hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-24 00:05:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Python: Add FastAPI request test

Browse Source 
Co-authored-by: Joe Farebrother <joefarebrother@github.com>
This commit is contained in:
Rasmus Wriedt Larsen
2024-12-18 15:28:29 +01:00
parent 508c7e6e85
commit 79dfbf7b21
1 changed files with 35 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
python/ql/test/library-tests/frameworks/fastapi/taint_test.py
View File

@@ -187,3 +187,38 @@ async def websocket_test(websocket: WebSocket): # $ requestHandler routedParamet
async for data in websocket.iter_json():
ensure_tainted(data) # $ tainted
# --- Request ---
import starlette.requests
from fastapi import Request
assert Request == starlette.requests.Request
@app.websocket("/req") # $ routeSetup="/req"
async def request_test(request: Request): # $ requestHandler routedParameter=request
ensure_tainted(
request, # $ tainted
await request.body(), # $ MISSING: tainted
await request.json(), # $ MISSING: tainted
await request.json()["key"], # $ MISSING: tainted
# form() returns a FormDat (which is a starlette ImmutableMultiDict)
await request.form(), # $ MISSING: tainted
await request.form()["key"], # $ MISSING: tainted
await request.form().getlist("key"), # $ MISSING: tainted
await request.form().getlist("key")[0], # $ MISSING: tainted
# data in the form could be an starlette.datastructures.UploadFile
await request.form()["file"].filename, # $ MISSING: tainted
await request.form().getlist("file")[0].filename, # $ MISSING: tainted
request.cookies, # $ MISSING: tainted
request.cookies["key"], # $ MISSING: tainted
)
async for chunk in request.stream():
ensure_tainted(chunk) # $ MISSING: tainted