Python: Port old routing tests

Rasmus Wriedt Larsen
2020-10-15 20:43:46 +02:00
parent ca60132e24
commit 979dc471ac
2 changed files with 138 additions and 0 deletions


@@ -1,3 +1,42 @@
| routing_test.py:7:55:7:111 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar | Missing result:routeHandler= |
| routing_test.py:7:55:7:111 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar | Missing result:routedParameter=bar |
| routing_test.py:7:55:7:111 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar | Missing result:routedParameter=foo |
| routing_test.py:11:31:11:45 | Comment # $routeHandler | Missing result:routeHandler= |
| routing_test.py:15:32:15:46 | Comment # $routeHandler | Missing result:routeHandler= |
| routing_test.py:19:32:19:46 | Comment # $routeHandler | Missing result:routeHandler= |
| routing_test.py:29:42:29:83 | Comment # $routeHandler $routedParameter=untrusted | Missing result:routeHandler= |
| routing_test.py:29:42:29:83 | Comment # $routeHandler $routedParameter=untrusted | Missing result:routedParameter=untrusted |
| routing_test.py:35:41:35:82 | Comment # $routeHandler $routedParameter=untrusted | Missing result:routeHandler= |
| routing_test.py:35:41:35:82 | Comment # $routeHandler $routedParameter=untrusted | Missing result:routedParameter=untrusted |
| routing_test.py:39:45:39:88 | Comment # $routeHandler $routedParameter=page_number | Missing result:routeHandler= |
| routing_test.py:39:45:39:88 | Comment # $routeHandler $routedParameter=page_number | Missing result:routedParameter=page_number |
| routing_test.py:44:62:44:120 | Comment # $routeHandler $routedParameter=arg0 $routedParameter=arg1 | Missing result:routeHandler= |
| routing_test.py:44:62:44:120 | Comment # $routeHandler $routedParameter=arg0 $routedParameter=arg1 | Missing result:routedParameter=arg0 |
| routing_test.py:44:62:44:120 | Comment # $routeHandler $routedParameter=arg0 $routedParameter=arg1 | Missing result:routedParameter=arg1 |
| routing_test.py:49:75:49:131 | Comment # $routeSetup=r"^url_match/(?P<foo>[^/]+)/(?P<bar>[^/]+)" | Missing result:routeSetup=r"^url_match/(?P<foo>[^/]+)/(?P<bar>[^/]+)" |
| routing_test.py:50:47:50:74 | Comment # $routeSetup=r"^get_params" | Missing result:routeSetup=r"^get_params" |
| routing_test.py:51:49:51:77 | Comment # $routeSetup=r"^post_params" | Missing result:routeSetup=r"^post_params" |
| routing_test.py:52:53:52:85 | Comment # $routeSetup=r"^http_resp_write" | Missing result:routeSetup=r"^http_resp_write" |
| routing_test.py:53:70:53:115 | Comment # $routeSetup=r"^class_view/(?P<untrusted>.+)" | Missing result:routeSetup=r"^class_view/(?P<untrusted>.+)" |
| routing_test.py:56:76:56:133 | Comment # $routeSetup=r"articles/^(?:page-(?P<page_number>\\d+)/)?" | Missing result:routeSetup=r"articles/^(?:page-(?P<page_number>\\d+)/)?" |
| routing_test.py:59:95:59:139 | Comment # $routeSetup=r"^([^/]+)/(?:foo\|bar)/([^/]+)" | Missing result:routeSetup=r"^([^/]+)/(?:foo\|bar)/([^/]+)" |
| routing_test.py:65:31:65:45 | Comment # $routeHandler | Missing result:routeHandler= |
| routing_test.py:70:84:70:138 | Comment # $routeSetup=r"^specifying-as-kwargs-is-not-a-problem" | Missing result:routeSetup=r"^specifying-as-kwargs-is-not-a-problem" |
| routing_test.py:78:43:78:86 | Comment # $routeHandler $routedParameter=page_number | Missing result:routeHandler= |
| routing_test.py:78:43:78:86 | Comment # $routeHandler $routedParameter=page_number | Missing result:routedParameter=page_number |
| routing_test.py:81:43:81:120 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar $routedParameter=baz | Missing result:routeHandler= |
| routing_test.py:81:43:81:120 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar $routedParameter=baz | Missing result:routedParameter=bar |
| routing_test.py:81:43:81:120 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar $routedParameter=baz | Missing result:routedParameter=baz |
| routing_test.py:81:43:81:120 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar $routedParameter=baz | Missing result:routedParameter=foo |
| routing_test.py:84:38:84:94 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar | Missing result:routeHandler= |
| routing_test.py:84:38:84:94 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar | Missing result:routedParameter=bar |
| routing_test.py:84:38:84:94 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar | Missing result:routedParameter=foo |
| routing_test.py:87:37:87:51 | Comment # $routeHandler | Missing result:routeHandler= |
| routing_test.py:91:38:91:62 | Comment # $routeSetup="articles/" | Missing result:routeSetup="articles/" |
| routing_test.py:92:60:92:106 | Comment # $routeSetup="articles/page-<int:page_number>" | Missing result:routeSetup="articles/page-<int:page_number>" |
| routing_test.py:93:74:93:114 | Comment # $routeSetup="<int:foo>/<str:bar>/<baz>" | Missing result:routeSetup="<int:foo>/<str:bar>/<baz>" |
| routing_test.py:95:51:95:77 | Comment # $routeSetup="<foo>/<bar>" | Missing result:routeSetup="<foo>/<bar>" |
| routing_test.py:98:60:98:97 | Comment # $routeSetup="not_valid/<not_valid!>" | Missing result:routeSetup="not_valid/<not_valid!>" |
| testapp/urls.py:6:31:6:50 | Comment # $routeSetup="foo/" | Missing result:routeSetup="foo/" |
| testapp/urls.py:10:43:10:67 | Comment # $routeSetup=r"^ba[rz]/" | Missing result:routeSetup=r"^ba[rz]/" |
| testapp/views.py:3:33:3:47 | Comment # $routeHandler | Missing result:routeHandler= |


@@ -0,0 +1,99 @@
"""testing views for Django 2.x and 3.x"""
from django.urls import path, re_path
from django.http import HttpResponse, HttpResponseRedirect, JsonResponse, HttpResponseNotFound
from django.views import View
def url_match_xss(request, foo, bar, no_taint=None): # $routeHandler $routedParameter=foo $routedParameter=bar
return HttpResponse('url_match_xss: {} {}'.format(foo, bar))
def get_params_xss(request): # $routeHandler
return HttpResponse(request.GET.get("untrusted"))
def post_params_xss(request): # $routeHandler
return HttpResponse(request.POST.get("untrusted"))
def http_resp_write(request): # $routeHandler
rsp = HttpResponse()
rsp.write(request.GET.get("untrusted"))
return rsp
class Foo(object):
# Note: since Foo is used as the super type in a class view, it will be able to handle requests.
def post(self, request, untrusted): # $routeHandler $routedParameter=untrusted
return HttpResponse('Foo post: {}'.format(untrusted))
class ClassView(View, Foo):
def get(self, request, untrusted): # $routeHandler $routedParameter=untrusted
return HttpResponse('ClassView get: {}'.format(untrusted))
def show_articles(request, page_number=1): # $routeHandler $routedParameter=page_number
page_number = int(page_number)
return HttpResponse('articles page: {}'.format(page_number))
def xxs_positional_arg(request, arg0, arg1, no_taint=None): # $routeHandler $routedParameter=arg0 $routedParameter=arg1
return HttpResponse('xxs_positional_arg: {} {}'.format(arg0, arg1))
urlpatterns = [
re_path(r"^url_match/(?P<foo>[^/]+)/(?P<bar>[^/]+)", url_match_xss), # $routeSetup=r"^url_match/(?P<foo>[^/]+)/(?P<bar>[^/]+)"
re_path(r"^get_params", get_params_xss), # $routeSetup=r"^get_params"
re_path(r"^post_params", post_params_xss), # $routeSetup=r"^post_params"
re_path(r"^http_resp_write", http_resp_write), # $routeSetup=r"^http_resp_write"
re_path(r"^class_view/(?P<untrusted>.+)", ClassView.as_view()), # $routeSetup=r"^class_view/(?P<untrusted>.+)"
# one pattern to support `articles/page-<n>` and ensuring that articles/ goes to page-1
re_path(r"articles/^(?:page-(?P<page_number>\d+)/)?", show_articles), # $routeSetup=r"articles/^(?:page-(?P<page_number>\d+)/)?"
# passing as positional argument is not the recommended way of doing things, but it is certainly
# possible
re_path(r"^([^/]+)/(?:foo|bar)/([^/]+)", xxs_positional_arg, name='xxs_positional_arg'), # $routeSetup=r"^([^/]+)/(?:foo|bar)/([^/]+)"
]
# Show we understand the keyword arguments to from django.urls.re_path
def re_path_kwargs(request): # $routeHandler
return HttpResponse('re_path_kwargs')
urlpatterns = [
re_path(view=re_path_kwargs, regex=r"^specifying-as-kwargs-is-not-a-problem") # $routeSetup=r"^specifying-as-kwargs-is-not-a-problem"
]
################################################################################
# Using path
################################################################################
# saying page_number is an externally controlled *string* is a bit strange, when we have an int converter :O
def page_number(request, page_number=1): # $routeHandler $routedParameter=page_number
return HttpResponse('page_number: {}'.format(page_number))
def foo_bar_baz(request, foo, bar, baz): # $routeHandler $routedParameter=foo $routedParameter=bar $routedParameter=baz
return HttpResponse('foo_bar_baz: {} {} {}'.format(foo, bar, baz))
def path_kwargs(request, foo, bar): # $routeHandler $routedParameter=foo $routedParameter=bar
return HttpResponse('path_kwargs: {} {} {}'.format(foo, bar))
def not_valid_identifier(request): # $routeHandler
return HttpResponse('<foo!>')
urlpatterns = [
path("articles/", page_number), # $routeSetup="articles/"
path("articles/page-<int:page_number>", page_number), # $routeSetup="articles/page-<int:page_number>"
path("<int:foo>/<str:bar>/<baz>", foo_bar_baz, name='foo-bar-baz'), # $routeSetup="<int:foo>/<str:bar>/<baz>"
path(view=path_kwargs, route="<foo>/<bar>"), # $routeSetup="<foo>/<bar>"
# We should not report there is a request parameter called `not_valid!`
path("not_valid/<not_valid!>", not_valid_identifier), # $routeSetup="not_valid/<not_valid!>"
]
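Review bot: In `path_kwargs` the format string has three `{}` placeholders but only two arguments, so the handler would raise IndexError if it were ever called; it should read `return HttpResponse('path_kwargs: {} {}'.format(foo, bar))`. The `show_articles` route `r"articles/^(?:page-(?P<page_number>\d+)/)?"` puts `^` after a literal prefix, so the pattern cannot match any URL, which contradicts the comment above it. The intent looks like `r"^articles/(?:page-(?P<page_number>\d+)/)?"`, and the `$routeSetup` annotation on that line would need the same change. `urlpatterns` is also rebound three times, so only the last list would be live if the module were served rather than analysed statically. Since the views deliberately write request data into the response unescaped, I would extend the module docstring to say so, for example `"""testing views for Django 2.x and 3.x (deliberately unsafe fixtures for route/taint modelling; never deploy)"""`.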