests/web/falcon/Taint.ql
@@ -8,6 +8,6 @@ import semmle.python.security.strings.Untrusted


 from TaintedNode node
-
+where node.getLocation().getFile().getName().matches("%falcon/test.py")
 select node.getLocation().toString(), node.getNode().getNode().toString(), node.getTaintKind()

--- a/python/ql/test/library-tests/web/falcon/test.py
+++ b/python/ql/test/library-tests/web/falcon/test.py
@@ -1,4 +1,4 @@
-
+import json

 from falcon import API

@@ -7,10 +7,17 @@ app = API()
 class Handler(object):

    def on_get(self, req, resp):
-        ...
+        raw_json = req.stream.read()
+        result = json.loads(raw_json)
+        resp.status = 200
+        result = {
+            'status': 'success',
+            'data': result
+        }
+        resp.body = json.dumps(result)

    def on_post(self, req, resp):
-        ...
+        pass

 app.add_route('/hello', Handler())