Python: Fix up some typos for bottle and add a few more tests.

markshannon · markshannon · commit b644891e530a · 2019-02-12T14:26:06.000Z
diff --git a/python/ql/src/semmle/python/web/bottle/General.qll b/python/ql/src/semmle/python/web/bottle/General.qll
@@ -2,12 +2,12 @@ import python
 import semmle.python.web.Http
 import semmle.python.types.Extensions
 
-/** The flask module */
+/** The bottle module */
 ModuleObject theBottleModule() {
     result = ModuleObject::named("bottle")
 }
 
-/** The flask app class */
+/** The bottle.Bottle class */
 ClassObject theBottleClass() {
     result = ModuleObject::named("bottle").getAttribute("Bottle")
 }
diff --git a/python/ql/src/semmle/python/web/bottle/Response.qll b/python/ql/src/semmle/python/web/bottle/Response.qll
@@ -6,7 +6,7 @@ import semmle.python.web.Http
 import semmle.python.web.bottle.General
 
 
-/** A django.http.response.Response object
+/** A bottle.Response object
  * This isn't really a "taint", but we use the value tracking machinery to
  * track the flow of response objects.
  */
@@ -19,7 +19,7 @@ class BottleResponse extends TaintKind {
 }
 
 private Object theBottleResponseObject() {
-    result = theBottleModule().getAttribute("request")
+    result = theBottleModule().getAttribute("response")
 }
 
 class BottleResponseBodyAssignment extends TaintSink {
@@ -32,7 +32,7 @@ class BottleResponseBodyAssignment extends TaintSink {
     }
 
     override predicate sinks(TaintKind kind) {
-        kind instanceof StringKind
+        kind instanceof UntrustedStringKind
     }
 
 }
diff --git a/python/ql/test/library-tests/web/bottle/Routing.expected b/python/ql/test/library-tests/web/bottle/Routing.expected
@@ -4,3 +4,4 @@
 | /other | test.py:17:1:17:12 | Function other |
 | /wrong/<where> | test.py:27:1:27:31 | Function unsafe |
 | /wrong/url | test.py:23:1:23:11 | Function safe |
+| /xss | test.py:35:1:35:16 | Function maybe_xss |
diff --git a/python/ql/test/library-tests/web/bottle/Sinks.expected b/python/ql/test/library-tests/web/bottle/Sinks.expected
@@ -1,3 +1,4 @@
 | test.py:9 | BinaryExpr | externally controlled string |
 | test.py:13 | BinaryExpr | externally controlled string |
 | test.py:19 | BinaryExpr | externally controlled string |
+| test.py:36 | BinaryExpr | externally controlled string |
diff --git a/python/ql/test/library-tests/web/bottle/Sources.expected b/python/ql/test/library-tests/web/bottle/Sources.expected
@@ -7,3 +7,4 @@
 | test.py:18 | request | bottle.request |
 | test.py:27 | where | externally controlled string |
 | test.py:32 | request | bottle.request |
+| test.py:36 | request | bottle.request |
diff --git a/python/ql/test/library-tests/web/bottle/Taint.expected b/python/ql/test/library-tests/web/bottle/Taint.expected
@@ -19,3 +19,7 @@
 | test.py:32 | Attribute | bottle.FormsDict |
 | test.py:32 | Attribute | externally controlled string |
 | test.py:32 | request | bottle.request |
+| test.py:36 | Attribute | bottle.FormsDict |
+| test.py:36 | Attribute | externally controlled string |
+| test.py:36 | BinaryExpr | externally controlled string |
+| test.py:36 | request | bottle.request |
diff --git a/python/ql/test/library-tests/web/bottle/test.py b/python/ql/test/library-tests/web/bottle/test.py
@@ -1,6 +1,6 @@
 
 
-from bottle import Bottle, route, request, redirect
+from bottle import Bottle, route, request, redirect, response
 
 app = Bottle()
 
@@ -30,3 +30,7 @@ def unsafe(where="/right/url"):
 @route('/args')
 def unsafe2():
     redirect(request.query.where, code)
+
+@route('/xss')
+def maybe_xss():
+    response.body = "name is " + request.query.name

Original file line number	Diff line number	Diff line change
`@@ -2,12 +2,12 @@ import python`
`2`	`2`	`import semmle.python.web.Http`
`3`	`3`	`import semmle.python.types.Extensions`
`4`	`4`
`5`		`-/** The flask module */`
	`5`	`+/** The bottle module */`
`6`	`6`	`ModuleObject theBottleModule() {`
`7`	`7`	`result = ModuleObject::named("bottle")`
`8`	`8`	`}`
`9`	`9`
`10`		`-/** The flask app class */`
	`10`	`+/** The bottle.Bottle class */`
`11`	`11`	`ClassObject theBottleClass() {`
`12`	`12`	`result = ModuleObject::named("bottle").getAttribute("Bottle")`
`13`	`13`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ import semmle.python.web.Http`
`6`	`6`	`import semmle.python.web.bottle.General`
`7`	`7`
`8`	`8`
`9`		`-/** A django.http.response.Response object`
	`9`	`+/** A bottle.Response object`
`10`	`10`	`* This isn't really a "taint", but we use the value tracking machinery to`
`11`	`11`	`* track the flow of response objects.`
`12`	`12`	`*/`
`@@ -19,7 +19,7 @@ class BottleResponse extends TaintKind {`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`private Object theBottleResponseObject() {`
`22`		`- result = theBottleModule().getAttribute("request")`
	`22`	`+ result = theBottleModule().getAttribute("response")`
`23`	`23`	`}`
`24`	`24`
`25`	`25`	`class BottleResponseBodyAssignment extends TaintSink {`
`@@ -32,7 +32,7 @@ class BottleResponseBodyAssignment extends TaintSink {`
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`override predicate sinks(TaintKind kind) {`
`35`		`- kind instanceof StringKind`
	`35`	`+ kind instanceof UntrustedStringKind`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`}`