Python: Add test for taint in django forms/fields

RasmusWL · RasmusWL · commit 3a83ecf067a5 · 2021-03-22T10:03:32.000+01:00
diff --git a/python/ql/test/library-tests/frameworks/django-v2-v3/TestTaint.expected b/python/ql/test/library-tests/frameworks/django-v2-v3/TestTaint.expected
@@ -1,4 +1,15 @@
 | response_test.py:61 | ok   | get_redirect_url | foo |
+| taint_forms.py:6 | fail | to_python | value |
+| taint_forms.py:9 | fail | validate | value |
+| taint_forms.py:12 | fail | run_validators | value |
+| taint_forms.py:15 | fail | clean | value |
+| taint_forms.py:33 | fail | clean | cleaned_data |
+| taint_forms.py:34 | fail | clean | cleaned_data["key"] |
+| taint_forms.py:35 | fail | clean | cleaned_data.get(..) |
+| taint_forms.py:39 | fail | clean | self.cleaned_data |
+| taint_forms.py:40 | fail | clean | self.cleaned_data["key"] |
+| taint_forms.py:41 | fail | clean | self.cleaned_data.get(..) |
+| taint_forms.py:46 | fail | clean_foo | self.cleaned_data |
 | taint_test.py:8 | ok   | test_taint | bar |
 | taint_test.py:8 | ok   | test_taint | foo |
 | taint_test.py:9 | ok   | test_taint | baz |
diff --git a/python/ql/test/library-tests/frameworks/django-v2-v3/taint_forms.py b/python/ql/test/library-tests/frameworks/django-v2-v3/taint_forms.py
@@ -0,0 +1,46 @@
+import django.forms
+
+
+class MyField(django.forms.Field):
+    def to_python(self, value):
+        ensure_tainted(value)
+
+    def validate(self, value):
+        ensure_tainted(value)
+
+    def run_validators(self, value):
+        ensure_tainted(value)
+
+    def clean(self, value):
+        ensure_tainted(value)
+
+        # # Base definition of `clean` looks like the following, so there is actually
+        # # _data flow_ from the methods, but we will ignore for simplicity.
+        # value = self.to_python(value)
+        # self.validate(value)
+        # self.run_validators(value)
+        # return value
+
+
+class MyForm(django.forms.Form):
+
+    foo = MyField()
+
+    def clean(self):
+        cleaned_data = super().clean()
+
+        ensure_tainted(
+            cleaned_data,
+            cleaned_data["key"],
+            cleaned_data.get("key"),
+        )
+
+        ensure_tainted(
+            self.cleaned_data,
+            self.cleaned_data["key"],
+            self.cleaned_data.get("key"),
+        )
+
+    def clean_foo(self):
+        # This method is supposed to clean a the `foo` field in context of this form.
+        ensure_tainted(self.cleaned_data)
