mirror of
https://github.com/github/codeql.git
synced 2026-04-25 08:45:14 +02:00
Python: Add test of routed parameters to *args
Also move the **kwargs and *args test to a more appropriate file
This commit is contained in:
@@ -150,3 +150,40 @@ class UnknownViewSubclass(UnknownViewSuperclass):
|
||||
urlpatterns = [
|
||||
path("UnknownViewSubclass/", UnknownViewSubclass.as_view()), # $ routeSetup="UnknownViewSubclass/"
|
||||
]
|
||||
|
||||
################################################################################
|
||||
# Routing to *args and **kwargs
|
||||
################################################################################
|
||||
|
||||
def kwargs_param(request, **kwargs): # $ requestHandler routedParameter=kwargs
|
||||
ensure_tainted(
|
||||
kwargs, # $ tainted
|
||||
kwargs["foo"], # $ tainted
|
||||
kwargs["bar"] # $ tainted
|
||||
)
|
||||
|
||||
ensure_tainted(request) # $ tainted
|
||||
|
||||
|
||||
def star_args_param(request, *args): # $ requestHandler MISSING: routedParameter=args
|
||||
ensure_tainted(
|
||||
args, # $ MISSING: tainted
|
||||
args[0], # $ MISSING: tainted
|
||||
args[1], # $ MISSING: tainted
|
||||
)
|
||||
ensure_tainted(request) # $ tainted
|
||||
|
||||
|
||||
def star_args_param_check(request, foo, bar): # $ requestHandler routedParameter=foo routedParameter=bar
|
||||
ensure_tainted(
|
||||
foo, # $ tainted
|
||||
bar, # $ tainted
|
||||
)
|
||||
ensure_tainted(request) # $ tainted
|
||||
|
||||
|
||||
urlpatterns = [
|
||||
path("test-kwargs_param/<foo>/<bar>", kwargs_param), # $ routeSetup="test-kwargs_param/<foo>/<bar>"
|
||||
re_path("test-star_args_param/([^/]+)/(.+)", star_args_param), # $ routeSetup="test-star_args_param/([^/]+)/(.+)"
|
||||
re_path("test-star_args_param_check/([^/]+)/(.+)", star_args_param_check), # $ routeSetup="test-star_args_param_check/([^/]+)/(.+)"
|
||||
]
|
||||
|
||||
@@ -174,20 +174,8 @@ class ClassView(View):
|
||||
)
|
||||
|
||||
|
||||
def kwargs_param(request, **kwargs): # $ requestHandler routedParameter=kwargs
|
||||
ensure_tainted(
|
||||
kwargs, # $ tainted
|
||||
kwargs["foo"], # $ tainted
|
||||
kwargs["bar"] # $ tainted
|
||||
)
|
||||
|
||||
ensure_tainted(request) # $ tainted
|
||||
|
||||
|
||||
# fake setup, you can't actually run this
|
||||
urlpatterns = [
|
||||
path("test-taint/<foo>/<bar>", test_taint), # $ routeSetup="test-taint/<foo>/<bar>"
|
||||
path("ClassView/", ClassView.as_view()), # $ routeSetup="ClassView/"
|
||||
path("test-kwargs_param/<foo>/<bar>", kwargs_param), # $ routeSetup="test-kwargs_param/<foo>/<bar>"
|
||||
|
||||
]
|
||||
|
||||
Reference in New Issue
Block a user