python: add concept tests

2025-12-23 04:06:37 +01:00 · 2022-03-23 12:05:09 +01:00
parent 441e206cfa
commit 6c2449564a
3 changed files with 34 additions and 2 deletions
--- a/python/ql/test/experimental/meta/ConceptsTest.qll
+++ b/python/ql/test/experimental/meta/ConceptsTest.qll
@@ -503,3 +503,35 @@ class HttpClientRequestTest extends InlineExpectationsTest {
    )
  }
 }
+
+class CsrfProtectionSettingTest extends InlineExpectationsTest {
+  CsrfProtectionSettingTest() { this = "CsrfProtectionSettingTest" }
+
+  override string getARelevantTag() { result = "CsrfProtectionSetting" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(location.getFile().getRelativePath()) and
+    exists(CsrfProtectionSetting setting |
+      location = setting.getLocation() and
+      element = setting.toString() and
+      value = setting.getVerificationSetting().toString() and
+      tag = "CsrfProtectionSetting"
+    )
+  }
+}
+
+class CsrfLocalProtectionTest extends InlineExpectationsTest {
+  CsrfLocalProtectionTest() { this = "CsrfLocalProtectionTest" }
+
+  override string getARelevantTag() { result = "CsrfLocalProtection" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(location.getFile().getRelativePath()) and
+    exists(CsrfLocalProtection p |
+      location = p.getLocation() and
+      element = p.toString() and
+      value = p.getProtected().getName().toString() and
+      tag = "CsrfLocalProtection"
+    )
+  }
+}
--- a/python/ql/test/library-tests/frameworks/django-v2-v3/response_test.py
+++ b/python/ql/test/library-tests/frameworks/django-v2-v3/response_test.py
@@ -118,7 +118,7 @@ class CustomJsonResponse(JsonResponse):
    def __init__(self, banner, content, *args, **kwargs):
        super().__init__(content, *args, content_type="text/html", **kwargs)

-@csrf_protect
+@csrf_protect  # $CsrfLocalProtection=safe__custom_json_response
 def safe__custom_json_response(request):
    return CustomJsonResponse("ACME Responses", {"foo": request.GET.get("foo")})  # $HttpResponse mimetype=application/json MISSING: responseBody=Dict SPURIOUS: responseBody="ACME Responses"

--- a/python/ql/test/library-tests/frameworks/django-v2-v3/testproj/settings.py
+++ b/python/ql/test/library-tests/frameworks/django-v2-v3/testproj/settings.py
@@ -40,7 +40,7 @@ INSTALLED_APPS = [
    'django.contrib.staticfiles',
 ]

-MIDDLEWARE = [
+MIDDLEWARE = [  # $CsrfProtectionSetting=false
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',