mirror of
https://github.com/github/codeql.git
synced 2025-12-22 11:46:32 +01:00
add tests
This commit is contained in:
Alvaro Muñoz
@@ -33,3 +33,5 @@ async def test():
|
|||||||
assert context.verify_mode == ssl.VerifyMode.CERT_NONE
|
assert context.verify_mode == ssl.VerifyMode.CERT_NONE
|
||||||
|
|
||||||
s.get("url", ssl=context) # $ clientRequestUrlPart="url" MISSING: clientRequestCertValidationDisabled
|
s.get("url", ssl=context) # $ clientRequestUrlPart="url" MISSING: clientRequestCertValidationDisabled
|
||||||
|
|
||||||
|
s.ws_connect("url") # $ clientRequestUrlPart="url"
|
||||||
|
|||||||
@@ -23,6 +23,12 @@ async def html_text(request): # $ requestHandler
|
|||||||
async def html_body(request): # $ requestHandler
|
async def html_body(request): # $ requestHandler
|
||||||
return web.Response(body=b"foo", content_type="text/html") # $ HttpResponse mimetype=text/html responseBody=b"foo"
|
return web.Response(body=b"foo", content_type="text/html") # $ HttpResponse mimetype=text/html responseBody=b"foo"
|
||||||
|
|
||||||
|
@routes.get("/html_body_header") # $ routeSetup="/html_body_header"
|
||||||
|
async def html_body_header(request): # $ requestHandler
|
||||||
|
return web.Response(
|
||||||
|
headers={"content-type": "text/html"},
|
||||||
|
text="<script>window.close()</script>Success! This window can be closed",
|
||||||
|
)
|
||||||
|
|
||||||
@routes.get("/html_body_set_later") # $ routeSetup="/html_body_set_later"
|
@routes.get("/html_body_set_later") # $ routeSetup="/html_body_set_later"
|
||||||
async def html_body_set_later(request): # $ requestHandler
|
async def html_body_set_later(request): # $ requestHandler
|
||||||
@@ -65,6 +71,11 @@ async def redirect_302(request): # $ requestHandler
|
|||||||
else:
|
else:
|
||||||
raise web.HTTPFound(location="/logout") # $ HttpResponse HttpRedirectResponse mimetype=application/octet-stream redirectLocation="/logout"
|
raise web.HTTPFound(location="/logout") # $ HttpResponse HttpRedirectResponse mimetype=application/octet-stream redirectLocation="/logout"
|
||||||
|
|
||||||
|
@routes.get("/serve_file") # $ routeSetup="/serve_file"
|
||||||
|
async def serve_file(request): # $ requestHandler
|
||||||
|
filename = request.query.getone("filename"),
|
||||||
|
return web.FileResponse(filename) # $ HttpResponse mimetype=application/octet-stream
|
||||||
|
|
||||||
################################################################################
|
################################################################################
|
||||||
# Cookies
|
# Cookies
|
||||||
################################################################################
|
################################################################################
|
||||||
|
|||||||
@@ -1,5 +1,134 @@
|
|||||||
from aiohttp import web
|
from aiohttp import web
|
||||||
|
|
||||||
|
async def test_heuristic_taint(request: web.Request):
|
||||||
|
ensure_tainted(
|
||||||
|
# see https://docs.aiohttp.org/en/stable/web_reference.html#request-and-base-request
|
||||||
|
request, # $ tainted
|
||||||
|
|
||||||
|
# yarl.URL (see `yarl` framework tests)
|
||||||
|
request.url, # $ tainted
|
||||||
|
request.url.human_repr(), # $ tainted
|
||||||
|
request.rel_url, # $ tainted
|
||||||
|
request.rel_url.human_repr(), # $ tainted
|
||||||
|
|
||||||
|
request.forwarded, # $ tainted
|
||||||
|
|
||||||
|
request.host, # $ tainted
|
||||||
|
request.remote, # $ tainted
|
||||||
|
request.path, # $ tainted
|
||||||
|
request.path_qs, # $ tainted
|
||||||
|
request.raw_path, # $ tainted
|
||||||
|
|
||||||
|
# dict-like for captured parts of the URL
|
||||||
|
request.match_info, # $ tainted
|
||||||
|
request.match_info["key"], # $ tainted
|
||||||
|
request.match_info.get("key"), # $ tainted
|
||||||
|
|
||||||
|
# multidict.MultiDictProxy[str] (see `multidict` framework tests)
|
||||||
|
request.query, # $ tainted
|
||||||
|
request.query.getone("key"), # $ tainted
|
||||||
|
|
||||||
|
# multidict.CIMultiDictProxy[str] (see `multidict` framework tests)
|
||||||
|
