Merge pull request #16696 from joefarebrother/python-cookie-write-headers

Python: Model CookieWrites from HeaderWrites

python/ql/test/library-tests/frameworks/aiohttp/response_test.py

@@ -96,7 +96,7 @@ async def streaming_response(request): # $ requestHandler
 async def setting_cookie(request): # $ requestHandler
     resp = web.Response(text="foo") # $ HttpResponse mimetype=text/plain responseBody="foo"
     resp.cookies["key"] = "value" # $ CookieWrite CookieName="key" CookieValue="value"
-    resp.headers["Set-Cookie"] = "key2=value2" # $ MISSING: CookieWrite CookieRawHeader="key2=value2"
+    resp.headers["Set-Cookie"] = "key2=value2" # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2"
     resp.set_cookie("key3", "value3") # $ CookieWrite CookieName="key3" CookieValue="value3"
     resp.set_cookie(name="key3", value="value3") # $ CookieWrite CookieName="key3" CookieValue="value3"
     resp.del_cookie("key4") # $ CookieWrite CookieName="key4"

python/ql/test/library-tests/frameworks/django-v2-v3/response_test.py

@@ -62,7 +62,7 @@ def redirect_through_normal_response(request):
 
     resp = HttpResponse() # $ HttpResponse mimetype=text/html
     resp.status_code = 302
-    resp['Location'] = next # $ MISSING: redirectLocation=next
+    resp['Location'] = next # $ headerWriteName='Location' headerWriteValue=next MISSING: redirectLocation=next
     resp.content = private # $ MISSING: responseBody=private
     return resp
 
@@ -72,7 +72,7 @@ def redirect_through_normal_response_new_headers_attr(request):
 
     resp = HttpResponse() # $ HttpResponse mimetype=text/html
     resp.status_code = 302
-    resp.headers['Location'] = next # $ MISSING: redirectLocation=next
+    resp.headers['Location'] = next # $ headerWriteName='Location' headerWriteValue=next MISSING: redirectLocation=next
     resp.content = private # $ MISSING: responseBody=private
     return resp
 
@@ -130,8 +130,9 @@ def setting_cookie(request):
     resp = HttpResponse() # $ HttpResponse mimetype=text/html
     resp.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value"
     resp.set_cookie(key="key", value="value") # $ CookieWrite CookieName="key" CookieValue="value"
-    resp.headers["Set-Cookie"] = "key2=value2" # $ MISSING: CookieWrite CookieRawHeader="key2=value2"
+    resp.headers["Set-Cookie"] = "key2=value2" # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2"
     resp.cookies["key3"] = "value3" # $ CookieWrite CookieName="key3" CookieValue="value3"
     resp.delete_cookie("key4") # $ CookieWrite CookieName="key4"
     resp.delete_cookie(key="key4") # $ CookieWrite CookieName="key4"
+    resp["Set-Cookie"] = "key5=value5" # $ headerWriteName="Set-Cookie" headerWriteValue="key5=value5" CookieWrite CookieRawHeader="key5=value5"
     return resp

python/ql/test/library-tests/frameworks/fastapi/response_test.py

@@ -11,9 +11,9 @@ app = FastAPI()
 async def response_parameter(response: Response): # $ requestHandler
     response.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value"
     response.set_cookie(key="key", value="value") # $ CookieWrite CookieName="key" CookieValue="value"
-    response.headers.append("Set-Cookie", "key2=value2") # $ CookieWrite CookieRawHeader="key2=value2"
-    response.headers.append(key="Set-Cookie", value="key2=value2") # $ CookieWrite CookieRawHeader="key2=value2"
-    response.headers["X-MyHeader"] = "header-value"
+    response.headers.append("Set-Cookie", "key2=value2") # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2"
+    response.headers.append(key="Set-Cookie", value="key2=value2") # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2"
+    response.headers["X-MyHeader"] = "header-value" # $ headerWriteName="X-MyHeader" headerWriteValue="header-value"
     response.status_code = 418
     return {"message": "response as parameter"} # $ HttpResponse mimetype=application/json responseBody=Dict
 
