Merge branch 'main' into python/test-MaD-keyword-argument

2026-04-27 09:45:15 +02:00 · 2024-03-22 10:56:08 +01:00
parent eef60c9ad2 fb4ed39d89
commit c520cb6d58
862 changed files with 70983 additions and 70154 deletions
--- a/python/ql/test/experimental/dataflow/summaries/InlineTaintTest.expected
+++ b/python/ql/test/experimental/dataflow/summaries/InlineTaintTest.expected
@@ -0,0 +1,4 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+testFailures
+failures
--- a/python/ql/test/experimental/dataflow/summaries/InlineTaintTest.ql
+++ b/python/ql/test/experimental/dataflow/summaries/InlineTaintTest.ql
@@ -0,0 +1,4 @@
+import python
+import experimental.meta.InlineTaintTest
+import MakeInlineTaintTest<TestTaintTrackingConfig>
+import TestSummaries
--- a/python/ql/test/experimental/dataflow/summaries/TestSummaries.qll
+++ b/python/ql/test/experimental/dataflow/summaries/TestSummaries.qll
@@ -136,3 +136,108 @@ private class SummarizedCallableJsonLoads extends SummarizedCallable {
    preservesValue = true
  }
 }
+
+// Repeated summaries
+private class SummarizedCallableWithSubpath extends SummarizedCallable {
+  SummarizedCallableWithSubpath() { this = "extracted_package.functions.with_subpath" }
+
+  override DataFlow::CallCfgNode getACall() {
+    result =
+      API::moduleImport("extracted_package")
+          .getMember("functions")
+          .getMember("with_subpath")
+          .getACall()
+  }
+
+  override DataFlow::ArgumentNode getACallback() {
+    result =
+      API::moduleImport("extracted_package")
+          .getMember("functions")
+          .getMember("with_subpath")
+          .getAValueReachableFromSource()
+  }
+
+  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
+    input = "Argument[0]" and
+    output = "ReturnValue" and
+    preservesValue = false
+  }
+}
+
+private class SummarizedCallableWithSubpathAgain extends SummarizedCallable {
+  SummarizedCallableWithSubpathAgain() { this = "extracted_package.functions.with_subpathII" }
+
+  override DataFlow::CallCfgNode getACall() {
+    result =
+      API::moduleImport("extracted_package")
+          .getMember("functions")
+          .getMember("with_subpath")
+          .getACall()
+  }
+
+  override DataFlow::ArgumentNode getACallback() {
+    result =
+      API::moduleImport("extracted_package")
+          .getMember("functions")
+          .getMember("with_subpath")
+          .getAValueReachableFromSource()
+  }
+
+  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
+    input = "Argument[0]" and
+    output = "ReturnValue.Attribute[pattern]" and
+    preservesValue = true
+  }
+}
+
+private class SummarizedCallableWithoutSubpath extends SummarizedCallable {
+  SummarizedCallableWithoutSubpath() { this = "extracted_package.functions.without_subpath" }
+
+  override DataFlow::CallCfgNode getACall() {
+    result =
+      API::moduleImport("extracted_package")
+          .getMember("functions")
+          .getMember("without_subpath")
+          .getACall()
+  }
+
+  override DataFlow::ArgumentNode getACallback() {
+    result =
+      API::moduleImport("extracted_package")
+          .getMember("functions")
+          .getMember("without_subpath")
+          .getAValueReachableFromSource()
+  }
+
+  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
+    input = "Argument[0]" and
+    output = "ReturnValue" and
+    preservesValue = false
+  }
+}
+
+private class SummarizedCallableWithoutSubpathAgain extends SummarizedCallable {
+  SummarizedCallableWithoutSubpathAgain() { this = "extracted_package.functions.without_subpathII" }
+
+  override DataFlow::CallCfgNode getACall() {
+    result =
+      API::moduleImport("extracted_package")
+          .getMember("functions")
+          .getMember("without_subpath")
+          .getACall()
+  }
+
+  override DataFlow::ArgumentNode getACallback() {
+    result =
+      API::moduleImport("extracted_package")
+          .getMember("functions")
+          .getMember("without_subpath")
+          .getAValueReachableFromSource()
+  }
+
+  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
+    input = "Argument[0]" and
+    output = "ReturnValue.Attribute[pattern]" and
+    preservesValue = true
+  }
+}
--- a/python/ql/test/experimental/dataflow/summaries/conflicting_summaries.py
+++ b/python/ql/test/experimental/dataflow/summaries/conflicting_summaries.py
@@ -0,0 +1,18 @@
+# Bad interaction of two summaries for the same function
+ts = TAINTED_STRING
+
+from extracted_package.functions import with_subpath, without_subpath
+
+# For the function `with_subpath`, flow from the first argument to the return value
+# can be concluded from its definition. This seems to discard all summaries, including
+# the one with flow to `ReturnValue.Attribute[pattern]`.
