Python: add test for __traceback__

yoff · yoff · commit 296297915cb3 · 2021-03-07T17:50:28.000+01:00
diff --git a/python/ql/test/query-tests/Security/CWE-209/StackTraceExposure.expected b/python/ql/test/query-tests/Security/CWE-209/StackTraceExposure.expected
@@ -1,11 +1,11 @@
 edges
-| test.py:33:15:33:36 | ControlFlowNode for Attribute() | test.py:34:29:34:31 | ControlFlowNode for err |
-| test.py:34:29:34:31 | ControlFlowNode for err | test.py:34:16:34:32 | ControlFlowNode for format_error() |
+| test.py:49:15:49:36 | ControlFlowNode for Attribute() | test.py:50:29:50:31 | ControlFlowNode for err |
+| test.py:50:29:50:31 | ControlFlowNode for err | test.py:50:16:50:32 | ControlFlowNode for format_error() |
 nodes
 | test.py:16:16:16:37 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| test.py:33:15:33:36 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| test.py:34:16:34:32 | ControlFlowNode for format_error() | semmle.label | ControlFlowNode for format_error() |
-| test.py:34:29:34:31 | ControlFlowNode for err | semmle.label | ControlFlowNode for err |
+| test.py:49:15:49:36 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| test.py:50:16:50:32 | ControlFlowNode for format_error() | semmle.label | ControlFlowNode for format_error() |
+| test.py:50:29:50:31 | ControlFlowNode for err | semmle.label | ControlFlowNode for err |
 #select
 | test.py:16:16:16:37 | ControlFlowNode for Attribute() | test.py:16:16:16:37 | ControlFlowNode for Attribute() | test.py:16:16:16:37 | ControlFlowNode for Attribute() | $@ may be exposed to an external user | test.py:16:16:16:37 | ControlFlowNode for Attribute() | Error information |
-| test.py:34:16:34:32 | ControlFlowNode for format_error() | test.py:33:15:33:36 | ControlFlowNode for Attribute() | test.py:34:16:34:32 | ControlFlowNode for format_error() | $@ may be exposed to an external user | test.py:33:15:33:36 | ControlFlowNode for Attribute() | Error information |
+| test.py:50:16:50:32 | ControlFlowNode for format_error() | test.py:49:15:49:36 | ControlFlowNode for Attribute() | test.py:50:16:50:32 | ControlFlowNode for format_error() | $@ may be exposed to an external user | test.py:49:15:49:36 | ControlFlowNode for Attribute() | Error information |
diff --git a/python/ql/test/query-tests/Security/CWE-209/test.py b/python/ql/test/query-tests/Security/CWE-209/test.py
@@ -12,15 +12,31 @@ def do_computation():
 def server_bad():
     try:
         do_computation()
-    except Exception as e:  #$ exceptionInfo
+    except Exception:
         return traceback.format_exc()  #$ exceptionInfo
 
+# BAD
+@app.route('/bad/clearly')
+def server_bad():
+    try:
+        do_computation()
+    except Exception as e:  #$ exceptionInfo
+        return e
+
+# BAD
+@app.route('/bad/also')
+def server_bad():
+    try:
+        do_computation()
+    except Exception as e:  #$ exceptionInfo
+        return e.__traceback__
+
 # GOOD
 @app.route('/good')
 def server_good():
     try:
         do_computation()
-    except Exception as e:  #$ exceptionInfo
+    except Exception:
         log(traceback.format_exc())  #$ exceptionInfo
         return "An internal error has occurred!"
 
@@ -29,7 +45,7 @@ def server_good():
 def server_bad_flow():
     try:
         do_computation()
-    except Exception as e:  #$ exceptionInfo
+    except Exception:
         err = traceback.format_exc()  #$ exceptionInfo
         return format_error(err)
 
