Python: Add test of routed parameters to *args

Also move the **kwargs and *args test to a more appropriate file
2026-04-25 08:45:14 +02:00 · 2023-11-21 13:01:01 +01:00
parent 5f26790b90
commit c51c15ae74
2 changed files with 37 additions and 12 deletions
--- a/python/ql/test/library-tests/frameworks/django-v2-v3/routing_test.py
+++ b/python/ql/test/library-tests/frameworks/django-v2-v3/routing_test.py
@@ -150,3 +150,40 @@ class UnknownViewSubclass(UnknownViewSuperclass):
 urlpatterns = [
    path("UnknownViewSubclass/", UnknownViewSubclass.as_view()),  # $ routeSetup="UnknownViewSubclass/"
 ]
+
+################################################################################
+# Routing to *args and **kwargs
+################################################################################
+
+def kwargs_param(request, **kwargs): # $ requestHandler routedParameter=kwargs
+    ensure_tainted(
+        kwargs, # $ tainted
+        kwargs["foo"], # $ tainted
+        kwargs["bar"]  # $ tainted
+    )
+
+    ensure_tainted(request) # $ tainted
+
+
+def star_args_param(request, *args): # $ requestHandler MISSING: routedParameter=args
+    ensure_tainted(
+        args, # $ MISSING: tainted
+        args[0], # $ MISSING: tainted
+        args[1], # $ MISSING: tainted
+    )
+    ensure_tainted(request) # $ tainted
+
+
+def star_args_param_check(request, foo, bar): # $ requestHandler routedParameter=foo routedParameter=bar
+    ensure_tainted(
+        foo, # $ tainted
+        bar, # $ tainted
+    )
+    ensure_tainted(request) # $ tainted
+
+
+urlpatterns = [
+    path("test-kwargs_param/<foo>/<bar>", kwargs_param),  # $ routeSetup="test-kwargs_param/<foo>/<bar>"
+    re_path("test-star_args_param/([^/]+)/(.+)", star_args_param),  # $ routeSetup="test-star_args_param/([^/]+)/(.+)"
+    re_path("test-star_args_param_check/([^/]+)/(.+)", star_args_param_check),  # $ routeSetup="test-star_args_param_check/([^/]+)/(.+)"
+]
--- a/python/ql/test/library-tests/frameworks/django-v2-v3/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/django-v2-v3/taint_test.py
@@ -174,20 +174,8 @@ class ClassView(View):
        )


-def kwargs_param(request, **kwargs): # $ requestHandler routedParameter=kwargs
-    ensure_tainted(
-        kwargs, # $ tainted
-        kwargs["foo"], # $ tainted
-        kwargs["bar"]  # $ tainted
-    )
-
-    ensure_tainted(request) # $ tainted
-
-
 # fake setup, you can't actually run this
 urlpatterns = [
    path("test-taint/<foo>/<bar>", test_taint),  # $ routeSetup="test-taint/<foo>/<bar>"
    path("ClassView/", ClassView.as_view()), # $ routeSetup="ClassView/"
-    path("test-kwargs_param/<foo>/<bar>", kwargs_param),  # $ routeSetup="test-kwargs_param/<foo>/<bar>"
-
 ]