From ee1ba71e5da4e0730d43de9571489e8912e2dc8d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= <pwntester@github.com>
Date: Thu, 13 Jul 2023 13:07:12 +0200
Subject: [PATCH] add tests

---
 .../frameworks/aiohttp/client_request.py      |   2 +
 .../frameworks/aiohttp/response_test.py       |  11 ++
 .../frameworks/aiohttp/taint_test.py          | 129 ++++++++++++++++++
 3 files changed, 142 insertions(+)

diff --git a/python/ql/test/library-tests/frameworks/aiohttp/client_request.py b/python/ql/test/library-tests/frameworks/aiohttp/client_request.py
index 1bafb4ef583..d7958cf660f 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/client_request.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/client_request.py
@@ -33,3 +33,5 @@ async def test():
     assert context.verify_mode == ssl.VerifyMode.CERT_NONE
 
     s.get("url", ssl=context) # $ clientRequestUrlPart="url" MISSING: clientRequestCertValidationDisabled
+
+    s.ws_connect("url") # $ clientRequestUrlPart="url"
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/response_test.py b/python/ql/test/library-tests/frameworks/aiohttp/response_test.py
index e800c28234a..dc7b3699cbf 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/response_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/response_test.py
@@ -23,6 +23,12 @@ async def html_text(request): # $ requestHandler
 async def html_body(request): # $ requestHandler
     return web.Response(body=b"foo", content_type="text/html") # $ HttpResponse mimetype=text/html responseBody=b"foo"
 
+@routes.get("/html_body_header") # $ routeSetup="/html_body_header"
+async def html_body_header(request): # $ requestHandler
+    return web.Response(
+        headers={"content-type": "text/html"},
+        text="<script>window.close()</script>Success! This window can be closed",
+    )
 
 @routes.get("/html_body_set_later") # $ routeSetup="/html_body_set_later"
 async def html_body_set_later(request): # $ requestHandler
@@ -65,6 +71,11 @@ async def redirect_302(request): # $ requestHandler
     else:
         raise web.HTTPFound(location="/logout") # $ HttpResponse HttpRedirectResponse mimetype=application/octet-stream redirectLocation="/logout"
 
+@routes.get("/serve_file") # $ routeSetup="/serve_file"
+async def serve_file(request): # $ requestHandler
+    filename = request.query.getone("filename"),
+    return web.FileResponse(filename) # $ HttpResponse mimetype=application/octet-stream
+
 ################################################################################
 # Cookies
 ################################################################################
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
index 54da5726803..bca7a4d1471 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
@@ -1,5 +1,134 @@
 from aiohttp import web
 
+async def test_heuristic_taint(request: web.Request):
+    ensure_tainted(
+        # see https://docs.aiohttp.org/en/stable/web_reference.html#request-and-base-request
+        request, # $ tainted
+
+        # yarl.URL (see `yarl` framework tests)
+        request.url, # $ tainted
+        request.url.human_repr(), # $ tainted
+        request.rel_url, # $ tainted
+        request.rel_url.human_repr(), # $ tainted
+
+        request.forwarded, # $ tainted
+
+        request.host, # $ tainted
+        request.remote, # $ tainted
+        request.path, # $ tainted
+        request.path_qs, # $ tainted
+        request.raw_path, # $ tainted
+
+        # dict-like for captured parts of the URL
+        request.match_info, # $ tainted
+        request.match_info["key"], # $ tainted
+        request.match_info.get("key"), # $ tainted
+
+        # multidict.MultiDictProxy[str] (see `multidict` framework tests)
+        request.query, # $ tainted
+        request.query.getone("key"), # $ tainted
+
+        # multidict.CIMultiDictProxy[str] (see `multidict` framework tests)
+        request.headers, # $ tainted
+        request.headers.getone("key"), # $ tainted
+
+
+
+        # dict-like (readonly)
+        request.cookies, # $ tainted
+        request.cookies["key"], # $ tainted
+        request.cookies.get("key"), # $ tainted
+        request.cookies.keys(), # $ tainted
+        request.cookies.values(), # $ tainted
+        request.cookies.items(), # $ tainted
+        list(request.cookies), # $ tainted
+        iter(request.cookies), # $ tainted
+
+
+        # aiohttp.StreamReader
+        # see https://docs.aiohttp.org/en/stable/streams.html#aiohttp.StreamReader
+        request.content, # $ tainted
+        await request.content.read(), # $ tainted
+        await request.content.readany(), # $ tainted
+        await request.content.readexactly(42), # $ tainted
+        await request.content.readline(), # $ tainted
+        await request.content.readchunk(), # $ tainted
+        (await request.content.readchunk())[0], # $ tainted
+        [line async for line in request.content], # $ tainted
+        [data async for data in request.content.iter_chunked(1024)], # $ tainted
+        [data async for data in request.content.iter_any()], # $ tainted
+        [data async for data, _ in request.content.iter_chunks()], # $ tainted
+        request.content.read_nowait(), # $ tainted
+
+        # aiohttp.StreamReader
+        request._payload, # $ tainted
+        await request._payload.readany(), # $ tainted
+
+        request.content_type, # $ tainted
+        request.charset, # $ tainted
+
+        request.http_range, # $ tainted
+
+        # Optional[datetime]
+        request.if_modified_since, # $ tainted
+        request.if_unmodified_since, # $ tainted
+        request.if_range, # $ tainted
+
+        request.clone(scheme="https"), # $ tainted
+
+        # asyncio.Transport
+        # https://docs.python.org/3/library/asyncio-protocol.html#asyncio-transport
+        # example given in https://docs.aiohttp.org/en/stable/web_reference.html#aiohttp.web.BaseRequest.transport
+        # uses `peername` to get IP address of client
+        request.transport, # $ tainted
+        request.transport.get_extra_info("key"), # $ MISSING: tainted
+
+        # Like request.transport.get_extra_info
+        request.get_extra_info("key"), # $ tainted
+
+        # Like request.transport.get_extra_info
+        request.protocol.transport.get_extra_info("key"), # $ MISSING: tainted
+
+        # bytes
+        await request.read(), # $ tainted
+
+        # str
+        await request.text(), # $ tainted
+
+        # obj
+        await request.json(), # $ tainted
+
+        # aiohttp.multipart.MultipartReader
+        await request.multipart(), # $ tainted
+
+        # multidict.MultiDictProxy[str] (see `multidict` framework tests)
+        await request.post(), # $ tainted
+        (await request.post()).getone("key"), # $ tainted
+    )
+
+    # things that are technically controlled by sender of request,
+    # but doesn't seem that likely for exploitation.
+    ensure_not_tainted(
+        request.method,
+        request.version,
+        request.scheme,
+        request.secure,
+        request.keep_alive,
+
+        request.content_length,
+        request.body_exists,
+        request.has_body,
+        request.can_read_body,
+    )
+
+    ensure_not_tainted(
+        request.loop,
+
+        request.app,
+        request.config_dict,
+    )
+
+
 async def test_taint(request: web.Request): # $ requestHandler
 
     ensure_tainted(