+ensure_tainted(
+    with_subpath(ts).pattern,  # $ tainted
+    with_subpath(ts),  # $ tainted
+    with_subpath(ts),  # $ tainted
+)
+ensure_tainted(
+    without_subpath(ts).pattern,  # $ tainted
+    without_subpath(ts),  # $ tainted
+    without_subpath(ts),  # $ tainted
+)
--- a/python/ql/test/experimental/dataflow/summaries/extracted_package/init.py
+++ b/python/ql/test/experimental/dataflow/summaries/extracted_package/init.py
--- a/python/ql/test/experimental/dataflow/summaries/extracted_package/functions.py
+++ b/python/ql/test/experimental/dataflow/summaries/extracted_package/functions.py
@@ -0,0 +1,5 @@
+def with_subpath(x):
+    return x
+
+def without_subpath(x):
+    pass
--- a/python/ql/test/experimental/dataflow/summaries/summaries.expected
+++ b/python/ql/test/experimental/dataflow/summaries/summaries.expected
@@ -4,7 +4,9 @@ edges
 | summaries.py:32:20:32:25 | ControlFlowNode for SOURCE | summaries.py:32:11:32:26 | ControlFlowNode for identity() | provenance |  |
 | summaries.py:36:1:36:14 | ControlFlowNode for tainted_lambda | summaries.py:37:6:37:19 | ControlFlowNode for tainted_lambda | provenance |  |
 | summaries.py:36:18:36:54 | ControlFlowNode for apply_lambda() | summaries.py:36:1:36:14 | ControlFlowNode for tainted_lambda | provenance |  |
+| summaries.py:36:38:36:38 | ControlFlowNode for x | summaries.py:36:41:36:45 | ControlFlowNode for BinaryExpr | provenance |  |
 | summaries.py:36:48:36:53 | ControlFlowNode for SOURCE | summaries.py:36:18:36:54 | ControlFlowNode for apply_lambda() | provenance |  |
+| summaries.py:36:48:36:53 | ControlFlowNode for SOURCE | summaries.py:36:38:36:38 | ControlFlowNode for x | provenance |  |
 | summaries.py:44:1:44:12 | ControlFlowNode for tainted_list | summaries.py:45:6:45:20 | ControlFlowNode for Subscript | provenance |  |
 | summaries.py:44:1:44:12 | ControlFlowNode for tainted_list [List element] | summaries.py:45:6:45:17 | ControlFlowNode for tainted_list [List element] | provenance |  |
 | summaries.py:44:16:44:33 | ControlFlowNode for reversed() | summaries.py:44:1:44:12 | ControlFlowNode for tainted_list | provenance |  |
@@ -14,13 +16,17 @@ edges
 | summaries.py:44:26:44:31 | ControlFlowNode for SOURCE | summaries.py:44:25:44:32 | ControlFlowNode for List | provenance |  |
 | summaries.py:44:26:44:31 | ControlFlowNode for SOURCE | summaries.py:44:25:44:32 | ControlFlowNode for List [List element] | provenance |  |
 | summaries.py:45:6:45:17 | ControlFlowNode for tainted_list [List element] | summaries.py:45:6:45:20 | ControlFlowNode for Subscript | provenance |  |
+| summaries.py:48:15:48:15 | ControlFlowNode for x | summaries.py:49:12:49:18 | ControlFlowNode for BinaryExpr | provenance |  |
 | summaries.py:51:1:51:14 | ControlFlowNode for tainted_mapped [List element] | summaries.py:52:6:52:19 | ControlFlowNode for tainted_mapped [List element] | provenance |  |
 | summaries.py:51:18:51:46 | ControlFlowNode for list_map() [List element] | summaries.py:51:1:51:14 | ControlFlowNode for tainted_mapped [List element] | provenance |  |
+| summaries.py:51:38:51:45 | ControlFlowNode for List [List element] | summaries.py:48:15:48:15 | ControlFlowNode for x | provenance |  |
 | summaries.py:51:38:51:45 | ControlFlowNode for List [List element] | summaries.py:51:18:51:46 | ControlFlowNode for list_map() [List element] | provenance |  |
 | summaries.py:51:39:51:44 | ControlFlowNode for SOURCE | summaries.py:51:38:51:45 | ControlFlowNode for List [List element] | provenance |  |
