Merge pull request #2664 from RasmusWL/python-fix-redirect-example

tausbn · web-flow · commit 618a35bb7c22 · 2020-01-23T13:42:00.000+01:00
Python: Remove unused variable in example for py/url-redirection
diff --git a/python/ql/src/Security/CWE-601/examples/redirect_bad.py b/python/ql/src/Security/CWE-601/examples/redirect_bad.py
@@ -4,5 +4,5 @@
 
 @app.route('/')
 def hello():
-    target = files = request.args.get('target', '')
+    target = request.args.get('target', '')
     return redirect(target, code=302)
diff --git a/python/ql/src/Security/CWE-601/examples/redirect_good.py b/python/ql/src/Security/CWE-601/examples/redirect_good.py
@@ -6,7 +6,7 @@
 
 @app.route('/')
 def hello():
-    target = files = request.args.get('target', '')
+    target = request.args.get('target', '')
     if target == VALID_REDIRECT:
         return redirect(target, code=302)
     else:
diff --git a/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected b/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected
@@ -1,7 +1,7 @@
 edges
-| test.py:7:22:7:33 | dict of externally controlled string | test.py:7:22:7:51 | externally controlled string |
-| test.py:7:22:7:33 | dict of externally controlled string | test.py:7:22:7:51 | externally controlled string |
-| test.py:7:22:7:51 | externally controlled string | test.py:8:21:8:26 | externally controlled string |
-| test.py:7:22:7:51 | externally controlled string | test.py:8:21:8:26 | externally controlled string |
+| test.py:7:14:7:25 | dict of externally controlled string | test.py:7:14:7:43 | externally controlled string |
+| test.py:7:14:7:25 | dict of externally controlled string | test.py:7:14:7:43 | externally controlled string |
+| test.py:7:14:7:43 | externally controlled string | test.py:8:21:8:26 | externally controlled string |
+| test.py:7:14:7:43 | externally controlled string | test.py:8:21:8:26 | externally controlled string |
 #select
-| test.py:8:21:8:26 | target | test.py:7:22:7:33 | dict of externally controlled string | test.py:8:21:8:26 | externally controlled string | Untrusted URL redirection due to $@. | test.py:7:22:7:33 | Attribute | a user-provided value |
+| test.py:8:21:8:26 | target | test.py:7:14:7:25 | dict of externally controlled string | test.py:8:21:8:26 | externally controlled string | Untrusted URL redirection due to $@. | test.py:7:14:7:25 | Attribute | a user-provided value |
diff --git a/python/ql/test/query-tests/Security/CWE-601/test.py b/python/ql/test/query-tests/Security/CWE-601/test.py
@@ -4,7 +4,7 @@
 
 @app.route('/')
 def hello():
-    target = files = request.args.get('target', '')
+    target = request.args.get('target', '')
     return redirect(target, code=302)
 
 
