Python: Add taint tests for .get() in flask

2026-05-01 03:35:13 +02:00 · 2021-04-15 13:37:11 +02:00
parent 972cc47f67
commit b359205d17
2 changed files with 93 additions and 77 deletions
--- a/python/ql/test/library-tests/frameworks/flask/TestTaint.expected
+++ b/python/ql/test/library-tests/frameworks/flask/TestTaint.expected
@@ -19,80 +19,88 @@
 | taint_test.py:36 | ok   | test_taint | request.access_route[0] |
 | taint_test.py:39 | ok   | test_taint | request.args |
 | taint_test.py:40 | ok   | test_taint | request.args['key'] |
-| taint_test.py:41 | ok   | test_taint | request.args.getlist(..) |
-| taint_test.py:44 | ok   | test_taint | request.authorization |
-| taint_test.py:45 | ok   | test_taint | request.authorization['username'] |
-| taint_test.py:46 | fail | test_taint | request.authorization.username |
-| taint_test.py:49 | ok   | test_taint | request.cache_control |
-| taint_test.py:51 | fail | test_taint | request.cache_control.max_age |
-| taint_test.py:52 | fail | test_taint | request.cache_control.max_stale |
-| taint_test.py:53 | fail | test_taint | request.cache_control.min_fresh |
-| taint_test.py:55 | ok   | test_taint | request.content_encoding |
-| taint_test.py:57 | ok   | test_taint | request.content_md5 |
-| taint_test.py:59 | ok   | test_taint | request.content_type |
-| taint_test.py:62 | ok   | test_taint | request.cookies |
-| taint_test.py:63 | ok   | test_taint | request.cookies['key'] |
-| taint_test.py:65 | ok   | test_taint | request.data |
-| taint_test.py:68 | ok   | test_taint | request.files |
-| taint_test.py:69 | ok   | test_taint | request.files['key'] |
-| taint_test.py:70 | fail | test_taint | request.files['key'].filename |
-| taint_test.py:71 | fail | test_taint | request.files['key'].stream |
-| taint_test.py:72 | ok   | test_taint | request.files.getlist(..) |
-| taint_test.py:73 | fail | test_taint | request.files.getlist(..)[0].filename |
-| taint_test.py:74 | fail | test_taint | request.files.getlist(..)[0].stream |
-| taint_test.py:77 | ok   | test_taint | request.form |
-| taint_test.py:78 | ok   | test_taint | request.form['key'] |
-| taint_test.py:79 | ok   | test_taint | request.form.getlist(..) |
-| taint_test.py:81 | ok   | test_taint | request.get_data() |
-| taint_test.py:83 | ok   | test_taint | request.get_json() |
-| taint_test.py:84 | ok   | test_taint | request.get_json()['foo'] |
-| taint_test.py:85 | ok   | test_taint | request.get_json()['foo']['bar'] |
-| taint_test.py:89 | ok   | test_taint | request.headers |
-| taint_test.py:90 | ok   | test_taint | request.headers['key'] |
-| taint_test.py:91 | fail | test_taint | request.headers.get_all(..) |
-| taint_test.py:92 | fail | test_taint | request.headers.getlist(..) |
-| taint_test.py:93 | ok   | test_taint | list(..) |
-| taint_test.py:94 | fail | test_taint | request.headers.to_wsgi_list() |
-| taint_test.py:96 | ok   | test_taint | request.json |
-| taint_test.py:97 | ok   | test_taint | request.json['foo'] |
-| taint_test.py:98 | ok   | test_taint | request.json['foo']['bar'] |
-| taint_test.py:100 | ok   | test_taint | request.method |
-| taint_test.py:102 | ok   | test_taint | request.mimetype |
-| taint_test.py:104 | ok   | test_taint | request.mimetype_params |
-| taint_test.py:106 | ok   | test_taint | request.origin |
-| taint_test.py:109 | ok   | test_taint | request.pragma |
-| taint_test.py:111 | ok   | test_taint | request.query_string |
-| taint_test.py:113 | ok   | test_taint | request.referrer |
-| taint_test.py:115 | ok   | test_taint | request.remote_addr |
-| taint_test.py:117 | ok   | test_taint | request.remote_user |
-| taint_test.py:120 | ok   | test_taint | request.stream |
-| taint_test.py:121 | ok   | test_taint | request.input_stream |
-| taint_test.py:123 | ok   | test_taint | request.url |
-| taint_test.py:125 | ok   | test_taint | request.user_agent |
-| taint_test.py:128 | ok   | test_taint | request.values |
-| taint_test.py:129 | ok   | test_taint | request.values['key'] |
-| taint_test.py:130 | ok   | test_taint | request.values.getlist(..) |
-| taint_test.py:133 | ok   | test_taint | request.view_args |
-| taint_test.py:134 | ok   | test_taint | request.view_args['key'] |
-| taint_test.py:138 | ok   | test_taint | request.script_root |
-| taint_test.py:139 | ok   | test_taint | request.url_root |
-| taint_test.py:143 | ok   | test_taint | request.charset |
-| taint_test.py:144 | ok   | test_taint | request.url_charset |
-| taint_test.py:148 | ok   | test_taint | request.date |
-| taint_test.py:151 | ok   | test_taint | request.endpoint |
-| taint_test.py:156 | ok   | test_taint | request.host |
-| taint_test.py:157 | ok   | test_taint | request.host_url |
-| taint_test.py:159 | ok   | test_taint | request.scheme |
-| taint_test.py:161 | ok   | test_taint | request.script_root |
-| taint_test.py:169 | ok   | test_taint | request.args |
-| taint_test.py:170 | ok   | test_taint | a |
-| taint_test.py:171 | ok   | test_taint | b |
-| taint_test.py:173 | ok   | test_taint | request.args['key'] |
-| taint_test.py:174 | ok   | test_taint | a['key'] |
-| taint_test.py:175 | ok   | test_taint | b['key'] |
-| taint_test.py:177 | ok   | test_taint | request.args.getlist(..) |
-| taint_test.py:178 | ok   | test_taint | a.getlist(..) |
-| taint_test.py:179 | ok   | test_taint | b.getlist(..) |
-| taint_test.py:180 | ok   | test_taint | gl(..) |
-| taint_test.py:187 | ok   | test_taint | req.path |
-| taint_test.py:188 | ok   | test_taint | gd() |
+| taint_test.py:41 | ok   | test_taint | request.args.get(..) |
+| taint_test.py:42 | ok   | test_taint | request.args.getlist(..) |
+| taint_test.py:45 | ok   | test_taint | request.authorization |
