@@ -25,29 +25,29 @@ def test_taint(request: Request, routed_param): # $ requestHandler routedParamet
2525
2626 # special new attributes added, see https://www.django-rest-framework.org/api-guide/requests/
2727 ensure_tainted (
28- request .data , # $ MISSING: tainted
29- request .data ["key" ], # $ MISSING: tainted
28+ request .data , # $ tainted
29+ request .data ["key" ], # $ tainted
3030
3131 # alias for .GET
32- request .query_params , # $ MISSING: tainted
33- request .query_params ["key" ], # $ MISSING: tainted
34- request .query_params .get ("key" ), # $ MISSING: tainted
35- request .query_params .getlist ("key" ), # $ MISSING: tainted
36- request .query_params .getlist ("key" )[0 ], # $ MISSING: tainted
37- request .query_params .pop ("key" ), # $ MISSING: tainted
38- request .query_params .pop ("key" )[0 ], # $ MISSING: tainted
32+ request .query_params , # $ tainted
33+ request .query_params ["key" ], # $ tainted
34+ request .query_params .get ("key" ), # $ tainted
35+ request .query_params .getlist ("key" ), # $ tainted
36+ request .query_params .getlist ("key" )[0 ], # $ tainted
37+ request .query_params .pop ("key" ), # $ tainted
38+ request .query_params .pop ("key" )[0 ], # $ tainted
3939
4040 # see more detailed tests of `request.user` below
41- request .user , # $ MISSING: tainted
41+ request .user , # $ tainted
4242
43- request .auth , # $ MISSING: tainted
43+ request .auth , # $ tainted
4444
4545 # seems much more likely attack vector than .method, so included
4646 request .content_type , # $ tainted
4747
4848 # file-like
49- request .stream , # $ MISSING: tainted
50- request .stream .read (), # $ MISSING: tainted
49+ request .stream , # $ tainted
50+ request .stream .read (), # $ tainted
5151 )
5252
5353 ensure_not_tainted (
@@ -74,10 +74,10 @@ def test_taint(request: Request, routed_param): # $ requestHandler routedParamet
7474 # username/email is user-controlled, but that password isn't (since it's a hash).
7575 # see https://docs.djangoproject.com/en/3.2/ref/contrib/auth/#fields
7676 ensure_tainted (
77- request .user .username , # $ MISSING: tainted
78- request .user .first_name , # $ MISSING: tainted
79- request .user .last_name , # $ MISSING: tainted
80- request .user .email , # $ MISSING: tainted
77+ request .user .username , # $ tainted
78+ request .user .first_name , # $ tainted
79+ request .user .last_name , # $ tainted
80+ request .user .email , # $ tainted
8181 )
8282 ensure_not_tainted (request .user .password )
8383
@@ -99,7 +99,7 @@ def get(self, request: Request, routed_param): # $ requestHandler routedParamete
9999 # request taint is the same as in function_based_view above
100100 ensure_tainted (
101101 request , # $ tainted
102- request .data # $ MISSING: tainted
102+ request .data # $ tainted
103103 )
104104
105105 # same as for standard Django view
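Review bot: The `request.auth` expectation in the first hunk is flipped to `# $ tainted` with no comment saying why it counts as a source, while the neighbouring groups each carry one (`# alias for .GET`, `# file-like`, the pointer to the detailed `request.user` tests). In Django REST framework `request.auth` is whatever the authentication class returns, commonly the token object matched against the credential the client sent, so a line such as `# set by the authenticator, typically the token the client presented` above it would record the reasoning. It would also help to say whether the whole object or only selected attributes should carry taint, as the second hunk does for `request.user` by pinning `request.user.password` as not tainted. The `ensure_not_tainted(` call that closes the first hunk continues outside it, so any matching negative expectation for `request.auth` cannot be seen from here.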