Python: Add tests for re.escape FP

2026-05-04 13:15:21 +02:00 · 2020-06-15 11:34:05 +02:00
parent 0d1fb0f248
commit 7601bd497e
6 changed files with 94 additions and 0 deletions
--- a/python/ql/test/library-tests/regex/Characters.expected
+++ b/python/ql/test/library-tests/regex/Characters.expected
@@ -118,6 +118,47 @@
 | ax{,3} | 3 | 4 |
 | ax{,3} | 4 | 5 |
 | ax{,3} | 5 | 6 |
+| https://www.humblebundle.com/home/library | 0 | 1 |
+| https://www.humblebundle.com/home/library | 1 | 2 |
+| https://www.humblebundle.com/home/library | 2 | 3 |
+| https://www.humblebundle.com/home/library | 3 | 4 |
+| https://www.humblebundle.com/home/library | 4 | 5 |
+| https://www.humblebundle.com/home/library | 5 | 6 |
+| https://www.humblebundle.com/home/library | 6 | 7 |
+| https://www.humblebundle.com/home/library | 7 | 8 |
+| https://www.humblebundle.com/home/library | 8 | 9 |
+| https://www.humblebundle.com/home/library | 9 | 10 |
+| https://www.humblebundle.com/home/library | 10 | 11 |
+| https://www.humblebundle.com/home/library | 11 | 12 |
+| https://www.humblebundle.com/home/library | 12 | 13 |
+| https://www.humblebundle.com/home/library | 13 | 14 |
+| https://www.humblebundle.com/home/library | 14 | 15 |
+| https://www.humblebundle.com/home/library | 15 | 16 |
+| https://www.humblebundle.com/home/library | 16 | 17 |
+| https://www.humblebundle.com/home/library | 17 | 18 |
+| https://www.humblebundle.com/home/library | 18 | 19 |
+| https://www.humblebundle.com/home/library | 19 | 20 |
+| https://www.humblebundle.com/home/library | 20 | 21 |
+| https://www.humblebundle.com/home/library | 21 | 22 |
+| https://www.humblebundle.com/home/library | 22 | 23 |
+| https://www.humblebundle.com/home/library | 23 | 24 |
+| https://www.humblebundle.com/home/library | 24 | 25 |
+| https://www.humblebundle.com/home/library | 25 | 26 |
+| https://www.humblebundle.com/home/library | 26 | 27 |
+| https://www.humblebundle.com/home/library | 27 | 28 |
+| https://www.humblebundle.com/home/library | 28 | 29 |
+| https://www.humblebundle.com/home/library | 29 | 30 |
+| https://www.humblebundle.com/home/library | 30 | 31 |
+| https://www.humblebundle.com/home/library | 31 | 32 |
+| https://www.humblebundle.com/home/library | 32 | 33 |
+| https://www.humblebundle.com/home/library | 33 | 34 |
+| https://www.humblebundle.com/home/library | 34 | 35 |
+| https://www.humblebundle.com/home/library | 35 | 36 |
+| https://www.humblebundle.com/home/library | 36 | 37 |
+| https://www.humblebundle.com/home/library | 37 | 38 |
+| https://www.humblebundle.com/home/library | 38 | 39 |
+| https://www.humblebundle.com/home/library | 39 | 40 |
+| https://www.humblebundle.com/home/library | 40 | 41 |
 | x\| | 0 | 1 |
 | x\|(?<!\\w)l | 0 | 1 |
 | x\|(?<!\\w)l | 6 | 8 |
--- a/python/ql/test/library-tests/regex/FirstLast.expected
+++ b/python/ql/test/library-tests/regex/FirstLast.expected
@@ -90,6 +90,8 @@
 | ax{,3} | last | 1 | 2 |
 | ax{,3} | last | 1 | 6 |
 | ax{,3} | last | 5 | 6 |
+| https://www.humblebundle.com/home/library | first | 0 | 1 |
+| https://www.humblebundle.com/home/library | last | 40 | 41 |
 | x\| | first | 0 | 1 |
 | x\| | last | 0 | 1 |
 | x\|(?<!\\w)l | first | 0 | 1 |
--- a/python/ql/test/library-tests/regex/Regex.expected
+++ b/python/ql/test/library-tests/regex/Regex.expected
@@ -218,6 +218,48 @@
 | ax{,3} | char | 5 | 6 |
 | ax{,3} | qualified | 1 | 6 |
 | ax{,3} | sequence | 0 | 6 |
+| https://www.humblebundle.com/home/library | . | 11 | 12 |
+| https://www.humblebundle.com/home/library | . | 24 | 25 |
+| https://www.humblebundle.com/home/library | char | 0 | 1 |
+| https://www.humblebundle.com/home/library | char | 1 | 2 |
+| https://www.humblebundle.com/home/library | char | 2 | 3 |
