Python: Copy old flask tests to new dataflow setup

Rasmus Wriedt Larsen
2020-09-30 14:33:14 +02:00
parent 339c0721c5
commit d7526c40ba
3 changed files with 165 additions and 98 deletions


@@ -1,98 +1,98 @@
| test.py:6 | fail | test_taint | name |
| test.py:6 | fail | test_taint | number |
| test.py:7 | ok | test_taint | foo |
| test.py:14 | ok | test_taint | request.environ |
| test.py:15 | ok | test_taint | request.environ.get(..) |
| test.py:17 | ok | test_taint | request.path |
| test.py:18 | ok | test_taint | request.full_path |
| test.py:19 | ok | test_taint | request.base_url |
| test.py:20 | ok | test_taint | request.url |
| test.py:23 | fail | test_taint | request.accept_charsets.best |
| test.py:24 | fail | test_taint | request.accept_charsets.best_match(..) |
| test.py:25 | ok | test_taint | request.accept_charsets[0] |
| test.py:26 | ok | test_taint | request.accept_encodings |
| test.py:27 | ok | test_taint | request.accept_languages |
| test.py:28 | ok | test_taint | request.accept_mimetypes |
| test.py:31 | ok | test_taint | request.access_control_request_headers |
| test.py:33 | ok | test_taint | request.access_control_request_method |
| test.py:35 | ok | test_taint | request.access_route |
| test.py:36 | ok | test_taint | request.access_route[0] |
| test.py:39 | ok | test_taint | request.args |
| test.py:40 | ok | test_taint | request.args['key'] |
| test.py:41 | ok | test_taint | request.args.getlist(..) |
| test.py:44 | ok | test_taint | request.authorization |
| test.py:45 | ok | test_taint | request.authorization['username'] |
| test.py:46 | fail | test_taint | request.authorization.username |
| test.py:49 | ok | test_taint | request.cache_control |
| test.py:51 | fail | test_taint | request.cache_control.max_age |
| test.py:52 | fail | test_taint | request.cache_control.max_stale |
| test.py:53 | fail | test_taint | request.cache_control.min_fresh |
| test.py:55 | ok | test_taint | request.content_encoding |
| test.py:57 | ok | test_taint | request.content_md5 |
| test.py:59 | ok | test_taint | request.content_type |
| test.py:62 | ok | test_taint | request.cookies |
| test.py:63 | ok | test_taint | request.cookies['key'] |
| test.py:65 | ok | test_taint | request.data |
| test.py:68 | ok | test_taint | request.files |
| test.py:69 | ok | test_taint | request.files['key'] |
| test.py:70 | fail | test_taint | request.files['key'].filename |
| test.py:71 | fail | test_taint | request.files['key'].stream |
| test.py:72 | ok | test_taint | request.files.getlist(..) |
| test.py:73 | fail | test_taint | request.files.getlist(..)[0].filename |
| test.py:74 | fail | test_taint | request.files.getlist(..)[0].stream |
| test.py:77 | ok | test_taint | request.form |
| test.py:78 | ok | test_taint | request.form['key'] |
| test.py:79 | ok | test_taint | request.form.getlist(..) |
| test.py:81 | ok | test_taint | request.get_data() |
| test.py:83 | ok | test_taint | request.get_json() |
| test.py:84 | ok | test_taint | request.get_json()['foo'] |
| test.py:85 | ok | test_taint | request.get_json()['foo']['bar'] |
| test.py:89 | ok | test_taint | request.headers |
| test.py:90 | ok | test_taint | request.headers['key'] |
| test.py:91 | fail | test_taint | request.headers.get_all(..) |
| test.py:92 | fail | test_taint | request.headers.getlist(..) |
| test.py:93 | ok | test_taint | list(..) |
| test.py:94 | fail | test_taint | request.headers.to_wsgi_list() |
| test.py:96 | ok | test_taint | request.json |
| test.py:97 | ok | test_taint | request.json['foo'] |
| test.py:98 | ok | test_taint | request.json['foo']['bar'] |
| test.py:100 | ok | test_taint | request.method |
| test.py:102 | ok | test_taint | request.mimetype |
| test.py:104 | ok | test_taint | request.mimetype_params |
| test.py:106 | ok | test_taint | request.origin |
| test.py:109 | ok | test_taint | request.pragma |
| test.py:111 | ok | test_taint | request.query_string |
| test.py:113 | ok | test_taint | request.referrer |
| test.py:115 | ok | test_taint | request.remote_addr |
| test.py:117 | ok | test_taint | request.remote_user |
| test.py:120 | ok | test_taint | request.stream |
| test.py:121 | ok | test_taint | request.input_stream |
| test.py:123 | ok | test_taint | request.url |
| test.py:125 | ok | test_taint | request.user_agent |
| test.py:128 | ok | test_taint | request.values |
| test.py:129 | ok | test_taint | request.values['key'] |
| test.py:130 | ok | test_taint | request.values.getlist(..) |
| test.py:133 | ok | test_taint | request.view_args |
| test.py:134 | ok | test_taint | request.view_args['key'] |
| test.py:138 | ok | test_taint | request.script_root |
| test.py:139 | ok | test_taint | request.url_root |
| test.py:143 | ok | test_taint | request.charset |
| test.py:144 | ok | test_taint | request.url_charset |
| test.py:148 | ok | test_taint | request.date |
| test.py:151 | ok | test_taint | request.endpoint |
| test.py:156 | ok | test_taint | request.host |
| test.py:157 | ok | test_taint | request.host_url |
| test.py:159 | ok | test_taint | request.scheme |
| test.py:161 | ok | test_taint | request.script_root |
| test.py:169 | ok | test_taint | request.args |
| test.py:170 | ok | test_taint | a |
| test.py:171 | ok | test_taint | b |
| test.py:173 | ok | test_taint | request.args['key'] |
| test.py:174 | ok | test_taint | a['key'] |
| test.py:175 | ok | test_taint | b['key'] |
| test.py:177 | ok | test_taint | request.args.getlist(..) |
| test.py:178 | ok | test_taint | a.getlist(..) |
| test.py:179 | ok | test_taint | b.getlist(..) |
| test.py:180 | ok | test_taint | gl(..) |
| test.py:187 | ok | test_taint | req.path |
| test.py:188 | ok | test_taint | gd() |
| taint_test.py:6 | fail | test_taint | name |
| taint_test.py:6 | fail | test_taint | number |
| taint_test.py:7 | ok | test_taint | foo |
| taint_test.py:14 | ok | test_taint | request.environ |
| taint_test.py:15 | ok | test_taint | request.environ.get(..) |
| taint_test.py:17 | ok | test_taint | request.path |
| taint_test.py:18 | ok | test_taint | request.full_path |
| taint_test.py:19 | ok | test_taint | request.base_url |
| taint_test.py:20 | ok | test_taint | request.url |
| taint_test.py:23 | fail | test_taint | request.accept_charsets.best |
| taint_test.py:24 | fail | test_taint | request.accept_charsets.best_match(..) |
| taint_test.py:25 | ok | test_taint | request.accept_charsets[0] |
| taint_test.py:26 | ok | test_taint | request.accept_encodings |
| taint_test.py:27 | ok | test_taint | request.accept_languages |
| taint_test.py:28 | ok | test_taint | request.accept_mimetypes |
| taint_test.py:31 | ok | test_taint | request.access_control_request_headers |
| taint_test.py:33 | ok | test_taint | request.access_control_request_method |
| taint_test.py:35 | ok | test_taint | request.access_route |
| taint_test.py:36 | ok | test_taint | request.access_route[0] |
| taint_test.py:39 | ok | test_taint | request.args |
| taint_test.py:40 | ok | test_taint | request.args['key'] |
| taint_test.py:41 | ok | test_taint | request.args.getlist(..) |
| taint_test.py:44 | ok | test_taint | request.authorization |
| taint_test.py:45 | ok | test_taint | request.authorization['username'] |
| taint_test.py:46 | fail | test_taint | request.authorization.username |
| taint_test.py:49 | ok | test_taint | request.cache_control |
| taint_test.py:51 | fail | test_taint | request.cache_control.max_age |
| taint_test.py:52 | fail | test_taint | request.cache_control.max_stale |
| taint_test.py:53 | fail | test_taint | request.cache_control.min_fresh |
| taint_test.py:55 | ok | test_taint | request.content_encoding |
| taint_test.py:57 | ok | test_taint | request.content_md5 |
| taint_test.py:59 | ok | test_taint | request.content_type |
| taint_test.py:62 | ok | test_taint | request.cookies |
| taint_test.py:63 | ok | test_taint | request.cookies['key'] |
| taint_test.py:65 | ok | test_taint | request.data |
| taint_test.py:68 | ok | test_taint | request.files |
| taint_test.py:69 | ok | test_taint | request.files['key'] |
| taint_test.py:70 | fail | test_taint | request.files['key'].filename |
| taint_test.py:71 | fail | test_taint | request.files['key'].stream |
| taint_test.py:72 | ok | test_taint | request.files.getlist(..) |
| taint_test.py:73 | fail | test_taint | request.files.getlist(..)[0].filename |
| taint_test.py:74 | fail | test_taint | request.files.getlist(..)[0].stream |
| taint_test.py:77 | ok | test_taint | request.form |
| taint_test.py:78 | ok | test_taint | request.form['key'] |
| taint_test.py:79 | ok | test_taint | request.form.getlist(..) |
| taint_test.py:81 | ok | test_taint | request.get_data() |
| taint_test.py:83 | ok | test_taint | request.get_json() |
| taint_test.py:84 | ok | test_taint | request.get_json()['foo'] |
| taint_test.py:85 | ok | test_taint | request.get_json()['foo']['bar'] |
| taint_test.py:89 | ok | test_taint | request.headers |
| taint_test.py:90 | ok | test_taint | request.headers['key'] |
| taint_test.py:91 | fail | test_taint | request.headers.get_all(..) |
| taint_test.py:92 | fail | test_taint | request.headers.getlist(..) |
| taint_test.py:93 | ok | test_taint | list(..) |
| taint_test.py:94 | fail | test_taint | request.headers.to_wsgi_list() |
| taint_test.py:96 | ok | test_taint | request.json |
| taint_test.py:97 | ok | test_taint | request.json['foo'] |
| taint_test.py:98 | ok | test_taint | request.json['foo']['bar'] |
| taint_test.py:100 | ok | test_taint | request.method |
| taint_test.py:102 | ok | test_taint | request.mimetype |
| taint_test.py:104 | ok | test_taint | request.mimetype_params |
| taint_test.py:106 | ok | test_taint | request.origin |
| taint_test.py:109 | ok | test_taint | request.pragma |
| taint_test.py:111 | ok | test_taint | request.query_string |
| taint_test.py:113 | ok | test_taint | request.referrer |
| taint_test.py:115 | ok | test_taint | request.remote_addr |
| taint_test.py:117 | ok | test_taint | request.remote_user |
| taint_test.py:120 | ok | test_taint | request.stream |
| taint_test.py:121 | ok | test_taint | request.input_stream |
| taint_test.py:123 | ok | test_taint | request.url |
| taint_test.py:125 | ok | test_taint | request.user_agent |
| taint_test.py:128 | ok | test_taint | request.values |
| taint_test.py:129 | ok | test_taint | request.values['key'] |
| taint_test.py:130 | ok | test_taint | request.values.getlist(..) |
| taint_test.py:133 | ok | test_taint | request.view_args |
| taint_test.py:134 | ok | test_taint | request.view_args['key'] |
| taint_test.py:138 | ok | test_taint | request.script_root |
| taint_test.py:139 | ok | test_taint | request.url_root |
| taint_test.py:143 | ok | test_taint | request.charset |
| taint_test.py:144 | ok | test_taint | request.url_charset |
| taint_test.py:148 | ok | test_taint | request.date |
| taint_test.py:151 | ok | test_taint | request.endpoint |
| taint_test.py:156 | ok | test_taint | request.host |
| taint_test.py:157 | ok | test_taint | request.host_url |
| taint_test.py:159 | ok | test_taint | request.scheme |
| taint_test.py:161 | ok | test_taint | request.script_root |
| taint_test.py:169 | ok | test_taint | request.args |
| taint_test.py:170 | ok | test_taint | a |
| taint_test.py:171 | ok | test_taint | b |
| taint_test.py:173 | ok | test_taint | request.args['key'] |
| taint_test.py:174 | ok | test_taint | a['key'] |
| taint_test.py:175 | ok | test_taint | b['key'] |
| taint_test.py:177 | ok | test_taint | request.args.getlist(..) |
| taint_test.py:178 | ok | test_taint | a.getlist(..) |
| taint_test.py:179 | ok | test_taint | b.getlist(..) |
| taint_test.py:180 | ok | test_taint | gl(..) |
| taint_test.py:187 | ok | test_taint | req.path |
| taint_test.py:188 | ok | test_taint | gd() |


@@ -0,0 +1,67 @@
import flask
from flask import Flask, request, make_response
app = Flask(__name__)
@app.route("/")
def hello_world():
return "Hello World!"
from flask.views import MethodView
class MyView(MethodView):
def get(self, user_id):
if user_id is None:
# return a list of users
pass
else:
# expose a single user
pass
the_view = MyView.as_view('my_view')
app.add_url_rule('/the/', defaults={'user_id': None},
view_func=the_view, methods=['GET',])
@app.route("/dangerous")
def dangerous():
return request.args.get('payload')
@app.route("/dangerous-with-cfg-split")
def dangerous2():
x = request.form['param0']
if request.method == "POST":
return request.form['param1']
return None
@app.route('/unsafe')
def unsafe():
first_name = request.args.get('name', '')
return make_response("Your name is " + first_name)
@app.route('/safe')
def safe():
first_name = request.args.get('name', '')
return make_response("Your name is " + escape(first_name))
@app.route('/hello/<name>')
def hello(name):
return make_response("Your name is " + name)
@app.route('/foo/<path:subpath>')
def foo(subpath):
return make_response("The subpath is " + subpath)
@app.route('/multiple/') # TODO: not recognized as route
@app.route('/multiple/foo/<foo>') # TODO: not recognized as route
@app.route('/multiple/bar/<bar>')
def multiple(foo=None, bar=None):
return make_response("foo={!r} bar={!r}".format(foo, bar))
@app.route('/complex/<string(length=2):lang_code>')
def complex(lang_code):
return make_response("lang_code {}".format(lang_code))
if __name__ == "__main__":
app.run(debug=True)
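Review bot: `escape` is called in `safe()` but never imported; the file only brings in `flask` and `Flask, request, make_response`. The `/safe` handler would therefore raise NameError if run, and an analysis that resolves names through imports may not tie the call to a known HTML-escaping function. If this route is meant to be the sanitized counterpart of `/unsafe`, add `from markupsafe import escape` next to the existing flask imports so the negative case tests what it claims to. Separately, a short comment above `app.run(debug=True)` such as `# test fixture only: debug=True enables the interactive Werkzeug debugger` would make clear that the setting is deliberate and not a pattern to copy.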