@@ -45,7 +45,7 @@ async def response_parameter_custom_type(response: MyXmlResponse): # $ requestHa
     print(type(response))
     assert type(response) == fastapi.responses.Response
     response.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value"
-    response.headers["Custom-Response-Type"] = "yes, but only after function has run"
+    response.headers["Custom-Response-Type"] = "yes, but only after function has run" # $ headerWriteName="Custom-Response-Type" headerWriteValue="yes, but only after function has run"
     xml_data = "<foo>FOO</foo>"
     return xml_data # $ HttpResponse responseBody=xml_data mimetype=application/xml
 

python/ql/test/library-tests/frameworks/flask/response_test.py

@@ -118,7 +118,7 @@ def response_modification1():  # $requestHandler
 @app.route("/content-type/response-modification2")  # $routeSetup="/content-type/response-modification2"
 def response_modification2():  # $requestHandler
     resp = make_response("<h1>hello</h1>")  # $HttpResponse mimetype=text/html responseBody="<h1>hello</h1>"
-    resp.headers["content-type"] = "text/plain"  # $ headerWriteNameUnsanitized="content-type" headerWriteValueSanitized="text/plain" MISSING: HttpResponse mimetype=text/plain
+    resp.headers["content-type"] = "text/plain"  # $ headerWriteNameUnsanitized="content-type" headerWriteValue="text/plain" MISSING: HttpResponse mimetype=text/plain
     return resp  # $ SPURIOUS: HttpResponse mimetype=text/html responseBody=resp
 
 
@@ -148,7 +148,7 @@ def Response3():  # $requestHandler
 @app.route("/content-type/Response4")  # $routeSetup="/content-type/Response4"
 def Response4():  # $requestHandler
     # note: capitalization of Content-Type does not matter
-    resp = Response("<h1>hello</h1>", headers={"Content-TYPE": "text/plain"})  # $ headerWriteBulk=Dict headerWriteNameUnsanitized headerWriteValueSanitized HttpResponse responseBody="<h1>hello</h1>" SPURIOUS: mimetype=text/html MISSING: mimetype=text/plain
+    resp = Response("<h1>hello</h1>", headers={"Content-TYPE": "text/plain"})  # $ headerWriteBulk=Dict headerWriteBulkUnsanitized=name headerWriteNameUnsanitized="Content-TYPE" headerWriteValue="text/plain" HttpResponse responseBody="<h1>hello</h1>" SPURIOUS: mimetype=text/html MISSING: mimetype=text/plain
     return resp  # $ SPURIOUS: HttpResponse mimetype=text/html responseBody=resp
 
 
@@ -156,7 +156,7 @@ def Response4():  # $requestHandler
 def Response5():  # $requestHandler
     # content_type argument takes priority (and result is text/plain)
     # note: capitalization of Content-Type does not matter
-    resp = Response("<h1>hello</h1>", headers={"Content-TYPE": "text/html"}, content_type="text/plain; charset=utf-8")  # $ headerWriteBulk=Dict headerWriteNameUnsanitized headerWriteValueSanitized HttpResponse mimetype=text/plain responseBody="<h1>hello</h1>"
+    resp = Response("<h1>hello</h1>", headers={"Content-TYPE": "text/html"}, content_type="text/plain; charset=utf-8")  # $ headerWriteBulk=Dict headerWriteBulkUnsanitized=name headerWriteNameUnsanitized="Content-TYPE" headerWriteValue="text/html" HttpResponse mimetype=text/plain responseBody="<h1>hello</h1>"
     return resp  # $ SPURIOUS: HttpResponse mimetype=text/html responseBody=resp
 
 
@@ -164,7 +164,7 @@ def Response5():  # $requestHandler
 def Response6():  # $requestHandler
     # mimetype argument takes priority over header (and result is text/plain)
     # note: capitalization of Content-Type does not matter
-    resp = Response("<h1>hello</h1>", headers={"Content-TYPE": "text/html"}, mimetype="text/plain")  # $ headerWriteBulk=Dict headerWriteNameUnsanitized headerWriteValueSanitized HttpResponse mimetype=text/plain responseBody="<h1>hello</h1>"
+    resp = Response("<h1>hello</h1>", headers={"Content-TYPE": "text/html"}, mimetype="text/plain")  # $ headerWriteBulk=Dict headerWriteBulkUnsanitized=name headerWriteNameUnsanitized="Content-TYPE" headerWriteValue="text/html" HttpResponse mimetype=text/plain responseBody="<h1>hello</h1>"
     return resp  # $ SPURIOUS: HttpResponse mimetype=text/html responseBody=resp
 
