Python: Add FastAPI request test

RasmusWL · joefarebrother · RasmusWL · commit 79dfbf7b2168 · 2024-12-18T15:48:29.000+01:00
Co-authored-by: Joe Farebrother &lt;joefarebrother@github.com&gt;
diff --git a/python/ql/test/library-tests/frameworks/fastapi/taint_test.py b/python/ql/test/library-tests/frameworks/fastapi/taint_test.py
@@ -187,3 +187,38 @@ async def websocket_test(websocket: WebSocket): # $ requestHandler routedParamet
 
     async for data in  websocket.iter_json():
         ensure_tainted(data) # $ tainted
+
+
+# --- Request ---
+
+import starlette.requests
+from fastapi import Request
+
+
+assert Request == starlette.requests.Request
+
+@app.websocket("/req") # $ routeSetup="/req"
+async def request_test(request: Request): # $ requestHandler routedParameter=request
+    ensure_tainted(
+        request, # $ tainted
+
+        await request.body(), # $ MISSING: tainted
+
+        await request.json(), # $ MISSING: tainted
+        await request.json()["key"], # $ MISSING: tainted
+
+        # form() returns a FormDat (which is a starlette ImmutableMultiDict)
+        await request.form(), # $ MISSING: tainted
+        await request.form()["key"], # $ MISSING: tainted
+        await request.form().getlist("key"), # $ MISSING: tainted
+        await request.form().getlist("key")[0], # $ MISSING: tainted
+        # data in the form could be an starlette.datastructures.UploadFile
+        await request.form()["file"].filename, # $ MISSING: tainted
+        await request.form().getlist("file")[0].filename, # $ MISSING: tainted
+
+        request.cookies, # $ MISSING: tainted
+        request.cookies["key"], # $ MISSING: tainted
+    )
+
+    async for chunk in request.stream():
+        ensure_tainted(chunk) # $ MISSING: tainted
