Improve tests

jorgectf · jorgectf · commit d7a79469e62e · 2021-11-05T20:08:52.000+01:00
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-614/django_bad.py b/python/ql/test/experimental/query-tests/Security/CWE-614/django_bad.py
@@ -8,8 +8,21 @@ def django_response(request):
     return resp
 
 
+def django_response():
+    response = django.http.HttpResponse()
+    response['Set-Cookie'] = "name=value; SameSite=None;"
+    return response
+
+
 def django_response(request):
     resp = django.http.HttpResponse()
-    resp.set_cookie("name", "value", secure=False,
-                    httponly=False, samesite='None')
+    resp.set_cookie(django.http.request.GET.get("name"),
+                    django.http.request.GET.get("value"),
+                    secure=False, httponly=False, samesite='None')
     return resp
+
+
+def django_response():
+    response = django.http.HttpResponse()
+    response['Set-Cookie'] = f"{django.http.request.GET.get('name')}={django.http.request.GET.get('value')}; SameSite=None;"
+    return response
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-614/flask_bad.py b/python/ql/test/experimental/query-tests/Security/CWE-614/flask_bad.py
@@ -6,23 +6,32 @@
 @app.route("/false")
 def false():
     resp = make_response()
-    resp.set_cookie(request.args["name"], value=request.args["value"], secure=False,
+    resp.set_cookie("name", value="value", secure=False,
                     httponly=False, samesite='None')
     return resp
 
 
 @app.route("/flask_Response")
 def flask_Response():
     resp = Response()
-    resp.headers['Set-Cookie'] = "name=value;"
+    resp.headers['Set-Cookie'] = "name=value; SameSite=None;"
     return resp
 
 
-@app.route("/flask_make_response")
-def flask_make_response():
-    resp = make_response("hello")
-    resp.headers['Set-Cookie'] = "name=value; SameSite=None;"
+@app.route("/false")
+def false():
+    resp = make_response()
+    resp.set_cookie(request.args["name"], value=request.args["value"], secure=False,
+                    httponly=False, samesite='None')
     return resp
 
+
+@app.route("/flask_Response")
+def flask_Response():
+    resp = Response()
+    resp.headers['Set-Cookie'] = f"{request.args['name']}={request.args['value']}; SameSite=None;"
+    return resp
+
+
 # if __name__ == "__main__":
 #     app.run(debug=True)
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-614/flask_good.py b/python/ql/test/experimental/query-tests/Security/CWE-614/flask_good.py
@@ -18,13 +18,6 @@ def flask_Response():
     return resp
 
 
-@app.route("/flask_make_response")
-def flask_make_response():
-    resp = make_response("hello")
-    resp.headers['Set-Cookie'] = "name=value; Secure; HttpOnly; SameSite=Lax;"
-    return resp
-
-
 def indeterminate(secure):
     resp = make_response()
     resp.set_cookie("name", value="value", secure=secure)
