Python: Add django test of RedirectView subclass

RasmusWL · RasmusWL · commit 6934d5e642fe · 2021-02-15T10:55:51.000+01:00
diff --git a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/response_test.py b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/response_test.py
@@ -1,4 +1,5 @@
 from django.http.response import HttpResponse, HttpResponseRedirect, HttpResponsePermanentRedirect, JsonResponse, HttpResponseNotFound
+from django.views.generic import RedirectView
 import django.shortcuts
 
 # Not an XSS sink, since the Content-Type is not "text/html"
@@ -54,6 +55,13 @@ def redirect_shortcut(request):
     return django.shortcuts.redirect(next) # $ HttpResponse HttpRedirectResponse redirectLocation=next
 
 
+class CustomRedirectView(RedirectView):
+
+    def get_redirect_url(self, foo): # $ MISSING: routedParameter=foo
+        next = "https://example.com/{}".format(foo)
+        return next # $ MISSING: HttpResponse HttpRedirectResponse redirectLocation=next
+
+
 # Ensure that simple subclasses are still vuln to XSS
 def xss__not_found(request):
     return HttpResponseNotFound(request.GET.get("name"))  # $HttpResponse mimetype=text/html responseBody=Attribute()
diff --git a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/testapp/urls.py b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/testapp/urls.py
@@ -15,4 +15,7 @@
 
     path("basic-view-handler/", views.MyBasicViewHandler.as_view()),  # $routeSetup="basic-view-handler/"
     path("custom-inheritance-view-handler/", views.MyViewHandlerWithCustomInheritance.as_view()),  # $routeSetup="custom-inheritance-view-handler/"
+
+    path("CustomRedirectView/<foo>", views.CustomRedirectView.as_view()),  # $routeSetup="CustomRedirectView/<foo>"
+    path("CustomRedirectView2/<foo>", views.CustomRedirectView2.as_view()),  # $routeSetup="CustomRedirectView2/<foo>"
 ]
diff --git a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/testapp/views.py b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/testapp/views.py
@@ -1,5 +1,5 @@
 from django.http import HttpRequest, HttpResponse
-from django.views import View
+from django.views.generic import View, RedirectView
 from django.views.decorators.csrf import csrf_exempt
 
 
@@ -32,3 +32,16 @@ class MyViewHandlerWithCustomInheritance(MyCustomViewBaseClass):
     def get(self, request: HttpRequest): # $ requestHandler
         print(self.request.GET)
         return HttpResponse("MyViewHandlerWithCustomInheritance: GET") # $ HttpResponse
+
+# RedirectView
+# See docs at https://docs.djangoproject.com/en/3.1/ref/class-based-views/base/#redirectview
+class CustomRedirectView(RedirectView):
+
+    def get_redirect_url(self, foo): # $ MISSING: routedParameter=foo
+        next = "https://example.com/{}".format(foo)
+        return next # $ MISSING: HttpResponse HttpRedirectResponse redirectLocation=next
+
+
+class CustomRedirectView2(RedirectView):
+
+    url = "https://example.com/%(foo)s"

Original file line number	Diff line number	Diff line change
`@@ -15,4 +15,7 @@`
`15`	`15`
`16`	`16`	`path("basic-view-handler/", views.MyBasicViewHandler.as_view()), # $routeSetup="basic-view-handler/"`
`17`	`17`	`path("custom-inheritance-view-handler/", views.MyViewHandlerWithCustomInheritance.as_view()), # $routeSetup="custom-inheritance-view-handler/"`
	`18`	`+`
	`19`	`+ path("CustomRedirectView/<foo>", views.CustomRedirectView.as_view()), # $routeSetup="CustomRedirectView/<foo>"`
	`20`	`+ path("CustomRedirectView2/<foo>", views.CustomRedirectView2.as_view()), # $routeSetup="CustomRedirectView2/<foo>"`
`18`	`21`	`]`