Python: Port old routing tests

Author: RasmusWL

python/ql/test/experimental/library-tests/frameworks/django-v2-v3/ConceptsTest.expected

@@ -1,3 +1,42 @@
+| routing_test.py:7:55:7:111 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar | Missing result:routeHandler= |
+| routing_test.py:7:55:7:111 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar | Missing result:routedParameter=bar |
+| routing_test.py:7:55:7:111 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar | Missing result:routedParameter=foo |
+| routing_test.py:11:31:11:45 | Comment # $routeHandler | Missing result:routeHandler= |
+| routing_test.py:15:32:15:46 | Comment # $routeHandler | Missing result:routeHandler= |
+| routing_test.py:19:32:19:46 | Comment # $routeHandler | Missing result:routeHandler= |
+| routing_test.py:29:42:29:83 | Comment # $routeHandler $routedParameter=untrusted | Missing result:routeHandler= |
+| routing_test.py:29:42:29:83 | Comment # $routeHandler $routedParameter=untrusted | Missing result:routedParameter=untrusted |
+| routing_test.py:35:41:35:82 | Comment # $routeHandler $routedParameter=untrusted | Missing result:routeHandler= |
+| routing_test.py:35:41:35:82 | Comment # $routeHandler $routedParameter=untrusted | Missing result:routedParameter=untrusted |
+| routing_test.py:39:45:39:88 | Comment # $routeHandler $routedParameter=page_number | Missing result:routeHandler= |
+| routing_test.py:39:45:39:88 | Comment # $routeHandler $routedParameter=page_number | Missing result:routedParameter=page_number |
+| routing_test.py:44:62:44:120 | Comment # $routeHandler $routedParameter=arg0 $routedParameter=arg1 | Missing result:routeHandler= |
+| routing_test.py:44:62:44:120 | Comment # $routeHandler $routedParameter=arg0 $routedParameter=arg1 | Missing result:routedParameter=arg0 |
+| routing_test.py:44:62:44:120 | Comment # $routeHandler $routedParameter=arg0 $routedParameter=arg1 | Missing result:routedParameter=arg1 |
+| routing_test.py:49:75:49:131 | Comment # $routeSetup=r"^url_match/(?P<foo>[^/]+)/(?P<bar>[^/]+)" | Missing result:routeSetup=r"^url_match/(?P<foo>[^/]+)/(?P<bar>[^/]+)" |
+| routing_test.py:50:47:50:74 | Comment # $routeSetup=r"^get_params" | Missing result:routeSetup=r"^get_params" |
+| routing_test.py:51:49:51:77 | Comment # $routeSetup=r"^post_params" | Missing result:routeSetup=r"^post_params" |
+| routing_test.py:52:53:52:85 | Comment # $routeSetup=r"^http_resp_write" | Missing result:routeSetup=r"^http_resp_write" |
+| routing_test.py:53:70:53:115 | Comment # $routeSetup=r"^class_view/(?P<untrusted>.+)" | Missing result:routeSetup=r"^class_view/(?P<untrusted>.+)" |
+| routing_test.py:56:76:56:133 | Comment # $routeSetup=r"articles/^(?:page-(?P<page_number>\\d+)/)?" | Missing result:routeSetup=r"articles/^(?:page-(?P<page_number>\\d+)/)?" |
+| routing_test.py:59:95:59:139 | Comment # $routeSetup=r"^([^/]+)/(?:foo\|bar)/([^/]+)" | Missing result:routeSetup=r"^([^/]+)/(?:foo\|bar)/([^/]+)" |
+| routing_test.py:65:31:65:45 | Comment # $routeHandler | Missing result:routeHandler= |
+| routing_test.py:70:84:70:138 | Comment # $routeSetup=r"^specifying-as-kwargs-is-not-a-problem" | Missing result:routeSetup=r"^specifying-as-kwargs-is-not-a-problem" |
+| routing_test.py:78:43:78:86 | Comment # $routeHandler $routedParameter=page_number | Missing result:routeHandler= |
+| routing_test.py:78:43:78:86 | Comment # $routeHandler $routedParameter=page_number | Missing result:routedParameter=page_number |
+| routing_test.py:81:43:81:120 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar $routedParameter=baz | Missing result:routeHandler= |
+| routing_test.py:81:43:81:120 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar $routedParameter=baz | Missing result:routedParameter=bar |
+| routing_test.py:81:43:81:120 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar $routedParameter=baz | Missing result:routedParameter=baz |
+| routing_test.py:81:43:81:120 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar $routedParameter=baz | Missing result:routedParameter=foo |
+| routing_test.py:84:38:84:94 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar | Missing result:routeHandler= |
+| routing_test.py:84:38:84:94 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar | Missing result:routedParameter=bar |
+| routing_test.py:84:38:84:94 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar | Missing result:routedParameter=foo |
+| routing_test.py:87:37:87:51 | Comment # $routeHandler | Missing result:routeHandler= |
+| routing_test.py:91:38:91:62 | Comment # $routeSetup="articles/" | Missing result:routeSetup="articles/" |
+| routing_test.py:92:60:92:106 | Comment # $routeSetup="articles/page-<int:page_number>" | Missing result:routeSetup="articles/page-<int:page_number>" |
+| routing_test.py:93:74:93:114 | Comment # $routeSetup="<int:foo>/<str:bar>/<baz>" | Missing result:routeSetup="<int:foo>/<str:bar>/<baz>" |
+| routing_test.py:95:51:95:77 | Comment # $routeSetup="<foo>/<bar>" | Missing result:routeSetup="<foo>/<bar>" |
+| routing_test.py:98:60:98:97 | Comment # $routeSetup="not_valid/<not_valid!>" | Missing result:routeSetup="not_valid/<not_valid!>" |
 | testapp/urls.py:6:31:6:50 | Comment # $routeSetup="foo/" | Missing result:routeSetup="foo/" |
 | testapp/urls.py:10:43:10:67 | Comment # $routeSetup=r"^ba[rz]/" | Missing result:routeSetup=r"^ba[rz]/" |
 | testapp/views.py:3:33:3:47 | Comment # $routeHandler | Missing result:routeHandler= |

python/ql/test/experimental/library-tests/frameworks/django-v2-v3/routing_test.py

