
Commit 6934d5e

committed
Python: Add django test of RedirectView subclass
1 parent 7985515 commit 6934d5e


3 files changed

+25
-1
lines changed


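--- a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/response_test.py
+++ b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/response_test.py
@@ -1,4 +1,5 @@
 from django.http.response import HttpResponse, HttpResponseRedirect, HttpResponsePermanentRedirect, JsonResponse, HttpResponseNotFound
+from django.views.generic import RedirectView
 import django.shortcuts
 
 # Not an XSS sink, since the Content-Type is not "text/html"
@@ -54,6 +55,13 @@ def redirect_shortcut(request):
 return django.shortcuts.redirect(next) # $ HttpResponse HttpRedirectResponse redirectLocation=next
 
 
+class CustomRedirectView(RedirectView):
+
+def get_redirect_url(self, foo): # $ MISSING: routedParameter=foo
+next = "https://example.com/{}".format(foo)
+return next # $ MISSING: HttpResponse HttpRedirectResponse redirectLocation=next
+
+
 # Ensure that simple subclasses are still vuln to XSS
 def xss__not_found(request):
 return HttpResponseNotFound(request.GET.get("name")) # $HttpResponse mimetype=text/html responseBody=Attribute()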
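Review bot: The `# $ MISSING:` markers on `CustomRedirectView.get_redirect_url` record that the routed parameter and the redirect response are not modelled yet, but nothing explains the gap. A comment above the class such as `# TODO: RedirectView.get_redirect_url is not modelled yet; its return value is used as the redirect location` would stop the markers being read as intended behaviour. The identical class added to testapp/views.py has the same gap. No URL pattern for this class is visible in this file, while the views.py copy is routed in testapp/urls.py, so it is worth confirming that `routedParameter=foo` is the expectation wanted here. Until the model covers this, analyses built on these concepts will presumably not see redirects produced by this kind of view.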

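--- a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/testapp/urls.py
+++ b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/testapp/urls.py
@@ -15,4 +15,7 @@
 
 path("basic-view-handler/", views.MyBasicViewHandler.as_view()), # $routeSetup="basic-view-handler/"
 path("custom-inheritance-view-handler/", views.MyViewHandlerWithCustomInheritance.as_view()), # $routeSetup="custom-inheritance-view-handler/"
+
+path("CustomRedirectView/<foo>", views.CustomRedirectView.as_view()), # $routeSetup="CustomRedirectView/<foo>"
+path("CustomRedirectView2/<foo>", views.CustomRedirectView2.as_view()), # $routeSetup="CustomRedirectView2/<foo>"
 ]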

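--- a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/testapp/views.py
+++ b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/testapp/views.py
@@ -1,5 +1,5 @@
 from django.http import HttpRequest, HttpResponse
-from django.views import View
+from django.views.generic import View, RedirectView
 from django.views.decorators.csrf import csrf_exempt
 
 
@@ -32,3 +32,16 @@ class MyViewHandlerWithCustomInheritance(MyCustomViewBaseClass):
 def get(self, request: HttpRequest): # $ requestHandler
 print(self.request.GET)
 return HttpResponse("MyViewHandlerWithCustomInheritance: GET") # $ HttpResponse
+
+# RedirectView
+# See docs at https://docs.djangoproject.com/en/3.1/ref/class-based-views/base/#redirectview
+class CustomRedirectView(RedirectView):
+
+def get_redirect_url(self, foo): # $ MISSING: routedParameter=foo
+next = "https://example.com/{}".format(foo)
+return next # $ MISSING: HttpResponse HttpRedirectResponse redirectLocation=next
+
+
+class CustomRedirectView2(RedirectView):
+
+url = "https://example.com/%(foo)s"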
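Review bot: `CustomRedirectView2` carries no inline expectation at all, so the test does not record whether the `url = "https://example.com/%(foo)s"` form is meant to be modelled. Django's RedirectView interpolates the keyword arguments captured from the URL pattern into `url`, so the routed `foo` ends up in the redirect location here just as it does through `get_redirect_url` in `CustomRedirectView`. A comment on the `url` line such as `# foo from the route is interpolated into this redirect target; not modelled yet` would make the gap explicit, in line with the `MISSING` markers on the other class.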