 | summaries.py:52:6:52:19 | ControlFlowNode for tainted_mapped [List element] | summaries.py:52:6:52:22 | ControlFlowNode for Subscript | provenance |  |
+| summaries.py:54:23:54:23 | ControlFlowNode for x | summaries.py:55:12:55:12 | ControlFlowNode for x | provenance |  |
 | summaries.py:57:1:57:23 | ControlFlowNode for tainted_mapped_explicit [List element] | summaries.py:58:6:58:28 | ControlFlowNode for tainted_mapped_explicit [List element] | provenance |  |
 | summaries.py:57:27:57:63 | ControlFlowNode for list_map() [List element] | summaries.py:57:1:57:23 | ControlFlowNode for tainted_mapped_explicit [List element] | provenance |  |
+| summaries.py:57:55:57:62 | ControlFlowNode for List [List element] | summaries.py:54:23:54:23 | ControlFlowNode for x | provenance |  |
 | summaries.py:57:55:57:62 | ControlFlowNode for List [List element] | summaries.py:57:27:57:63 | ControlFlowNode for list_map() [List element] | provenance |  |
 | summaries.py:57:56:57:61 | ControlFlowNode for SOURCE | summaries.py:57:55:57:62 | ControlFlowNode for List [List element] | provenance |  |
 | summaries.py:58:6:58:28 | ControlFlowNode for tainted_mapped_explicit [List element] | summaries.py:58:6:58:31 | ControlFlowNode for Subscript | provenance |  |
@@ -46,6 +52,8 @@ nodes
 | summaries.py:33:6:33:12 | ControlFlowNode for tainted | semmle.label | ControlFlowNode for tainted |
 | summaries.py:36:1:36:14 | ControlFlowNode for tainted_lambda | semmle.label | ControlFlowNode for tainted_lambda |
 | summaries.py:36:18:36:54 | ControlFlowNode for apply_lambda() | semmle.label | ControlFlowNode for apply_lambda() |
+| summaries.py:36:38:36:38 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| summaries.py:36:41:36:45 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
 | summaries.py:36:48:36:53 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | summaries.py:37:6:37:19 | ControlFlowNode for tainted_lambda | semmle.label | ControlFlowNode for tainted_lambda |
 | summaries.py:44:1:44:12 | ControlFlowNode for tainted_list | semmle.label | ControlFlowNode for tainted_list |
@@ -57,12 +65,16 @@ nodes
 | summaries.py:44:26:44:31 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | summaries.py:45:6:45:17 | ControlFlowNode for tainted_list [List element] | semmle.label | ControlFlowNode for tainted_list [List element] |
 | summaries.py:45:6:45:20 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| summaries.py:48:15:48:15 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| summaries.py:49:12:49:18 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
 | summaries.py:51:1:51:14 | ControlFlowNode for tainted_mapped [List element] | semmle.label | ControlFlowNode for tainted_mapped [List element] |
 | summaries.py:51:18:51:46 | ControlFlowNode for list_map() [List element] | semmle.label | ControlFlowNode for list_map() [List element] |
 | summaries.py:51:38:51:45 | ControlFlowNode for List [List element] | semmle.label | ControlFlowNode for List [List element] |
 | summaries.py:51:39:51:44 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | summaries.py:52:6:52:19 | ControlFlowNode for tainted_mapped [List element] | semmle.label | ControlFlowNode for tainted_mapped [List element] |
 | summaries.py:52:6:52:22 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| summaries.py:54:23:54:23 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| summaries.py:55:12:55:12 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
 | summaries.py:57:1:57:23 | ControlFlowNode for tainted_mapped_explicit [List element] | semmle.label | ControlFlowNode for tainted_mapped_explicit [List element] |
