Merge branch 'main' into py-shell

2026-05-05 05:35:13 +02:00 · 2023-03-13 14:56:04 +01:00
parent 759854991a 705691b096
commit d001cc40d3
3731 changed files with 279060 additions and 217903 deletions
--- a/python/ql/test/library-tests/ApiGraphs/py3/dataflow-consistency.ql
+++ b/python/ql/test/library-tests/ApiGraphs/py3/dataflow-consistency.ql
@@ -1 +1,2 @@
-import semmle.python.dataflow.new.internal.DataFlowImplConsistency::Consistency
+import python
+import experimental.dataflow.TestUtil.DataFlowConsistency
--- a/python/ql/test/library-tests/ApiGraphs/py3/test_captured.py
+++ b/python/ql/test/library-tests/ApiGraphs/py3/test_captured.py
@@ -0,0 +1,14 @@
+from html import escape
+
+def p(x):
+    return escape(x) #$ use=moduleImport("html").getMember("escape").getReturn()
+
+def p_list(l):
+    return ", ".join(p(x) for x in l) #$ use=moduleImport("html").getMember("escape").getReturn()
+
+def pp_list(l):
+    def pp(x):
+        return escape(x) #$ use=moduleImport("html").getMember("escape").getReturn()
+
+    def pp_list_inner(l):
+        return ", ".join(pp(x) for x in l) #$ MISSING: use=moduleImport("html").getMember("escape").getReturn()
--- a/python/ql/test/library-tests/PointsTo/new/ImpliesDataflow.expected
+++ b/python/ql/test/library-tests/PointsTo/new/ImpliesDataflow.expected
@@ -5,11 +5,6 @@
 | code/l_calls.py:12:1:12:20 | ControlFlowNode for ClassExpr | code/l_calls.py:25:16:25:16 | ControlFlowNode for a |
 | code/l_calls.py:33:5:33:23 | ControlFlowNode for FunctionExpr | code/l_calls.py:39:1:39:3 | ControlFlowNode for Attribute |
 | code/l_calls.py:48:5:48:30 | ControlFlowNode for FunctionExpr | code/l_calls.py:53:1:53:3 | ControlFlowNode for Attribute |
-| code/q_super.py:10:18:10:21 | ControlFlowNode for self | code/q_super.py:4:22:4:25 | ControlFlowNode for self |
-| code/q_super.py:26:14:26:17 | ControlFlowNode for self | code/q_super.py:22:32:22:35 | ControlFlowNode for self |
-| code/q_super.py:31:14:31:17 | ControlFlowNode for self | code/q_super.py:22:32:22:35 | ControlFlowNode for self |
-| code/q_super.py:37:14:37:17 | ControlFlowNode for self | code/q_super.py:22:32:22:35 | ControlFlowNode for self |
-| code/q_super.py:37:14:37:17 | ControlFlowNode for self | code/q_super.py:27:32:27:35 | ControlFlowNode for self |
 | code/q_super.py:48:5:48:17 | ControlFlowNode for ClassExpr | code/q_super.py:51:25:51:29 | ControlFlowNode for Attribute |
 | code/q_super.py:63:5:63:17 | ControlFlowNode for ClassExpr | code/q_super.py:66:19:66:23 | ControlFlowNode for Attribute |
 | code/t_type.py:3:1:3:16 | ControlFlowNode for ClassExpr | code/t_type.py:6:1:6:9 | ControlFlowNode for type() |
--- a/python/ql/test/library-tests/filters/tests/Filter.ql
+++ b/python/ql/test/library-tests/filters/tests/Filter.ql
@@ -2,4 +2,5 @@ import python
 import semmle.python.filters.Tests

