Python: Expand flask tests a bit

RasmusWL · RasmusWL · commit 3c08590ee4e1 · 2020-09-22T16:28:24.000+02:00
diff --git a/python/ql/test/experimental/library-tests/frameworks/flask/TestTaint.expected b/python/ql/test/experimental/library-tests/frameworks/flask/TestTaint.expected
@@ -38,47 +38,59 @@
 | test.py:70 | fail | test_taint | request.files['key'].filename |
 | test.py:71 | fail | test_taint | request.files['key'].stream |
 | test.py:72 | fail | test_taint | request.files.getlist(..) |
-| test.py:75 | ok   | test_taint | request.form |
-| test.py:76 | ok   | test_taint | request.form['key'] |
-| test.py:77 | ok   | test_taint | request.form.getlist(..) |
-| test.py:79 | ok   | test_taint | request.get_data() |
-| test.py:81 | ok   | test_taint | request.get_json() |
-| test.py:82 | ok   | test_taint | request.get_json()['foo'] |
-| test.py:83 | ok   | test_taint | request.get_json()['foo']['bar'] |
-| test.py:87 | ok   | test_taint | request.headers |
-| test.py:88 | ok   | test_taint | request.headers['key'] |
-| test.py:89 | fail | test_taint | request.headers.get_all(..) |
-| test.py:90 | fail | test_taint | request.headers.getlist(..) |
-| test.py:91 | ok   | test_taint | list(..) |
-| test.py:92 | fail | test_taint | request.headers.to_wsgi_list() |
-| test.py:94 | ok   | test_taint | request.json |
-| test.py:95 | ok   | test_taint | request.json['foo'] |
-| test.py:96 | ok   | test_taint | request.json['foo']['bar'] |
-| test.py:98 | ok   | test_taint | request.method |
-| test.py:100 | ok   | test_taint | request.mimetype |
-| test.py:102 | ok   | test_taint | request.mimetype_params |
-| test.py:104 | ok   | test_taint | request.origin |
-| test.py:107 | ok   | test_taint | request.pragma |
-| test.py:109 | ok   | test_taint | request.query_string |
-| test.py:111 | ok   | test_taint | request.referrer |
-| test.py:113 | ok   | test_taint | request.remote_addr |
-| test.py:115 | ok   | test_taint | request.remote_user |
-| test.py:118 | ok   | test_taint | request.stream |
-| test.py:119 | ok   | test_taint | request.input_stream |
-| test.py:121 | ok   | test_taint | request.url |
-| test.py:123 | ok   | test_taint | request.user_agent |
-| test.py:126 | ok   | test_taint | request.values |
-| test.py:127 | ok   | test_taint | request.values['key'] |
-| test.py:128 | ok   | test_taint | request.values.getlist(..) |
-| test.py:131 | ok   | test_taint | request.view_args |
-| test.py:132 | ok   | test_taint | request.view_args['key'] |
-| test.py:136 | ok   | test_taint | request.script_root |
-| test.py:137 | ok   | test_taint | request.url_root |
-| test.py:141 | ok   | test_taint | request.charset |
-| test.py:142 | ok   | test_taint | request.url_charset |
-| test.py:146 | ok   | test_taint | request.date |
-| test.py:149 | ok   | test_taint | request.endpoint |
-| test.py:154 | ok   | test_taint | request.host |
-| test.py:155 | ok   | test_taint | request.host_url |
-| test.py:157 | ok   | test_taint | request.scheme |
-| test.py:159 | ok   | test_taint | request.script_root |
+| test.py:73 | fail | test_taint | request.files.getlist(..)[0].filename |
+| test.py:74 | fail | test_taint | request.files.getlist(..)[0].stream |
+| test.py:77 | ok   | test_taint | request.form |
+| test.py:78 | ok   | test_taint | request.form['key'] |
+| test.py:79 | ok   | test_taint | request.form.getlist(..) |
+| test.py:81 | ok   | test_taint | request.get_data() |
+| test.py:83 | ok   | test_taint | request.get_json() |
+| test.py:84 | ok   | test_taint | request.get_json()['foo'] |
+| test.py:85 | ok   | test_taint | request.get_json()['foo']['bar'] |
+| test.py:89 | ok   | test_taint | request.headers |
+| test.py:90 | ok   | test_taint | request.headers['key'] |
+| test.py:91 | fail | test_taint | request.headers.get_all(..) |
+| test.py:92 | fail | test_taint | request.headers.getlist(..) |
+| test.py:93 | ok   | test_taint | list(..) |
+| test.py:94 | fail | test_taint | request.headers.to_wsgi_list() |
+| test.py:96 | ok   | test_taint | request.json |
+| test.py:97 | ok   | test_taint | request.json['foo'] |
+| test.py:98 | ok   | test_taint | request.json['foo']['bar'] |
+| test.py:100 | ok   | test_taint | request.method |
+| test.py:102 | ok   | test_taint | request.mimetype |
+| test.py:104 | ok   | test_taint | request.mimetype_params |
+| test.py:106 | ok   | test_taint | request.origin |
+| test.py:109 | ok   | test_taint | request.pragma |
+| test.py:111 | ok   | test_taint | request.query_string |
+| test.py:113 | ok   | test_taint | request.referrer |
+| test.py:115 | ok   | test_taint | request.remote_addr |
+| test.py:117 | ok   | test_taint | request.remote_user |
+| test.py:120 | ok   | test_taint | request.stream |
+| test.py:121 | ok   | test_taint | request.input_stream |
+| test.py:123 | ok   | test_taint | request.url |
+| test.py:125 | ok   | test_taint | request.user_agent |
+| test.py:128 | ok   | test_taint | request.values |
+| test.py:129 | ok   | test_taint | request.values['key'] |
+| test.py:130 | ok   | test_taint | request.values.getlist(..) |
+| test.py:133 | ok   | test_taint | request.view_args |
+| test.py:134 | ok   | test_taint | request.view_args['key'] |
+| test.py:138 | ok   | test_taint | request.script_root |
+| test.py:139 | ok   | test_taint | request.url_root |
+| test.py:143 | ok   | test_taint | request.charset |
+| test.py:144 | ok   | test_taint | request.url_charset |
+| test.py:148 | ok   | test_taint | request.date |
+| test.py:151 | ok   | test_taint | request.endpoint |
+| test.py:156 | ok   | test_taint | request.host |
+| test.py:157 | ok   | test_taint | request.host_url |
+| test.py:159 | ok   | test_taint | request.scheme |
+| test.py:161 | ok   | test_taint | request.script_root |
+| test.py:169 | ok   | test_taint | request.args |
+| test.py:170 | ok   | test_taint | a |
+| test.py:171 | ok   | test_taint | b |
+| test.py:173 | ok   | test_taint | request.args['key'] |
+| test.py:174 | ok   | test_taint | a['key'] |
+| test.py:175 | ok   | test_taint | b['key'] |
+| test.py:177 | ok   | test_taint | request.args.getlist(..) |
+| test.py:178 | ok   | test_taint | a.getlist(..) |
+| test.py:179 | ok   | test_taint | b.getlist(..) |
+| test.py:180 | fail | test_taint | gl(..) |
diff --git a/python/ql/test/experimental/library-tests/frameworks/flask/test.py b/python/ql/test/experimental/library-tests/frameworks/flask/test.py
@@ -70,6 +70,8 @@ def test_taint(name = "World!", number="0", foo="foo"):
         request.files['key'].filename,
         request.files['key'].stream,
         request.files.getlist('key'),
+        request.files.getlist('key')[0].filename,
+        request.files.getlist('key')[0].stream,
 
