Merge pull request #136 from omergunal/patch-5

KevinHock · web-flow · commit cbc27ae92ea5 · 2018-07-01T12:22:02.000-07:00
Tests for 'discover_files' , updated Changelog, added -r and targets usage on README
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -22,39 +22,25 @@ If you love PyT, please star our project on GitHub to show your support! :star:
 [@xxxx]: https://github.com/xxxx
 -->
 
-# 0.34
-##### April 24, 2018
+# 0.35
+##### July 1, 2018
 
 #### :tada: New Features
 
-* Baseline support ([#106], thanks [@omergunal])
+* Recursive option ([#129], [@omergunal])
 
-[#106]: https://github.com/python-security/pyt/pull/106
 [@omergunal]: https://github.com/omergunal
-
-#### :sparkles: Usability
-* Combined all source/sink information files and made it the default ([#116])
-
-#### :telescope: Precision
-* Fixed a bug where `Post.query.paginate` propagated taint ([#115])
-* Fixed a false-positive where `self` was marked as taint ([#119], thanks [@lFatty])
+[#129]: https://github.com/python-security/pyt/pull/129
 
 #### :bug: Bugfixes
-* Fixed a bug where `visit_Raise` raised a `TypeError`  ([#117], thanks [@lFatty])
-* Fixed an infinite loop bug that was caused while handling certain loops ([#118])
-* Fixed a bug where we were not including `pyt/vulnerability_definitions` files ([#122], thanks [@Ekultek])
+* Fixed flake8 errors ([#130])
 
 #### :snake: Miscellaneous
 
-* Moved out a bunch of historical files to the [ReadTheDocs repo](https://github.com/KevinHock/rtdpyt) ([#110], [#111])
+* Re organize code ([#126])
+* Cleaned up pyt/core/ ([#132])
 
-[#116]: https://github.com/python-security/pyt/pull/116
+[#126]: https://github.com/python-security/pyt/pull/129
 [#115]: https://github.com/python-security/pyt/pull/115
-[#119]: https://github.com/python-security/pyt/pull/119
-[#117]: https://github.com/python-security/pyt/pull/117
-[#118]: https://github.com/python-security/pyt/pull/118
-[#111]: https://github.com/python-security/pyt/pull/111
-[#110]: https://github.com/python-security/pyt/pull/110
-[@lfatty]: https://github.com/lfatty
-[#122]: https://github.com/python-security/pyt/issues/122
-[@Ekultek]: https://github.com/Ekultek
+[#130]: https://github.com/python-security/pyt/pull/130
+[#132]: https://github.com/python-security/pyt/pull/132
diff --git a/README.rst b/README.rst
@@ -63,44 +63,48 @@ Usage
 
 .. code-block::
 
-  usage: python -m pyt [-h] [-f FILEPATH] [-a ADAPTOR] [-pr PROJECT_ROOT]
-                       [-b BASELINE_JSON_FILE] [-j] [-m BLACKBOX_MAPPING_FILE]
-                       [-t TRIGGER_WORD_FILE] [-o OUTPUT_FILE] [-trim] [-i]
+  usage: python -m pyt [-h] [-a ADAPTOR] [-pr PROJECT_ROOT]
+                   [-b BASELINE_JSON_FILE] [-j] [-m BLACKBOX_MAPPING_FILE]
+                   [-t TRIGGER_WORD_FILE] [-o OUTPUT_FILE] [--ignore-nosec]
+                   [-r] [-x EXCLUDED_PATHS] [-trim] [-i]
+                   targets [targets ...]
 
   required arguments:
-    -f FILEPATH, --filepath FILEPATH
-                          Path to the file that should be analysed.
+    targets               source file(s) or directory(s) to be tested
 
   optional arguments:
     -a ADAPTOR, --adaptor ADAPTOR
-                          Choose a web framework adaptor: Flask(Default),
-                          Django, Every or Pylons
+                        Choose a web framework adaptor: Flask(Default),
+                        Django, Every or Pylons
     -pr PROJECT_ROOT, --project-root PROJECT_ROOT
-                          Add project root, only important when the entry file
-                          is not at the root of the project.
+                        Add project root, only important when the entry file
+                        is not at the root of the project.
     -b BASELINE_JSON_FILE, --baseline BASELINE_JSON_FILE
-                          Path of a baseline report to compare against (only
-                          JSON-formatted files are accepted)
+                        Path of a baseline report to compare against (only
+                        JSON-formatted files are accepted)
     -j, --json            Prints JSON instead of report.
     -m BLACKBOX_MAPPING_FILE, --blackbox-mapping-file BLACKBOX_MAPPING_FILE
-                          Input blackbox mapping file.
+                        Input blackbox mapping file.
     -t TRIGGER_WORD_FILE, --trigger-word-file TRIGGER_WORD_FILE
-                          Input file with a list of sources and sinks
+                        Input file with a list of sources and sinks
     -o OUTPUT_FILE, --output OUTPUT_FILE
-                          write report to filename
+                        write report to filename
     --ignore-nosec        do not skip lines with # nosec comments
+    -r, --recursive       find and process files in subdirectories
+    -x EXCLUDED_PATHS, --exclude EXCLUDED_PATHS
+                        Separate files with commas
 
   print arguments:
     -trim, --trim-reassigned-in
-                          Trims the reassigned list to just the vulnerability
-                          chain.
+                        Trims the reassigned list to just the vulnerability
+                        chain.
     -i, --interactive     Will ask you about each blackbox function call in
-                          vulnerability chains.
+                        vulnerability chains.
 
 Usage from Source
 =================
 
-Using it like a user ``python3 -m pyt -f example/vulnerable_code/XSS_call.py save -du``
+Using it like a user ``python3 -m pyt examples/vulnerable_code/XSS_call.py``
 
 Running the tests ``python3 -m tests``
 
diff --git a/tests/main_test.py b/tests/main_test.py
@@ -1,7 +1,7 @@
 import mock
 
 from .base_test_case import BaseTestCase
-from pyt.__main__ import main
+from pyt.__main__ import discover_files, main
 
 
 class MainTest(BaseTestCase):
@@ -60,3 +60,35 @@ def test_json_output(self, mock_json, mock_find_vulnerabilities, mock_parse_args
                 mock_find_vulnerabilities.return_value,
                 mock_parse_args.return_value.output_file
             )
+
+
+class MainTest(BaseTestCase):
+    def test_targets_with_no_excluded(self):
+        targets = ["examples/vulnerable_code/inter_command_injection.py"]
+        excluded_files = ""
+
+        included_files = discover_files(targets, excluded_files)
+        expected = ["examples/vulnerable_code/inter_command_injection.py"]
+        self.assertListEqual(included_files, expected)
+
+    def test_targets_with_exluded(self):
+        targets = ["examples/vulnerable_code/inter_command_injection.py"]
+        excluded_files = "examples/vulnerable_code/inter_command_injection.py"
+
+        included_files = discover_files(targets, excluded_files)
+        expected = []
+        self.assertListEqual(included_files, expected)
+
+    def test_targets_with_recursive(self):
+        targets = ["examples/vulnerable_code/"]
+        excluded_files = ""
+
+        included_files = discover_files(targets, excluded_files, True)
+        self.assertEqual(len(included_files), 30)
+
+    def test_targets_with_recursive_and_excluded(self):
+        targets = ["examples/vulnerable_code/"]
+        excluded_files = "inter_command_injection.py"
+
+        included_files = discover_files(targets, excluded_files, True)
+        self.assertEqual(len(included_files), 29)
