@@ -5,11 +5,12 @@ async def test_taint(request: web.Request): # $ requestHandler
55 ensure_tainted (
66 request , # $ tainted
77
8- # yarl.URL instances
8+ # yarl.URL instances, see tests under `yarl` framework tests
99 # https://yarl.readthedocs.io/en/stable/api.html#yarl.URL
10- # see below
1110 request .url , # $ tainted
11+ request .url .human_repr (), # $ tainted
1212 request .rel_url , # $ tainted
13+ request .rel_url .human_repr (), # $ tainted
1314
1415 request .forwarded , # $ tainted
1516
@@ -130,68 +131,6 @@ async def test_taint(request: web.Request): # $ requestHandler
130131 request .config_dict ,
131132 )
132133
133- # TODO: Should have a better way to capture that we in fact _do_ model this as a
134- # an instance of the right class, and have the actual taint_test for that in a
135- # different file!
136- import yarl
137-
138- ensure_tainted (
139- # see https://yarl.readthedocs.io/en/stable/api.html#yarl.URL
140- request .url .user , # $ tainted
141- request .url .raw_user , # $ tainted
142-
143- request .url .password , # $ tainted
144- request .url .raw_password , # $ tainted
145-
146- request .url .host , # $ tainted
147- request .url .raw_host , # $ tainted
148-
149- request .url .port , # $ tainted
150- request .url .explicit_port , # $ tainted
151-
152- request .url .authority , # $ tainted
153- request .url .raw_authority , # $ tainted
154-
155- request .url .path , # $ tainted
156- request .url .raw_path , # $ tainted
157-
158- request .url .path_qs , # $ tainted
159- request .url .raw_path_qs , # $ tainted
160-
161- request .url .query_string , # $ tainted
162- request .url .raw_query_string , # $ tainted
163-
164- request .url .fragment , # $ tainted
165- request .url .raw_fragment , # $ tainted
166-
167- request .url .parts , # $ tainted
168- request .url .raw_parts , # $ tainted
169-
170- request .url .name , # $ tainted
171- request .url .raw_name , # $ tainted
172-
173- # multidict.MultiDictProxy[str]
174- request .url .query , # $ tainted
175- request .url .query .getone ("key" ), # $ tainted
176-
177- request .url .with_scheme ("foo" ), # $ tainted
178- request .url .with_user ("foo" ), # $ tainted
179- request .url .with_password ("foo" ), # $ tainted
180- request .url .with_host ("foo" ), # $ tainted
181- request .url .with_port ("foo" ), # $ tainted
182- request .url .with_path ("foo" ), # $ tainted
183- request .url .with_query ({"foo" : 42 }), # $ tainted
184- request .url .with_query (foo = 42 ), # $ tainted
185- request .url .update_query ({"foo" : 42 }), # $ tainted
186- request .url .update_query (foo = 42 ), # $ tainted
187- request .url .with_fragment ("foo" ), # $ tainted
188- request .url .with_name ("foo" ), # $ tainted
189-
190- request .url .join (yarl .URL ("wat.html" )), # $ tainted
191-
192- request .url .human_repr (), # $ tainted
193- )
194-
195134
196135class TaintTestClass (web .View ):
197136 def get (self ): # $ requestHandler
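Review bot: In the first hunk of `test_taint` (the function starts outside the hunk), the two added `human_repr()` calls are now the only checks in this file that `request.url` and `request.rel_url` are modelled as `yarl.URL` instances, and the comment above them does not say so. The removed TODO asked for exactly this kind of instance check, so I would record the intent inline, e.g. `# human_repr() is a yarl.URL method: these two lines only confirm that url/rel_url are modelled as yarl.URL instances`. Without that, a later cleanup could drop them as redundant with the `request.url` line. Taint on request-controlled parts such as `host`, `path` and `query` would then depend on a link that no test in this file pins down. The per-attribute coverage presumably now lives in the `yarl` framework tests, which are not visible on this page. It is worth confirming they cover `rel_url`-style relative URLs as well as absolute ones.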