Python: Move tornado tests from internal repo

RasmusWL · RasmusWL · commit 4248a8418bae · 2019-10-24T15:01:35.000+02:00
diff --git a/python/ql/test/library-tests/web/tornado/Classes.expected b/python/ql/test/library-tests/web/tornado/Classes.expected
@@ -0,0 +1,7 @@
+| class ErrorHandler | resources/lib/python/lib/tornado/web.py:2260 |
+| class FallbackHandler | resources/lib/python/lib/tornado/web.py:2806 |
+| class Handler1 | test.py:4 |
+| class Handler2 | test.py:8 |
+| class Handler3 | test.py:14 |
+| class RedirectHandler | resources/lib/python/lib/tornado/web.py:2275 |
+| class StaticFileHandler | resources/lib/python/lib/tornado/web.py:2319 |
diff --git a/python/ql/test/library-tests/web/tornado/Classes.ql b/python/ql/test/library-tests/web/tornado/Classes.ql
@@ -0,0 +1,9 @@
+
+import python
+
+import semmle.python.TestUtils
+
+import semmle.python.web.tornado.Tornado
+from ClassObject cls
+where cls = aTornadoRequestHandlerClass()
+select cls.toString(), remove_library_prefix(cls.getPyClass().getLocation())
diff --git a/python/ql/test/library-tests/web/tornado/Methods.expected b/python/ql/test/library-tests/web/tornado/Methods.expected
@@ -0,0 +1,76 @@
+| __init__ | Function __init__ | resources/lib/python/lib/tornado/web.py:168 |
+| _break_cycles | Function _break_cycles | resources/lib/python/lib/tornado/web.py:1025 |
+| _clear_headers_for_304 | Function _clear_headers_for_304 | resources/lib/python/lib/tornado/web.py:1636 |
+| _convert_header_value | Function _convert_header_value | resources/lib/python/lib/tornado/web.py:363 |
+| _decode_xsrf_token | Function _decode_xsrf_token | resources/lib/python/lib/tornado/web.py:1294 |
+| _get_argument | Function _get_argument | resources/lib/python/lib/tornado/web.py:479 |
+| _get_arguments | Function _get_arguments | resources/lib/python/lib/tornado/web.py:487 |
+| _get_raw_xsrf_token | Function _get_raw_xsrf_token | resources/lib/python/lib/tornado/web.py:1270 |
+| _handle_request_exception | Function _handle_request_exception | resources/lib/python/lib/tornado/web.py:1581 |
+| _log | Function _log | resources/lib/python/lib/tornado/web.py:1568 |
+| _request_summary | Function _request_summary | resources/lib/python/lib/tornado/web.py:1577 |
+| _stack_context_handle_exception | Function _stack_context_handle_exception | resources/lib/python/lib/tornado/web.py:1493 |
+| _ui_method | Function _ui_method | resources/lib/python/lib/tornado/web.py:1633 |
+| _ui_module | Function _ui_module | resources/lib/python/lib/tornado/web.py:1623 |
+| add_header | Function add_header | resources/lib/python/lib/tornado/web.py:343 |
+| check_etag_header | Function check_etag_header | resources/lib/python/lib/tornado/web.py:1452 |
+| check_xsrf_cookie | Function check_xsrf_cookie | resources/lib/python/lib/tornado/web.py:1330 |
+| clear | Function clear | resources/lib/python/lib/tornado/web.py:288 |
+| clear_all_cookies | Function clear_all_cookies | resources/lib/python/lib/tornado/web.py:597 |
+| clear_cookie | Function clear_cookie | resources/lib/python/lib/tornado/web.py:582 |
+| clear_header | Function clear_header | resources/lib/python/lib/tornado/web.py:352 |
+| compute_etag | Function compute_etag | resources/lib/python/lib/tornado/web.py:1428 |
+| create_signed_value | Function create_signed_value | resources/lib/python/lib/tornado/web.py:642 |
+| create_template_loader | Function create_template_loader | resources/lib/python/lib/tornado/web.py:916 |
+| data_received | Function data_received | resources/lib/python/lib/tornado/web.py:1561 |
+| decode_argument | Function decode_argument | resources/lib/python/lib/tornado/web.py:500 |
+| delete | Function delete | resources/lib/python/lib/tornado/web.py:230 |
+| finish | Function finish | resources/lib/python/lib/tornado/web.py:985 |
+| flush | Function flush | resources/lib/python/lib/tornado/web.py:937 |
+| get | Function get | resources/lib/python/lib/tornado/web.py:224 |
+| get_argument | Function get_argument | resources/lib/python/lib/tornado/web.py:395 |