 | summaries.py:57:27:57:63 | ControlFlowNode for list_map() [List element] | semmle.label | ControlFlowNode for list_map() [List element] |
 | summaries.py:57:55:57:62 | ControlFlowNode for List [List element] | semmle.label | ControlFlowNode for List [List element] |
@@ -87,6 +99,9 @@ nodes
 | summaries.py:68:6:68:23 | ControlFlowNode for tainted_resultlist [List element] | semmle.label | ControlFlowNode for tainted_resultlist [List element] |
 | summaries.py:68:6:68:26 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 subpaths
+| summaries.py:36:48:36:53 | ControlFlowNode for SOURCE | summaries.py:36:38:36:38 | ControlFlowNode for x | summaries.py:36:41:36:45 | ControlFlowNode for BinaryExpr | summaries.py:36:18:36:54 | ControlFlowNode for apply_lambda() |
+| summaries.py:51:38:51:45 | ControlFlowNode for List [List element] | summaries.py:48:15:48:15 | ControlFlowNode for x | summaries.py:49:12:49:18 | ControlFlowNode for BinaryExpr | summaries.py:51:18:51:46 | ControlFlowNode for list_map() [List element] |
+| summaries.py:57:55:57:62 | ControlFlowNode for List [List element] | summaries.py:54:23:54:23 | ControlFlowNode for x | summaries.py:55:12:55:12 | ControlFlowNode for x | summaries.py:57:27:57:63 | ControlFlowNode for list_map() [List element] |
 invalidSpecComponent
 #select
 | summaries.py:33:6:33:12 | ControlFlowNode for tainted | summaries.py:32:20:32:25 | ControlFlowNode for SOURCE | summaries.py:33:6:33:12 | ControlFlowNode for tainted | $@ | summaries.py:32:20:32:25 | ControlFlowNode for SOURCE | ControlFlowNode for SOURCE |
--- a/python/ql/test/experimental/dataflow/variable-capture/by_value.py
+++ b/python/ql/test/experimental/dataflow/variable-capture/by_value.py
@@ -34,7 +34,7 @@ def by_value1():
    a = SOURCE
    def inner(a_val=a):
        SINK(a_val) #$ captured
-        SINK_F(a) #$ SPURIOUS: captured
+        SINK_F(a)
    a = NONSOURCE
    inner()

--- a/python/ql/test/experimental/query-tests/Security/CWE-770/UnicodeDoS.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-770/UnicodeDoS.expected
@@ -0,0 +1,73 @@
+edges
+| tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:1:35:1:41 | ControlFlowNode for request | provenance |  |
+| tests.py:1:35:1:41 | ControlFlowNode for request | tests.py:12:17:12:23 | ControlFlowNode for request | provenance |  |
+| tests.py:1:35:1:41 | ControlFlowNode for request | tests.py:24:9:24:15 | ControlFlowNode for request | provenance |  |
+| tests.py:1:35:1:41 | ControlFlowNode for request | tests.py:36:9:36:15 | ControlFlowNode for request | provenance |  |
+| tests.py:1:35:1:41 | ControlFlowNode for request | tests.py:48:9:48:15 | ControlFlowNode for request | provenance |  |
+| tests.py:1:35:1:41 | ControlFlowNode for request | tests.py:60:9:60:15 | ControlFlowNode for request | provenance |  |
+| tests.py:1:35:1:41 | ControlFlowNode for request | tests.py:72:9:72:15 | ControlFlowNode for request | provenance |  |
+| tests.py:12:5:12:13 | ControlFlowNode for file_path | tests.py:16:39:16:47 | ControlFlowNode for file_path | provenance |  |
+| tests.py:12:17:12:23 | ControlFlowNode for request | tests.py:12:17:12:28 | ControlFlowNode for Attribute | provenance |  |
+| tests.py:12:17:12:28 | ControlFlowNode for Attribute | tests.py:12:17:12:49 | ControlFlowNode for Attribute() | provenance |  |
+| tests.py:12:17:12:49 | ControlFlowNode for Attribute() | tests.py:12:5:12:13 | ControlFlowNode for file_path | provenance |  |
