Python: Copy old flask tests to new dataflow setup

Author: RasmusWL

python/ql/test/experimental/library-tests/frameworks/flask/TestTaint.expected

@@ -1,98 +1,98 @@
-| test.py:6 | fail | test_taint | name |
-| test.py:6 | fail | test_taint | number |
-| test.py:7 | ok   | test_taint | foo |
-| test.py:14 | ok   | test_taint | request.environ |
-| test.py:15 | ok   | test_taint | request.environ.get(..) |
-| test.py:17 | ok   | test_taint | request.path |
-| test.py:18 | ok   | test_taint | request.full_path |
-| test.py:19 | ok   | test_taint | request.base_url |
-| test.py:20 | ok   | test_taint | request.url |
-| test.py:23 | fail | test_taint | request.accept_charsets.best |
-| test.py:24 | fail | test_taint | request.accept_charsets.best_match(..) |
-| test.py:25 | ok   | test_taint | request.accept_charsets[0] |
-| test.py:26 | ok   | test_taint | request.accept_encodings |
-| test.py:27 | ok   | test_taint | request.accept_languages |
-| test.py:28 | ok   | test_taint | request.accept_mimetypes |
-| test.py:31 | ok   | test_taint | request.access_control_request_headers |
-| test.py:33 | ok   | test_taint | request.access_control_request_method |
-| test.py:35 | ok   | test_taint | request.access_route |
-| test.py:36 | ok   | test_taint | request.access_route[0] |
-| test.py:39 | ok   | test_taint | request.args |
-| test.py:40 | ok   | test_taint | request.args['key'] |
-| test.py:41 | ok   | test_taint | request.args.getlist(..) |
-| test.py:44 | ok   | test_taint | request.authorization |
-| test.py:45 | ok   | test_taint | request.authorization['username'] |
-| test.py:46 | fail | test_taint | request.authorization.username |
-| test.py:49 | ok   | test_taint | request.cache_control |
-| test.py:51 | fail | test_taint | request.cache_control.max_age |
-| test.py:52 | fail | test_taint | request.cache_control.max_stale |
-| test.py:53 | fail | test_taint | request.cache_control.min_fresh |
-| test.py:55 | ok   | test_taint | request.content_encoding |
-| test.py:57 | ok   | test_taint | request.content_md5 |
-| test.py:59 | ok   | test_taint | request.content_type |
-| test.py:62 | ok   | test_taint | request.cookies |
-| test.py:63 | ok   | test_taint | request.cookies['key'] |
-| test.py:65 | ok   | test_taint | request.data |
-| test.py:68 | ok   | test_taint | request.files |
-| test.py:69 | ok   | test_taint | request.files['key'] |
-| test.py:70 | fail | test_taint | request.files['key'].filename |
-| test.py:71 | fail | test_taint | request.files['key'].stream |
-| test.py:72 | ok   | test_taint | request.files.getlist(..) |
-| test.py:73 | fail | test_taint | request.files.getlist(..)[0].filename |
-| test.py:74 | fail | test_taint | request.files.getlist(..)[0].stream |
-| test.py:77 | ok   | test_taint | request.form |
-| test.py:78 | ok   | test_taint | request.form['key'] |
-| test.py:79 | ok   | test_taint | request.form.getlist(..) |
-| test.py:81 | ok   | test_taint | request.get_data() |
-| test.py:83 | ok   | test_taint | request.get_json() |
-| test.py:84 | ok   | test_taint | request.get_json()['foo'] |
-| test.py:85 | ok   | test_taint | request.get_json()['foo']['bar'] |
-| test.py:89 | ok   | test_taint | request.headers |
-| test.py:90 | ok   | test_taint | request.headers['key'] |
-| test.py:91 | fail | test_taint | request.headers.get_all(..) |
-| test.py:92 | fail | test_taint | request.headers.getlist(..) |
-| test.py:93 | ok   | test_taint | list(..) |
-| test.py:94 | fail | test_taint | request.headers.to_wsgi_list() |
