Skip to content

Commit c0d71f7

Browse files
RasmusWLRasmusWL
committed
Python: Add taint test for django v2/v3
1 parent 09a2a6c commit c0d71f7

File tree

3 files changed

+241
-0
lines changed

3 files changed

+241
-0
lines changed

python/ql/test/experimental/library-tests/frameworks/django-v2-v3/ConceptsTest.expected

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,5 +24,8 @@
2424
| routing_test.py:84:38:84:94 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar | Missing result:routedParameter=bar |
2525
| routing_test.py:84:38:84:94 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar | Missing result:routedParameter=foo |
2626
| routing_test.py:87:37:87:51 | Comment # $routeHandler | Missing result:routeHandler= |
27+
| taint_test.py:6:60:6:116 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar | Missing result:routeHandler= |
28+
| taint_test.py:6:60:6:116 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar | Missing result:routedParameter=bar |
29+
| taint_test.py:6:60:6:116 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar | Missing result:routedParameter=foo |
2730
| testapp/views.py:3:33:3:47 | Comment # $routeHandler | Missing result:routeHandler= |
2831
| testapp/views.py:6:37:6:51 | Comment # $routeHandler | Missing result:routeHandler= |

python/ql/test/experimental/library-tests/frameworks/django-v2-v3/TestTaint.expected