 from TestScope t
+where exists(t.getLocation().getFile().getRelativePath())
 select t
--- a/python/ql/test/library-tests/frameworks/django-orm/ReflectedXss.expected
+++ b/python/ql/test/library-tests/frameworks/django-orm/ReflectedXss.expected
@@ -5,13 +5,13 @@ edges
 | testapp/orm_security_tests.py:15:1:15:27 | [orm-model] Class Person [Attribute name] | testapp/orm_security_tests.py:47:14:47:53 | ControlFlowNode for Attribute() [Attribute name] |
 | testapp/orm_security_tests.py:19:12:19:18 | ControlFlowNode for request | testapp/orm_security_tests.py:22:23:22:34 | ControlFlowNode for Attribute |
 | testapp/orm_security_tests.py:19:12:19:18 | ControlFlowNode for request | testapp/orm_security_tests.py:23:22:23:33 | ControlFlowNode for Attribute |
-| testapp/orm_security_tests.py:22:9:22:14 | [post store] ControlFlowNode for person [Attribute name] | testapp/orm_security_tests.py:23:9:23:14 | ControlFlowNode for person [Attribute name] |
+| testapp/orm_security_tests.py:22:9:22:14 | [post] ControlFlowNode for person [Attribute name] | testapp/orm_security_tests.py:23:9:23:14 | ControlFlowNode for person [Attribute name] |
 | testapp/orm_security_tests.py:22:23:22:34 | ControlFlowNode for Attribute | testapp/orm_security_tests.py:22:23:22:42 | ControlFlowNode for Subscript |
-| testapp/orm_security_tests.py:22:23:22:42 | ControlFlowNode for Subscript | testapp/orm_security_tests.py:22:9:22:14 | [post store] ControlFlowNode for person [Attribute name] |
+| testapp/orm_security_tests.py:22:23:22:42 | ControlFlowNode for Subscript | testapp/orm_security_tests.py:22:9:22:14 | [post] ControlFlowNode for person [Attribute name] |
 | testapp/orm_security_tests.py:23:9:23:14 | ControlFlowNode for person [Attribute name] | testapp/orm_security_tests.py:28:9:28:14 | ControlFlowNode for person [Attribute name] |
-| testapp/orm_security_tests.py:23:9:23:14 | [post store] ControlFlowNode for person [Attribute age] | testapp/orm_security_tests.py:28:9:28:14 | ControlFlowNode for person [Attribute age] |
+| testapp/orm_security_tests.py:23:9:23:14 | [post] ControlFlowNode for person [Attribute age] | testapp/orm_security_tests.py:28:9:28:14 | ControlFlowNode for person [Attribute age] |
 | testapp/orm_security_tests.py:23:22:23:33 | ControlFlowNode for Attribute | testapp/orm_security_tests.py:23:22:23:40 | ControlFlowNode for Subscript |
-| testapp/orm_security_tests.py:23:22:23:40 | ControlFlowNode for Subscript | testapp/orm_security_tests.py:23:9:23:14 | [post store] ControlFlowNode for person [Attribute age] |
+| testapp/orm_security_tests.py:23:22:23:40 | ControlFlowNode for Subscript | testapp/orm_security_tests.py:23:9:23:14 | [post] ControlFlowNode for person [Attribute age] |
 | testapp/orm_security_tests.py:28:9:28:14 | ControlFlowNode for person [Attribute age] | testapp/orm_security_tests.py:15:1:15:27 | [orm-model] Class Person [Attribute age] |
 | testapp/orm_security_tests.py:28:9:28:14 | ControlFlowNode for person [Attribute name] | testapp/orm_security_tests.py:15:1:15:27 | [orm-model] Class Person [Attribute name] |
 | testapp/orm_security_tests.py:42:13:42:18 | SSA variable person [Attribute age] | testapp/orm_security_tests.py:43:62:43:67 | ControlFlowNode for person [Attribute age] |
@@ -48,11 +48,11 @@ nodes
 | testapp/orm_security_tests.py:15:1:15:27 | [orm-model] Class Person [Attribute age] | semmle.label | [orm-model] Class Person [Attribute age] |
 | testapp/orm_security_tests.py:15:1:15:27 | [orm-model] Class Person [Attribute name] | semmle.label | [orm-model] Class Person [Attribute name] |
 | testapp/orm_security_tests.py:19:12:19:18 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| testapp/orm_security_tests.py:22:9:22:14 | [post store] ControlFlowNode for person [Attribute name] | semmle.label | [post store] ControlFlowNode for person [Attribute name] |
+| testapp/orm_security_tests.py:22:9:22:14 | [post] ControlFlowNode for person [Attribute name] | semmle.label | [post] ControlFlowNode for person [Attribute name] |
 | testapp/orm_security_tests.py:22:23:22:34 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | testapp/orm_security_tests.py:22:23:22:42 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | testapp/orm_security_tests.py:23:9:23:14 | ControlFlowNode for person [Attribute name] | semmle.label | ControlFlowNode for person [Attribute name] |
-| testapp/orm_security_tests.py:23:9:23:14 | [post store] ControlFlowNode for person [Attribute age] | semmle.label | [post store] ControlFlowNode for person [Attribute age] |
+| testapp/orm_security_tests.py:23:9:23:14 | [post] ControlFlowNode for person [Attribute age] | semmle.label | [post] ControlFlowNode for person [Attribute age] |
 | testapp/orm_security_tests.py:23:22:23:33 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | testapp/orm_security_tests.py:23:22:23:40 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | testapp/orm_security_tests.py:28:9:28:14 | ControlFlowNode for person [Attribute age] | semmle.label | ControlFlowNode for person [Attribute age] |
--- a/python/ql/test/library-tests/frameworks/django-orm/dataflow-consistency.ql
+++ b/python/ql/test/library-tests/frameworks/django-orm/dataflow-consistency.ql
@@ -1 +1,2 @@
-import semmle.python.dataflow.new.internal.DataFlowImplConsistency::Consistency
+import python
+import experimental.dataflow.TestUtil.DataFlowConsistency
--- a/python/ql/test/library-tests/frameworks/django-v2-v3/testproj/settings.py
+++ b/python/ql/test/library-tests/frameworks/django-v2-v3/testproj/settings.py
@@ -40,7 +40,7 @@ INSTALLED_APPS = [
    'django.contrib.staticfiles',
 ]

