Python: Add tests for turbogears.

2026-05-05 13:45:19 +02:00 · 2019-02-25 15:04:44 +00:00
parent 26c5ebde54
commit 7d0943f30d
10 changed files with 90 additions and 0 deletions
--- a/python/ql/test/library-tests/web/turbogears/Controller.expected
+++ b/python/ql/test/library-tests/web/turbogears/Controller.expected
@@ -0,0 +1,4 @@
+| test.py:7:5:7:32 | Function onerror |
+| test.py:13:5:13:50 | Function ok_validated |
+| test.py:18:5:18:57 | Function partially_validated |
+| test.py:22:5:22:51 | Function not_validated |
--- a/python/ql/test/library-tests/web/turbogears/Controller.ql
+++ b/python/ql/test/library-tests/web/turbogears/Controller.ql
@@ -0,0 +1,9 @@
+
+
+import python
+
+import semmle.python.web.turbogears.TurboGears
+
+from TurboGearsControllerMethod m
+select m
+
--- a/python/ql/test/library-tests/web/turbogears/Sinks.expected
+++ b/python/ql/test/library-tests/web/turbogears/Sinks.expected
@@ -0,0 +1,4 @@
+| test.py:8 | BinaryExpr | externally controlled string |
+| test.py:14 | BinaryExpr | externally controlled string |
+| test.py:19 | BinaryExpr | externally controlled string |
+| test.py:23 | BinaryExpr | externally controlled string |
--- a/python/ql/test/library-tests/web/turbogears/Sinks.ql
+++ b/python/ql/test/library-tests/web/turbogears/Sinks.ql
@@ -0,0 +1,10 @@
+
+import python
+
+import semmle.python.web.HttpRequest
+import semmle.python.web.HttpResponse
+import semmle.python.security.strings.Untrusted
+
+from TaintSink sink, TaintKind kind
+where sink.sinks(kind)
+select sink.getLocation().toString(), sink.(ControlFlowNode).getNode().toString(), kind
--- a/python/ql/test/library-tests/web/turbogears/Sources.expected
+++ b/python/ql/test/library-tests/web/turbogears/Sources.expected
@@ -0,0 +1,3 @@
+| test.py:18 | b | externally controlled string |
+| test.py:22 | a | externally controlled string |
+| test.py:22 | b | externally controlled string |
--- a/python/ql/test/library-tests/web/turbogears/Sources.ql
+++ b/python/ql/test/library-tests/web/turbogears/Sources.ql
@@ -0,0 +1,10 @@
+
+import python
+
+import semmle.python.web.HttpRequest
+import semmle.python.security.strings.Untrusted
+
+
+from TaintSource src, TaintKind kind
+where src.isSourceOf(kind)
+select src.getLocation().toString(), src.(ControlFlowNode).getNode().toString(), kind
--- a/python/ql/test/library-tests/web/turbogears/Taint.expected
+++ b/python/ql/test/library-tests/web/turbogears/Taint.expected
@@ -0,0 +1,12 @@
+| test.py:18 | b | externally controlled string |
+| test.py:19 | BinaryExpr | [externally controlled string] |
+| test.py:19 | BinaryExpr | externally controlled string |
+| test.py:19 | Tuple | [externally controlled string] |
+| test.py:19 | b | externally controlled string |
+| test.py:22 | a | externally controlled string |
+| test.py:22 | b | externally controlled string |
+| test.py:23 | BinaryExpr | [externally controlled string] |
+| test.py:23 | BinaryExpr | externally controlled string |
+| test.py:23 | Tuple | [externally controlled string] |
+| test.py:23 | a | externally controlled string |
+| test.py:23 | b | externally controlled string |
--- a/python/ql/test/library-tests/web/turbogears/Taint.ql
+++ b/python/ql/test/library-tests/web/turbogears/Taint.ql
@@ -0,0 +1,13 @@
+
+import python
+
+
+import semmle.python.web.HttpRequest
+import semmle.python.web.HttpResponse
+import semmle.python.security.strings.Untrusted
+
+
+from TaintedNode node
+
+select node.getLocation().toString(), node.getNode().getNode().toString(), node.getTaintKind()
+
--- a/python/ql/test/library-tests/web/turbogears/options
+++ b/python/ql/test/library-tests/web/turbogears/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: --max-import-depth=3 --lang=3 -p ../../../query-tests/Security/lib/
+optimize: true
--- a/python/ql/test/library-tests/web/turbogears/test.py
+++ b/python/ql/test/library-tests/web/turbogears/test.py
@@ -0,0 +1,23 @@
+
+from tg import request, validate, expose, TGController
+from formencode import validators
+
+class RootController(TGController):
+    @expose()
+    def onerror(self, **kwargs):
+        return 'An error occurred: %s' % request.validation['errors']
+
+    @expose()
+    @validate({"a": validators.Int(not_empty=True), "b": validators.Email},
+              error_handler=onerror)
+    def ok_validated(self, a=None, b=None, *args):
+        return 'Values: %s, %s, %s' % (a, b, args)
+
+    @expose()
+    @validate({"a": validators.Int(not_empty=True)})
+    def partially_validated(self, a=None, b=None, *args):
+        return 'Values: %s, %s, %s' % (a, b, args)
+
+    @expose()
+    def not_validated(self, a=None, b=None, *args):
+        return 'Values: %s, %s, %s' % (a, b, args)