request.headers, # $ tainted
|
||||||
|
request.headers.getone("key"), # $ tainted
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# dict-like (readonly)
|
||||||
|
request.cookies, # $ tainted
|
||||||
|
request.cookies["key"], # $ tainted
|
||||||
|
request.cookies.get("key"), # $ tainted
|
||||||
|
request.cookies.keys(), # $ tainted
|
||||||
|
request.cookies.values(), # $ tainted
|
||||||
|
request.cookies.items(), # $ tainted
|
||||||
|
list(request.cookies), # $ tainted
|
||||||
|
iter(request.cookies), # $ tainted
|
||||||
|
|
||||||
|
|
||||||
|
# aiohttp.StreamReader
|
||||||
|
# see https://docs.aiohttp.org/en/stable/streams.html#aiohttp.StreamReader
|
||||||
|
request.content, # $ tainted
|
||||||
|
await request.content.read(), # $ tainted
|
||||||
|
await request.content.readany(), # $ tainted
|
||||||
|
await request.content.readexactly(42), # $ tainted
|
||||||
|
await request.content.readline(), # $ tainted
|
||||||
|
await request.content.readchunk(), # $ tainted
|
||||||
|
(await request.content.readchunk())[0], # $ tainted
|
||||||
|
[line async for line in request.content], # $ tainted
|
||||||
|
[data async for data in request.content.iter_chunked(1024)], # $ tainted
|
||||||
|
[data async for data in request.content.iter_any()], # $ tainted
|
||||||
|
[data async for data, _ in request.content.iter_chunks()], # $ tainted
|
||||||
|
request.content.read_nowait(), # $ tainted
|
||||||
|
|
||||||
|
# aiohttp.StreamReader
|
||||||
|
request._payload, # $ tainted
|
||||||
|
await request._payload.readany(), # $ tainted
|
||||||
|
|
||||||
|
request.content_type, # $ tainted
|
||||||
|
request.charset, # $ tainted
|
||||||
|
|
||||||
|
request.http_range, # $ tainted
|
||||||
|
|
||||||
|
# Optional[datetime]
|
||||||
|
request.if_modified_since, # $ tainted
|
||||||
|
request.if_unmodified_since, # $ tainted
|
||||||
|
request.if_range, # $ tainted
|
||||||
|
|
||||||
|
request.clone(scheme="https"), # $ tainted
|
||||||
|
|
||||||
|
# asyncio.Transport
|
||||||
|
# https://docs.python.org/3/library/asyncio-protocol.html#asyncio-transport
|
||||||
|
# example given in https://docs.aiohttp.org/en/stable/web_reference.html#aiohttp.web.BaseRequest.transport
|
||||||
|
# uses `peername` to get IP address of client
|
||||||
|
request.transport, # $ tainted
|
||||||
|
request.transport.get_extra_info("key"), # $ MISSING: tainted
|
||||||
|
|
||||||
|
# Like request.transport.get_extra_info
|
||||||
|
request.get_extra_info("key"), # $ tainted
|
||||||
|
|
||||||
|
# Like request.transport.get_extra_info
|
||||||
|
request.protocol.transport.get_extra_info("key"), # $ MISSING: tainted
|
||||||
|
|
||||||
|
# bytes
|
||||||
|
await request.read(), # $ tainted
|
||||||
|
|
||||||
|
# str
|
||||||
|
await request.text(), # $ tainted
|
||||||
|
|
||||||
|
# obj
|
||||||
|
await request.json(), # $ tainted
|
||||||
|
|
||||||
|
# aiohttp.multipart.MultipartReader
|
||||||
|
await request.multipart(), # $ tainted
|
||||||
|
|
||||||
|
# multidict.MultiDictProxy[str] (see `multidict` framework tests)
|
||||||
|
await request.post(), # $ tainted
|
||||||
|
(await request.post()).getone("key"), # $ tainted
|
||||||
|
)
|
||||||
|
|
||||||
|
# things that are technically controlled by sender of request,
|
||||||
|
# but doesn't seem that likely for exploitation.
|
||||||
|
ensure_not_tainted(
|
||||||
|
request.method,
|
||||||
|
request.version,
|
||||||
|
request.scheme,
|
||||||
|
request.secure,
|
||||||
|
request.keep_alive,
|
||||||
|
|
||||||
|
request.content_length,
|
||||||
|
request.body_exists,
|
||||||
|
request.has_body,
|
||||||
|
request.can_read_body,
|
||||||
|
)
|
||||||
|
|
||||||
|
ensure_not_tainted(
|
||||||
|
request.loop,
|
||||||
|
|
||||||
|
request.app,
|
||||||
|
request.config_dict,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
async def test_taint(request: web.Request): # $ requestHandler
|
async def test_taint(request: web.Request): # $ requestHandler
|
||||||
|
|
||||||
ensure_tainted(
|
ensure_tainted(
|
||||||
|
|||||||
Reference in New Issue
Block a user