hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-02 04:05:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Python: Add explicit tests for HttpSources and HttpSinks

Browse Source 
Some of the tests currently fail, since they can't reproduce the old tests
results (since the sinks/sources defined in the library code are not
HttpResponseTaintSink/HttpRequestTaintSource)
This commit is contained in:
Rasmus Wriedt Larsen
2020-01-07 13:26:22 +01:00
parent b36a6aa5b5
commit 6b87458c2e
54 changed files with 221 additions and 129 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
python/ql/test/library-tests/web/bottle/HttpSinks.expected Normal file
View File

@@ -0,0 +1,4 @@
| test.py:9:12:9:26 | bottle handler function result | externally controlled string |
| test.py:13:12:13:24 | bottle handler function result | externally controlled string |
| test.py:19:12:19:33 | bottle handler function result | externally controlled string |
| test.py:36:21:36:51 | Taint sink | externally controlled string |

7
python/ql/test/library-tests/web/bottle/HttpSinks.ql Normal file
View File

@@ -0,0 +1,7 @@
import python
import semmle.python.web.HttpResponse
import semmle.python.security.strings.Untrusted
from HttpResponseTaintSink sink, TaintKind kind
where sink.sinks(kind)
select sink, kind

1
python/ql/test/library-tests/web/bottle/HttpSources.expected Normal file
View File

@@ -0,0 +1 @@
FIXME

7
python/ql/test/library-tests/web/bottle/HttpSources.ql Normal file
View File

@@ -0,0 +1,7 @@
import python
import semmle.python.web.HttpRequest
import semmle.python.security.strings.Untrusted
from HttpRequestTaintSource source, TaintKind kind
where source.isSourceOf(kind)
select source.(ControlFlowNode).getNode(), kind

4
python/ql/test/library-tests/web/bottle/Sinks.expected
View File

@@ -1,4 +0,0 @@
| test.py:9 | BinaryExpr | externally controlled string |
| test.py:13 | BinaryExpr | externally controlled string |
| test.py:19 | BinaryExpr | externally controlled string |
| test.py:36 | BinaryExpr | externally controlled string |

8
python/ql/test/library-tests/web/bottle/Sinks.ql
View File

@@ -1,8 +0,0 @@
import python
import semmle.python.web.HttpRequest
import semmle.python.web.HttpResponse
import semmle.python.security.strings.Untrusted
from TaintSink sink, TaintKind kind
where sink.sinks(kind)
select sink.getLocation().toString(), sink.(ControlFlowNode).getNode().toString(), kind

3
python/ql/test/library-tests/web/cherrypy/HttpSinks.expected Normal file
View File

@@ -0,0 +1,3 @@
| red.py:8:16:8:20 | cherrypy handler function result | externally controlled string |
| test.py:11:16:11:29 | cherrypy handler function result | externally controlled string |
| test.py:17:16:17:27 | cherrypy handler function result | externally controlled string |

7
python/ql/test/library-tests/web/cherrypy/HttpSinks.ql Normal file
View File

@@ -0,0 +1,7 @@
import python
import semmle.python.web.HttpResponse
import semmle.python.security.strings.Untrusted
from HttpResponseTaintSink sink, TaintKind kind
where sink.sinks(kind)
select sink, kind

1
python/ql/test/library-tests/web/cherrypy/HttpSources.expected Normal file
View File

@@ -0,0 +1 @@
FIXME

7
python/ql/test/library-tests/web/cherrypy/HttpSources.ql Normal file
View File

@@ -0,0 +1,7 @@
import python
import semmle.python.web.HttpRequest
import semmle.python.security.strings.Untrusted
from HttpRequestTaintSource source, TaintKind kind
where source.isSourceOf(kind)
select source.(ControlFlowNode).getNode(), kind

3
python/ql/test/library-tests/web/cherrypy/Sinks.expected
View File

@@ -1,3 +0,0 @@
| red.py:8 | Str | externally controlled string |
| test.py:11 | BinaryExpr | externally controlled string |
| test.py:17 | BinaryExpr | externally controlled string |

