hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 02:05:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add test cases

Browse Source
This commit is contained in:
Joe Farebrother
2024-04-03 10:32:27 +01:00
parent 68d90918cf
commit b9984beb16
5 changed files with 42 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
python/ql/test/query-tests/Security/CWE-113-HeaderInjection/HeaderInjection.expected Normal file
View File

@@ -0,0 +1,21 @@
edges
| flask_tests.py:1:29:1:35 | ControlFlowNode for ImportMember | flask_tests.py:1:29:1:35 | ControlFlowNode for request | provenance | |
| flask_tests.py:1:29:1:35 | ControlFlowNode for request | flask_tests.py:20:18:20:24 | ControlFlowNode for request | provenance | |
| flask_tests.py:1:29:1:35 | ControlFlowNode for request | flask_tests.py:29:18:29:24 | ControlFlowNode for request | provenance | |
| flask_tests.py:20:5:20:14 | ControlFlowNode for rfs_header | flask_tests.py:23:22:23:31 | ControlFlowNode for rfs_header | provenance | |
| flask_tests.py:20:18:20:24 | ControlFlowNode for request | flask_tests.py:20:5:20:14 | ControlFlowNode for rfs_header | provenance | |
| flask_tests.py:29:5:29:14 | ControlFlowNode for rfs_header | flask_tests.py:32:22:32:31 | ControlFlowNode for rfs_header | provenance | |
| flask_tests.py:29:18:29:24 | ControlFlowNode for request | flask_tests.py:29:5:29:14 | ControlFlowNode for rfs_header | provenance | |
nodes
| flask_tests.py:1:29:1:35 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
| flask_tests.py:1:29:1:35 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| flask_tests.py:20:5:20:14 | ControlFlowNode for rfs_header | semmle.label | ControlFlowNode for rfs_header |
| flask_tests.py:20:18:20:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| flask_tests.py:23:22:23:31 | ControlFlowNode for rfs_header | semmle.label | ControlFlowNode for rfs_header |
| flask_tests.py:29:5:29:14 | ControlFlowNode for rfs_header | semmle.label | ControlFlowNode for rfs_header |
| flask_tests.py:29:18:29:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| flask_tests.py:32:22:32:31 | ControlFlowNode for rfs_header | semmle.label | ControlFlowNode for rfs_header |
subpaths
#select
| flask_tests.py:23:22:23:31 | ControlFlowNode for rfs_header | flask_tests.py:1:29:1:35 | ControlFlowNode for ImportMember | flask_tests.py:23:22:23:31 | ControlFlowNode for rfs_header | This HTTP header is constructed from a $@. | flask_tests.py:1:29:1:35 | ControlFlowNode for ImportMember | user-provided value |
| flask_tests.py:32:22:32:31 | ControlFlowNode for rfs_header | flask_tests.py:1:29:1:35 | ControlFlowNode for ImportMember | flask_tests.py:32:22:32:31 | ControlFlowNode for rfs_header | This HTTP header is constructed from a $@. | flask_tests.py:1:29:1:35 | ControlFlowNode for ImportMember | user-provided value |

1
python/ql/test/query-tests/Security/CWE-113-HeaderInjection/HeaderInjection.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE-113/HeaderInjection.ql

24
python/ql/test/experimental/query-tests/Security/CWE-113/flask_bad.py → python/ql/test/query-tests/Security/CWE-113-HeaderInjection/flask_tests.py
View File

@@ -9,8 +9,9 @@ def werkzeug_headers():
rfs_header = request.args["rfs_header"]
response = Response()
headers = Headers()
headers.add("HeaderName", rfs_header)
response.headers = headers
headers.add("HeaderName", rfs_header) # GOOD: Newlines are rejected from header value.
headers.add(rfs_header, "HeaderValue") # BAD: User controls header name. Not yet found.
response.headers = headers
return response
@@ -18,16 +19,18 @@ def werkzeug_headers():
def flask_Response():
rfs_header = request.args["rfs_header"]
response = Response()
response.headers['HeaderName'] = rfs_header
response.headers['HeaderName'] = rfs_header # GOOD
response.headers[rfs_header] = "HeaderValue" # BAD
return response
@app.route("/flask_make_response")
def flask_make_response():
rfs_header = request.args["rfs_header"]
resp = make_response("hello")
resp.headers['HeaderName'] = rfs_header
return resp
response = make_response("hello")
response.headers['HeaderName'] = rfs_header # GOOD
response.headers[rfs_header] = "HeaderValue" # BAD
return response
@app.route("/flask_make_response_extend")
@@ -35,13 +38,12 @@ def flask_make_response_extend():
rfs_header = request.args["rfs_header"]
resp = make_response("hello")
resp.headers.extend(
{'HeaderName': rfs_header})
{'HeaderName': rfs_header}) # GOOD
resp.headers.extend(
{rfs_header: "HeaderValue"}) # BAD but not yet found
return resp
@app.route("/Response_arg")
def Response_arg():
return Response(headers={'HeaderName': request.args["rfs_header"]})
# if __name__ == "__main__":
# app.run(debug=True)
return Response(headers={'HeaderName': request.args["rfs_header"], request.args["rfs_header"]: "HeaderValue"}) # BAD but not yet found