Commit 6b87458
Python: Add explicit tests for HttpSources and HttpSinks
Some of the tests currently fail, since they can't reproduce the old tests' results (since the sinks/sources defined in the library code are not HttpResponseTaintSink/HttpRequestTaintSource)
1 parent b36a6aa commit 6b87458


54 files changed: +221 -129 lines
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
| test.py:9:12:9:26 | bottle handler function result | externally controlled string |
2+
| test.py:13:12:13:24 | bottle handler function result | externally controlled string |
3+
| test.py:19:12:19:33 | bottle handler function result | externally controlled string |
4+
| test.py:36:21:36:51 | Taint sink | externally controlled string |
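Review bot: three of these rows are labelled `bottle handler function result` and the fourth `Taint sink`, so two different sink classes contribute to this expectation, and the commit message says the library's sinks are not `HttpResponseTaintSink` subclasses yet. This file therefore most likely records the old query's output rather than what the new `Sinks.ql` produces; either regenerate it from the new query or record in the test that it is expected to fail until the library classes are migrated, so the failure is not mistaken for a regression.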
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
import python
2+
import semmle.python.web.HttpResponse
3+
import semmle.python.security.strings.Untrusted
4+
5+
from HttpResponseTaintSink sink, TaintKind kind
6+
where sink.sinks(kind)
7+
select sink, kind
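Review bot: `select sink, kind` reports the sink node directly, while the companion Sources query in this commit selects `source.(ControlFlowNode).getNode()`; the two test queries should use the same form so their `.expected` locations are produced the same way. Also worth a one-line comment that `import semmle.python.security.strings.Untrusted` is what makes the `externally controlled string` kind available to `sink.sinks(kind)`; without it the query silently matches nothing.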
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
FIXME
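Review bot: a bare `FIXME` as the entire expected-output file will fail the test with an unhelpful diff, since expectations are compared verbatim. As the commit message says the results cannot be reproduced yet, prefer an empty expectation (or the previous results) plus a `// FIXME` comment in the corresponding `.ql` explaining that the library sources are not yet `HttpRequestTaintSource`, so the reason lives next to the query rather than in its output.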
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
import python
2+
import semmle.python.web.HttpRequest
3+
import semmle.python.security.strings.Untrusted
4+
5+
from HttpRequestTaintSource source, TaintKind kind
6+
where source.isSourceOf(kind)
7+
select source.(ControlFlowNode).getNode(), kind
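Review bot: the inline cast `source.(ControlFlowNode)` in the select is only needed if `HttpRequestTaintSource` is not already a `ControlFlowNode`; if it is, `source.getNode()` reads cleaner. Either way, add a comment saying the select deliberately reports the AST node rather than the flow node, since that choice determines the location strings the `.expected` file has to match.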

python/ql/test/library-tests/web/bottle/Sinks.expected

Lines changed: 0 additions & 4 deletions
This file was deleted.

python/ql/test/library-tests/web/bottle/Sinks.ql

Lines changed: 0 additions & 8 deletions
This file was deleted.
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
| red.py:8:16:8:20 | cherrypy handler function result | externally controlled string |
2+
| test.py:11:16:11:29 | cherrypy handler function result | externally controlled string |
3+
| test.py:17:16:17:27 | cherrypy handler function result | externally controlled string |
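Review bot: all three rows carry the `cherrypy handler function result` label, drawn from two test files (`red.py` and `test.py`), so this expectation depends on the library's cherrypy sink being an `HttpResponseTaintSink`, which the commit message says is not the case. Either regenerate the file from the new query so the baseline reflects current behaviour, or note in the test that these rows are the target output once the library sinks are migrated.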
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
import python
2+
import semmle.python.web.HttpResponse
3+
import semmle.python.security.strings.Untrusted
4+
5+
from HttpResponseTaintSink sink, TaintKind kind
6+
where sink.sinks(kind)
7+
select sink, kind
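Review bot: this query is byte-identical to the earlier `Sinks.ql` in this commit, which is fine for per-directory library tests, but the same consistency point applies: select the sink the same way the Sources query does (`getNode()` on both, or on neither), and document that `sink.sinks(kind)` is restricted to kinds declared in `semmle.python.security.strings.Untrusted` by the import, so a reader of the `.expected` file knows where `externally controlled string` comes from.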
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
FIXME
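Review bot: same placeholder as the earlier one-line `FIXME` file; because expected output is compared verbatim this test will always fail, and the sentinel string carries no explanation. If the intent is to track the missing `HttpRequestTaintSource` results, an empty expectation together with an explicit comment in the query is clearer than a sentinel in the `.expected` output.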
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
import python
2+
import semmle.python.web.HttpRequest
3+
import semmle.python.security.strings.Untrusted
4+
5+
from HttpRequestTaintSource source, TaintKind kind
6+
where source.isSourceOf(kind)
7+
select source.(ControlFlowNode).getNode(), kind
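Review bot: duplicate of the earlier Sources query, so the same remark holds: drop the `(ControlFlowNode)` cast if `HttpRequestTaintSource` already is one, and state in a comment why `getNode()` is selected here while the sibling `Sinks.ql` selects the node directly, since the mismatch is the first thing a reader comparing the two `.expected` files will stumble over.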