+| https://www.humblebundle.com/home/library | char | 3 | 4 |
+| https://www.humblebundle.com/home/library | char | 4 | 5 |
+| https://www.humblebundle.com/home/library | char | 5 | 6 |
+| https://www.humblebundle.com/home/library | char | 6 | 7 |
+| https://www.humblebundle.com/home/library | char | 7 | 8 |
+| https://www.humblebundle.com/home/library | char | 8 | 9 |
+| https://www.humblebundle.com/home/library | char | 9 | 10 |
+| https://www.humblebundle.com/home/library | char | 10 | 11 |
+| https://www.humblebundle.com/home/library | char | 12 | 13 |
+| https://www.humblebundle.com/home/library | char | 13 | 14 |
+| https://www.humblebundle.com/home/library | char | 14 | 15 |
+| https://www.humblebundle.com/home/library | char | 15 | 16 |
+| https://www.humblebundle.com/home/library | char | 16 | 17 |
+| https://www.humblebundle.com/home/library | char | 17 | 18 |
+| https://www.humblebundle.com/home/library | char | 18 | 19 |
+| https://www.humblebundle.com/home/library | char | 19 | 20 |
+| https://www.humblebundle.com/home/library | char | 20 | 21 |
+| https://www.humblebundle.com/home/library | char | 21 | 22 |
+| https://www.humblebundle.com/home/library | char | 22 | 23 |
+| https://www.humblebundle.com/home/library | char | 23 | 24 |
+| https://www.humblebundle.com/home/library | char | 25 | 26 |
+| https://www.humblebundle.com/home/library | char | 26 | 27 |
+| https://www.humblebundle.com/home/library | char | 27 | 28 |
+| https://www.humblebundle.com/home/library | char | 28 | 29 |
+| https://www.humblebundle.com/home/library | char | 29 | 30 |
+| https://www.humblebundle.com/home/library | char | 30 | 31 |
+| https://www.humblebundle.com/home/library | char | 31 | 32 |
+| https://www.humblebundle.com/home/library | char | 32 | 33 |
+| https://www.humblebundle.com/home/library | char | 33 | 34 |
+| https://www.humblebundle.com/home/library | char | 34 | 35 |
+| https://www.humblebundle.com/home/library | char | 35 | 36 |
+| https://www.humblebundle.com/home/library | char | 36 | 37 |
+| https://www.humblebundle.com/home/library | char | 37 | 38 |
+| https://www.humblebundle.com/home/library | char | 38 | 39 |
+| https://www.humblebundle.com/home/library | char | 39 | 40 |
+| https://www.humblebundle.com/home/library | char | 40 | 41 |
+| https://www.humblebundle.com/home/library | sequence | 0 | 41 |
 | x\| | char | 0 | 1 |
 | x\| | choice | 0 | 2 |
 | x\| | sequence | 0 | 1 |
--- a/python/ql/test/library-tests/regex/test.py
+++ b/python/ql/test/library-tests/regex/test.py
@@ -62,3 +62,7 @@ re.compile(r'(?:(?P<n1>^(?:|x)))')
 re.compile(r"\[(?P<txt>[^[]*)\]\((?P<uri>[^)]*)")

 re.compile("", re.M) # ODASA-8056
+
+# FP reported in https://github.com/github/codeql/issues/3712
+# This does not define a regex (but could be used by other code to do so)
+escaped = re.escape("https://www.humblebundle.com/home/library")
--- a/python/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp.expected
+++ b/python/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp.expected
@@ -1 +1,2 @@
 | hosttest.py:6:27:6:51 | Str | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. |
+| hosttest.py:23:21:23:63 | Str | This regular expression has an unescaped '.' before 'humblebundle.com', so it might match more hosts than expected. |
--- a/python/ql/test/query-tests/Security/CWE-020/hosttest.py
+++ b/python/ql/test/query-tests/Security/CWE-020/hosttest.py
@@ -17,3 +17,7 @@ def safe(request):
    target = request.args.get('target', '')
    if SAFE_REGEX.match(target):
        return redirect(target)
+
+# FP reported in https://github.com/github/codeql/issues/3712
+# This does not define a regex (but could be used by other code to do so)
+escaped = re.escape("https://www.humblebundle.com/home/library")