+| tests.py:24:5:24:5 | ControlFlowNode for r | tests.py:28:43:28:43 | ControlFlowNode for r | provenance |  |
+| tests.py:24:9:24:15 | ControlFlowNode for request | tests.py:24:9:24:20 | ControlFlowNode for Attribute | provenance |  |
+| tests.py:24:9:24:20 | ControlFlowNode for Attribute | tests.py:24:9:24:33 | ControlFlowNode for Attribute() | provenance |  |
+| tests.py:24:9:24:33 | ControlFlowNode for Attribute() | tests.py:24:5:24:5 | ControlFlowNode for r | provenance |  |
+| tests.py:36:5:36:5 | ControlFlowNode for r | tests.py:40:43:40:43 | ControlFlowNode for r | provenance |  |
+| tests.py:36:9:36:15 | ControlFlowNode for request | tests.py:36:9:36:20 | ControlFlowNode for Attribute | provenance |  |
+| tests.py:36:9:36:20 | ControlFlowNode for Attribute | tests.py:36:9:36:33 | ControlFlowNode for Attribute() | provenance |  |
+| tests.py:36:9:36:33 | ControlFlowNode for Attribute() | tests.py:36:5:36:5 | ControlFlowNode for r | provenance |  |
+| tests.py:48:5:48:5 | ControlFlowNode for r | tests.py:52:43:52:43 | ControlFlowNode for r | provenance |  |
+| tests.py:48:9:48:15 | ControlFlowNode for request | tests.py:48:9:48:20 | ControlFlowNode for Attribute | provenance |  |
+| tests.py:48:9:48:20 | ControlFlowNode for Attribute | tests.py:48:9:48:33 | ControlFlowNode for Attribute() | provenance |  |
+| tests.py:48:9:48:33 | ControlFlowNode for Attribute() | tests.py:48:5:48:5 | ControlFlowNode for r | provenance |  |
+| tests.py:60:5:60:5 | ControlFlowNode for r | tests.py:64:43:64:43 | ControlFlowNode for r | provenance |  |
+| tests.py:60:9:60:15 | ControlFlowNode for request | tests.py:60:9:60:20 | ControlFlowNode for Attribute | provenance |  |
+| tests.py:60:9:60:20 | ControlFlowNode for Attribute | tests.py:60:9:60:33 | ControlFlowNode for Attribute() | provenance |  |
+| tests.py:60:9:60:33 | ControlFlowNode for Attribute() | tests.py:60:5:60:5 | ControlFlowNode for r | provenance |  |
+| tests.py:72:5:72:5 | ControlFlowNode for r | tests.py:76:43:76:43 | ControlFlowNode for r | provenance |  |
+| tests.py:72:9:72:15 | ControlFlowNode for request | tests.py:72:9:72:20 | ControlFlowNode for Attribute | provenance |  |
+| tests.py:72:9:72:20 | ControlFlowNode for Attribute | tests.py:72:9:72:33 | ControlFlowNode for Attribute() | provenance |  |
+| tests.py:72:9:72:33 | ControlFlowNode for Attribute() | tests.py:72:5:72:5 | ControlFlowNode for r | provenance |  |
+nodes
+| tests.py:1:35:1:41 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
+| tests.py:1:35:1:41 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| tests.py:12:5:12:13 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path |
+| tests.py:12:17:12:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| tests.py:12:17:12:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| tests.py:12:17:12:49 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| tests.py:16:39:16:47 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path |
+| tests.py:24:5:24:5 | ControlFlowNode for r | semmle.label | ControlFlowNode for r |
+| tests.py:24:9:24:15 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| tests.py:24:9:24:20 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| tests.py:24:9:24:33 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| tests.py:28:43:28:43 | ControlFlowNode for r | semmle.label | ControlFlowNode for r |
+| tests.py:36:5:36:5 | ControlFlowNode for r | semmle.label | ControlFlowNode for r |