+| get_arguments | Function get_arguments | resources/lib/python/lib/tornado/web.py:408 |
+| get_body_argument | Function get_body_argument | resources/lib/python/lib/tornado/web.py:423 |
+| get_body_arguments | Function get_body_arguments | resources/lib/python/lib/tornado/web.py:440 |
+| get_browser_locale | Function get_browser_locale | resources/lib/python/lib/tornado/web.py:1127 |
+| get_cookie | Function get_cookie | resources/lib/python/lib/tornado/web.py:525 |
+| get_current_user | Function get_current_user | resources/lib/python/lib/tornado/web.py:1191 |
+| get_login_url | Function get_login_url | resources/lib/python/lib/tornado/web.py:1198 |
+| get_query_argument | Function get_query_argument | resources/lib/python/lib/tornado/web.py:451 |
+| get_query_arguments | Function get_query_arguments | resources/lib/python/lib/tornado/web.py:468 |
+| get_secure_cookie | Function get_secure_cookie | resources/lib/python/lib/tornado/web.py:665 |
+| get_secure_cookie_key_version | Function get_secure_cookie_key_version | resources/lib/python/lib/tornado/web.py:688 |
+| get_status | Function get_status | resources/lib/python/lib/tornado/web.py:329 |
+| get_template_namespace | Function get_template_namespace | resources/lib/python/lib/tornado/web.py:893 |
+| get_template_path | Function get_template_path | resources/lib/python/lib/tornado/web.py:1206 |
+| get_user_locale | Function get_user_locale | resources/lib/python/lib/tornado/web.py:1117 |
+| head | Function head | resources/lib/python/lib/tornado/web.py:221 |
+| initialize | Function initialize | resources/lib/python/lib/tornado/web.py:195 |
+| log_exception | Function log_exception | resources/lib/python/lib/tornado/web.py:1603 |
+| on_connection_close | Function on_connection_close | resources/lib/python/lib/tornado/web.py:269 |
+| on_finish | Function on_finish | resources/lib/python/lib/tornado/web.py:259 |
+| options | Function options | resources/lib/python/lib/tornado/web.py:239 |
+| patch | Function patch | resources/lib/python/lib/tornado/web.py:233 |
+| post | Function post | resources/lib/python/lib/tornado/web.py:227 |
+| prepare | Function prepare | resources/lib/python/lib/tornado/web.py:242 |
+| put | Function put | resources/lib/python/lib/tornado/web.py:236 |
+| redirect | Function redirect | resources/lib/python/lib/tornado/web.py:698 |
+| render | Function render | resources/lib/python/lib/tornado/web.py:746 |
+| render_embed_css | Function render_embed_css | resources/lib/python/lib/tornado/web.py:859 |
+| render_embed_js | Function render_embed_js | resources/lib/python/lib/tornado/web.py:830 |
+| render_linked_css | Function render_linked_css | resources/lib/python/lib/tornado/web.py:839 |
+| render_linked_js | Function render_linked_js | resources/lib/python/lib/tornado/web.py:810 |
+| render_string | Function render_string | resources/lib/python/lib/tornado/web.py:868 |
+| require_setting | Function require_setting | resources/lib/python/lib/tornado/web.py:1418 |
+| reverse_url | Function reverse_url | resources/lib/python/lib/tornado/web.py:1424 |
+| send_error | Function send_error | resources/lib/python/lib/tornado/web.py:1030 |
+| set_cookie | Function set_cookie | resources/lib/python/lib/tornado/web.py:538 |
+| set_default_headers | Function set_default_headers | resources/lib/python/lib/tornado/web.py:300 |
+| set_etag_header | Function set_etag_header | resources/lib/python/lib/tornado/web.py:1441 |
+| set_header | Function set_header | resources/lib/python/lib/tornado/web.py:333 |
+| set_secure_cookie | Function set_secure_cookie | resources/lib/python/lib/tornado/web.py:613 |
+| set_status | Function set_status | resources/lib/python/lib/tornado/web.py:310 |
+| static_url | Function static_url | resources/lib/python/lib/tornado/web.py:1383 |
+| write | Function write | resources/lib/python/lib/tornado/web.py:716 |
+| write_error | Function write_error | resources/lib/python/lib/tornado/web.py:1069 |
+| xsrf_form_html | Function xsrf_form_html | resources/lib/python/lib/tornado/web.py:1367 |