-| test.py:96 | ok   | test_taint | request.json |
-| test.py:97 | ok   | test_taint | request.json['foo'] |
-| test.py:98 | ok   | test_taint | request.json['foo']['bar'] |
-| test.py:100 | ok   | test_taint | request.method |
-| test.py:102 | ok   | test_taint | request.mimetype |
-| test.py:104 | ok   | test_taint | request.mimetype_params |
-| test.py:106 | ok   | test_taint | request.origin |
-| test.py:109 | ok   | test_taint | request.pragma |
-| test.py:111 | ok   | test_taint | request.query_string |
-| test.py:113 | ok   | test_taint | request.referrer |
-| test.py:115 | ok   | test_taint | request.remote_addr |
-| test.py:117 | ok   | test_taint | request.remote_user |
-| test.py:120 | ok   | test_taint | request.stream |
-| test.py:121 | ok   | test_taint | request.input_stream |
-| test.py:123 | ok   | test_taint | request.url |
-| test.py:125 | ok   | test_taint | request.user_agent |
-| test.py:128 | ok   | test_taint | request.values |
-| test.py:129 | ok   | test_taint | request.values['key'] |
-| test.py:130 | ok   | test_taint | request.values.getlist(..) |
-| test.py:133 | ok   | test_taint | request.view_args |
-| test.py:134 | ok   | test_taint | request.view_args['key'] |
-| test.py:138 | ok   | test_taint | request.script_root |
-| test.py:139 | ok   | test_taint | request.url_root |
-| test.py:143 | ok   | test_taint | request.charset |
-| test.py:144 | ok   | test_taint | request.url_charset |
-| test.py:148 | ok   | test_taint | request.date |
-| test.py:151 | ok   | test_taint | request.endpoint |
-| test.py:156 | ok   | test_taint | request.host |
-| test.py:157 | ok   | test_taint | request.host_url |
-| test.py:159 | ok   | test_taint | request.scheme |
-| test.py:161 | ok   | test_taint | request.script_root |
-| test.py:169 | ok   | test_taint | request.args |
-| test.py:170 | ok   | test_taint | a |
-| test.py:171 | ok   | test_taint | b |
-| test.py:173 | ok   | test_taint | request.args['key'] |
-| test.py:174 | ok   | test_taint | a['key'] |
-| test.py:175 | ok   | test_taint | b['key'] |
-| test.py:177 | ok   | test_taint | request.args.getlist(..) |
-| test.py:178 | ok   | test_taint | a.getlist(..) |
-| test.py:179 | ok   | test_taint | b.getlist(..) |
-| test.py:180 | ok   | test_taint | gl(..) |
-| test.py:187 | ok   | test_taint | req.path |
-| test.py:188 | ok   | test_taint | gd() |
+| taint_test.py:6 | fail | test_taint | name |
+| taint_test.py:6 | fail | test_taint | number |
+| taint_test.py:7 | ok   | test_taint | foo |
+| taint_test.py:14 | ok   | test_taint | request.environ |
+| taint_test.py:15 | ok   | test_taint | request.environ.get(..) |
+| taint_test.py:17 | ok   | test_taint | request.path |
+| taint_test.py:18 | ok   | test_taint | request.full_path |
+| taint_test.py:19 | ok   | test_taint | request.base_url |
+| taint_test.py:20 | ok   | test_taint | request.url |
+| taint_test.py:23 | fail | test_taint | request.accept_charsets.best |
+| taint_test.py:24 | fail | test_taint | request.accept_charsets.best_match(..) |
+| taint_test.py:25 | ok   | test_taint | request.accept_charsets[0] |
+| taint_test.py:26 | ok   | test_taint | request.accept_encodings |
+| taint_test.py:27 | ok   | test_taint | request.accept_languages |
+| taint_test.py:28 | ok   | test_taint | request.accept_mimetypes |
+| taint_test.py:31 | ok   | test_taint | request.access_control_request_headers |
+| taint_test.py:33 | ok   | test_taint | request.access_control_request_method |
+| taint_test.py:35 | ok   | test_taint | request.access_route |
