
Commit e8fdff7

committed
Python: Expand ExternalAPIs test
We never had a showcase of how keyword arguments are handled.
1 parent 6577281 commit e8fdff7


3 files changed

+20
-1
lines changed

Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
| hmac.new [param 1] | 1 | 1 |
1+
| hmac.new [param 1] | 2 | 1 |
Lines changed: 7 additions & 0 deletions
@@ -1,16 +1,23 @@
11
edges
22
| test.py:0:0:0:0 | ModuleVariableNode for test.request | test.py:13:16:13:22 | ControlFlowNode for request |
3+
| test.py:0:0:0:0 | ModuleVariableNode for test.request | test.py:23:16:23:22 | ControlFlowNode for request |
34
| test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:5:26:5:32 | GSSA Variable request |
45
| test.py:5:26:5:32 | GSSA Variable request | test.py:0:0:0:0 | ModuleVariableNode for test.request |
56
| test.py:13:16:13:22 | ControlFlowNode for request | test.py:13:16:13:27 | ControlFlowNode for Attribute |
67
| test.py:13:16:13:27 | ControlFlowNode for Attribute | test.py:15:36:15:39 | ControlFlowNode for data |
8+
| test.py:23:16:23:22 | ControlFlowNode for request | test.py:23:16:23:27 | ControlFlowNode for Attribute |
9+
| test.py:23:16:23:27 | ControlFlowNode for Attribute | test.py:25:44:25:47 | ControlFlowNode for data |
710
nodes
811
| test.py:0:0:0:0 | ModuleVariableNode for test.request | semmle.label | ModuleVariableNode for test.request |
912
| test.py:5:26:5:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
1013
| test.py:5:26:5:32 | GSSA Variable request | semmle.label | GSSA Variable request |
1114
| test.py:13:16:13:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
1215
| test.py:13:16:13:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
1316
| test.py:15:36:15:39 | ControlFlowNode for data | semmle.label | ControlFlowNode for data |
17+
| test.py:23:16:23:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
18+
| test.py:23:16:23:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
19+
| test.py:25:44:25:47 | ControlFlowNode for data | semmle.label | ControlFlowNode for data |
1420
subpaths
1521
#select
1622
| test.py:15:36:15:39 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:15:36:15:39 | ControlFlowNode for data | Call to hmac.new [param 1] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember |
23+
| test.py:25:44:25:47 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:25:44:25:47 | ControlFlowNode for data | Call to hmac.new [param 1] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember |

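--- a/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/test.py
+++ b/python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/test.py
@@ -18,18 +18,30 @@ def hmac_example():
 return "ok"
 
 
+@app.route("/hmac-example2")
+def hmac_example2():
+data_raw = request.args.get("data").encode('utf-8')
+data = base64.decodebytes(data_raw)
+my_hmac = hmac.new(key=SECRET_KEY, msg=data, digestmod=hashlib.sha256)
+digest = my_hmac.digest()
+print(digest)
+return "ok"
+
+
 @app.route("/unknown-lib-1")
 def unknown_lib_1():
 from unknown.lib import func
 data = request.args.get("data")
 func(data) # TODO: currently not recognized
+func(kw=data) # TODO: currently not recognized
 
 
 @app.route("/unknown-lib-2")
 def unknown_lib_2():
 import unknown.lib
 data = request.args.get("data")
 unknown.lib.func(data) # TODO: currently not recognized
+unknown.lib.func(kw=data) # TODO: currently not recognized
 
 
 if __name__ == "__main__":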
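Review bot: hmac_example2 is the keyword-argument twin of hmac_example, but nothing in the fixture says so; a one-line comment above its decorator such as `# same as hmac_example, but passing key/msg/digestmod as keyword arguments` would make the purpose stated in the commit message visible to whoever next edits this test. The two added TODO lines in unknown_lib_1 and unknown_lib_2 (`func(kw=data)`, `unknown.lib.func(kw=data)`) repeat the same bare "currently not recognized" text as the positional call above them, so a reader cannot tell whether the keyword form is a separate gap; `# TODO: keyword argument to unknown library currently not recognized` would distinguish them. Separately, `request.args.get("data").encode('utf-8')` raises AttributeError when the parameter is absent and `base64.decodebytes` raises binascii.Error on malformed input, which is acceptable for a taint-tracking fixture but worth noting so the file is not read as an example of correct request handling. hmac_example's body starts before this hunk and the `if __name__` block continues after it.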