 
@@ -208,7 +208,7 @@ def setting_cookie():  # $requestHandler
     resp = make_response() # $ HttpResponse mimetype=text/html
     resp.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value"
     resp.set_cookie(key="key", value="value") # $ CookieWrite CookieName="key" CookieValue="value"
-    resp.headers.add("Set-Cookie", "key2=value2") # $ headerWriteNameUnsanitized="Set-Cookie" headerWriteValueSanitized="key2=value2" MISSING: CookieWrite CookieRawHeader="key2=value2"
+    resp.headers.add("Set-Cookie", "key2=value2") # $ headerWriteNameUnsanitized="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2"
     resp.delete_cookie("key3") # $ CookieWrite CookieName="key3"
     resp.delete_cookie(key="key3") # $ CookieWrite CookieName="key3"
     return resp  # $ SPURIOUS: HttpResponse mimetype=text/html responseBody=resp
@@ -220,29 +220,29 @@ def setting_cookie():  # $requestHandler
 @app.route("/headers") # $routeSetup="/headers"
 def headers():  # $requestHandler
     resp1 = Response() # $ HttpResponse mimetype=text/html
-    resp1.headers["X-MyHeader"] = "a" # $ headerWriteNameUnsanitized="X-MyHeader" headerWriteValueSanitized="a"
+    resp1.headers["X-MyHeader"] = "a" # $ headerWriteNameUnsanitized="X-MyHeader" headerWriteValue="a"
     resp2 = make_response() # $ HttpResponse mimetype=text/html
-    resp2.headers["X-MyHeader"] = "aa" # $ headerWriteNameUnsanitized="X-MyHeader" headerWriteValueSanitized="aa"
-    resp2.headers.extend({"X-MyHeader2": "b"}) # $ headerWriteBulk=Dict headerWriteNameUnsanitized headerWriteValueSanitized 
-    resp3 = make_response("hello", 200, {"X-MyHeader3": "c"}) # $ HttpResponse mimetype=text/html responseBody="hello" headerWriteBulk=Dict headerWriteNameUnsanitized headerWriteValueSanitized
-    resp4 = make_response("hello", {"X-MyHeader4": "d"}) # $ HttpResponse mimetype=text/html responseBody="hello" headerWriteBulk=Dict headerWriteNameUnsanitized headerWriteValueSanitized
-    resp5 = Response(headers={"X-MyHeader5":"e"}) # $ HttpResponse mimetype=text/html headerWriteBulk=Dict headerWriteNameUnsanitized headerWriteValueSanitized
+    resp2.headers["X-MyHeader"] = "aa" # $ headerWriteNameUnsanitized="X-MyHeader" headerWriteValue="aa"
+    resp2.headers.extend({"X-MyHeader2": "b"}) # $ headerWriteBulk=Dict headerWriteBulkUnsanitized=name headerWriteNameUnsanitized="X-MyHeader2" headerWriteValue="b" 
+    resp3 = make_response("hello", 200, {"X-MyHeader3": "c"}) # $ HttpResponse mimetype=text/html responseBody="hello" headerWriteBulk=Dict headerWriteBulkUnsanitized=name headerWriteNameUnsanitized="X-MyHeader3" headerWriteValue="c"
+    resp4 = make_response("hello", {"X-MyHeader4": "d"}) # $ HttpResponse mimetype=text/html responseBody="hello" headerWriteBulk=Dict headerWriteBulkUnsanitized=name headerWriteNameUnsanitized="X-MyHeader4" headerWriteValue="d"
+    resp5 = Response(headers={"X-MyHeader5":"e"}) # $ HttpResponse mimetype=text/html headerWriteBulk=Dict headerWriteBulkUnsanitized=name headerWriteBulkUnsanitized=name headerWriteNameUnsanitized="X-MyHeader5" headerWriteValue="e"
     return resp5  # $ SPURIOUS: HttpResponse mimetype=text/html responseBody=resp5
 