8
python/ql/test/library-tests/web/cherrypy/Sinks.ql
View File

@@ -1,8 +0,0 @@
import python
import semmle.python.web.HttpRequest
import semmle.python.web.HttpResponse
import semmle.python.security.strings.Untrusted
from TaintSink sink, TaintKind kind
where sink.sinks(kind)
select sink.getLocation().toString(), sink.(ControlFlowNode).getNode().toString(), kind

7
python/ql/test/library-tests/web/django/HttpSinks.expected Normal file
View File

@@ -0,0 +1,7 @@
| views.py:7:25:7:63 | django.Response(...) | externally controlled string |
| views.py:11:25:11:52 | django.Response(...) | externally controlled string |
| views.py:15:25:15:53 | django.Response(...) | externally controlled string |
| views.py:23:29:23:60 | django.Response(...) | externally controlled string |
| views.py:29:29:29:65 | django.Response(...) | externally controlled string |
| views.py:34:25:34:63 | django.Response(...) | externally controlled string |
| views.py:38:25:38:70 | django.Response(...) | externally controlled string |

7
python/ql/test/library-tests/web/django/HttpSinks.ql Normal file
View File

@@ -0,0 +1,7 @@
import python
import semmle.python.web.HttpResponse
import semmle.python.security.strings.Untrusted
from HttpResponseTaintSink sink, TaintKind kind
where sink.sinks(kind)
select sink, kind

19
python/ql/test/library-tests/web/django/HttpSources.expected Normal file
View File

@@ -0,0 +1,19 @@
| test.py:5:19:5:25 | request | django.request.HttpRequest |
| test.py:5:28:5:31 | path | externally controlled string |
| test.py:11:19:11:25 | request | django.request.HttpRequest |
| test.py:11:28:11:31 | path | externally controlled string |
| views.py:6:19:6:25 | request | django.request.HttpRequest |
| views.py:6:28:6:30 | foo | externally controlled string |
| views.py:6:33:6:35 | bar | externally controlled string |
| views.py:10:20:10:26 | request | django.request.HttpRequest |
| views.py:14:21:14:27 | request | django.request.HttpRequest |
| views.py:22:20:22:26 | request | django.request.HttpRequest |
| views.py:28:19:28:25 | request | django.request.HttpRequest |
| views.py:32:19:32:25 | request | django.request.HttpRequest |
| views.py:32:28:32:38 | page_number | externally controlled string |
| views.py:37:24:37:30 | request | django.request.HttpRequest |
| views.py:37:33:37:36 | arg0 | externally controlled string |
| views.py:37:39:37:42 | arg1 | externally controlled string |
| views.py:57:15:57:21 | request | django.request.HttpRequest |
| views.py:57:24:57:31 | username | externally controlled string |
| views.py:66:30:66:36 | request | django.request.HttpRequest |

7
python/ql/test/library-tests/web/django/HttpSources.ql Normal file
View File

@@ -0,0 +1,7 @@
import python
import semmle.python.web.HttpRequest
import semmle.python.security.strings.Untrusted
from HttpRequestTaintSource source, TaintKind kind
where source.isSourceOf(kind)
select source.(ControlFlowNode).getNode(), kind

16
python/ql/test/library-tests/web/django/Sinks.expected
View File

@@ -1,16 +0,0 @@
| sql.py:13 | Str | externally controlled string |
| sql.py:14 | Str | externally controlled string |
| sql.py:17 | BinaryExpr | externally controlled string |
| sql.py:20 | BinaryExpr | externally controlled string |
| sql.py:21 | BinaryExpr | externally controlled string |
| sql.py:22 | BinaryExpr | externally controlled string |
| sql.py:36 | Str | externally controlled string |
| sql.py:42 | BinaryExpr | externally controlled string |
| sql.py:47 | BinaryExpr | externally controlled string |
| views.py:7 | Attribute() | externally controlled string |
| views.py:11 | Attribute() | externally controlled string |
| views.py:15 | Attribute() | externally controlled string |
| views.py:23 | Attribute() | externally controlled string |
| views.py:29 | Attribute() | externally controlled string |
| views.py:34 | Attribute() | externally controlled string |
| views.py:38 | Attribute() | externally controlled string |