diff --git a/python/ql/test/library-tests/web/tornado/Methods.ql b/python/ql/test/library-tests/web/tornado/Methods.ql
@@ -0,0 +1,12 @@
+
+import python
+
+import semmle.python.TestUtils
+
+import semmle.python.web.tornado.Tornado
+
+from FunctionObject func, string name
+where func = getTornadoRequestHandlerMethod(name) and
+/* Compatibility hack to make tests pass on both 1.20 and 1.21 */
+not name = "_execute"
+select name, func.toString(), remove_library_prefix(func.getFunction().getLocation())
diff --git a/python/ql/test/library-tests/web/tornado/Sinks.expected b/python/ql/test/library-tests/web/tornado/Sinks.expected
@@ -0,0 +1,6 @@
+| resources/lib/python/lib/tornado/web.py:2316 | to_url | externally controlled string |
+| resources/lib/python/lib/tornado/web.py:2471 | chunk | externally controlled string |
+| resources/lib/python/lib/tornado/web.py:2597 | BinaryExpr | externally controlled string |
+| test.py:6 | Attribute() | externally controlled string |
+| test.py:12 | name | externally controlled string |
+| test.py:20 | url | externally controlled string |
diff --git a/python/ql/test/library-tests/web/tornado/Sinks.ql b/python/ql/test/library-tests/web/tornado/Sinks.ql
@@ -0,0 +1,11 @@
+
+import python
+
+import semmle.python.web.HttpRequest
+import semmle.python.web.HttpResponse
+import semmle.python.security.strings.Untrusted
+import semmle.python.TestUtils
+
+from TaintSink sink, TaintKind kind
+where sink.sinks(kind)
+select remove_library_prefix(sink.getLocation()), sink.(ControlFlowNode).getNode().toString(), kind
diff --git a/python/ql/test/library-tests/web/tornado/Sources.expected b/python/ql/test/library-tests/web/tornado/Sources.expected
@@ -0,0 +1,15 @@
+| resources/lib/python/lib/tornado/web.py:406 | Attribute | tornado.request.HttpRequest |
+| resources/lib/python/lib/tornado/web.py:449 | Attribute | tornado.request.HttpRequest |
+| resources/lib/python/lib/tornado/web.py:2313 | Attribute | tornado.request.HttpRequest |
+| resources/lib/python/lib/tornado/web.py:2315 | Attribute | tornado.request.HttpRequest |
+| resources/lib/python/lib/tornado/web.py:2421 | Attribute | tornado.request.HttpRequest |
+| resources/lib/python/lib/tornado/web.py:2476 | Attribute | tornado.request.HttpRequest |
+| resources/lib/python/lib/tornado/web.py:2522 | Attribute | tornado.request.HttpRequest |
+| resources/lib/python/lib/tornado/web.py:2527 | Attribute | tornado.request.HttpRequest |
+| resources/lib/python/lib/tornado/web.py:2596 | Attribute | tornado.request.HttpRequest |
+| resources/lib/python/lib/tornado/web.py:2597 | Attribute | tornado.request.HttpRequest |
+| resources/lib/python/lib/tornado/web.py:2728 | Attribute | tornado.request.HttpRequest |
+| resources/lib/python/lib/tornado/web.py:2826 | Attribute | tornado.request.HttpRequest |
+| test.py:6 | Attribute() | externally controlled string |
+| test.py:10 | Attribute() | [externally controlled string] |
+| test.py:17 | Attribute | tornado.request.HttpRequest |
diff --git a/python/ql/test/library-tests/web/tornado/Sources.ql b/python/ql/test/library-tests/web/tornado/Sources.ql
@@ -0,0 +1,13 @@
+
+import python
+
+import semmle.python.TestUtils
+
+import semmle.python.web.HttpRequest
+import semmle.python.web.HttpResponse
+import semmle.python.security.strings.Untrusted
+
+
+from TaintSource src, TaintKind kind
+where src.isSourceOf(kind)
+select remove_library_prefix(src.getLocation()), src.(ControlFlowNode).getNode().toString(), kind
diff --git a/python/ql/test/library-tests/web/tornado/Taint.expected b/python/ql/test/library-tests/web/tornado/Taint.expected
@@ -0,0 +1,38 @@
+| resources/lib/python/lib/tornado/web.py:406 | Attribute | tornado.request.HttpRequest |
+| resources/lib/python/lib/tornado/web.py:406 | Attribute | {[externally controlled string]} |
+| resources/lib/python/lib/tornado/web.py:449 | Attribute | tornado.request.HttpRequest |
+| resources/lib/python/lib/tornado/web.py:449 | Attribute | {[externally controlled string]} |
+| resources/lib/python/lib/tornado/web.py:2313 | Attribute | tornado.request.HttpRequest |