+| tests.py:36:9:36:15 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| tests.py:36:9:36:20 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| tests.py:36:9:36:33 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| tests.py:40:43:40:43 | ControlFlowNode for r | semmle.label | ControlFlowNode for r |
+| tests.py:48:5:48:5 | ControlFlowNode for r | semmle.label | ControlFlowNode for r |
+| tests.py:48:9:48:15 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| tests.py:48:9:48:20 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| tests.py:48:9:48:33 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| tests.py:52:43:52:43 | ControlFlowNode for r | semmle.label | ControlFlowNode for r |
+| tests.py:60:5:60:5 | ControlFlowNode for r | semmle.label | ControlFlowNode for r |
+| tests.py:60:9:60:15 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| tests.py:60:9:60:20 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| tests.py:60:9:60:33 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| tests.py:64:43:64:43 | ControlFlowNode for r | semmle.label | ControlFlowNode for r |
+| tests.py:72:5:72:5 | ControlFlowNode for r | semmle.label | ControlFlowNode for r |
+| tests.py:72:9:72:15 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| tests.py:72:9:72:20 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| tests.py:72:9:72:33 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| tests.py:76:43:76:43 | ControlFlowNode for r | semmle.label | ControlFlowNode for r |
+subpaths
+#select
+| tests.py:16:39:16:47 | ControlFlowNode for file_path | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:16:39:16:47 | ControlFlowNode for file_path | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:16:39:16:47 | ControlFlowNode for file_path | costly Unicode normalization operation |
+| tests.py:28:43:28:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:28:43:28:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:28:43:28:43 | ControlFlowNode for r | costly Unicode normalization operation |
+| tests.py:40:43:40:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:40:43:40:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:40:43:40:43 | ControlFlowNode for r | costly Unicode normalization operation |
+| tests.py:52:43:52:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:52:43:52:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:52:43:52:43 | ControlFlowNode for r | costly Unicode normalization operation |
+| tests.py:64:43:64:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:64:43:64:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:64:43:64:43 | ControlFlowNode for r | costly Unicode normalization operation |
+| tests.py:76:43:76:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:76:43:76:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:76:43:76:43 | ControlFlowNode for r | costly Unicode normalization operation |
--- a/python/ql/test/experimental/query-tests/Security/CWE-770/UnicodeDoS.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-770/UnicodeDoS.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-770/UnicodeDoS.ql
--- a/python/ql/test/experimental/query-tests/Security/CWE-770/tests.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-770/tests.py
@@ -0,0 +1,129 @@
+from flask import Flask, jsonify, request
+import unicodedata
+
+app = Flask(__name__)
+
+STATIC_DIR = "/home/unknown/"
+
+
+@app.route("/bad_1")
+def bad_1():
+    # User controlled data
+    file_path = request.args.get("file_path", "")
+
+    # Normalize the file path using NFKC Unicode normalization
+    return (