10
python/ql/test/library-tests/web/django/Sinks.ql
View File

@@ -1,10 +0,0 @@
import python
import semmle.python.web.HttpRequest
import semmle.python.web.HttpResponse
import semmle.python.web.django.Db
import semmle.python.web.django.Model
import semmle.python.security.strings.Untrusted
from TaintSink sink, TaintKind kind
where sink.sinks(kind)
select sink.getLocation().toString(), sink.(ControlFlowNode).getNode().toString(), kind

19
python/ql/test/library-tests/web/django/Sources.expected
View File

@@ -1,19 +0,0 @@
| test.py:5 | path | externally controlled string |
| test.py:5 | request | django.request.HttpRequest |
| test.py:11 | path | externally controlled string |
| test.py:11 | request | django.request.HttpRequest |
| views.py:6 | bar | externally controlled string |
| views.py:6 | foo | externally controlled string |
| views.py:6 | request | django.request.HttpRequest |
| views.py:10 | request | django.request.HttpRequest |
| views.py:14 | request | django.request.HttpRequest |
| views.py:22 | request | django.request.HttpRequest |
| views.py:28 | request | django.request.HttpRequest |
| views.py:32 | page_number | externally controlled string |
| views.py:32 | request | django.request.HttpRequest |
| views.py:37 | arg0 | externally controlled string |
| views.py:37 | arg1 | externally controlled string |
| views.py:37 | request | django.request.HttpRequest |
| views.py:57 | request | django.request.HttpRequest |
| views.py:57 | username | externally controlled string |
| views.py:66 | request | django.request.HttpRequest |

7
python/ql/test/library-tests/web/django/Sources.ql
View File

@@ -1,7 +0,0 @@
import python
import semmle.python.web.HttpRequest
import semmle.python.security.strings.Untrusted
from TaintSource src, TaintKind kind
where src.isSourceOf(kind)
select src.getLocation().toString(), src.(ControlFlowNode).getNode().toString(), kind

9
python/ql/test/library-tests/web/django/SqlInjectionSinks.expected Normal file
View File

@@ -0,0 +1,9 @@
| sql.py:13:24:13:64 | db.connection.execute | externally controlled string |
| sql.py:14:26:14:66 | django.models.QuerySet.raw(sink,...) | externally controlled string |
| sql.py:17:24:17:77 | db.connection.execute | externally controlled string |
| sql.py:20:38:20:95 | django.db.models.expressions.RawSQL(sink,...) | externally controlled string |
| sql.py:21:26:21:83 | django.models.QuerySet.raw(sink,...) | externally controlled string |
| sql.py:22:28:22:85 | django.models.QuerySet.extra(sink,...) | externally controlled string |
| sql.py:36:26:36:68 | django.models.QuerySet.raw(sink,...) | externally controlled string |
| sql.py:42:11:42:52 | django.models.QuerySet.raw(sink,...) | externally controlled string |
| sql.py:47:13:47:54 | django.models.QuerySet.extra(sink,...) | externally controlled string |

9
python/ql/test/library-tests/web/django/SqlInjectionSinks.ql Normal file
View File

@@ -0,0 +1,9 @@
import python
import semmle.python.security.injection.Sql
import semmle.python.web.django.Db
import semmle.python.web.django.Model
import semmle.python.security.strings.Untrusted
from SqlInjectionSink sink, TaintKind kind
where sink.sinks(kind)
select sink, kind

1
python/ql/test/library-tests/web/falcon/HttpSinks.expected Normal file
View File

