Python: Improve django tests (and prepare for v2 + v3 support)

2026-04-30 19:26:02 +02:00 · 2020-02-17 16:39:01 +01:00
parent 990d1c1663
commit a3c6472b9b
4 changed files with 45 additions and 33 deletions
--- a/python/ql/test/library-tests/web/django/HttpResponseSinks.expected
+++ b/python/ql/test/library-tests/web/django/HttpResponseSinks.expected
@@ -1,7 +1,10 @@
-| views.py:7:25:7:63 | django.Response(...) | externally controlled string |
-| views.py:11:25:11:52 | django.Response(...) | externally controlled string |
-| views.py:15:25:15:53 | django.Response(...) | externally controlled string |
-| views.py:23:29:23:60 | django.Response(...) | externally controlled string |
-| views.py:29:29:29:65 | django.Response(...) | externally controlled string |
-| views.py:34:25:34:63 | django.Response(...) | externally controlled string |
-| views.py:38:25:38:70 | django.Response(...) | externally controlled string |
+| views_1x.py:8:25:8:63 | django.Response(...) | externally controlled string |
+| views_1x.py:12:25:12:52 | django.Response(...) | externally controlled string |
+| views_1x.py:16:25:16:53 | django.Response(...) | externally controlled string |
+| views_1x.py:21:15:21:42 | django.Response.write(...) | externally controlled string |
+| views_1x.py:30:29:30:60 | django.Response(...) | externally controlled string |
+| views_1x.py:36:29:36:65 | django.Response(...) | externally controlled string |
+| views_1x.py:41:25:41:63 | django.Response(...) | externally controlled string |
+| views_1x.py:45:25:45:70 | django.Response(...) | externally controlled string |
+| views_1x.py:66:25:66:55 | django.Response(...) | externally controlled string |
+| views_1x.py:75:25:75:33 | django.Response(...) | externally controlled string |
--- a/python/ql/test/library-tests/web/django/HttpSources.expected
+++ b/python/ql/test/library-tests/web/django/HttpSources.expected
@@ -1,19 +1,20 @@
-| test.py:5:19:5:25 | request | django.request.HttpRequest |
-| test.py:5:28:5:31 | path | externally controlled string |
-| test.py:11:19:11:25 | request | django.request.HttpRequest |
-| test.py:11:28:11:31 | path | externally controlled string |
-| views.py:6:19:6:25 | request | django.request.HttpRequest |
-| views.py:6:28:6:30 | foo | externally controlled string |
-| views.py:6:33:6:35 | bar | externally controlled string |
-| views.py:10:20:10:26 | request | django.request.HttpRequest |
-| views.py:14:21:14:27 | request | django.request.HttpRequest |
-| views.py:22:20:22:26 | request | django.request.HttpRequest |
-| views.py:28:19:28:25 | request | django.request.HttpRequest |
-| views.py:32:19:32:25 | request | django.request.HttpRequest |
-| views.py:32:28:32:38 | page_number | externally controlled string |
-| views.py:37:24:37:30 | request | django.request.HttpRequest |
-| views.py:37:33:37:36 | arg0 | externally controlled string |
-| views.py:37:39:37:42 | arg1 | externally controlled string |
-| views.py:57:15:57:21 | request | django.request.HttpRequest |
-| views.py:57:24:57:31 | username | externally controlled string |
-| views.py:66:30:66:36 | request | django.request.HttpRequest |
+| test_1x.py:6:19:6:25 | request | django.request.HttpRequest |
+| test_1x.py:6:28:6:31 | path | externally controlled string |
+| test_1x.py:12:19:12:25 | request | django.request.HttpRequest |
+| test_1x.py:12:28:12:31 | path | externally controlled string |
+| views_1x.py:7:19:7:25 | request | django.request.HttpRequest |
+| views_1x.py:7:28:7:30 | foo | externally controlled string |
+| views_1x.py:7:33:7:35 | bar | externally controlled string |
+| views_1x.py:11:20:11:26 | request | django.request.HttpRequest |
+| views_1x.py:15:21:15:27 | request | django.request.HttpRequest |
+| views_1x.py:19:21:19:27 | request | django.request.HttpRequest |
+| views_1x.py:29:20:29:26 | request | django.request.HttpRequest |
+| views_1x.py:35:19:35:25 | request | django.request.HttpRequest |
+| views_1x.py:39:19:39:25 | request | django.request.HttpRequest |
+| views_1x.py:39:28:39:38 | page_number | externally controlled string |
+| views_1x.py:44:24:44:30 | request | django.request.HttpRequest |
+| views_1x.py:44:33:44:36 | arg0 | externally controlled string |
+| views_1x.py:44:39:44:42 | arg1 | externally controlled string |
+| views_1x.py:65:15:65:21 | request | django.request.HttpRequest |
+| views_1x.py:65:24:65:31 | username | externally controlled string |
+| views_1x.py:74:13:74:19 | request | django.request.HttpRequest |
--- a/python/ql/test/library-tests/web/django/test_1x.py
+++ b/python/ql/test/library-tests/web/django/test_1x.py
@@ -1,3 +1,4 @@
+"""tests for Django 1.x"""
 from django.conf.urls import url
 from django.shortcuts import redirect, render

--- a/python/ql/test/library-tests/web/django/views_1x.py
+++ b/python/ql/test/library-tests/web/django/views_1x.py
@@ -1,3 +1,4 @@
+"""test of views for Django 1.x"""
 from django.conf.urls import patterns, url
 from django.http.response import HttpResponse
 from django.views.generic import View
@@ -15,6 +16,12 @@ def post_params_xss(request):
    return HttpResponse(request.POST.get("untrusted"))


+def http_resp_write(request):
+    rsp = HttpResponse()
+    rsp.write(request.GET.get("untrusted"))
+    return rsp
+
+
 class Foo(object):
    # Note: since Foo is used as the super type in a class view, it will be able to handle requests.

@@ -42,6 +49,7 @@ urlpatterns = [
    url(r'^url_match/(?P<foo>[^/]+)/(?P<bar>[^/]+)$', url_match_xss),
    url(r'^get_params$', get_params_xss),
    url(r'^post_params$', post_params_xss),
+    url(r'^http_resp_write$', http_resp_write),
    url(r'^class_view/(?P<untrusted>.+)$', ClassView.as_view()),

    # one pattern to support `articles/page-<n>` and ensuring that articles/ goes to page-1
@@ -51,22 +59,21 @@ urlpatterns = [
    url(r'^([^/]+)/(?:foo|bar)/([^/]+)$', xxs_positional_arg, name='xxs_positional_arg'),
 ]

-
+################################################################################
 # Using patterns() for routing

 def show_user(request, username):
-    pass
+    return HttpResponse('show_user {}'.format(username))


 urlpatterns = patterns(url(r'^users/(?P<username>[^/]+)$', show_user))

-
+################################################################################
 # Show we understand the keyword arguments to django.conf.urls.url

-def we_understand_url_kwargs(request):
-    pass
-
+def kw_args(request):
+    return HttpResponse('kw_args')

 urlpatterns = [
-    url(view=we_understand_url_kwargs, regex=r'^specifying-as-kwargs-is-not-a-problem$')
+    url(view=kw_args, regex=r'^kw_args$')
 ]