+        unicodedata.normalize("NFKC", file_path),
+        200,
+        {"Content-Type": "application/octet-stream"},
+    )
+
+
+@app.route("/bad_2")
+def bad_2():
+    r = request.args.get("r", "")
+
+    if len(r) >= 10:
+        # Normalize the r using NFKD Unicode normalization
+        r = unicodedata.normalize("NFKD", r)
+        return r, 200, {"Content-Type": "application/octet-stream"}
+    else:
+        return jsonify({"error": "File not found"}), 404
+
+
+@app.route("/bad_3")
+def bad_3():
+    r = request.args.get("r", "")
+    length = len(r)
+    if length >= 1_000:
+        # Normalize the r using NFKD Unicode normalization
+        r = unicodedata.normalize("NFKD", r)
+        return r, 200, {"Content-Type": "application/octet-stream"}
+    else:
+        return jsonify({"error": "File not found"}), 404
+
+
+@app.route("/bad_4")
+def bad_4():
+    r = request.args.get("r", "")
+    length = len(r)
+    if 1_000 <= length:
+        # Normalize the r using NFKD Unicode normalization
+        r = unicodedata.normalize("NFKD", r)
+        return r, 200, {"Content-Type": "application/octet-stream"}
+    else:
+        return jsonify({"error": "File not found"}), 404
+
+
+@app.route("/bad_5")
+def bad_5():
+    r = request.args.get("r", "")
+    length = len(r)
+    if not length < 1_000:
+        # Normalize the r using NFKD Unicode normalization
+        r = unicodedata.normalize("NFKD", r)
+        return r, 200, {"Content-Type": "application/octet-stream"}
+    else:
+        return jsonify({"error": "File not found"}), 404
+
+
+@app.route("/bad_6")
+def bad_6():
+    r = request.args.get("r", "")
+    length = len(r)
+    if not 1_000 > length:
+        # Normalize the r using NFKD Unicode normalization
+        r = unicodedata.normalize("NFKD", r)
+        return r, 200, {"Content-Type": "application/octet-stream"}
+    else:
+        return jsonify({"error": "File not found"}), 404
+
+
+@app.route("/good_1")
+def good_1():
+    r = request.args.get("r", "")
+
+    if len(r) <= 1_000:
+        # Normalize the r using NFKD Unicode normalization
+        r = unicodedata.normalize("NFKD", r)
+        return r, 200, {"Content-Type": "application/octet-stream"}
+    else:
+        return jsonify({"error": "File not found"}), 404
+
+
+@app.route("/good_2")
+def good_2():
+    r = request.args.get("r", "")
+    MAX_LENGTH = 1_000
+    length = len(r)
+    if length <= MAX_LENGTH:
+        # Normalize the r using NFKD Unicode normalization
+        r = unicodedata.normalize("NFKD", r)
+        return r, 200, {"Content-Type": "application/octet-stream"}
+    else:
+        return jsonify({"error": "File not found"}), 404
+
+@app.route("/good_3")
+def good_3():
+    r = request.args.get("r", "")
+    MAX_LENGTH = 1_000
+    length = len(r)
+    if not length >= MAX_LENGTH:
+        # Normalize the r using NFKD Unicode normalization
+        r = unicodedata.normalize("NFKD", r)
+        return r, 200, {"Content-Type": "application/octet-stream"}
+    else:
+        return jsonify({"error": "File not found"}), 404
+
+
+@app.route("/good_4")
+def good_4():
+    r = request.args.get("r", "")
+    MAX_LENGTH = 1_000
+    length = len(r)
+    if not MAX_LENGTH <= length:
+        # Normalize the r using NFKD Unicode normalization
+        r = unicodedata.normalize("NFKD", r)
+        return r, 200, {"Content-Type": "application/octet-stream"}
+    else:
+        return jsonify({"error": "File not found"}), 404
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE-770/UnicodeDoS.ql`