         # By default werkzeug.datastructures.ImmutableMultiDict -- although can be changed :\
         request.form,
@@ -159,6 +161,27 @@ def test_taint(name = "World!", number="0", foo="foo"):
         request.script_root,
     )
 
+    # Testing some more tricky data-flow still works
+    a = request.args
+    b = a
+    gl = b.getlist
+    ensure_tainted(
+        request.args,
+        a,
+        b,
+
+        request.args['key'],
+        a['key'],
+        b['key'],
+
+        request.args.getlist('key'),
+        a.getlist('key'),
+        b.getlist('key'),
+        gl('key'),
+    )
+
+
+
 
 @app.route('/debug/<foo>/<bar>', methods=['GET'])
 def debug(foo, bar):
@@ -216,6 +239,13 @@ def file_upload():
 
     return 'ok'
 
+@app.route('/args', methods=['GET'])
+def args():
+    print(request.path)
+    print("request.args", request.args)
+
+    return 'ok'
+
 # curl --header "My-Header: some-value" http://localhost:5000/debug/fooval/barval
 # curl --header "Pragma: foo, bar" --header "Pragma: stuff, foo" http://localhost:5000/debug/fooval/barval
 
@@ -229,5 +259,7 @@ def file_upload():
 
 # curl -F myfile=@<some-file> localhost:5000/file_upload
 
+# curl http://localhost:5000/args?foo=42&bar=bar
+
 if __name__ == "__main__":
     app.run(debug=True)
