Python: FastAPI: Add tests with response parameter

2026-04-29 18:55:14 +02:00 · 2021-09-22 15:49:57 +02:00
parent 285de2b4c8
commit d34c5fd72f
2 changed files with 38 additions and 2 deletions
--- a/python/ql/test/library-tests/frameworks/fastapi/basic.py
+++ b/python/ql/test/library-tests/frameworks/fastapi/basic.py
@@ -60,7 +60,6 @@ async def get_baz(baz_id: int): # $ requestHandler routedParameter=baz_id
 # see https://fastapi.tiangolo.com/tutorial/path-params/

 # More stuff that we should support:
-# - https://fastapi.tiangolo.com/advanced/response-cookies/
 # - https://fastapi.tiangolo.com/tutorial/dependencies/
 # - Extra taint-steps for files
 #   - https://fastapi.tiangolo.com/tutorial/request-files/
--- a/python/ql/test/library-tests/frameworks/fastapi/response_test.py
+++ b/python/ql/test/library-tests/frameworks/fastapi/response_test.py
@@ -1 +1,38 @@
-# TODO: Add detailed tests of ways to create responses in this file.
+# see https://fastapi.tiangolo.com/advanced/response-cookies/
+
+from fastapi import FastAPI, Response
+
+
+app = FastAPI()
+
+
+@app.get("/response_parameter") # $ routeSetup="/response_parameter"
+async def response_parameter(response: Response): # $ requestHandler SPURIOUS: routedParameter=response
+    response.set_cookie("key", "value") # $ MISSING: CookieWrite CookieName="key" CookieValue="value"
+    response.set_cookie(key="key", value="value") # $ MISSING: CookieWrite CookieName="key" CookieValue="value"
+    response.headers.append("Set-Cookie", "key2=value2") # $ MISSING: CookieWrite CookieRawHeader="key2=value2"
+    response.headers.append(key="Set-Cookie", value="key2=value2") # $ MISSING: CookieWrite CookieRawHeader="key2=value2"
+    response.headers["X-MyHeader"] = "header-value"
+    response.status_code = 418
+    return {"message": "response as parameter"} # $ HttpResponse mimetype=application/json responseBody=Dict
+
+
+@app.get("/resp_parameter") # $ routeSetup="/resp_parameter"
+async def resp_parameter(resp: Response): # $ requestHandler SPURIOUS: routedParameter=resp
+    resp.status_code = 418
+    return {"message": "resp as parameter"} # $ HttpResponse mimetype=application/json responseBody=Dict
+
+
+@app.get("/response_parameter_no_type") # $ routeSetup="/response_parameter_no_type"
+async def response_parameter_no_type(response): # $ requestHandler routedParameter=response
+    # NOTE: This does in fact not work, since FastAPI relies on the type annotations,
+    # and not on the name of the parameter
+    response.status_code = 418
+    return {"message": "response as parameter"} # $ HttpResponse mimetype=application/json responseBody=Dict
+
+
+# Direct response
+
+# see https://fastapi.tiangolo.com/advanced/response-directly/
+
+# TODO