@@ -0,0 +1 @@
FIXME

7
python/ql/test/library-tests/web/falcon/HttpSinks.ql Normal file
View File

@@ -0,0 +1,7 @@
import python
import semmle.python.web.HttpResponse
import semmle.python.security.strings.Untrusted
from HttpResponseTaintSink sink, TaintKind kind
where sink.sinks(kind)
select sink, kind

1
python/ql/test/library-tests/web/falcon/HttpSources.expected Normal file
View File

@@ -0,0 +1 @@
FIXME

7
python/ql/test/library-tests/web/falcon/HttpSources.ql Normal file
View File

@@ -0,0 +1,7 @@
import python
import semmle.python.web.HttpRequest
import semmle.python.security.strings.Untrusted
from HttpRequestTaintSource source, TaintKind kind
where source.isSourceOf(kind)
select source.(ControlFlowNode).getNode(), kind

8
python/ql/test/library-tests/web/flask/HttpSinks.expected Normal file
View File

@@ -0,0 +1,8 @@
| test.py:8:12:8:25 | flask.routed.response | externally controlled string |
| test.py:29:12:29:38 | flask.routed.response | externally controlled string |
| test.py:35:16:35:37 | flask.routed.response | externally controlled string |
| test.py:36:12:36:15 | flask.routed.response | externally controlled string |
| test.py:41:12:41:54 | flask.routed.response | externally controlled string |
| test.py:41:26:41:53 | flask.response.argument | externally controlled string |
| test.py:46:12:46:62 | flask.routed.response | externally controlled string |
| test.py:46:26:46:61 | flask.response.argument | externally controlled string |

7
python/ql/test/library-tests/web/flask/HttpSinks.ql Normal file
View File

@@ -0,0 +1,7 @@
import python
import semmle.python.web.HttpResponse
import semmle.python.security.strings.Untrusted
from HttpResponseTaintSink sink, TaintKind kind
where sink.sinks(kind)
select sink, kind

5
python/ql/test/library-tests/web/flask/HttpSources.expected Normal file
View File

@@ -0,0 +1,5 @@
| test.py:29:12:29:23 | Attribute | {externally controlled string} |
| test.py:33:9:33:20 | Attribute | {externally controlled string} |
| test.py:35:16:35:27 | Attribute | {externally controlled string} |
| test.py:40:18:40:29 | Attribute | {externally controlled string} |
| test.py:45:18:45:29 | Attribute | {externally controlled string} |

7
python/ql/test/library-tests/web/flask/HttpSources.ql Normal file
View File

@@ -0,0 +1,7 @@
import python
import semmle.python.web.HttpRequest
import semmle.python.security.strings.Untrusted
from HttpRequestTaintSource source, TaintKind kind
where source.isSourceOf(kind)
select source.(ControlFlowNode).getNode(), kind

8
python/ql/test/library-tests/web/flask/Sinks.expected
View File

@@ -1,8 +0,0 @@
| test.py:8 | Str | externally controlled string |
| test.py:29 | Attribute() | externally controlled string |
| test.py:35 | Subscript | externally controlled string |
| test.py:36 | None | externally controlled string |
| test.py:41 | BinaryExpr | externally controlled string |
| test.py:41 | make_response() | externally controlled string |
| test.py:46 | BinaryExpr | externally controlled string |
| test.py:46 | make_response() | externally controlled string |

8
python/ql/test/library-tests/web/flask/Sinks.ql
View File

@@ -1,8 +0,0 @@
import python
import semmle.python.web.HttpRequest
import semmle.python.web.HttpResponse
import semmle.python.security.strings.Untrusted
from TaintSink sink, TaintKind kind
where sink.sinks(kind)
select sink.getLocation().toString(), sink.(ControlFlowNode).getNode().toString(), kind