Lines changed: 82 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,82 @@
1+
| taint_test.py:7 | fail | test_taint | bar |
2+
| taint_test.py:7 | fail | test_taint | foo |
3+
| taint_test.py:8 | ok | test_taint | baz |
4+
| taint_test.py:14 | fail | test_taint | request |
5+
| taint_test.py:16 | fail | test_taint | request.body |
6+
| taint_test.py:17 | fail | test_taint | request.path |
7+
| taint_test.py:18 | fail | test_taint | request.path_info |
8+
| taint_test.py:22 | fail | test_taint | request.method |
9+
| taint_test.py:24 | fail | test_taint | request.encoding |
10+
| taint_test.py:25 | fail | test_taint | request.content_type |
11+
| taint_test.py:28 | fail | test_taint | request.content_params |
12+
| taint_test.py:29 | fail | test_taint | request.content_params["key"] |
13+
| taint_test.py:30 | fail | test_taint | request.content_params.get(..) |
14+
| taint_test.py:34 | fail | test_taint | request.GET |
15+
| taint_test.py:35 | fail | test_taint | request.GET["key"] |
16+
| taint_test.py:36 | fail | test_taint | request.GET.get(..) |
17+
| taint_test.py:37 | fail | test_taint | request.GET.getlist(..) |
18+
| taint_test.py:38 | fail | test_taint | request.GET.getlist(..)[0] |
19+
| taint_test.py:39 | fail | test_taint | request.GET.pop(..) |
20+
| taint_test.py:40 | fail | test_taint | request.GET.pop(..)[0] |
21+
| taint_test.py:41 | fail | test_taint | request.GET.popitem()[0] |
22+
| taint_test.py:42 | fail | test_taint | request.GET.popitem()[1] |
23+
| taint_test.py:43 | fail | test_taint | request.GET.popitem()[1][0] |
24+
| taint_test.py:44 | fail | test_taint | request.GET.dict() |
25+
| taint_test.py:45 | fail | test_taint | request.GET.dict()["key"] |
26+
| taint_test.py:46 | fail | test_taint | request.GET.urlencode() |
27+
| taint_test.py:49 | fail | test_taint | request.POST |
28+
| taint_test.py:52 | fail | test_taint | request.COOKIES |
29+
| taint_test.py:53 | fail | test_taint | request.COOKIES["key"] |
30+
| taint_test.py:54 | fail | test_taint | request.COOKIES.get(..) |
31+
| taint_test.py:57 | fail | test_taint | request.FILES |
32+
| taint_test.py:58 | fail | test_taint | request.FILES["key"] |
33+
| taint_test.py:59 | fail | test_taint | request.FILES["key"].content_type |
34+
| taint_test.py:60 | fail | test_taint | request.FILES["key"].content_type_extra |
35+
| taint_test.py:61 | fail | test_taint | request.FILES["key"].content_type_extra["key"] |
36+
| taint_test.py:62 | fail | test_taint | request.FILES["key"].charset |
37+
| taint_test.py:63 | fail | test_taint | request.FILES["key"].name |
38+
| taint_test.py:64 | fail | test_taint | request.FILES["key"].file |
39+
| taint_test.py:65 | fail | test_taint | request.FILES["key"].file.read() |
40+
| taint_test.py:67 | fail | test_taint | request.FILES.get(..) |
41+
| taint_test.py:68 | fail | test_taint | request.FILES.get(..).name |
42+
| taint_test.py:69 | fail | test_taint | request.FILES.getlist(..) |
43+
| taint_test.py:70 | fail | test_taint | request.FILES.getlist(..)[0] |
44+
| taint_test.py:71 | fail | test_taint | request.FILES.getlist(..)[0].name |
45+
| taint_test.py:72 | fail | test_taint | request.FILES.dict() |
46+
| taint_test.py:73 | fail | test_taint | request.FILES.dict()["key"] |
47+
| taint_test.py:74 | fail | test_taint | request.FILES.dict()["key"].name |
48+
| taint_test.py:77 | fail | test_taint | request.META |
49+
| taint_test.py:78 | fail | test_taint | request.META["HTTP_USER_AGENT"] |
50+
| taint_test.py:79 | fail | test_taint | request.META.get(..) |
51+
| taint_test.py:82 | fail | test_taint | request.headers |
52+
| taint_test.py:83 | fail | test_taint | request.headers["user-agent"] |
53+
| taint_test.py:84 | fail | test_taint | request.headers["USER_AGENT"] |
54+
| taint_test.py:87 | fail | test_taint | request.resolver_match |
55+
| taint_test.py:88 | fail | test_taint | request.resolver_match.args |
56+
| taint_test.py:89 | fail | test_taint | request.resolver_match.args[0] |
57+
| taint_test.py:90 | fail | test_taint | request.resolver_match.kwargs |
58+
| taint_test.py:91 | fail | test_taint | request.resolver_match.kwargs["key"] |
59+
| taint_test.py:93 | fail | test_taint | request.get_full_path() |
60+
| taint_test.py:94 | fail | test_taint | request.get_full_path_info() |
61+
| taint_test.py:98 | fail | test_taint | request.read() |
62+
| taint_test.py:99 | fail | test_taint | request.readline() |
63+
| taint_test.py:100 | fail | test_taint | request.readlines() |
64+
| taint_test.py:101 | fail | test_taint | request.readlines()[0] |
65+
| taint_test.py:102 | fail | test_taint | ListComp |
66+
| taint_test.py:108 | fail | test_taint | args |
67+
| taint_test.py:109 | fail | test_taint | args[0] |
68+
| taint_test.py:110 | fail | test_taint | kwargs |
69+
| taint_test.py:111 | fail | test_taint | kwargs["key"] |
70+
| taint_test.py:115 | ok | test_taint | request.current_app |
71+
| taint_test.py:120 | ok | test_taint | request.get_host() |
72+
| taint_test.py:121 | ok | test_taint | request.get_port() |
73+
| taint_test.py:128 | fail | test_taint | request.build_absolute_uri() |
74+
| taint_test.py:129 | fail | test_taint | request.build_absolute_uri(..) |
75+
| taint_test.py:130 | fail | test_taint | request.build_absolute_uri(..) |
76+
| taint_test.py:133 | ok | test_taint | request.build_absolute_uri(..) |
77+
| taint_test.py:134 | ok | test_taint | request.build_absolute_uri(..) |
78+
| taint_test.py:142 | ok | test_taint | request.get_signed_cookie(..) |
79+
| taint_test.py:143 | ok | test_taint | request.get_signed_cookie(..) |
80+
| taint_test.py:144 | ok | test_taint | request.get_signed_cookie(..) |
81+
| taint_test.py:148 | fail | test_taint | request.get_signed_cookie(..) |
82+
| taint_test.py:149 | fail | test_taint | request.get_signed_cookie(..) |

