Python: Add tests for clear-text storage and logging.

markshannon · markshannon · commit 816938369e8c · 2019-08-22T15:27:48.000+01:00
diff --git a/python/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected b/python/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected
@@ -0,0 +1,6 @@
+edges
+| test.py:7:16:7:29 | a password | test.py:8:35:8:42 | a password |
+parents
+#select
+| test.py:8:35:8:42 | Taint sink | test.py:7:16:7:29 | a password | test.py:8:35:8:42 | a password | Sensitive data returned by $@ is stored here. | test.py:7:16:7:29 | Taint source | Call returning a password |
+| test.py:14:30:14:39 | Taint sink | test.py:14:30:14:39 | a certificate or key | test.py:14:30:14:39 | a certificate or key | Sensitive data returned by $@ is stored here. | test.py:14:30:14:39 | Taint source | Call returning a certificate or key |
diff --git a/python/ql/test/query-tests/Security/CWE-312/CleartextLogging.qlref b/python/ql/test/query-tests/Security/CWE-312/CleartextLogging.qlref
@@ -0,0 +1 @@
+Security/CWE-312/CleartextLogging.ql
diff --git a/python/ql/test/query-tests/Security/CWE-312/CleartextStorage.expected b/python/ql/test/query-tests/Security/CWE-312/CleartextStorage.expected
@@ -0,0 +1,11 @@
+edges
+| file:///usr/lib/python3.6/keyword.py:65:10:65:34 | an open file | file:///usr/lib/python3.6/keyword.py:66:18:66:19 | an open file |
+| file:///usr/lib/python3.6/keyword.py:70:10:70:22 | an open file | file:///usr/lib/python3.6/keyword.py:73:21:73:22 | an open file |
+| file:///usr/lib/python3.6/keyword.py:90:10:90:39 | an open file | file:///usr/lib/python3.6/keyword.py:91:9:91:10 | an open file |
+| password_in_cookie.py:7:16:7:27 | dict of externally controlled string | password_in_cookie.py:7:16:7:43 | externally controlled string |
+| password_in_cookie.py:7:16:7:43 | a password | password_in_cookie.py:9:33:9:40 | a password |
+| password_in_cookie.py:7:16:7:43 | externally controlled string | password_in_cookie.py:9:33:9:40 | externally controlled string |
+| test.py:7:16:7:29 | a password | test.py:8:35:8:42 | a password |
+parents
+#select
+| password_in_cookie.py:9:33:9:40 | Taint sink | password_in_cookie.py:7:16:7:43 | a password | password_in_cookie.py:9:33:9:40 | a password | Sensitive data from $@ is stored here. | password_in_cookie.py:7:16:7:43 | Taint source | a request parameter containing a password |
diff --git a/python/ql/test/query-tests/Security/CWE-312/CleartextStorage.qlref b/python/ql/test/query-tests/Security/CWE-312/CleartextStorage.qlref
@@ -0,0 +1 @@
+Security/CWE-312/CleartextStorage.ql
diff --git a/python/ql/test/query-tests/Security/CWE-312/options b/python/ql/test/query-tests/Security/CWE-312/options
@@ -0,0 +1 @@
+semmle-extractor-options: -p ../lib/ --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/CWE-312/password_in_cookie.py b/python/ql/test/query-tests/Security/CWE-312/password_in_cookie.py
@@ -0,0 +1,10 @@
+from flask import Flask, make_response, request
+
+app = Flask("Leak password")
+
+@app.route('/')
+def index():
+    password = request.args.get("password")
+    resp = make_response(render_template(...))
+    resp.set_cookie("password", password)
+    return resp
diff --git a/python/ql/test/query-tests/Security/CWE-312/test.py b/python/ql/test/query-tests/Security/CWE-312/test.py
@@ -0,0 +1,15 @@
+import logging
+
+def get_password():
+    pass
+
+def log_password():
+    password = get_password()
+    logging.info("Password '%s'", password)
+
+def get_cert():
+    pass
+
+def log_cert():
+    logging.debug("Cert=%s", get_cert())
+

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+semmle-extractor-options: -p ../lib/ --max-import-depth=3`