diff --git a/python/ql/test/TestUtilities/InlineExpectationsTest.qll b/python/ql/test/TestUtilities/InlineExpectationsTest.qll
index 40ed5d47efb..ad671cbef39 100644
--- a/python/ql/test/TestUtilities/InlineExpectationsTest.qll
+++ b/python/ql/test/TestUtilities/InlineExpectationsTest.qll
@@ -5,15 +5,5 @@
 private import python as PY
 private import codeql.util.test.InlineExpectationsTest
-
-private module Impl implements InlineExpectationsTestSig {
- /**
- * A class representing line comments in Python. As this is the only form of comment Python
- * permits, we simply reuse the `Comment` class.
- */
- class ExpectationComment = PY::Comment;
-
- class Location = PY::Location;
-}
-
+private import internal.InlineExpectationsTestImpl
 import Make
diff --git a/python/ql/test/TestUtilities/InlineExpectationsTestQuery.ql b/python/ql/test/TestUtilities/InlineExpectationsTestQuery.ql
new file mode 100644
index 00000000000..9ce5fdf326c
--- /dev/null
+++ b/python/ql/test/TestUtilities/InlineExpectationsTestQuery.ql
@@ -0,0 +1,21 @@
+/**
+ * @kind test-postprocess
+ */
+
+private import python
+private import codeql.util.test.InlineExpectationsTest as T
+private import internal.InlineExpectationsTestImpl
+import T::TestPostProcessing
+import T::TestPostProcessing::Make
+private module Input implements T::TestPostProcessing::InputSig {
+ string getRelativeUrl(Location location) {
+ exists(File f, int startline, int startcolumn, int endline, int endcolumn |
+ location.hasLocationInfo(_, startline, startcolumn, endline, endcolumn) and
+ f = location.getFile()
+ |
+ result =
+ f.getRelativePath() + ":" + startline + ":" + startcolumn + ":" + endline + ":" + endcolumn
+ )
+ }
+}
diff --git a/python/ql/test/TestUtilities/internal/InlineExpectationsTestImpl.qll b/python/ql/test/TestUtilities/internal/InlineExpectationsTestImpl.qll
new file mode 100644
index 00000000000..ea8faaeeae3
--- /dev/null
+++ b/python/ql/test/TestUtilities/internal/InlineExpectationsTestImpl.qll
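Review bot: `getRelativeUrl` has no result whenever `f.getRelativePath()` has none, which I believe is the case for files outside the source root, so a test result located in such a file would silently lose its URL rather than fail loudly; the path that `hasLocationInfo` binds is discarded via `_`, so it cannot serve as a fallback either. The predicate also carries no QLDoc; I would add `/** Gets the `path:startline:startcolumn:endline:endcolumn` URL of `location`, with the path relative to the source root. */` above it so the postprocess output format is stated where it is produced. The hunk covers the whole new file.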
@@ -0,0 +1,12 @@
+private import python as PY
+private import codeql.util.test.InlineExpectationsTest
+
+module Impl implements InlineExpectationsTestSig {
+ /**
+ * A class representing line comments in Python. As this is the only form of comment Python
+ * permits, we simply reuse the `Comment` class.
+ */
+ class ExpectationComment = PY::Comment;
+
+ class Location = PY::Location;
+}
diff --git a/python/ql/test/query-tests/Numerics/Pythagorean.qlref b/python/ql/test/query-tests/Numerics/Pythagorean.qlref
index bc7326b415a..541bd35ac62 100644
--- a/python/ql/test/query-tests/Numerics/Pythagorean.qlref
+++ b/python/ql/test/query-tests/Numerics/Pythagorean.qlref
@@ -1 +1,2 @@
-Numerics/Pythagorean.ql
\ No newline at end of file
+query: Numerics/Pythagorean.ql
+postprocess: TestUtilities/InlineExpectationsTestQuery.ql
\ No newline at end of file
diff --git a/python/ql/test/query-tests/Numerics/pythagorean_test.py b/python/ql/test/query-tests/Numerics/pythagorean_test.py
index 2503a1d6c22..6dd005b55b3 100644
--- a/python/ql/test/query-tests/Numerics/pythagorean_test.py
+++ b/python/ql/test/query-tests/Numerics/pythagorean_test.py
@@ -3,12 +3,12 @@ from math import sqrt
 def withPow(a, b):
- return sqrt(a**2 + b**2)
+ return sqrt(a**2 + b**2) # $ Alert
 def withMul(a, b):
- return sqrt(a*a + b*b)
+ return sqrt(a*a + b*b) # $ Alert
 def withRef(a, b):
 a2 = a**2
 b2 = b*b
- return sqrt(a2 + b2)
\ No newline at end of file
+ return sqrt(a2 + b2) # $ Alert
\ No newline at end of file
diff --git a/python/ql/test/query-tests/Security/CWE-094-CodeInjection/CodeInjection.qlref b/python/ql/test/query-tests/Security/CWE-094-CodeInjection/CodeInjection.qlref
index fe9adbf3b64..0135c6787d4 100644
--- a/python/ql/test/query-tests/Security/CWE-094-CodeInjection/CodeInjection.qlref
+++ b/python/ql/test/query-tests/Security/CWE-094-CodeInjection/CodeInjection.qlref
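Review bot: `Impl` is now a non-private module in a new file under `internal/`, imported by both `InlineExpectationsTest.qll` and `InlineExpectationsTestQuery.ql`, yet neither the file nor the module carries any QLDoc saying that it is an implementation detail shared by those two entry points. I would add a file-level comment such as `/** Shared `InlineExpectationsTestSig` implementation for Python; import `InlineExpectationsTest.qll` rather than this file. */` and a one-line QLDoc on `module Impl`. The module body is moved verbatim from `InlineExpectationsTest.qll`, so the existing comment on `ExpectationComment` still applies.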
@@ -1 +1,2 @@
-Security/CWE-094/CodeInjection.ql
+query: Security/CWE-094/CodeInjection.ql
+postprocess: TestUtilities/InlineExpectationsTestQuery.ql
diff --git a/python/ql/test/query-tests/Security/CWE-094-CodeInjection/code_injection.py b/python/ql/test/query-tests/Security/CWE-094-CodeInjection/code_injection.py
index 05dabe166cf..c775d01250c 100644
--- a/python/ql/test/query-tests/Security/CWE-094-CodeInjection/code_injection.py
+++ b/python/ql/test/query-tests/Security/CWE-094-CodeInjection/code_injection.py
@@ -1,13 +1,13 @@
-from flask import Flask, request
+from flask import Flask, request # $ Source=flask
 app = Flask(__name__)
 @app.route("/code-execution")
 def code_execution():
 code = request.args.get("code")
- exec(code) # NOT OK
- eval(code) # NOT OK
+ exec(code) # $ Alert=flask
+ eval(code) # $ Alert=flask
 cmd = compile(code, "", "exec")
- exec(cmd) # NOT OK
+ exec(cmd) # $ Alert=flask
 @app.route("/safe-code-execution")
@@ -18,5 +18,5 @@ def code_execution():
 obj_name = request.args.get("obj")
 if obj_name == "foo" or obj_name == "bar":
 # TODO: Should not alert on this
- obj = eval(obj_name) # OK
+ obj = eval(obj_name) # $ SPURIOUS: Alert=flask
 print(obj, obj*10)
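Review bot: In the second hunk of `code_injection.py` the pre-existing `# TODO: Should not alert on this` and the new `# $ SPURIOUS: Alert=flask` now state the same expectation on adjacent lines without recording why the result is considered spurious; the guard `if obj_name == "foo" or obj_name == "bar":` visible just above is what constrains the value, so the TODO could name it, e.g. `# TODO: equality check against constant strings should sanitize obj_name; the alert below is marked SPURIOUS until it does`. If, as I understand the expectation format, a `SPURIOUS` result that disappears makes the test fail, keeping the reason next to the annotation tells the next maintainer to remove the annotation rather than restore the alert. The enclosing function of that hunk starts outside the hunk.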