Python: Move query tests to reflect new file layout

2026-05-01 19:55:15 +02:00 · 2021-02-16 13:15:01 +01:00
parent 1d6f9bee08
commit 8494fcf45f
114 changed files with 12 additions and 10 deletions
--- a/python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.expected
+++ b/python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.expected
@@ -0,0 +1,5 @@
+| jinja2_escaping.py:9:14:9:39 | ControlFlowNode for Environment() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
+| jinja2_escaping.py:41:5:41:29 | ControlFlowNode for Environment() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
+| jinja2_escaping.py:43:1:43:3 | ControlFlowNode for E() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
+| jinja2_escaping.py:44:1:44:15 | ControlFlowNode for E() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
+| jinja2_escaping.py:53:15:53:43 | ControlFlowNode for Template() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
--- a/python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.qlref
+++ b/python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.qlref
@@ -0,0 +1 @@
+Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.ql
--- a/python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/jinja2_escaping.py
+++ b/python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/jinja2_escaping.py
@@ -0,0 +1,55 @@
+
+Environment(loader=templateLoader, autoescape=fake_func())
+from flask import Flask, request, make_response, escape
+from jinja2 import Environment, select_autoescape, FileSystemLoader, Template
+
+app = Flask(__name__)
+loader = FileSystemLoader( searchpath="templates/" )
+
+unsafe_env = Environment(loader=loader)
+safe1_env = Environment(loader=loader, autoescape=True)
+safe2_env = Environment(loader=loader, autoescape=select_autoescape())
+
+def render_response_from_env(env):
+    name = request.args.get('name', '')
+    template = env.get_template('template.html')
+    return make_response(template.render(name=name))
+
+@app.route('/unsafe')
+def unsafe():
+    return render_response_from_env(unsafe_env)
+
+@app.route('/safe1')
+def safe1():
+    return render_response_from_env(safe1_env)
+
+@app.route('/safe2')
+def safe2():
+    return render_response_from_env(safe2_env)
+
+# Explicit autoescape
+
+e = Environment(
+    loader=loader,
+    autoescape=select_autoescape(['html', 'htm', 'xml'])
+) # GOOD
+
+# Additional checks with flow.
+auto = select_autoescape
+e = Environment(autoescape=auto) # GOOD
+z = 0
+e = Environment(autoescape=z) # BAD
+E = Environment
+E() # BAD
+E(autoescape=z) # BAD
+E(autoescape=auto) # GOOD
+E(autoescape=0+1) # GOOD
+
+def checked(cond=False):
+    if cond:
+        e = Environment(autoescape=cond) # GOOD
+
+
+unsafe_tmpl = Template('Hello {{ name }}!')
+safe1_tmpl = Template('Hello {{ name }}!', autoescape=True)
+safe2_tmpl = Template('Hello {{ name }}!', autoescape=select_autoescape())
--- a/python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/options
+++ b/python/ql/test/query-tests/Security/BadPractice/Jinja2RenderWithoutEscape/options
@@ -0,0 +1 @@
+semmle-extractor-options: -p ../lib/ --max-import-depth=3
				`@@ -0,0 +1 @@`
				`Security/BadPractice/Jinja2RenderWithoutEscape/Jinja2WithoutEscaping.ql`
				`@@ -0,0 +1 @@`
				`semmle-extractor-options: -p ../lib/ --max-import-depth=3`