Python: Fix up some typos for bottle and add a few more tests.

2026-05-01 19:55:15 +02:00 · 2019-02-11 14:33:49 +00:00
parent aab0a243dc
commit b644891e53
7 changed files with 17 additions and 6 deletions
--- a/python/ql/src/semmle/python/web/bottle/General.qll
+++ b/python/ql/src/semmle/python/web/bottle/General.qll
@@ -2,12 +2,12 @@ import python
 import semmle.python.web.Http
 import semmle.python.types.Extensions

-/** The flask module */
+/** The bottle module */
 ModuleObject theBottleModule() {
    result = ModuleObject::named("bottle")
 }

-/** The flask app class */
+/** The bottle.Bottle class */
 ClassObject theBottleClass() {
    result = ModuleObject::named("bottle").getAttribute("Bottle")
 }
--- a/python/ql/src/semmle/python/web/bottle/Response.qll
+++ b/python/ql/src/semmle/python/web/bottle/Response.qll
@@ -6,7 +6,7 @@ import semmle.python.web.Http
 import semmle.python.web.bottle.General


-/** A django.http.response.Response object
+/** A bottle.Response object
 * This isn't really a "taint", but we use the value tracking machinery to
 * track the flow of response objects.
 */
@@ -19,7 +19,7 @@ class BottleResponse extends TaintKind {
 }

 private Object theBottleResponseObject() {
-    result = theBottleModule().getAttribute("request")
+    result = theBottleModule().getAttribute("response")
 }

 class BottleResponseBodyAssignment extends TaintSink {
@@ -32,7 +32,7 @@ class BottleResponseBodyAssignment extends TaintSink {
    }

    override predicate sinks(TaintKind kind) {
-        kind instanceof StringKind
+        kind instanceof UntrustedStringKind
    }

 }
--- a/python/ql/test/library-tests/web/bottle/Routing.expected
+++ b/python/ql/test/library-tests/web/bottle/Routing.expected
@@ -4,3 +4,4 @@
 | /other | test.py:17:1:17:12 | Function other |
 | /wrong/<where> | test.py:27:1:27:31 | Function unsafe |
 | /wrong/url | test.py:23:1:23:11 | Function safe |
+| /xss | test.py:35:1:35:16 | Function maybe_xss |
--- a/python/ql/test/library-tests/web/bottle/Sinks.expected
+++ b/python/ql/test/library-tests/web/bottle/Sinks.expected
@@ -1,3 +1,4 @@
 | test.py:9 | BinaryExpr | externally controlled string |
 | test.py:13 | BinaryExpr | externally controlled string |
 | test.py:19 | BinaryExpr | externally controlled string |
+| test.py:36 | BinaryExpr | externally controlled string |
--- a/python/ql/test/library-tests/web/bottle/Sources.expected
+++ b/python/ql/test/library-tests/web/bottle/Sources.expected
@@ -7,3 +7,4 @@
 | test.py:18 | request | bottle.request |
 | test.py:27 | where | externally controlled string |
 | test.py:32 | request | bottle.request |
+| test.py:36 | request | bottle.request |
--- a/python/ql/test/library-tests/web/bottle/Taint.expected
+++ b/python/ql/test/library-tests/web/bottle/Taint.expected
@@ -19,3 +19,7 @@
 | test.py:32 | Attribute | bottle.FormsDict |
 | test.py:32 | Attribute | externally controlled string |
 | test.py:32 | request | bottle.request |
+| test.py:36 | Attribute | bottle.FormsDict |
+| test.py:36 | Attribute | externally controlled string |
+| test.py:36 | BinaryExpr | externally controlled string |
+| test.py:36 | request | bottle.request |
--- a/python/ql/test/library-tests/web/bottle/test.py
+++ b/python/ql/test/library-tests/web/bottle/test.py
@@ -1,6 +1,6 @@


-from bottle import Bottle, route, request, redirect
+from bottle import Bottle, route, request, redirect, response

 app = Bottle()

@@ -30,3 +30,7 @@ def unsafe(where="/right/url"):
@route('/args')
 def unsafe2():
    redirect(request.query.where, code)
+
+@route('/xss')
+def maybe_xss():
+    response.body = "name is " + request.query.name