Python: Add note about .method

This commit is contained in:
Rasmus Wriedt Larsen
2021-10-29 11:28:16 +02:00
parent 75e2555a8a
commit a64e939d71

@@ -53,6 +53,15 @@ def test_taint(request: Request, routed_param): # $ requestHandler routedParamet
ensure_not_tainted(
# although these could technically be user-controlled, it seems more likely to lead to FPs than interesting results.
request.accepted_media_type,
# In normal Django, if you disable CSRF middleware, you're allowed to use custom
# HTTP methods, like `curl -X FOO <url>`.
# However, with Django REST framework, doing that will yield:
# `{"detail":"Method \"FOO\" not allowed."}`
#
# In the end, since we model a Django REST framework request entirely as a
# extension of a Django request, we're not easily able to remove the taint from
# `.method`.
request.method, # $ SPURIOUS: tainted
)
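Review bot: in the new comment above `request.method`, "entirely as a extension of a Django request" should read "entirely as an extension of a Django request". The explanation is otherwise useful: it makes clear that the `# $ SPURIOUS: tainted` expectation is a known limitation of reusing the Django request model rather than a missing test annotation, so the comment should stay next to the `request.method` line where the spurious result is recorded.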