Python: Fix untrusted data to external API example

RasmusWL · RasmusWL · commit 4ab3fff9733b · 2020-11-30T10:42:30.000+01:00
The hmac.digest function was only added in python 3.7, so obviously doesn't work
on Python 2
diff --git a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.expected b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.expected
@@ -1 +1 @@
-| hmac.digest [param 1] | 1 | 1 |
+| hmac.new [param 1] | 1 | 1 |
diff --git a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.expected b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.expected
@@ -1,7 +1,7 @@
 edges
-| test.py:13:16:13:27 | ControlFlowNode for Attribute | test.py:15:38:15:41 | ControlFlowNode for data |
+| test.py:13:16:13:27 | ControlFlowNode for Attribute | test.py:15:36:15:39 | ControlFlowNode for data |
 nodes
 | test.py:13:16:13:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| test.py:15:38:15:41 | ControlFlowNode for data | semmle.label | ControlFlowNode for data |
+| test.py:15:36:15:39 | ControlFlowNode for data | semmle.label | ControlFlowNode for data |
 #select
-| test.py:15:38:15:41 | ControlFlowNode for data | test.py:13:16:13:27 | ControlFlowNode for Attribute | test.py:15:38:15:41 | ControlFlowNode for data | Call to hmac.digest [param 1] with untrusted data from $@. | test.py:13:16:13:27 | ControlFlowNode for Attribute | ControlFlowNode for Attribute |
+| test.py:15:36:15:39 | ControlFlowNode for data | test.py:13:16:13:27 | ControlFlowNode for Attribute | test.py:15:36:15:39 | ControlFlowNode for data | Call to hmac.new [param 1] with untrusted data from $@. | test.py:13:16:13:27 | ControlFlowNode for Attribute | ControlFlowNode for Attribute |
diff --git a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/test.py b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/test.py
@@ -12,7 +12,8 @@
 def hmac_example():
     data_raw = request.args.get("data").encode('utf-8')
     data = base64.decodebytes(data_raw)
-    digest = hmac.digest(SECRET_KEY, data, hashlib.sha256)
+    my_hmac = hmac.new(SECRET_KEY, data, hashlib.sha256)
+    digest = my_hmac.digest()
     print(digest)
     return "ok"
 
@@ -32,4 +33,5 @@ def unknown_lib_2():
 
 
 if __name__ == "__main__":
+    # http://127.0.0.1:5000/hmac-example?data=aGVsbG8gd29ybGQh
     app.run(debug=True)

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-\| hmac.digest [param 1] \| 1 \| 1 \|`
	`1`	`+\| hmac.new [param 1] \| 1 \| 1 \|`