6
python/ql/test/library-tests/web/flask/Sources.expected
View File

@@ -1,6 +0,0 @@
| test.py:22 | Attribute() | flask/MyView.as.view |
| test.py:29 | Attribute | {externally controlled string} |
| test.py:33 | Attribute | {externally controlled string} |
| test.py:35 | Attribute | {externally controlled string} |
| test.py:40 | Attribute | {externally controlled string} |
| test.py:45 | Attribute | {externally controlled string} |

8
python/ql/test/library-tests/web/flask/Sources.ql
View File

@@ -1,8 +0,0 @@
import python
import semmle.python.web.HttpRequest
import semmle.python.web.HttpResponse
import semmle.python.security.strings.Untrusted
from TaintSource src, TaintKind kind
where src.isSourceOf(kind)
select src.getLocation().toString(), src.(ControlFlowNode).getNode().toString(), kind

3
python/ql/test/library-tests/web/pyramid/HttpSinks.expected Normal file
View File

@@ -0,0 +1,3 @@
| test.py:8:12:8:31 | pyramid.routed.response | externally controlled string |
| test.py:17:12:17:41 | pyramid.routed.response | externally controlled string |
| test.py:25:12:25:43 | pyramid.routed.response | externally controlled string |

7
python/ql/test/library-tests/web/pyramid/HttpSinks.ql Normal file
View File

@@ -0,0 +1,7 @@
import python
import semmle.python.web.HttpResponse
import semmle.python.security.strings.Untrusted
from HttpResponseTaintSink sink, TaintKind kind
where sink.sinks(kind)
select sink, kind

1
python/ql/test/library-tests/web/pyramid/HttpSources.expected Normal file
View File

@@ -0,0 +1 @@
FIXME

7
python/ql/test/library-tests/web/pyramid/HttpSources.ql Normal file
View File

@@ -0,0 +1,7 @@
import python
import semmle.python.web.HttpRequest
import semmle.python.security.strings.Untrusted
from HttpRequestTaintSource source, TaintKind kind
where source.isSourceOf(kind)
select source.(ControlFlowNode).getNode(), kind

3
python/ql/test/library-tests/web/pyramid/Sinks.expected
View File

@@ -1,3 +0,0 @@
| test.py:8 | Response() | externally controlled string |
| test.py:17 | Response() | externally controlled string |
| test.py:25 | Dict | externally controlled string |

8
python/ql/test/library-tests/web/pyramid/Sinks.ql
View File

@@ -1,8 +0,0 @@
import python
import semmle.python.web.HttpRequest
import semmle.python.web.HttpResponse
import semmle.python.security.strings.Untrusted
from TaintSink sink, TaintKind kind
where sink.sinks(kind) and sink.getLocation().getFile().getShortName() = "test.py"
select sink.getLocation().toString(), sink.(ControlFlowNode).getNode().toString(), kind

8
python/ql/test/library-tests/web/tornado/HttpSinks.expected Normal file
View File

@@ -0,0 +1,8 @@
| test.py:6:20:6:43 | tornado.HttpRequesHandler.write | externally controlled string |
| test.py:6:20:6:43 | tornado.connection.write | externally controlled string |
| test.py:12:20:12:23 | tornado.HttpRequesHandler.write | externally controlled string |
| test.py:12:20:12:23 | tornado.connection.write | externally controlled string |
| test.py:20:23:20:25 | tornado.HttpRequesHandler.redirect | externally controlled string |
| test.py:26:20:26:48 | tornado.HttpRequesHandler.write | externally controlled string |
| test.py:26:20:26:48 | tornado.connection.write | externally controlled string |
FIXME

7
python/ql/test/library-tests/web/tornado/HttpSinks.ql Normal file
View File

@@ -0,0 +1,7 @@
import python
import semmle.python.web.HttpResponse
import semmle.python.security.strings.Untrusted
from HttpResponseTaintSink sink, TaintKind kind
where sink.sinks(kind)
select sink, kind

1
python/ql/test/library-tests/web/tornado/HttpSources.expected Normal file
View File