+| taint_test.py:36 | ok   | test_taint | request.access_route[0] |
+| taint_test.py:39 | ok   | test_taint | request.args |
+| taint_test.py:40 | ok   | test_taint | request.args['key'] |
+| taint_test.py:41 | ok   | test_taint | request.args.getlist(..) |
+| taint_test.py:44 | ok   | test_taint | request.authorization |
+| taint_test.py:45 | ok   | test_taint | request.authorization['username'] |
+| taint_test.py:46 | fail | test_taint | request.authorization.username |
+| taint_test.py:49 | ok   | test_taint | request.cache_control |
+| taint_test.py:51 | fail | test_taint | request.cache_control.max_age |
+| taint_test.py:52 | fail | test_taint | request.cache_control.max_stale |
+| taint_test.py:53 | fail | test_taint | request.cache_control.min_fresh |
+| taint_test.py:55 | ok   | test_taint | request.content_encoding |
+| taint_test.py:57 | ok   | test_taint | request.content_md5 |
+| taint_test.py:59 | ok   | test_taint | request.content_type |
+| taint_test.py:62 | ok   | test_taint | request.cookies |
+| taint_test.py:63 | ok   | test_taint | request.cookies['key'] |
+| taint_test.py:65 | ok   | test_taint | request.data |
+| taint_test.py:68 | ok   | test_taint | request.files |
+| taint_test.py:69 | ok   | test_taint | request.files['key'] |
+| taint_test.py:70 | fail | test_taint | request.files['key'].filename |
+| taint_test.py:71 | fail | test_taint | request.files['key'].stream |
+| taint_test.py:72 | ok   | test_taint | request.files.getlist(..) |
+| taint_test.py:73 | fail | test_taint | request.files.getlist(..)[0].filename |
+| taint_test.py:74 | fail | test_taint | request.files.getlist(..)[0].stream |
+| taint_test.py:77 | ok   | test_taint | request.form |
+| taint_test.py:78 | ok   | test_taint | request.form['key'] |
+| taint_test.py:79 | ok   | test_taint | request.form.getlist(..) |
+| taint_test.py:81 | ok   | test_taint | request.get_data() |
+| taint_test.py:83 | ok   | test_taint | request.get_json() |
+| taint_test.py:84 | ok   | test_taint | request.get_json()['foo'] |
+| taint_test.py:85 | ok   | test_taint | request.get_json()['foo']['bar'] |
+| taint_test.py:89 | ok   | test_taint | request.headers |
+| taint_test.py:90 | ok   | test_taint | request.headers['key'] |
+| taint_test.py:91 | fail | test_taint | request.headers.get_all(..) |
+| taint_test.py:92 | fail | test_taint | request.headers.getlist(..) |
+| taint_test.py:93 | ok   | test_taint | list(..) |
+| taint_test.py:94 | fail | test_taint | request.headers.to_wsgi_list() |
+| taint_test.py:96 | ok   | test_taint | request.json |
+| taint_test.py:97 | ok   | test_taint | request.json['foo'] |
+| taint_test.py:98 | ok   | test_taint | request.json['foo']['bar'] |
+| taint_test.py:100 | ok   | test_taint | request.method |
+| taint_test.py:102 | ok   | test_taint | request.mimetype |
+| taint_test.py:104 | ok   | test_taint | request.mimetype_params |
+| taint_test.py:106 | ok   | test_taint | request.origin |
+| taint_test.py:109 | ok   | test_taint | request.pragma |
+| taint_test.py:111 | ok   | test_taint | request.query_string |
+| taint_test.py:113 | ok   | test_taint | request.referrer |
+| taint_test.py:115 | ok   | test_taint | request.remote_addr |
+| taint_test.py:117 | ok   | test_taint | request.remote_user |
+| taint_test.py:120 | ok   | test_taint | request.stream |
+| taint_test.py:121 | ok   | test_taint | request.input_stream |
+| taint_test.py:123 | ok   | test_taint | request.url |
+| taint_test.py:125 | ok   | test_taint | request.user_agent |
