Python: Move query tests to reflect new file layout

2026-03-24 00:16:49 +01:00 · 2021-02-16 13:15:01 +01:00
parent 1d6f9bee08
commit 8494fcf45f
114 changed files with 12 additions and 10 deletions
--- a/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextLogging.expected
+++ b/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextLogging.expected
@@ -0,0 +1,10 @@
+edges
+| password_in_cookie.py:7:16:7:43 | a password | password_in_cookie.py:9:33:9:40 | a password |
+| password_in_cookie.py:14:16:14:43 | a password | password_in_cookie.py:16:33:16:40 | a password |
+| test.py:7:16:7:29 | a password | test.py:8:35:8:42 | a password |
+| test.py:7:16:7:29 | a password | test.py:8:35:8:42 | a password |
+| test.py:20:12:20:21 | a certificate or key | test.py:22:20:22:23 | a certificate or key |
+#select
+| test.py:8:35:8:42 | password | test.py:7:16:7:29 | a password | test.py:8:35:8:42 | a password | Sensitive data returned by $@ is logged here. | test.py:7:16:7:29 | get_password() | a call returning a password |
+| test.py:14:30:14:39 | get_cert() | test.py:14:30:14:39 | a certificate or key | test.py:14:30:14:39 | a certificate or key | Sensitive data returned by $@ is logged here. | test.py:14:30:14:39 | get_cert() | a call returning a certificate or key |
+| test.py:17:11:17:24 | get_password() | test.py:17:11:17:24 | a password | test.py:17:11:17:24 | a password | Sensitive data returned by $@ is logged here. | test.py:17:11:17:24 | get_password() | a call returning a password |
--- a/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextLogging.qlref
+++ b/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextLogging.qlref
@@ -0,0 +1 @@
+Security/Exposure/SensitiveDataExposure/CleartextLogging.ql
--- a/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextStorage.expected
+++ b/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextStorage.expected
@@ -0,0 +1,12 @@
+edges
+| password_in_cookie.py:7:16:7:43 | a password | password_in_cookie.py:9:33:9:40 | a password |
+| password_in_cookie.py:7:16:7:43 | a password | password_in_cookie.py:9:33:9:40 | a password |
+| password_in_cookie.py:14:16:14:43 | a password | password_in_cookie.py:16:33:16:40 | a password |
+| password_in_cookie.py:14:16:14:43 | a password | password_in_cookie.py:16:33:16:40 | a password |
+| test.py:7:16:7:29 | a password | test.py:8:35:8:42 | a password |
+| test.py:20:12:20:21 | a certificate or key | test.py:22:20:22:23 | a certificate or key |
+| test.py:20:12:20:21 | a certificate or key | test.py:22:20:22:23 | a certificate or key |
+#select
+| password_in_cookie.py:9:33:9:40 | password | password_in_cookie.py:7:16:7:43 | a password | password_in_cookie.py:9:33:9:40 | a password | Sensitive data from $@ is stored here. | password_in_cookie.py:7:16:7:43 | Attribute() | a request parameter containing a password |
+| password_in_cookie.py:16:33:16:40 | password | password_in_cookie.py:14:16:14:43 | a password | password_in_cookie.py:16:33:16:40 | a password | Sensitive data from $@ is stored here. | password_in_cookie.py:14:16:14:43 | Attribute() | a request parameter containing a password |
+| test.py:22:20:22:23 | cert | test.py:20:12:20:21 | a certificate or key | test.py:22:20:22:23 | a certificate or key | Sensitive data from $@ is stored here. | test.py:20:12:20:21 | get_cert() | a call returning a certificate or key |
--- a/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextStorage.qlref
+++ b/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/CleartextStorage.qlref
@@ -0,0 +1 @@
+Security/Exposure/SensitiveDataExposure/CleartextStorage.ql
--- a/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/options
+++ b/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/options
@@ -0,0 +1 @@
+semmle-extractor-options: -p ../../lib --max-import-depth=3
--- a/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/password_in_cookie.py
+++ b/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/password_in_cookie.py
@@ -0,0 +1,17 @@
+from flask import Flask, make_response, request, Response
+
+app = Flask("Leak password")
+
+@app.route('/')
+def index():
+    password = request.args.get("password")
+    resp = make_response(render_template(...))
+    resp.set_cookie("password", password)
+    return resp
+
+@app.route('/')
+def index2():
+    password = request.args.get("password")
+    resp = Response(...)
+    resp.set_cookie("password", password)
+    return resp
--- a/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/test.py
+++ b/python/ql/test/query-tests/Security/Exposure/SensitiveDataExposure/test.py
@@ -0,0 +1,22 @@
+#Don't import logging; it transitively imports a lot of stuff
+
+def get_password():
+    pass
+
+def log_password():
+    password = get_password()
+    logging.info("Password '%s'", password)
+
+def get_cert():
+    pass
+
+def log_cert():
+    logging.debug("Cert=%s", get_cert())
+
+def print_password():
+    print(get_password())
+
+def write_cert(filename):
+    cert = get_cert()
+    with open(filename, "w") as file:
+        file.write(cert)
				`@@ -0,0 +1 @@`
				`Security/Exposure/SensitiveDataExposure/CleartextLogging.ql`
				`@@ -0,0 +1 @@`
				`semmle-extractor-options: -p ../../lib --max-import-depth=3`