Move tests and qlref to test/

python/ql/src/experimental/Security/CWE-079/unit_tests/ReflectedXSS.qlref

@@ -1 +0,0 @@
-experimental/Security/CWE-079/ReflectedXSS.ql

python/ql/src/experimental/Security/CWE-079/unit_tests/flask_mail.py

@@ -1,33 +0,0 @@
-# https://pythonhosted.org/Flask-Mail/
-# https://github.com/mattupstate/flask-mail/blob/1709c70d839a7cc7b1f7eeb97333b71cd420fe32/flask_mail.py#L239
-
-from flask_mail import Mail, Message
-
-app = Flask(__name__)
-mail = Mail(app)
-
-@app.route("/send")
-def send():
-  msg = Message(subject="Subject",
-                sender="from@example.com",
-                recipients=["to@example.com"],
-                body="body",
-                html=request.args["html"])
-
-  # The message can contain a body and/or HTML:
-  msg.body = "body"
-  msg.html = request.args["html"]
-
-  mail.send(msg)
-
-@app.route("/connect")
-def connect():
-  """
-  Minimal example to test mail.connect() usage
-  """
-  with mail.connect() as conn:
-    msg = Message(subject="Subject",
-                  sender="from@example.com",
-                  recipients=["to@example.com"],
-                  html=request.args["html"])
-    conn.send(msg)

python/ql/src/experimental/Security/CWE-079/unit_tests/sendgrid_mail_helper_content_bad.py

@@ -1,16 +0,0 @@
-# This tests that the developer doesn't pass content via the Content class initializer.
-# source:https://github.com/sendgrid/sendgrid-python
-
-import sendgrid
-import os
-from sendgrid.helpers.mail import *
-
-sg = sendgrid.SendGridAPIClient(api_key=os.environ.get('SENDGRID_API_KEY'))
-from_email = Email("test@example.com")
-to_email = To("test@example.com")
-subject = "Sending with SendGrid is Fun"
-content = Content("text/html", "and <b>easy</b> to do anywhere, even with Python") # Content can also take the MimeType.html as the first arg here. Need to create a separate example for this.
-
-mail = Mail(from_email, to_email, subject, content)
-
-response = sg.client.mail.send.post(request_body=mail.get())

python/ql/src/experimental/Security/CWE-079/unit_tests/sendgrid_via_mail_send_post_request_body_bad.py

@@ -1,148 +0,0 @@
-# This tests that the developer doesn't pass tainted user data into the mail.send.post() method in the SendGrid library.
-# source :https://github.com/sendgrid/sendgrid-python
-import sendgrid
-import os
-
-
-sg = sendgrid.SendGridAPIClient(os.environ.get('SENDGRID_API_KEY'))
-
-data = {
-    "asm": {
-        "group_id": 1,
-        "groups_to_display": [
-            1,
-            2,
-            3
-        ]
-    },
-    "attachments": [
-        {
-            "content": "[BASE64 encoded content block here]",
-            "content_id": "ii_139db99fdb5c3704",
-            "disposition": "inline",
-            "filename": "file1.jpg",
-            "name": "file1",
-            "type": "jpg"
-        }
-    ],
-    "batch_id": "[YOUR BATCH ID GOES HERE]",
-    "categories": [
-        "category1",
-        "category2"
-    ],
-    "content": [
-        {
-            "type": "text/html",
-            "value": "<html><p>Hello, world!</p><img src=[CID GOES HERE]></img></html>"
-        }
-    ],
-    "custom_args": {
-        "New Argument 1": "New Value 1",
-        "activationAttempt": "1",
-        "customerAccountNumber": "[CUSTOMER ACCOUNT NUMBER GOES HERE]"
-    },
-    "from": {
-        "email": "sam.smith@example.com",
-        "name": "Sam Smith"
-    },
-    "headers": {},
-    "ip_pool_name": "[YOUR POOL NAME GOES HERE]",
-    "mail_settings": {
-        "bcc": {
-            "email": "ben.doe@example.com",
-            "enable": True
-        },
-        "bypass_list_management": {
-            "enable": True
-        },
-        "footer": {
-            "enable": True,
-            "html": "<p>Thanks</br>The SendGrid Team</p>",
-            "text": "Thanks,/n The SendGrid Team"
-        },
-        "sandbox_mode": {
-            "enable": False
-        },
-        "spam_check": {
-            "enable": True,
-            "post_to_url": "http://example.com/compliance",
-            "threshold": 3
-        }
-    },
-    "personalizations": [
-        {
-            "bcc": [
-                {
-                    "email": "sam.doe@example.com",
-                    "name": "Sam Doe"
-                }
-            ],
-            "cc": [
-                {
-                    "email": "jane.doe@example.com",
-                    "name": "Jane Doe"
-                }
-            ],
-            "custom_args": {
-                "New Argument 1": "New Value 1",
-                "activationAttempt": "1",
-                "customerAccountNumber": "[CUSTOMER ACCOUNT NUMBER GOES HERE]"
-            },
-            "headers": {
-                "X-Accept-Language": "en",
-                "X-Mailer": "MyApp"
-            },
-            "send_at": 1409348513,
-            "subject": "Hello, World!",
-            "substitutions": {
-                "id": "substitutions",
-                "type": "object"
-            },
-            "to": [
-                {
-                    "email": "john.doe@example.com",
-                    "name": "John Doe"
-                }
-            ]
-        }
-    ],
-    "reply_to": {
-        "email": "sam.smith@example.com",
-        "name": "Sam Smith"
-    },
-    "sections": {
-        "section": {
-            ":sectionName1": "section 1 text",
-            ":sectionName2": "section 2 text"
-        }
-    },
-    "send_at": 1409348513,
-    "subject": "Hello, World!",
-    "template_id": "[YOUR TEMPLATE ID GOES HERE]",
-    "tracking_settings": {
-        "click_tracking": {
-            "enable": True,
-            "enable_text": True
-        },
-        "ganalytics": {
-            "enable": True,
-            "utm_campaign": "[NAME OF YOUR REFERRER SOURCE]",
-            "utm_content": "[USE THIS SPACE TO DIFFERENTIATE YOUR EMAIL FROM ADS]",
-            "utm_medium": "[NAME OF YOUR MARKETING MEDIUM e.g. email]",
-            "utm_name": "[NAME OF YOUR CAMPAIGN]",
-            "utm_term": "[IDENTIFY PAID KEYWORDS HERE]"
-        },
-        "open_tracking": {
-            "enable": True,
-            "substitution_tag": "%opentrack"
-        },
-        "subscription_tracking": {
-            "enable": True,
-            "html": "If you would like to unsubscribe and stop receiving these emails <% clickhere %>.",
-            "substitution_tag": "<%click here%>",
-            "text": "If you would like to unsubscribe and stop receiving these emails <% click here %>."
-        }
-    }
-}
-
-response = sg.client.mail.send.post(request_body=data)

