
Commit 979dc47

committed
Python: Port old routing tests
1 parent ca60132 commit 979dc47


2 files changed

+138
-0
lines changed


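--- a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/ConceptsTest.expected
+++ b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/ConceptsTest.expected
@@ -1,3 +1,42 @@
+| routing_test.py:7:55:7:111 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar | Missing result:routeHandler= |
+| routing_test.py:7:55:7:111 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar | Missing result:routedParameter=bar |
+| routing_test.py:7:55:7:111 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar | Missing result:routedParameter=foo |
+| routing_test.py:11:31:11:45 | Comment # $routeHandler | Missing result:routeHandler= |
+| routing_test.py:15:32:15:46 | Comment # $routeHandler | Missing result:routeHandler= |
+| routing_test.py:19:32:19:46 | Comment # $routeHandler | Missing result:routeHandler= |
+| routing_test.py:29:42:29:83 | Comment # $routeHandler $routedParameter=untrusted | Missing result:routeHandler= |
+| routing_test.py:29:42:29:83 | Comment # $routeHandler $routedParameter=untrusted | Missing result:routedParameter=untrusted |
+| routing_test.py:35:41:35:82 | Comment # $routeHandler $routedParameter=untrusted | Missing result:routeHandler= |
+| routing_test.py:35:41:35:82 | Comment # $routeHandler $routedParameter=untrusted | Missing result:routedParameter=untrusted |
+| routing_test.py:39:45:39:88 | Comment # $routeHandler $routedParameter=page_number | Missing result:routeHandler= |
+| routing_test.py:39:45:39:88 | Comment # $routeHandler $routedParameter=page_number | Missing result:routedParameter=page_number |
+| routing_test.py:44:62:44:120 | Comment # $routeHandler $routedParameter=arg0 $routedParameter=arg1 | Missing result:routeHandler= |
+| routing_test.py:44:62:44:120 | Comment # $routeHandler $routedParameter=arg0 $routedParameter=arg1 | Missing result:routedParameter=arg0 |
+| routing_test.py:44:62:44:120 | Comment # $routeHandler $routedParameter=arg0 $routedParameter=arg1 | Missing result:routedParameter=arg1 |
+| routing_test.py:49:75:49:131 | Comment # $routeSetup=r"^url_match/(?P<foo>[^/]+)/(?P<bar>[^/]+)" | Missing result:routeSetup=r"^url_match/(?P<foo>[^/]+)/(?P<bar>[^/]+)" |
+| routing_test.py:50:47:50:74 | Comment # $routeSetup=r"^get_params" | Missing result:routeSetup=r"^get_params" |
+| routing_test.py:51:49:51:77 | Comment # $routeSetup=r"^post_params" | Missing result:routeSetup=r"^post_params" |
+| routing_test.py:52:53:52:85 | Comment # $routeSetup=r"^http_resp_write" | Missing result:routeSetup=r"^http_resp_write" |
+| routing_test.py:53:70:53:115 | Comment # $routeSetup=r"^class_view/(?P<untrusted>.+)" | Missing result:routeSetup=r"^class_view/(?P<untrusted>.+)" |
+| routing_test.py:56:76:56:133 | Comment # $routeSetup=r"articles/^(?:page-(?P<page_number>\\d+)/)?" | Missing result:routeSetup=r"articles/^(?:page-(?P<page_number>\\d+)/)?" |
+| routing_test.py:59:95:59:139 | Comment # $routeSetup=r"^([^/]+)/(?:foo\|bar)/([^/]+)" | Missing result:routeSetup=r"^([^/]+)/(?:foo\|bar)/([^/]+)" |
+| routing_test.py:65:31:65:45 | Comment # $routeHandler | Missing result:routeHandler= |
+| routing_test.py:70:84:70:138 | Comment # $routeSetup=r"^specifying-as-kwargs-is-not-a-problem" | Missing result:routeSetup=r"^specifying-as-kwargs-is-not-a-problem" |
+| routing_test.py:78:43:78:86 | Comment # $routeHandler $routedParameter=page_number | Missing result:routeHandler= |
+| routing_test.py:78:43:78:86 | Comment # $routeHandler $routedParameter=page_number | Missing result:routedParameter=page_number |
+| routing_test.py:81:43:81:120 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar $routedParameter=baz | Missing result:routeHandler= |
+| routing_test.py:81:43:81:120 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar $routedParameter=baz | Missing result:routedParameter=bar |
+| routing_test.py:81:43:81:120 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar $routedParameter=baz | Missing result:routedParameter=baz |
+| routing_test.py:81:43:81:120 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar $routedParameter=baz | Missing result:routedParameter=foo |
+| routing_test.py:84:38:84:94 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar | Missing result:routeHandler= |
+| routing_test.py:84:38:84:94 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar | Missing result:routedParameter=bar |
+| routing_test.py:84:38:84:94 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar | Missing result:routedParameter=foo |
+| routing_test.py:87:37:87:51 | Comment # $routeHandler | Missing result:routeHandler= |
+| routing_test.py:91:38:91:62 | Comment # $routeSetup="articles/" | Missing result:routeSetup="articles/" |
+| routing_test.py:92:60:92:106 | Comment # $routeSetup="articles/page-<int:page_number>" | Missing result:routeSetup="articles/page-<int:page_number>" |
+| routing_test.py:93:74:93:114 | Comment # $routeSetup="<int:foo>/<str:bar>/<baz>" | Missing result:routeSetup="<int:foo>/<str:bar>/<baz>" |
+| routing_test.py:95:51:95:77 | Comment # $routeSetup="<foo>/<bar>" | Missing result:routeSetup="<foo>/<bar>" |
+| routing_test.py:98:60:98:97 | Comment # $routeSetup="not_valid/<not_valid!>" | Missing result:routeSetup="not_valid/<not_valid!>" |
 | testapp/urls.py:6:31:6:50 | Comment # $routeSetup="foo/" | Missing result:routeSetup="foo/" |
 | testapp/urls.py:10:43:10:67 | Comment # $routeSetup=r"^ba[rz]/" | Missing result:routeSetup=r"^ba[rz]/" |
 | testapp/views.py:3:33:3:47 | Comment # $routeHandler | Missing result:routeHandler= |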
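--- /dev/null
+++ b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/routing_test.py
@@ -0,0 +1,99 @@
+"""testing views for Django 2.x and 3.x"""
+from django.urls import path, re_path
+from django.http import HttpResponse, HttpResponseRedirect, JsonResponse, HttpResponseNotFound
+from django.views import View
+
+
+def url_match_xss(request, foo, bar, no_taint=None): # $routeHandler $routedParameter=foo $routedParameter=bar
+    return HttpResponse('url_match_xss: {} {}'.format(foo, bar))
+
+
+def get_params_xss(request): # $routeHandler
+    return HttpResponse(request.GET.get("untrusted"))
+
+
+def post_params_xss(request): # $routeHandler
+    return HttpResponse(request.POST.get("untrusted"))
+
+
+def http_resp_write(request): # $routeHandler
+    rsp = HttpResponse()
+    rsp.write(request.GET.get("untrusted"))
+    return rsp
+
+
+class Foo(object):
+    # Note: since Foo is used as the super type in a class view, it will be able to handle requests.
+
+
+    def post(self, request, untrusted): # $routeHandler $routedParameter=untrusted
+        return HttpResponse('Foo post: {}'.format(untrusted))
+
+
+class ClassView(View, Foo):
+
+    def get(self, request, untrusted): # $routeHandler $routedParameter=untrusted
+        return HttpResponse('ClassView get: {}'.format(untrusted))
+
+
+def show_articles(request, page_number=1): # $routeHandler $routedParameter=page_number
+    page_number = int(page_number)
+    return HttpResponse('articles page: {}'.format(page_number))
+
+
+def xxs_positional_arg(request, arg0, arg1, no_taint=None): # $routeHandler $routedParameter=arg0 $routedParameter=arg1
+    return HttpResponse('xxs_positional_arg: {} {}'.format(arg0, arg1))
+
+
+urlpatterns = [
+    re_path(r"^url_match/(?P<foo>[^/]+)/(?P<bar>[^/]+)", url_match_xss), # $routeSetup=r"^url_match/(?P<foo>[^/]+)/(?P<bar>[^/]+)"
+    re_path(r"^get_params", get_params_xss), # $routeSetup=r"^get_params"
+    re_path(r"^post_params", post_params_xss), # $routeSetup=r"^post_params"
+    re_path(r"^http_resp_write", http_resp_write), # $routeSetup=r"^http_resp_write"
+    re_path(r"^class_view/(?P<untrusted>.+)", ClassView.as_view()), # $routeSetup=r"^class_view/(?P<untrusted>.+)"
+
+    # one pattern to support `articles/page-<n>` and ensuring that articles/ goes to page-1
+    re_path(r"articles/^(?:page-(?P<page_number>\d+)/)?", show_articles), # $routeSetup=r"articles/^(?:page-(?P<page_number>\d+)/)?"
+    # passing as positional argument is not the recommended way of doing things, but it is certainly
+    # possible
+    re_path(r"^([^/]+)/(?:foo|bar)/([^/]+)", xxs_positional_arg, name='xxs_positional_arg'), # $routeSetup=r"^([^/]+)/(?:foo|bar)/([^/]+)"
+]
+
+
+# Show we understand the keyword arguments to from django.urls.re_path
+
+def re_path_kwargs(request): # $routeHandler
+    return HttpResponse('re_path_kwargs')
+
+
+urlpatterns = [
+    re_path(view=re_path_kwargs, regex=r"^specifying-as-kwargs-is-not-a-problem") # $routeSetup=r"^specifying-as-kwargs-is-not-a-problem"
+]
+
+################################################################################
+# Using path
+################################################################################
+
+# saying page_number is an externally controlled *string* is a bit strange, when we have an int converter :O
+def page_number(request, page_number=1): # $routeHandler $routedParameter=page_number
+    return HttpResponse('page_number: {}'.format(page_number))
+
+def foo_bar_baz(request, foo, bar, baz): # $routeHandler $routedParameter=foo $routedParameter=bar $routedParameter=baz
+    return HttpResponse('foo_bar_baz: {} {} {}'.format(foo, bar, baz))
+
+def path_kwargs(request, foo, bar): # $routeHandler $routedParameter=foo $routedParameter=bar
+    return HttpResponse('path_kwargs: {} {} {}'.format(foo, bar))
+
+def not_valid_identifier(request): # $routeHandler
+    return HttpResponse('<foo!>')
+
+urlpatterns = [
+    path("articles/", page_number), # $routeSetup="articles/"
+    path("articles/page-<int:page_number>", page_number), # $routeSetup="articles/page-<int:page_number>"
+    path("<int:foo>/<str:bar>/<baz>", foo_bar_baz, name='foo-bar-baz'), # $routeSetup="<int:foo>/<str:bar>/<baz>"
+
+    path(view=path_kwargs, route="<foo>/<bar>"), # $routeSetup="<foo>/<bar>"
+
+    # We should not report there is a request parameter called `not_valid!`
+    path("not_valid/<not_valid!>", not_valid_identifier), # $routeSetup="not_valid/<not_valid!>"
+]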
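Review bot: `path_kwargs` (line 85 of the new file) formats three placeholders with only two arguments, `return HttpResponse('path_kwargs: {} {} {}'.format(foo, bar))`, which raises IndexError if the view is ever executed; the fixture only needs the signature for the `$routedParameter` annotations, so the line should read `return HttpResponse('path_kwargs: {} {}'.format(foo, bar))`. The recorded columns in ConceptsTest.expected are unaffected, since only the trailing comment on line 84 is referenced there. The module also rebinds `urlpatterns` three times (lines 48, 69 and 90), which is presumably deliberate so that the `re_path`, keyword-argument and `path` styles can be annotated in one file; a one-line comment above the second and third binding, e.g. `# urlpatterns is rebound on purpose: each block is an independent routing example`, would keep a later reader from "fixing" it into a single list.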
