Python: Expand py/flask-debug tests a bit

RasmusWL · RasmusWL · commit 0cad5ce5ca7e · 2021-02-24T11:35:17.000+01:00
diff --git a/python/ql/test/query-tests/Security/CWE-215/FlaskDebug.expected b/python/ql/test/query-tests/Security/CWE-215/FlaskDebug.expected
@@ -2,3 +2,4 @@
 | test.py:25:1:25:20 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |
 | test.py:29:1:29:20 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |
 | test.py:37:1:37:18 | ControlFlowNode for runapp() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |
+| test.py:42:1:42:35 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |
diff --git a/python/ql/test/query-tests/Security/CWE-215/settings.py b/python/ql/test/query-tests/Security/CWE-215/settings.py
@@ -0,0 +1 @@
+ALWAYS_TRUE = True
diff --git a/python/ql/test/query-tests/Security/CWE-215/test.py b/python/ql/test/query-tests/Security/CWE-215/test.py
@@ -22,16 +22,29 @@ def main():
 
 DEBUG = True
 
-app.run(debug=DEBUG)
+app.run(debug=DEBUG) # NOT OK
 
 DEBUG = 1
 
-app.run(debug=DEBUG)
+app.run(debug=DEBUG) # NOT OK
 
 if False:
     app.run(debug=True)
 
 
 
 runapp = app.run
-runapp(debug=True)
+runapp(debug=True) # NOT OK
+
+
+# imports from other module
+import settings
+app.run(debug=settings.ALWAYS_TRUE) # NOT OK
+
+
+# depending on environment values
+import os
+
+DEPENDS_ON_ENV = os.environ["ENV"] == "dev"
+
+app.run(debug=DEPENDS_ON_ENV) # OK