python/ql/src/experimental/Security/CWE-079/unit_tests/smtplib_bad_subparts.py

@@ -1,43 +0,0 @@
-# This test checks that the developer doesn't pass a MIMEText instance to a MIMEMultipart initializer via the subparts parameter.
-
-# source꞉  https꞉//www.programcreek.com/python/example/53141/email.MIMEMultipart.MIMEMultipart
-from flask import Flask, request
-import json
-import smtplib, ssl
-from email.mime.text import MIMEText
-from email.mime.multipart import MIMEMultipart
-
-app = Flask(__name__)
-
-@app.route("/")
-def email_person():
-    sender_email = "my@gmail.com"
-    receiver_email = "your@gmail.com"
-    password = input("Type your password and press enter:")
-
-    name = request.args['search']
-    # Create the plain-text and HTML version of your message
-    text = "hello there"
-    html = f"hello {name}"
-
-    # Turn these into plain/html MIMEText objects
-    part1 = MIMEText(text, "plain")
-    part2 = MIMEText(html, "html")
-
-    message = MIMEMultipart(_subparts=(part1, part2))
-    message["Subject"] = "multipart test"
-    message["From"] = sender_email
-    message["To"] = receiver_email
-
-    # Create secure connection with server and send email
-    context = ssl.create_default_context()
-    server = smtplib.SMTP_SSL("smtp.gmail.com", 465, context=context);
-    
-    server.login(sender_email, password)
-    server.sendmail(
-        sender_email, receiver_email, message.as_string()
-    )
-
-
-# if __name__ == "__main__":
-#     app.run(debug=True)

python/ql/src/experimental/Security/CWE-079/unit_tests/smtplib_bad_via_attach.py

@@ -1,47 +0,0 @@
-# This test checks that the developer doesn't pass a MIMEText instance to a MIMEMultipart message.
-# source꞉ https꞉//realpython.com/python-send-email/
-from flask import Flask, request
-import json
-import smtplib, ssl
-from email.mime.text import MIMEText
-from email.mime.multipart import MIMEMultipart
-
-app = Flask(__name__)
-
-@app.route("/")
-def email_person():
-    sender_email = "my@gmail.com"
-    receiver_email = "your@gmail.com"
-    password = input("Type your password and press enter:")
-
-    message = MIMEMultipart("alternative")
-    message["Subject"] = "multipart test"
-    message["From"] = sender_email
-    message["To"] = receiver_email
-
-    name = request.args['name']
-    # Create the plain-text and HTML version of your message
-    text = "hello there"
-    html = f"hello {name}" # here is the exploit. passing vulnerable data into the html portion of the email
-
-    # Turn these into plain/html MIMEText objects
-    part1 = MIMEText(text, "plain")
-    part2 = MIMEText(html, "html")
-
-    # Add HTML/plain-text parts to MIMEMultipart message
-    # The email client will try to render the last part first
-    message.attach(part1)
-    message.attach(part2)
-
-    # Create secure connection with server and send email
-    context = ssl.create_default_context()
-    server = smtplib.SMTP_SSL("smtp.gmail.com", 465, context=context)
-
-    server.login(sender_email, password)
-    server.sendmail(
-        sender_email, receiver_email, message.as_string()
-    )
-
-
-# if __name__ == "__main__":
-#     app.run(debug=True)