+| taint_test.py:128 | ok   | test_taint | request.values |
+| taint_test.py:129 | ok   | test_taint | request.values['key'] |
+| taint_test.py:130 | ok   | test_taint | request.values.getlist(..) |
+| taint_test.py:133 | ok   | test_taint | request.view_args |
+| taint_test.py:134 | ok   | test_taint | request.view_args['key'] |
+| taint_test.py:138 | ok   | test_taint | request.script_root |
+| taint_test.py:139 | ok   | test_taint | request.url_root |
+| taint_test.py:143 | ok   | test_taint | request.charset |
+| taint_test.py:144 | ok   | test_taint | request.url_charset |
+| taint_test.py:148 | ok   | test_taint | request.date |
+| taint_test.py:151 | ok   | test_taint | request.endpoint |
+| taint_test.py:156 | ok   | test_taint | request.host |
+| taint_test.py:157 | ok   | test_taint | request.host_url |
+| taint_test.py:159 | ok   | test_taint | request.scheme |
+| taint_test.py:161 | ok   | test_taint | request.script_root |
+| taint_test.py:169 | ok   | test_taint | request.args |
+| taint_test.py:170 | ok   | test_taint | a |
+| taint_test.py:171 | ok   | test_taint | b |
+| taint_test.py:173 | ok   | test_taint | request.args['key'] |
+| taint_test.py:174 | ok   | test_taint | a['key'] |
+| taint_test.py:175 | ok   | test_taint | b['key'] |
+| taint_test.py:177 | ok   | test_taint | request.args.getlist(..) |
+| taint_test.py:178 | ok   | test_taint | a.getlist(..) |
+| taint_test.py:179 | ok   | test_taint | b.getlist(..) |
+| taint_test.py:180 | ok   | test_taint | gl(..) |
+| taint_test.py:187 | ok   | test_taint | req.path |
+| taint_test.py:188 | ok   | test_taint | gd() |

python/ql/test/experimental/library-tests/frameworks/flask/old_test.py

@@ -0,0 +1,67 @@
+import flask
+
+from flask import Flask, request, make_response
+app = Flask(__name__)
+
+@app.route("/")
+def hello_world():
+    return "Hello World!"
+
+from flask.views import MethodView
+
+class MyView(MethodView):
+
+    def get(self, user_id):
+        if user_id is None:
+            # return a list of users
+            pass
+        else:
+            # expose a single user
+            pass
+
+the_view = MyView.as_view('my_view')
+
+app.add_url_rule('/the/', defaults={'user_id': None},
+                 view_func=the_view, methods=['GET',])
+
+@app.route("/dangerous")
+def dangerous():
+    return request.args.get('payload')
+
+@app.route("/dangerous-with-cfg-split")
+def dangerous2():
+    x = request.form['param0']
+    if request.method == "POST":
+        return request.form['param1']
+    return None
+
+@app.route('/unsafe')
+def unsafe():
+    first_name = request.args.get('name', '')
+    return make_response("Your name is " + first_name)
+
+@app.route('/safe')
+def safe():
+    first_name = request.args.get('name', '')
+    return make_response("Your name is " + escape(first_name))
+
+@app.route('/hello/<name>')
+def hello(name):
+    return make_response("Your name is " + name)
+
+@app.route('/foo/<path:subpath>')
+def foo(subpath):
+    return make_response("The subpath is " + subpath)
+
+@app.route('/multiple/') # TODO: not recognized as route
+@app.route('/multiple/foo/<foo>') # TODO: not recognized as route
+@app.route('/multiple/bar/<bar>')
+def multiple(foo=None, bar=None):
+    return make_response("foo={!r} bar={!r}".format(foo, bar))
+
+@app.route('/complex/<string(length=2):lang_code>')
+def complex(lang_code):
+    return make_response("lang_code {}".format(lang_code))
+
+if __name__ == "__main__":
+    app.run(debug=True)