+| resources/lib/python/lib/tornado/web.py:2313 | Attribute | {[externally controlled string]} |
+| resources/lib/python/lib/tornado/web.py:2315 | Attribute | tornado.request.HttpRequest |
+| resources/lib/python/lib/tornado/web.py:2315 | Attribute | {[externally controlled string]} |
+| resources/lib/python/lib/tornado/web.py:2421 | Attribute | tornado.request.HttpRequest |
+| resources/lib/python/lib/tornado/web.py:2421 | Attribute | {externally controlled string} |
+| resources/lib/python/lib/tornado/web.py:2421 | Attribute() | externally controlled string |
+| resources/lib/python/lib/tornado/web.py:2422 | range_header | externally controlled string |
+| resources/lib/python/lib/tornado/web.py:2425 | range_header | externally controlled string |
+| resources/lib/python/lib/tornado/web.py:2476 | Attribute | tornado.request.HttpRequest |
+| resources/lib/python/lib/tornado/web.py:2522 | Attribute | tornado.request.HttpRequest |
+| resources/lib/python/lib/tornado/web.py:2522 | Attribute | {externally controlled string} |
+| resources/lib/python/lib/tornado/web.py:2522 | Attribute() | externally controlled string |
+| resources/lib/python/lib/tornado/web.py:2527 | Attribute | tornado.request.HttpRequest |
+| resources/lib/python/lib/tornado/web.py:2527 | Attribute | {externally controlled string} |
+| resources/lib/python/lib/tornado/web.py:2527 | Attribute() | externally controlled string |
+| resources/lib/python/lib/tornado/web.py:2528 | ims_value | externally controlled string |
+| resources/lib/python/lib/tornado/web.py:2529 | ims_value | externally controlled string |
+| resources/lib/python/lib/tornado/web.py:2596 | Attribute | tornado.request.HttpRequest |
+| resources/lib/python/lib/tornado/web.py:2597 | Attribute | tornado.request.HttpRequest |
+| resources/lib/python/lib/tornado/web.py:2728 | Attribute | tornado.request.HttpRequest |
+| resources/lib/python/lib/tornado/web.py:2728 | Attribute | {[externally controlled string]} |
+| resources/lib/python/lib/tornado/web.py:2826 | Attribute | tornado.request.HttpRequest |
+| test.py:6 | Attribute() | externally controlled string |
+| test.py:10 | Attribute() | [externally controlled string] |
+| test.py:11 | Subscript | externally controlled string |
+| test.py:11 | args | [externally controlled string] |
+| test.py:12 | name | externally controlled string |
+| test.py:17 | Attribute | tornado.request.HttpRequest |
+| test.py:18 | Attribute | {externally controlled string} |
+| test.py:18 | req | tornado.request.HttpRequest |
+| test.py:19 | Subscript | externally controlled string |
+| test.py:19 | h | {externally controlled string} |
+| test.py:20 | url | externally controlled string |
diff --git a/python/ql/test/library-tests/web/tornado/Taint.ql b/python/ql/test/library-tests/web/tornado/Taint.ql
@@ -0,0 +1,14 @@
+
+import python
+
+import semmle.python.TestUtils
+
+import semmle.python.web.HttpRequest
+import semmle.python.web.HttpResponse
+import semmle.python.security.strings.Untrusted
+
+from TaintedNode node
+// Add this restriction to keep Python2 and 3 results the same.
+where not exists(node.getContext().getCaller())
+select remove_library_prefix(node.getLocation()), node.getAstNode().toString(), node.getTaintKind()
+
diff --git a/python/ql/test/library-tests/web/tornado/options b/python/ql/test/library-tests/web/tornado/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: --max-import-depth=2 -p ../../../../../../../resources/lib/python/lib/
+optimize: true
diff --git a/python/ql/test/library-tests/web/tornado/test.py b/python/ql/test/library-tests/web/tornado/test.py
@@ -0,0 +1,20 @@
+
+import tornado.web
+
+class Handler1(tornado.web.RequestHandler):
+    def get(self):
+        self.write(self.get_argument("xss"))
+
+class Handler2(tornado.web.RequestHandler):
+    def get(self):
+        args = self.get_body_arguments()
+        name = args[0]
+        self.write(name)
+
+class Handler3(tornado.web.RequestHandler):
+
+    def get(self):
+        req = self.request
+        h = req.headers
+        url = h["url"]
+        self.redirect(url)
