Python: Add tests for turbogears.

markshannon · markshannon · commit 7d0943f30d8e · 2019-02-26T10:15:37.000Z
diff --git a/python/ql/test/library-tests/web/turbogears/Controller.expected b/python/ql/test/library-tests/web/turbogears/Controller.expected
@@ -0,0 +1,4 @@
+| test.py:7:5:7:32 | Function onerror |
+| test.py:13:5:13:50 | Function ok_validated |
+| test.py:18:5:18:57 | Function partially_validated |
+| test.py:22:5:22:51 | Function not_validated |
diff --git a/python/ql/test/library-tests/web/turbogears/Controller.ql b/python/ql/test/library-tests/web/turbogears/Controller.ql
@@ -0,0 +1,9 @@
+
+
+import python
+
+import semmle.python.web.turbogears.TurboGears
+
+from TurboGearsControllerMethod m
+select m
+
diff --git a/python/ql/test/library-tests/web/turbogears/Sinks.expected b/python/ql/test/library-tests/web/turbogears/Sinks.expected
@@ -0,0 +1,4 @@
+| test.py:8 | BinaryExpr | externally controlled string |
+| test.py:14 | BinaryExpr | externally controlled string |
+| test.py:19 | BinaryExpr | externally controlled string |
+| test.py:23 | BinaryExpr | externally controlled string |
diff --git a/python/ql/test/library-tests/web/turbogears/Sinks.ql b/python/ql/test/library-tests/web/turbogears/Sinks.ql
@@ -0,0 +1,10 @@
+
+import python
+
+import semmle.python.web.HttpRequest
+import semmle.python.web.HttpResponse
+import semmle.python.security.strings.Untrusted
+
+from TaintSink sink, TaintKind kind
+where sink.sinks(kind)
+select sink.getLocation().toString(), sink.(ControlFlowNode).getNode().toString(), kind
diff --git a/python/ql/test/library-tests/web/turbogears/Sources.expected b/python/ql/test/library-tests/web/turbogears/Sources.expected
@@ -0,0 +1,3 @@
+| test.py:18 | b | externally controlled string |
+| test.py:22 | a | externally controlled string |
+| test.py:22 | b | externally controlled string |
diff --git a/python/ql/test/library-tests/web/turbogears/Sources.ql b/python/ql/test/library-tests/web/turbogears/Sources.ql
@@ -0,0 +1,10 @@
+
+import python
+
+import semmle.python.web.HttpRequest
+import semmle.python.security.strings.Untrusted
+
+
+from TaintSource src, TaintKind kind
+where src.isSourceOf(kind)
+select src.getLocation().toString(), src.(ControlFlowNode).getNode().toString(), kind
diff --git a/python/ql/test/library-tests/web/turbogears/Taint.expected b/python/ql/test/library-tests/web/turbogears/Taint.expected
@@ -0,0 +1,12 @@
+| test.py:18 | b | externally controlled string |
+| test.py:19 | BinaryExpr | [externally controlled string] |
+| test.py:19 | BinaryExpr | externally controlled string |
+| test.py:19 | Tuple | [externally controlled string] |
+| test.py:19 | b | externally controlled string |
+| test.py:22 | a | externally controlled string |
+| test.py:22 | b | externally controlled string |
+| test.py:23 | BinaryExpr | [externally controlled string] |
+| test.py:23 | BinaryExpr | externally controlled string |
+| test.py:23 | Tuple | [externally controlled string] |
+| test.py:23 | a | externally controlled string |
+| test.py:23 | b | externally controlled string |
diff --git a/python/ql/test/library-tests/web/turbogears/Taint.ql b/python/ql/test/library-tests/web/turbogears/Taint.ql
@@ -0,0 +1,13 @@
+
+import python
+
+
+import semmle.python.web.HttpRequest
+import semmle.python.web.HttpResponse
+import semmle.python.security.strings.Untrusted
+
+
+from TaintedNode node
+
+select node.getLocation().toString(), node.getNode().getNode().toString(), node.getTaintKind()
+
diff --git a/python/ql/test/library-tests/web/turbogears/options b/python/ql/test/library-tests/web/turbogears/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: --max-import-depth=3 --lang=3 -p ../../../query-tests/Security/lib/
+optimize: true
diff --git a/python/ql/test/library-tests/web/turbogears/test.py b/python/ql/test/library-tests/web/turbogears/test.py
@@ -0,0 +1,23 @@
+
+from tg import request, validate, expose, TGController
+from formencode import validators
+
+class RootController(TGController):
+    @expose()
+    def onerror(self, **kwargs):
+        return 'An error occurred: %s' % request.validation['errors']
+
+    @expose()
+    @validate({"a": validators.Int(not_empty=True), "b": validators.Email},
+              error_handler=onerror)
+    def ok_validated(self, a=None, b=None, *args):
+        return 'Values: %s, %s, %s' % (a, b, args)
+
+    @expose()
+    @validate({"a": validators.Int(not_empty=True)})
+    def partially_validated(self, a=None, b=None, *args):
+        return 'Values: %s, %s, %s' % (a, b, args)
+
+    @expose()
+    def not_validated(self, a=None, b=None, *args):
+        return 'Values: %s, %s, %s' % (a, b, args)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+\| test.py:18 \| b \| externally controlled string \|`
	`2`	`+\| test.py:22 \| a \| externally controlled string \|`
	`3`	`+\| test.py:22 \| b \| externally controlled string \|`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+semmle-extractor-options: --max-import-depth=3 --lang=3 -p ../../../query-tests/Security/lib/`
	`2`	`+optimize: true`