 @app.route("/werkzeug-headers") # $routeSetup="/werkzeug-headers"
 def werkzeug_headers():  # $requestHandler
     response = Response() # $ HttpResponse mimetype=text/html
     headers = Headers()
-    headers.add("X-MyHeader1", "a") # $ headerWriteNameUnsanitized="X-MyHeader1" headerWriteValueSanitized="a"
-    headers.add_header("X-MyHeader2", "b") # $ headerWriteNameUnsanitized="X-MyHeader2" headerWriteValueSanitized="b"
-    headers.set("X-MyHeader3", "c") # $ headerWriteNameUnsanitized="X-MyHeader3" headerWriteValueSanitized="c" 
-    headers.setdefault("X-MyHeader4", "d") # $ headerWriteNameUnsanitized="X-MyHeader4" headerWriteValueSanitized="d" 
-    headers.__setitem__("X-MyHeader5", "e") # $ headerWriteNameUnsanitized="X-MyHeader5" headerWriteValueSanitized="e" 
-    headers["X-MyHeader6"] = "f" # $ headerWriteNameUnsanitized="X-MyHeader6" headerWriteValueSanitized="f" 
-    h1 = {"X-MyHeader7": "g"}
-    headers.extend(h1) # $ headerWriteBulk=h1 headerWriteNameUnsanitized headerWriteValueSanitized 
-    h2 = [("X-MyHeader8", "h")]
-    headers.extend(h2) # $ headerWriteBulk=h2 headerWriteNameUnsanitized headerWriteValueSanitized 
+    headers.add("X-MyHeader1", "a") # $ headerWriteNameUnsanitized="X-MyHeader1" headerWriteValue="a"
+    headers.add_header("X-MyHeader2", "b") # $ headerWriteNameUnsanitized="X-MyHeader2" headerWriteValue="b"
+    headers.set("X-MyHeader3", "c") # $ headerWriteNameUnsanitized="X-MyHeader3" headerWriteValue="c" 
+    headers.setdefault("X-MyHeader4", "d") # $ headerWriteNameUnsanitized="X-MyHeader4" headerWriteValue="d" 
+    headers.__setitem__("X-MyHeader5", "e") # $ headerWriteNameUnsanitized="X-MyHeader5" headerWriteValue="e" 
+    headers["X-MyHeader6"] = "f" # $ headerWriteNameUnsanitized="X-MyHeader6" headerWriteValue="f" 
+    h1 = {"X-MyHeader7": "g"} # $ headerWriteNameUnsanitized="X-MyHeader7" headerWriteValue="g"
+    headers.extend(h1) # $ headerWriteBulk=h1 headerWriteBulkUnsanitized=name 
+    h2 = [("X-MyHeader8", "h")] # $ headerWriteNameUnsanitized="X-MyHeader8" headerWriteValue="h"
+    headers.extend(h2) # $ headerWriteBulk=h2 headerWriteBulkUnsanitized=name 
     response.headers = headers 
     return response # $ SPURIOUS: HttpResponse mimetype=text/html responseBody=response
 

python/ql/test/library-tests/frameworks/rest_framework/response_test.py

@@ -28,7 +28,7 @@ def setting_cookie(request):
     resp = Response() # $ HttpResponse
     resp.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value"
     resp.set_cookie(key="key4", value="value") # $ CookieWrite CookieName="key4" CookieValue="value"
-    resp.headers["Set-Cookie"] = "key2=value2" # $ MISSING: CookieWrite CookieRawHeader="key2=value2"
+    resp.headers["Set-Cookie"] = "key2=value2" # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2"
     resp.cookies["key3"] = "value3" # $ CookieWrite CookieName="key3" CookieValue="value3"
     resp.delete_cookie("key4") # $ CookieWrite CookieName="key4"
     resp.delete_cookie(key="key4") # $ CookieWrite CookieName="key4"

python/ql/test/library-tests/frameworks/rest_framework/testapp/views.py

@@ -70,7 +70,7 @@ def cookie_test(request: Request): # $ requestHandler
     resp = Response("wat") # $ HttpResponse
     resp.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value"
     resp.set_cookie(key="key4", value="value") # $ CookieWrite CookieName="key4" CookieValue="value"
-    resp.headers["Set-Cookie"] = "key2=value2" # $ MISSING: CookieWrite CookieRawHeader="key2=value2"
+    resp.headers["Set-Cookie"] = "key2=value2" # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2"
     resp.cookies["key3"] = "value3" # $ CookieWrite CookieName="key3" CookieValue="value3"
     return resp
 

python/ql/test/library-tests/frameworks/stdlib/wsgiref_simple_server_test.py

@@ -18,7 +18,7 @@ def func(environ, start_response): # $ requestHandler
         environ, # $ tainted
         environ["PATH_INFO"], # $ tainted
     )
-    write = start_response("200 OK", [("Content-Type", "text/plain")]) # $ headerWriteBulk=List headerWriteNameUnsanitized headerWriteValueUnsanitized
+    write = start_response("200 OK", [("Content-Type", "text/plain")]) # $ headerWriteBulk=List headerWriteBulkUnsanitized=name,value headerWriteNameUnsanitized="Content-Type" headerWriteValueUnsanitized="text/plain"
     write(b"hello") # $ HttpResponse responseBody=b"hello"
     write(data=b" ") # $ HttpResponse responseBody=b" "
 