python/ql/test/experimental/library-tests/frameworks/django-v2-v3/taint_test.py

Lines changed: 156 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,156 @@
1+
"""testing views for Django 2.x and 3.x"""
2+
from django.urls import path
3+
from django.http import HttpRequest
4+
5+
6+
def test_taint(request: HttpRequest, foo, bar, baz=None): # $routeHandler $routedParameter=foo $routedParameter=bar
7+
ensure_tainted(foo, bar)
8+
ensure_not_tainted(baz)
9+
10+
# Manually inspected all fields of the HttpRequest object
11+
# https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects
12+
13+
ensure_tainted(
14+
request,
15+
16+
request.body,
17+
request.path,
18+
request.path_info,
19+
20+
# With CSRF middleware disabled, it's possible to use custom methods,
21+
# for example by `curl -X FOO <url>`
22+
request.method,
23+
24+
request.encoding,
25+
request.content_type,
26+
27+
# Dict[str, str]
28+
request.content_params,
29+
request.content_params["key"],
30+
request.content_params.get("key"),
31+
32+
# django.http.QueryDict
33+
# see https://docs.djangoproject.com/en/3.0/ref/request-response/#querydict-objects
34+
request.GET,
35+
request.GET["key"],
36+
request.GET.get("key"),
37+
request.GET.getlist("key"),
38+
request.GET.getlist("key")[0],
39+
request.GET.pop("key"),
40+
request.GET.pop("key")[0],
41+
request.GET.popitem()[0], # key
42+
request.GET.popitem()[1], # values
43+
request.GET.popitem()[1][0], # values[0]
44+
request.GET.dict(),
45+
request.GET.dict()["key"],
46+
request.GET.urlencode(),
47+
48+
# django.http.QueryDict (same as above, did not duplicate tests)
49+
request.POST,
50+
51+
# Dict[str, str]
52+
request.COOKIES,
53+
request.COOKIES["key"],
54+
request.COOKIES.get("key"),
55+
56+
# MultiValueDict[str, UploadedFile]
57+
request.FILES,
58+
request.FILES["key"],
59+
request.FILES["key"].content_type,
60+
request.FILES["key"].content_type_extra,
61+
request.FILES["key"].content_type_extra["key"],
62+
request.FILES["key"].charset,
63+
request.FILES["key"].name,
64+
request.FILES["key"].file,
65+
request.FILES["key"].file.read(),
66+
67+
request.FILES.get("key"),
68+
request.FILES.get("key").name,
69+
request.FILES.getlist("key"),
70+
request.FILES.getlist("key")[0],
71+
request.FILES.getlist("key")[0].name,
72+
request.FILES.dict(),
73+
request.FILES.dict()["key"],
74+
request.FILES.dict()["key"].name,
75+
76+
# Dict[str, Any]
77+
request.META,
78+
request.META["HTTP_USER_AGENT"],
79+
request.META.get("HTTP_USER_AGENT"),
80+
81+
# HttpHeaders (case insensitive dict-like)
82+
request.headers,
83+
request.headers["user-agent"],
84+
request.headers["USER_AGENT"],
85+
86+
# django.urls.ResolverMatch
87+
request.resolver_match,
88+
request.resolver_match.args,
89+
request.resolver_match.args[0],
90+
request.resolver_match.kwargs,
91+
request.resolver_match.kwargs["key"],
92+
93+
request.get_full_path(),
94+
request.get_full_path_info(),
95+
# build_absolute_uri handled below
96+
# get_signed_cookie handled below
97+
98+
request.read(),
99+
request.readline(),
100+
request.readlines(),
101+
request.readlines()[0],
102+
[line for line in request],
103+
)
104+
105+
# django.urls.ResolverMatch also supports iterable unpacking
106+
_view, args, kwargs = request.resolver_match
107+
ensure_tainted(
108+
args,
109+
args[0],
110+
kwargs,
111+
kwargs["key"],
112+
)
113+
114+
ensure_not_tainted(
115+
request.current_app,
116+
117+
# Django has `ALLOWED_HOSTS` to ensure the HOST value cannot be tampered with.
118+
# It is possible to remove this protection, but it seems reasonable to assume
119+
# people don"t do this by default.
120+
request.get_host(),
121+
request.get_port(),
122+
)
123+
124+
####################################
125+
# build_absolute_uri
126+
####################################
127+
ensure_tainted(
128+
request.build_absolute_uri(),
129+
request.build_absolute_uri(request.GET["key"]),
130+
request.build_absolute_uri(location=request.GET["key"]),
131+
)
132+
ensure_not_tainted(
133+
request.build_absolute_uri("/hardcoded/"),
134+
request.build_absolute_uri("https://example.com"),
135+
)
136+
137+
####################################
138+
# get_signed_cookie
139+
####################################
140+
# We don't consider user to be able to tamper with cookies that are signed
141+
ensure_not_tainted(
142+
request.get_signed_cookie("key"),
143+
request.get_signed_cookie("key", salt="salt"),
144+
request.get_signed_cookie("key", max_age=60),
145+
)
146+
# However, providing tainted default value might result in taint
147+
ensure_tainted(
148+
request.get_signed_cookie("key", request.COOKIES["key"]),
149+
request.get_signed_cookie("key", default=request.COOKIES["key"]),
150+
)
151+
152+
153+
# fake setup, you can't actually run this
154+
urlpatterns = [
155+
path("test-taint/<foo>/<bar>", test_taint), # $routeSetup="test-taint/<foo>/<bar>"
156+
]

0 commit comments

Comments
 (0)