-MIDDLEWARE = [  # $CsrfProtectionSetting=false
+MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
@@ -48,7 +48,7 @@ MIDDLEWARE = [  # $CsrfProtectionSetting=false
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
-]
+] # $CsrfProtectionSetting=false

 ROOT_URLCONF = 'testproj.urls'

--- a/python/ql/test/library-tests/frameworks/flask/old_test.py
+++ b/python/ql/test/library-tests/frameworks/flask/old_test.py
@@ -21,8 +21,8 @@ class MyView(MethodView):

 the_view = MyView.as_view('my_view')

-app.add_url_rule('/the/', defaults={'user_id': None},  # $routeSetup="/the/"
-                 view_func=the_view, methods=['GET',])
+app.add_url_rule('/the/', defaults={'user_id': None},
+                 view_func=the_view, methods=['GET',]) # $routeSetup="/the/"

@app.route("/dangerous")  # $routeSetup="/dangerous"
 def dangerous():  # $requestHandler
--- a/python/ql/test/library-tests/frameworks/stdlib/test_hmac.py
+++ b/python/ql/test/library-tests/frameworks/stdlib/test_hmac.py
@@ -0,0 +1,33 @@
+import hmac
+import hashlib
+
+key = b"<secret key>"
+
+hmac_obj = hmac.new(key, b"secret message", "sha256") # $ CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=SHA256
+print(hmac_obj.digest())
+print(hmac_obj.hexdigest())
+
+hmac_obj = hmac.new(key, msg=b"secret message", digestmod="sha256") # $ CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=SHA256
+print(hmac_obj.hexdigest())
+
+
+hmac_obj = hmac.new(key, digestmod="sha256")
+hmac_obj.update(b"secret") # $ CryptographicOperation CryptographicOperationInput=b"secret" CryptographicOperationAlgorithm=SHA256
+hmac_obj.update(msg=b" message") # $ CryptographicOperation CryptographicOperationInput=b" message" CryptographicOperationAlgorithm=SHA256
+print(hmac_obj.hexdigest())
+
+
+hmac_obj = hmac.new(key, b"secret message", hashlib.sha256) # $ CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=SHA256
+print(hmac_obj.hexdigest())
+
+
+# like hmac.new
+hmac_obj = hmac.HMAC(key, digestmod="sha256")
+hmac_obj.update(b"secret message") # $ CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=SHA256
+print(hmac_obj.hexdigest())
+
+
+dig = hmac.digest(key, b"secret message", "sha256") # $ CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=SHA256
+print(dig)
+dig = hmac.digest(key, msg=b"secret message", digest="sha256") # $ CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=SHA256
+print(dig)