hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 18:25:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

Python: FastAPI: Ignore scheme as tainted

Browse Source 
reasoning highlighted in the comment
This commit is contained in:
Rasmus Wriedt Larsen
2021-10-25 14:29:25 +02:00
parent bd8eec8475
commit b69977b37a
1 changed files with 6 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
python/ql/test/library-tests/frameworks/fastapi/taint_test.py
View File

@@ -113,7 +113,6 @@ async def websocket_test(websocket: WebSocket):
websocket.url, # $ MISSING: tainted
websocket.url.scheme, # $ MISSING: tainted
websocket.url.netloc, # $ MISSING: tainted
websocket.url.path, # $ MISSING: tainted
websocket.url.query, # $ MISSING: tainted
@@ -124,7 +123,6 @@ async def websocket_test(websocket: WebSocket):
websocket.url.port, # $ MISSING: tainted
websocket.url.components, # $ MISSING: tainted
websocket.url.components.scheme, # $ MISSING: tainted
websocket.url.components.netloc, # $ MISSING: tainted
websocket.url.components.path, # $ MISSING: tainted
websocket.url.components.query, # $ MISSING: tainted
@@ -149,6 +147,12 @@ async def websocket_test(websocket: WebSocket):
await websocket.receive_json(), # $ MISSING: tainted
)
# scheme seems very unlikely to give interesting results, but very likely to give FPs.
ensure_not_tainted(
websocket.url.scheme,
websocket.url.components.scheme,
)
async for data in websocket.iter_bytes():
ensure_tainted(data) # $ MISSING: tainted