+| taint_test.py:46 | ok   | test_taint | request.authorization['username'] |
+| taint_test.py:47 | fail | test_taint | request.authorization.username |
+| taint_test.py:50 | ok   | test_taint | request.cache_control |
+| taint_test.py:52 | fail | test_taint | request.cache_control.max_age |
+| taint_test.py:53 | fail | test_taint | request.cache_control.max_stale |
+| taint_test.py:54 | fail | test_taint | request.cache_control.min_fresh |
+| taint_test.py:56 | ok   | test_taint | request.content_encoding |
+| taint_test.py:58 | ok   | test_taint | request.content_md5 |
+| taint_test.py:60 | ok   | test_taint | request.content_type |
+| taint_test.py:63 | ok   | test_taint | request.cookies |
+| taint_test.py:64 | ok   | test_taint | request.cookies['key'] |
+| taint_test.py:66 | ok   | test_taint | request.data |
+| taint_test.py:69 | ok   | test_taint | request.files |
+| taint_test.py:70 | ok   | test_taint | request.files['key'] |
+| taint_test.py:71 | fail | test_taint | request.files['key'].filename |
+| taint_test.py:72 | fail | test_taint | request.files['key'].stream |
+| taint_test.py:73 | ok   | test_taint | request.files.get(..) |
+| taint_test.py:74 | fail | test_taint | request.files.get(..).filename |
+| taint_test.py:75 | fail | test_taint | request.files.get(..).stream |
+| taint_test.py:76 | ok   | test_taint | request.files.getlist(..) |
+| taint_test.py:77 | fail | test_taint | request.files.getlist(..)[0].filename |
+| taint_test.py:78 | fail | test_taint | request.files.getlist(..)[0].stream |
+| taint_test.py:81 | ok   | test_taint | request.form |
+| taint_test.py:82 | ok   | test_taint | request.form['key'] |
+| taint_test.py:83 | ok   | test_taint | request.form.get(..) |
+| taint_test.py:84 | ok   | test_taint | request.form.getlist(..) |
+| taint_test.py:86 | ok   | test_taint | request.get_data() |
+| taint_test.py:88 | ok   | test_taint | request.get_json() |
+| taint_test.py:89 | ok   | test_taint | request.get_json()['foo'] |
+| taint_test.py:90 | ok   | test_taint | request.get_json()['foo']['bar'] |
+| taint_test.py:94 | ok   | test_taint | request.headers |
+| taint_test.py:95 | ok   | test_taint | request.headers['key'] |
+| taint_test.py:96 | ok   | test_taint | request.headers.get(..) |
+| taint_test.py:97 | fail | test_taint | request.headers.get_all(..) |
+| taint_test.py:98 | fail | test_taint | request.headers.getlist(..) |
+| taint_test.py:99 | ok   | test_taint | list(..) |
+| taint_test.py:100 | fail | test_taint | request.headers.to_wsgi_list() |
+| taint_test.py:102 | ok   | test_taint | request.json |
+| taint_test.py:103 | ok   | test_taint | request.json['foo'] |
+| taint_test.py:104 | ok   | test_taint | request.json['foo']['bar'] |
+| taint_test.py:106 | ok   | test_taint | request.method |
+| taint_test.py:108 | ok   | test_taint | request.mimetype |
+| taint_test.py:110 | ok   | test_taint | request.mimetype_params |
+| taint_test.py:112 | ok   | test_taint | request.origin |
+| taint_test.py:115 | ok   | test_taint | request.pragma |
+| taint_test.py:117 | ok   | test_taint | request.query_string |
+| taint_test.py:119 | ok   | test_taint | request.referrer |
+| taint_test.py:121 | ok   | test_taint | request.remote_addr |
+| taint_test.py:123 | ok   | test_taint | request.remote_user |
+| taint_test.py:126 | ok   | test_taint | request.stream |
+| taint_test.py:127 | ok   | test_taint | request.input_stream |
+| taint_test.py:129 | ok   | test_taint | request.url |
+| taint_test.py:131 | ok   | test_taint | request.user_agent |
+| taint_test.py:134 | ok   | test_taint | request.values |
+| taint_test.py:135 | ok   | test_taint | request.values['key'] |
+| taint_test.py:136 | ok   | test_taint | request.values.get(..) |
+| taint_test.py:137 | ok   | test_taint | request.values.getlist(..) |
+| taint_test.py:140 | ok   | test_taint | request.view_args |
+| taint_test.py:141 | ok   | test_taint | request.view_args['key'] |
+| taint_test.py:142 | ok   | test_taint | request.view_args.get(..) |
+| taint_test.py:146 | ok   | test_taint | request.script_root |
+| taint_test.py:147 | ok   | test_taint | request.url_root |
+| taint_test.py:151 | ok   | test_taint | request.charset |
+| taint_test.py:152 | ok   | test_taint | request.url_charset |
+| taint_test.py:156 | ok   | test_taint | request.date |
+| taint_test.py:159 | ok   | test_taint | request.endpoint |
+| taint_test.py:164 | ok   | test_taint | request.host |
+| taint_test.py:165 | ok   | test_taint | request.host_url |
+| taint_test.py:167 | ok   | test_taint | request.scheme |
+| taint_test.py:169 | ok   | test_taint | request.script_root |
+| taint_test.py:177 | ok   | test_taint | request.args |
+| taint_test.py:178 | ok   | test_taint | a |
+| taint_test.py:179 | ok   | test_taint | b |
+| taint_test.py:181 | ok   | test_taint | request.args['key'] |
+| taint_test.py:182 | ok   | test_taint | a['key'] |
+| taint_test.py:183 | ok   | test_taint | b['key'] |
+| taint_test.py:185 | ok   | test_taint | request.args.getlist(..) |
+| taint_test.py:186 | ok   | test_taint | a.getlist(..) |
+| taint_test.py:187 | ok   | test_taint | b.getlist(..) |
+| taint_test.py:188 | ok   | test_taint | gl(..) |
+| taint_test.py:195 | ok   | test_taint | req.path |
+| taint_test.py:196 | ok   | test_taint | gd() |
--- a/python/ql/test/library-tests/frameworks/flask/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/flask/taint_test.py
@@ -38,6 +38,7 @@ def test_taint(name = "World!", number="0", foo="foo"):  # $requestHandler route
        # By default werkzeug.datastructures.ImmutableMultiDict -- although can be changed :\
        request.args,
        request.args['key'],
+        request.args.get('key'),
        request.args.getlist('key'),