@@ -0,0 +1 @@
FIXME

7
python/ql/test/library-tests/web/tornado/HttpSources.ql Normal file
View File

@@ -0,0 +1,7 @@
import python
import semmle.python.web.HttpRequest
import semmle.python.security.strings.Untrusted
from HttpRequestTaintSource source, TaintKind kind
where source.isSourceOf(kind)
select source.(ControlFlowNode).getNode(), kind

4
python/ql/test/library-tests/web/tornado/Sinks.expected
View File

@@ -1,4 +0,0 @@
| test.py:6 | Attribute() | externally controlled string |
| test.py:12 | name | externally controlled string |
| test.py:20 | url | externally controlled string |
| test.py:26 | Attribute() | externally controlled string |

9
python/ql/test/library-tests/web/tornado/Sinks.ql
View File

@@ -1,9 +0,0 @@
import python
import semmle.python.web.HttpRequest
import semmle.python.web.HttpResponse
import semmle.python.security.strings.Untrusted
import semmle.python.TestUtils
from TaintSink sink, TaintKind kind
where sink.sinks(kind)
select remove_library_prefix(sink.getLocation()), sink.(ControlFlowNode).getNode().toString(), kind

6
python/ql/test/library-tests/web/turbogears/HttpSinks.expected Normal file
View File

@@ -0,0 +1,6 @@
| test.py:8:16:8:69 | Taint sink | externally controlled string |
| test.py:14:16:14:50 | Taint sink | externally controlled string |
| test.py:19:16:19:50 | Taint sink | externally controlled string |
| test.py:23:16:23:50 | Taint sink | externally controlled string |
| test.py:27:16:27:38 | Taint sink | {externally controlled string} |
FIXME

7
python/ql/test/library-tests/web/turbogears/HttpSinks.ql Normal file
View File

@@ -0,0 +1,7 @@
import python
import semmle.python.web.HttpResponse
import semmle.python.security.strings.Untrusted
from HttpResponseTaintSink sink, TaintKind kind
where sink.sinks(kind)
select sink, kind

1
python/ql/test/library-tests/web/turbogears/HttpSources.expected Normal file
View File

@@ -0,0 +1 @@
FIXME

7
python/ql/test/library-tests/web/turbogears/HttpSources.ql Normal file
View File

@@ -0,0 +1,7 @@
import python
import semmle.python.web.HttpRequest
import semmle.python.security.strings.Untrusted
from HttpRequestTaintSource source, TaintKind kind
where source.isSourceOf(kind)
select source.(ControlFlowNode).getNode(), kind

6
python/ql/test/library-tests/web/twisted/HttpSinks.expected Normal file
View File

@@ -0,0 +1,6 @@
FIXME: WHERE ARE THE FIRST ONES?
| test.py:40:23:40:30 | Twisted request setter | externally controlled string |
| test.py:44:27:44:31 | Twisted request setter | externally controlled string |
| test.py:44:34:44:38 | Twisted request setter | externally controlled string |
| test.py:45:27:45:31 | Twisted request setter | externally controlled string |
| test.py:45:34:45:40 | Twisted request setter | externally controlled string |

7
python/ql/test/library-tests/web/twisted/HttpSinks.ql Normal file
View File

@@ -0,0 +1,7 @@
import python
import semmle.python.web.HttpResponse
import semmle.python.security.strings.Untrusted
from HttpResponseTaintSink sink, TaintKind kind
where sink.sinks(kind)
select sink, kind

1
python/ql/test/library-tests/web/twisted/HttpSources.expected Normal file
View File

@@ -0,0 +1 @@
FIXME

7
python/ql/test/library-tests/web/twisted/HttpSources.ql Normal file
View File

@@ -0,0 +1,7 @@
import python
import semmle.python.web.HttpRequest
import semmle.python.security.strings.Untrusted
from HttpRequestTaintSource source, TaintKind kind
where source.isSourceOf(kind)
select source.(ControlFlowNode).getNode(), kind