Add query tests

Most of these query tests need to be cleaned up. Also, some of these query tests will fail because no user-tainted data is passing into the email bodies that are generated and sent to a victim user.

python/ql/test/experimental/query-tests/Security/CWE-079/flask_mail_bad_1.py

@@ -0,0 +1,14 @@
+# This tests that the user doesn't pass user-tainted data into the msg.html attribute.
+# source: https://pythonhosted.org/Flask-Mail/
+from flask_mail import Message
+
+@app.route("/")
+def index():
+
+    msg = Message("Hello",
+                  sender="from@example.com",
+                  recipients=["to@example.com"])
+
+    msg.html = "<b>testing</b>"
+
+    mail.send(msg)

python/ql/test/experimental/query-tests/Security/CWE-079/flask_mail_bad_2.py

@@ -0,0 +1,14 @@
+# This tests that the user doesn't pass user-tainted data into the msg html initialized argument.
+# source: https://pythonhosted.org/Flask-Mail/
+
+from flask_mail import Message
+
+@app.route("/")
+def index():
+
+    msg = Message("Hello",
+                  sender="from@example.com",
+                  recipients=["to@example.com"],
+                  html="<b>testing</b>")
+
+    mail.send(msg)

python/ql/test/experimental/query-tests/Security/CWE-079/flask_mail_bulk_email_bad.py

@@ -0,0 +1,16 @@
+# This tests that the user can't send multiple vulnerable emails.
+# source: https://pythonhosted.org/Flask-Mail/
+
+from flask_mail import Message
+
+@app.route("/")
+def index():
+  with mail.connect() as conn:
+      for user in users:
+          message = '...'
+          subject = "hello, %s" % user.name
+          msg = Message(recipients=[user.email],
+                        html=message,
+                        subject=subject)
+
+          conn.send(msg)

python/ql/test/experimental/query-tests/Security/CWE-079/sendgrid_mail_helper_content_bad.py

@@ -0,0 +1,16 @@
+# This tests that the developer doesn't pass content via the Content class initializer.
+# source:https://github.com/sendgrid/sendgrid-python
+
+import sendgrid
+import os
+from sendgrid.helpers.mail import *
+
+sg = sendgrid.SendGridAPIClient(api_key=os.environ.get('SENDGRID_API_KEY'))
+from_email = Email("test@example.com")
+to_email = To("test@example.com")
+subject = "Sending with SendGrid is Fun"
+content = Content("text/html", "and <b>easy</b> to do anywhere, even with Python") # Content can also take the MimeType.html as the first arg here. Need to create a separate example for this.
+
+mail = Mail(from_email, to_email, subject, content)
+
+response = sg.client.mail.send.post(request_body=mail.get())

python/ql/test/experimental/query-tests/Security/CWE-079/sendgrid_via_mail_send_post_request_body_bad.py

@@ -0,0 +1,148 @@
+# This tests that the developer doesn't pass tainted user data into the mail.send.post() method in the SendGrid library.
+# source :https://github.com/sendgrid/sendgrid-python
+import sendgrid
+import os
+
+
+sg = sendgrid.SendGridAPIClient(os.environ.get('SENDGRID_API_KEY'))
+
+data = {
+    "asm": {
+        "group_id": 1,
+        "groups_to_display": [
+            1,
+            2,
+            3
+        ]
+    },
+    "attachments": [
+        {
+            "content": "[BASE64 encoded content block here]",
+            "content_id": "ii_139db99fdb5c3704",
+            "disposition": "inline",
+            "filename": "file1.jpg",
+            "name": "file1",
+            "type": "jpg"
+        }
+    ],
+    "batch_id": "[YOUR BATCH ID GOES HERE]",
+    "categories": [
+        "category1",
+        "category2"
+    ],
+    "content": [
+        {
+            "type": "text/html",
+            "value": "<html><p>Hello, world!</p><img src=[CID GOES HERE]></img></html>"
+        }
+    ],
+    "custom_args": {
+        "New Argument 1": "New Value 1",
+        "activationAttempt": "1",
+        "customerAccountNumber": "[CUSTOMER ACCOUNT NUMBER GOES HERE]"
+    },
+    "from": {
+        "email": "sam.smith@example.com",
+        "name": "Sam Smith"
+    },
+    "headers": {},
+    "ip_pool_name": "[YOUR POOL NAME GOES HERE]",
+    "mail_settings": {
+        "bcc": {
+            "email": "ben.doe@example.com",
+            "enable": True
+        },
+        "bypass_list_management": {
+            "enable": True
+        },
+        "footer": {
+            "enable": True,
+            "html": "<p>Thanks</br>The SendGrid Team</p>",
+            "text": "Thanks,/n The SendGrid Team"
+        },
+        "sandbox_mode": {
+            "enable": False
+        },
+        "spam_check": {
+            "enable": True,
+            "post_to_url": "http://example.com/compliance",
+            "threshold": 3
+        }
+    },
+    "personalizations": [
+        {
+            "bcc": [
+                {
+                    "email": "sam.doe@example.com",
+                    "name": "Sam Doe"
+                }
+            ],
+            "cc": [
+                {
+                    "email": "jane.doe@example.com",
+                    "name": "Jane Doe"
+                }
+            ],
+            "custom_args": {
+                "New Argument 1": "New Value 1",
+                "activationAttempt": "1",
+                "customerAccountNumber": "[CUSTOMER ACCOUNT NUMBER GOES HERE]"
+            },
+            "headers": {
+                "X-Accept-Language": "en",
+                "X-Mailer": "MyApp"
+            },
+            "send_at": 1409348513,
+            "subject": "Hello, World!",
+            "substitutions": {
+                "id": "substitutions",
+                "type": "object"
+            },
+            "to": [
+                {
+                    "email": "john.doe@example.com",
+                    "name": "John Doe"
+                }
+            ]
+        }
+    ],
+    "reply_to": {
+        "email": "sam.smith@example.com",
+        "name": "Sam Smith"
+    },
+    "sections": {
+        "section": {
+            ":sectionName1": "section 1 text",
+            ":sectionName2": "section 2 text"
+        }
+    },
+    "send_at": 1409348513,
+    "subject": "Hello, World!",
+    "template_id": "[YOUR TEMPLATE ID GOES HERE]",
+    "tracking_settings": {
+        "click_tracking": {
+            "enable": True,
+            "enable_text": True
+        },
+        "ganalytics": {
+            "enable": True,
+            "utm_campaign": "[NAME OF YOUR REFERRER SOURCE]",
+            "utm_content": "[USE THIS SPACE TO DIFFERENTIATE YOUR EMAIL FROM ADS]",
+            "utm_medium": "[NAME OF YOUR MARKETING MEDIUM e.g. email]",
+            "utm_name": "[NAME OF YOUR CAMPAIGN]",
+            "utm_term": "[IDENTIFY PAID KEYWORDS HERE]"
+        },
+        "open_tracking": {
+            "enable": True,
+            "substitution_tag": "%opentrack"
+        },
+        "subscription_tracking": {
+            "enable": True,
+            "html": "If you would like to unsubscribe and stop receiving these emails <% clickhere %>.",
+            "substitution_tag": "<%click here%>",
+            "text": "If you would like to unsubscribe and stop receiving these emails <% click here %>."
+        }
+    }
+}
+
+response = sg.client.mail.send.post(request_body=data)