        # werkzeug.datastructures.Authorization (a dict, with some properties)
@@ -69,6 +70,9 @@ def test_taint(name = "World!", number="0", foo="foo"):  # $requestHandler route
        request.files['key'],
        request.files['key'].filename,
        request.files['key'].stream,
+        request.files.get('key'),
+        request.files.get('key').filename,
+        request.files.get('key').stream,
        request.files.getlist('key'),
        request.files.getlist('key')[0].filename,
        request.files.getlist('key')[0].stream,
@@ -76,6 +80,7 @@ def test_taint(name = "World!", number="0", foo="foo"):  # $requestHandler route
        # By default werkzeug.datastructures.ImmutableMultiDict -- although can be changed :\
        request.form,
        request.form['key'],
+        request.form.get('key'),
        request.form.getlist('key'),

        request.get_data(),
@@ -88,6 +93,7 @@ def test_taint(name = "World!", number="0", foo="foo"):  # $requestHandler route
        # which has same interface as werkzeug.datastructures.Headers
        request.headers,
        request.headers['key'],
+        request.headers.get('key'),
        request.headers.get_all('key'),
        request.headers.getlist('key'),
        list(request.headers), # (k, v) list
@@ -127,11 +133,13 @@ def test_taint(name = "World!", number="0", foo="foo"):  # $requestHandler route
        # werkzeug.datastructures.CombinedMultiDict, which is basically just a werkzeug.datastructures.MultiDict
        request.values,
        request.values['key'],
+        request.values.get('key'),
        request.values.getlist('key'),

        # dict
        request.view_args,
        request.view_args['key'],
+        request.view_args.get('key'),
    )

    ensure_not_tainted(