Python: Tests for new query: requests called with verify=False.

markshannon · markshannon · commit f0206a2ff4d6 · 2018-11-23T14:42:45.000Z
diff --git a/python/ql/test/query-tests/Security/CWE-295/make_request.py b/python/ql/test/query-tests/Security/CWE-295/make_request.py
@@ -0,0 +1,32 @@
+import requests
+
+#Simple cases
+requests.get('https://semmle.com', verify=True) # GOOD
+requests.get('https://semmle.com', verify=False) # BAD
+requests.post('https://semmle.com', verify=True) # GOOD
+requests.post('https://semmle.com', verify=False) # BAD
+
+# Simple flow
+put = requests.put
+put('https://semmle.com', verify="/path/to/cert/") # GOOD
+put('https://semmle.com', verify=False) # BAD
+
+#Other flow
+delete = requests.delete
+
+def req1(verify=False):
+    delete('https://semmle.com', verify) # BAD
+    if verify:
+        delete('https://semmle.com', verify) # GOOD
+    if not verify:
+        return
+    delete('https://semmle.com', verify) # GOOD
+
+patch = requests.patch
+
+def req2(verify):
+    patch('https://semmle.com', verify=verify) # BAD (from line 30)
+
+req2(False) # BAD (at line 28)
+req2("/path/to/cert/") # GOOD
+
diff --git a/python/ql/test/query-tests/Security/lib/requests.py b/python/ql/test/query-tests/Security/lib/requests.py
@@ -0,0 +1,21 @@
+
+def get(url, params=None, **kwargs):
+    pass
+
+def options(url, **kwargs):
+    pass
+
+def head(url, **kwargs):
+    pass
+
+def post(url, data=None, json=None, **kwargs):
+    pass
+
+def put(url, data=None, **kwargs):
+    pass
+
+def patch(url, data=None, **kwargs):
+    pass
+
+def delete(url, **kwargs):
+    pass
