hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
tausbn/python-refine-location-of-flask-request-sources
codeql/python/ql/test/library-tests/frameworks/data/test.py
Rasmus Wriedt Larsen eed8b3e87b Python: Add more tests for MaD sources
2024-07-12 15:10:23 +02:00

134 lines
3.6 KiB
Python
Raw Permalink Blame History

from testlib import getSource, mySink, alias
x = getSource()
mySink(x)
mySink(foo=x) # OK
mySink(sinkName=x) # NOT OK
mySink(alias()) # NOT OK
mySink(alias().chain()) # NOT OK
mySink(alias().chain().chain()) # NOT OK
mySink(alias().chain().safeThing()) # OK
from testlib import Args
Args.arg0(one, two, three, four, five)
Args.arg1to3(one, two, three, four, five)
Args.lastarg(one, two, three, four, five)
Args.nonFist(first, second)
from testlib import Callbacks
Callbacks.first(lambda one, two, three, four, five: 0)
Callbacks.param1to3(lambda one, two, three, four, five: 0)
Callbacks.nonFirst(lambda first, second: 0)
from testlib import CallFilter
CallFilter.arityOne(one, two) # NO match
CallFilter.arityOne(one) # Match
CallFilter.twoOrMore(one) # NO match
CallFilter.twoOrMore(one, two) # Match
CallFilter.twoOrMore(one, two, three) # Match
from testlib import CommonTokens
async def async_func():
prom = CommonTokens.makePromise(1);
val = await prom
inst = CommonTokens.Class()
class SubClass (CommonTokens.Super):
pass
sub = SubClass()
class Sub2Class (CommonTokens.Class):
pass
sub2 = Sub2Class()
val = inst.foo()
from testlib import ArgPos
arg_pos = ArgPos(); val = arg_pos.self_thing(arg, named=2);
class SubClass (ArgPos.MyClass):
def foo(self, arg, named=2, otherName=3):
pass
def secondAndAfter(self, arg1, arg2, arg3, arg4, arg5):
pass
ArgPos.anyParam(arg1, arg2, name=namedThing)
ArgPos.anyNamed(arg4, arg5, name=secondNamed)
from testlib import Steps
mySink(Steps.preserveTaint(getSource())) # FLOW
mySink(Steps.preserveTaint("safe", getSource())) # NO FLOW
Steps.taintIntoCallback(
getSource(),
lambda x: mySink(x), # FLOW
lambda y: mySink(y), # FLOW
lambda z: mySink(z) # NO FLOW
)
mySink(Steps.preserveArgZeroAndTwo(getSource())) # FLOW
mySink(Steps.preserveArgZeroAndTwo("foo", getSource())) # NO FLOW
mySink(Steps.preserveArgZeroAndTwo("foo", "bar", getSource())) # FLOW
mySink(Steps.preserveAllButFirstArgument(getSource())) # NO FLOW
mySink(Steps.preserveAllButFirstArgument("foo", getSource())) # FLOW
mySink(Steps.preserveAllButFirstArgument("foo", "bar", getSource())) # FLOW
CallFilter.arityOne(one) # match
CallFilter.arityOne(one=one) # NO match
CallFilter.arityOne(one, two=two) # match - on both the named and positional arguments
CallFilter.arityOne(one=one, two=two) # NO match
from foo1.bar import baz1
baz1(baz1) # no match, and that's the point.
from foo2.bar import baz2
baz2(baz2) # match
class OtherSubClass (ArgPos.MyClass):
def otherSelfTest(self, arg, named=2, otherName=3): # test that Parameter[0] hits `arg`.
pass
def anyParam(self, param1, param2): # Parameter[any] matches all non-self parameters
pass
def anyNamed(self, name1, name2=2): # Parameter[any-named] matches all non-self named parameters
pass
import testlib as testlib
import testlib.nestedlib as testlib2
import otherlib as otherlib
testlib.fuzzyCall(getSource()) # NOT OK
testlib2.fuzzyCall(getSource()) # NOT OK
testlib.foo.bar.baz.fuzzyCall(getSource()) # NOT OK
testlib.foo().bar().fuzzyCall(getSource()) # NOT OK
testlib.foo(lambda x: x.fuzzyCall(getSource())) # NOT OK
otherlib.fuzzyCall(getSource()) # OK
# defining sources through content steps
# dictionaries
testlib.source_dict["key"].func() # source
testlib.source_dict["safe"].func() # not a source
lambda k: testlib.source_dict_any[k].func() # source
# TODO: implement support for lists
lambda i: testlib.source_list[i].func()
# TODO: implement support for tuples
testlib.source_tuple[0].func() # a source
testlib.source_tuple[1].func() # not a source
Reference in New Issue View Git Blame Copy Permalink