@@ -0,0 +1,99 @@
+"""testing views for Django 2.x and 3.x"""
+from django.urls import path, re_path
+from django.http import HttpResponse, HttpResponseRedirect, JsonResponse, HttpResponseNotFound
+from django.views import View
+
+
+def url_match_xss(request, foo, bar, no_taint=None):  # $routeHandler $routedParameter=foo $routedParameter=bar
+    return HttpResponse('url_match_xss: {} {}'.format(foo, bar))
+
+
+def get_params_xss(request):  # $routeHandler
+    return HttpResponse(request.GET.get("untrusted"))
+
+
+def post_params_xss(request):  # $routeHandler
+    return HttpResponse(request.POST.get("untrusted"))
+
+
+def http_resp_write(request):  # $routeHandler
+    rsp = HttpResponse()
+    rsp.write(request.GET.get("untrusted"))
+    return rsp
+
+
+class Foo(object):
+    # Note: since Foo is used as the super type in a class view, it will be able to handle requests.
+
+
+    def post(self, request, untrusted):  # $routeHandler $routedParameter=untrusted
+        return HttpResponse('Foo post: {}'.format(untrusted))
+
+
+class ClassView(View, Foo):
+
+    def get(self, request, untrusted):  # $routeHandler $routedParameter=untrusted
+        return HttpResponse('ClassView get: {}'.format(untrusted))
+
+
+def show_articles(request, page_number=1):  # $routeHandler $routedParameter=page_number
+    page_number = int(page_number)
+    return HttpResponse('articles page: {}'.format(page_number))
+
+
+def xxs_positional_arg(request, arg0, arg1, no_taint=None):  # $routeHandler $routedParameter=arg0 $routedParameter=arg1
+    return HttpResponse('xxs_positional_arg: {} {}'.format(arg0, arg1))
+
+
+urlpatterns = [
+    re_path(r"^url_match/(?P<foo>[^/]+)/(?P<bar>[^/]+)", url_match_xss),  # $routeSetup=r"^url_match/(?P<foo>[^/]+)/(?P<bar>[^/]+)"
+    re_path(r"^get_params", get_params_xss),  # $routeSetup=r"^get_params"
+    re_path(r"^post_params", post_params_xss),  # $routeSetup=r"^post_params"
+    re_path(r"^http_resp_write", http_resp_write),  # $routeSetup=r"^http_resp_write"
+    re_path(r"^class_view/(?P<untrusted>.+)", ClassView.as_view()),  # $routeSetup=r"^class_view/(?P<untrusted>.+)"
+
+    # one pattern to support `articles/page-<n>` and ensuring that articles/ goes to page-1
+    re_path(r"articles/^(?:page-(?P<page_number>\d+)/)?", show_articles),  # $routeSetup=r"articles/^(?:page-(?P<page_number>\d+)/)?"
+    # passing as positional argument is not the recommended way of doing things, but it is certainly
+    # possible
+    re_path(r"^([^/]+)/(?:foo|bar)/([^/]+)", xxs_positional_arg, name='xxs_positional_arg'),  # $routeSetup=r"^([^/]+)/(?:foo|bar)/([^/]+)"
+]
+
+
+# Show we understand the keyword arguments to from django.urls.re_path
+
+def re_path_kwargs(request):  # $routeHandler
+    return HttpResponse('re_path_kwargs')
+
+
+urlpatterns = [
+    re_path(view=re_path_kwargs, regex=r"^specifying-as-kwargs-is-not-a-problem")  # $routeSetup=r"^specifying-as-kwargs-is-not-a-problem"
+]
+
+################################################################################
+# Using path
+################################################################################
+
+# saying page_number is an externally controlled *string* is a bit strange, when we have an int converter :O
+def page_number(request, page_number=1):  # $routeHandler $routedParameter=page_number
+    return HttpResponse('page_number: {}'.format(page_number))
+
+def foo_bar_baz(request, foo, bar, baz):  # $routeHandler $routedParameter=foo $routedParameter=bar $routedParameter=baz
+    return HttpResponse('foo_bar_baz: {} {} {}'.format(foo, bar, baz))
+
+def path_kwargs(request, foo, bar):  # $routeHandler $routedParameter=foo $routedParameter=bar
+    return HttpResponse('path_kwargs: {} {} {}'.format(foo, bar))
+
+def not_valid_identifier(request):  # $routeHandler
+    return HttpResponse('<foo!>')
+
+urlpatterns = [
+    path("articles/", page_number),  # $routeSetup="articles/"
+    path("articles/page-<int:page_number>", page_number),  # $routeSetup="articles/page-<int:page_number>"
+    path("<int:foo>/<str:bar>/<baz>", foo_bar_baz, name='foo-bar-baz'),  # $routeSetup="<int:foo>/<str:bar>/<baz>"
+
+    path(view=path_kwargs, route="<foo>/<bar>"),  # $routeSetup="<foo>/<bar>"
+
+    # We should not report there is a request parameter called `not_valid!`
+    path("not_valid/<not_valid!>", not_valid_identifier),  # $routeSetup="not_valid/<not_valid!>"
+]