@@ -33,16 +33,16 @@ class MyServer(wsgiref.simple_server.WSGIServer):
         self.set_app(self.my_method)
 
     def my_method(self, _env, start_response): # $ requestHandler
-        start_response("200 OK", []) # $ headerWriteBulk=List headerWriteNameUnsanitized headerWriteValueUnsanitized
+        start_response("200 OK", []) # $ headerWriteBulk=List headerWriteBulkUnsanitized=name,value
         return [b"my_method"] # $ HttpResponse responseBody=List
 
 def func2(environ, start_response): # $ requestHandler
-    headers = wsgiref.headers.Headers([("Content-Type", "text/plain")]) # $ headerWriteBulk=List headerWriteNameUnsanitized headerWriteValueUnsanitized
+    headers = wsgiref.headers.Headers([("Content-Type", "text/plain")]) # $ headerWriteBulk=List headerWriteBulkUnsanitized=name,value headerWriteNameUnsanitized="Content-Type" headerWriteValueUnsanitized="text/plain"
     headers.add_header("X-MyHeader", "a") # $ headerWriteNameUnsanitized="X-MyHeader" headerWriteValueUnsanitized="a"
     headers.setdefault("X-MyHeader2", "b") # $ headerWriteNameUnsanitized="X-MyHeader2" headerWriteValueUnsanitized="b"
     headers.__setitem__("X-MyHeader3", "c") # $ headerWriteNameUnsanitized="X-MyHeader3" headerWriteValueUnsanitized="c"
     headers["X-MyHeader4"] = "d" # $ headerWriteNameUnsanitized="X-MyHeader4" headerWriteValueUnsanitized="d"
-    start_response(status, headers) # $ headerWriteBulk=headers headerWriteNameUnsanitized headerWriteValueUnsanitized
+    start_response(status, headers) # $ headerWriteBulk=headers headerWriteBulkUnsanitized=name,value
     return [b"Hello"] # $ HttpResponse responseBody=List
 
 case = sys.argv[1]
@@ -54,7 +54,7 @@ elif case == "2":
 elif case == "3":
     server = MyServer()
     def func3(_env, start_response): # $ requestHandler
-        start_response("200 OK", []) # $ headerWriteBulk=List headerWriteNameUnsanitized headerWriteValueUnsanitized
+        start_response("200 OK", []) # $ headerWriteBulk=List headerWriteBulkUnsanitized=name,value
         return [b"foo"] # $ HttpResponse responseBody=List
     server.set_app(func3)
 elif case == "4":

python/ql/test/library-tests/frameworks/tornado/response_test.py

@@ -24,10 +24,10 @@ class ExplicitContentType(tornado.web.RequestHandler):
         # what matters.
 
         self.write("foo") # $ HttpResponse mimetype=text/html responseBody="foo"
-        self.set_header("Content-Type", "text/plain; charset=utf-8")
+        self.set_header("Content-Type", "text/plain; charset=utf-8") # $ headerWriteName="Content-Type" headerWriteValue="text/plain; charset=utf-8"
 
     def post(self): # $ requestHandler
-        self.set_header("Content-Type", "text/plain; charset=utf-8")
+        self.set_header("Content-Type", "text/plain; charset=utf-8") # $ headerWriteName="Content-Type" headerWriteValue="text/plain; charset=utf-8"
         self.write("foo") # $ HttpResponse responseBody="foo" MISSING: mimetype=text/plain SPURIOUS: mimetype=text/html
 
 
@@ -67,7 +67,10 @@ class CookieWriting(tornado.web.RequestHandler):
         self.write("foo") # $ HttpResponse mimetype=text/html responseBody="foo"
         self.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value"
         self.set_cookie(name="key", value="value") # $ CookieWrite CookieName="key" CookieValue="value"
-        self.set_header("Set-Cookie", "key2=value2") # $ MISSING: CookieWrite CookieRawHeader="key2=value2"
+        self.set_header("Set-Cookie", "key2=value2") # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2"
+        self.add_header("Set-Cookie", "key3=value3") # $ headerWriteName="Set-Cookie" headerWriteValue="key3=value3" CookieWrite CookieRawHeader="key3=value3"
+        self.request.headers.add("Set-Cookie", "key4=value4") # $ headerWriteName="Set-Cookie" headerWriteValue="key4=value4" CookieWrite CookieRawHeader="key4=value4"
+        self.request.headers["Set-Cookie"] = "key5=value5" # $ headerWriteName="Set-Cookie" headerWriteValue="key5=value5" CookieWrite CookieRawHeader="key5=value5"
 
 
 def make_app():