python/ql/test/experimental/query-tests/Security/CWE-079/smtplib_bad_subparts.py

@@ -0,0 +1,43 @@
+# This test checks that the developer doesn't pass a MIMEText instance to a MIMEMultipart initializer via the subparts parameter.
+
+# source꞉  https꞉//www.programcreek.com/python/example/53141/email.MIMEMultipart.MIMEMultipart
+from flask import Flask, request
+import json
+import smtplib, ssl
+from email.mime.text import MIMEText
+from email.mime.multipart import MIMEMultipart
+
+app = Flask(__name__)
+
+@app.route("/")
+def email_person():
+    sender_email = "my@gmail.com"
+    receiver_email = "your@gmail.com"
+    password = input("Type your password and press enter:")
+
+    name = request.args['search']
+    # Create the plain-text and HTML version of your message
+    text = "hello there"
+    html = f"hello {name}"
+
+    # Turn these into plain/html MIMEText objects
+    part1 = MIMEText(text, "plain")
+    part2 = MIMEText(html, "html")
+
+    message = MIMEMultipart(_subparts=(part1, part2))
+    message["Subject"] = "multipart test"
+    message["From"] = sender_email
+    message["To"] = receiver_email
+
+    # Create secure connection with server and send email
+    context = ssl.create_default_context()
+    server = smtplib.SMTP_SSL("smtp.gmail.com", 465, context=context);
+    
+    server.login(sender_email, password)
+    server.sendmail(
+        sender_email, receiver_email, message.as_string()
+    )
+
+
+# if __name__ == "__main__":
+#     app.run(debug=True)

python/ql/test/experimental/query-tests/Security/CWE-079/smtplib_bad_via_attach.py

@@ -0,0 +1,47 @@
+# This test checks that the developer doesn't pass a MIMEText instance to a MIMEMultipart message.
+# source꞉ https꞉//realpython.com/python-send-email/
+from flask import Flask, request
+import json
+import smtplib, ssl
+from email.mime.text import MIMEText
+from email.mime.multipart import MIMEMultipart
+
+app = Flask(__name__)
+
+@app.route("/")
+def email_person():
+    sender_email = "my@gmail.com"
+    receiver_email = "your@gmail.com"
+    password = input("Type your password and press enter:")
+
+    message = MIMEMultipart("alternative")
+    message["Subject"] = "multipart test"
+    message["From"] = sender_email
+    message["To"] = receiver_email
+
+    name = request.args['name']
+    # Create the plain-text and HTML version of your message
+    text = "hello there"
+    html = f"hello {name}" # here is the exploit. passing vulnerable data into the html portion of the email
+
+    # Turn these into plain/html MIMEText objects
+    part1 = MIMEText(text, "plain")
+    part2 = MIMEText(html, "html")
+
+    # Add HTML/plain-text parts to MIMEMultipart message
+    # The email client will try to render the last part first
+    message.attach(part1)
+    message.attach(part2)
+
+    # Create secure connection with server and send email
+    context = ssl.create_default_context()
+    server = smtplib.SMTP_SSL("smtp.gmail.com", 465, context=context)
+
+    server.login(sender_email, password)
+    server.sendmail(
+        sender_email, receiver_email, message.as_string()
+    )
+
+
+# if __name__ == "__main__":
+#     app.run(debug=True)