Merge pull request github#5878 from RasmusWL/fix-concept-tests-pretty-print

Python: Fix concept tests pretty print

Author: yoff

python/ql/test/experimental/dataflow/TestUtil/PrintNode.qll

@@ -1,7 +1,7 @@
 import python
 import semmle.python.dataflow.new.DataFlow
 
-string prettyExp(Expr e) {
+string prettyExpr(Expr e) {
   not e instanceof Num and
   not e instanceof StrConst and
   not e instanceof Subscript and
@@ -15,17 +15,41 @@ string prettyExp(Expr e) {
     e.(StrConst).getPrefix() + e.(StrConst).getText() +
       e.(StrConst).getPrefix().regexpReplaceAll("[a-zA-Z]+", "")
   or
-  result = prettyExp(e.(Subscript).getObject()) + "[" + prettyExp(e.(Subscript).getIndex()) + "]"
+  result = prettyExpr(e.(Subscript).getObject()) + "[" + prettyExpr(e.(Subscript).getIndex()) + "]"
   or
   (
     if exists(e.(Call).getAnArg()) or exists(e.(Call).getANamedArg())
-    then result = prettyExp(e.(Call).getFunc()) + "(..)"
-    else result = prettyExp(e.(Call).getFunc()) + "()"
+    then result = prettyExpr(e.(Call).getFunc()) + "(..)"
+    else result = prettyExpr(e.(Call).getFunc()) + "()"
   )
   or
-  result = prettyExp(e.(Attribute).getObject()) + "." + e.(Attribute).getName()
+  result = prettyExpr(e.(Attribute).getObject()) + "." + e.(Attribute).getName()
 }
 
+/**
+ * Gets pretty-printed version of the DataFlow::Node `node`
+ */
+bindingset[node]
 string prettyNode(DataFlow::Node node) {
-  if exists(node.asExpr()) then result = prettyExp(node.asExpr()) else result = node.toString()
+  if exists(node.asExpr()) then result = prettyExpr(node.asExpr()) else result = node.toString()
+}
+
+/**
+ * Gets pretty-printed version of the DataFlow::Node `node`, that is suitable for use
+ * with `TestUtilities.InlineExpectationsTest` (that is, no spaces unless required).
+ */
+bindingset[node]
+string prettyNodeForInlineTest(DataFlow::Node node) {
+  exists(node.asExpr()) and
+  result = prettyExpr(node.asExpr())
+  or
+  exists(Expr e | e = node.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() |
+    // since PostUpdateNode both has space in the `[post <thing>]` annotation, and does
+    // not pretty print the pre-update node, we do custom handling of this.
+    result = "[post]" + prettyExpr(e)
+  )
+  or
+  not exists(node.asExpr()) and
+  not exists(Expr e | e = node.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr()) and
+  result = node.toString()
 }

python/ql/test/experimental/dataflow/tainttracking/TestTaintLib.qll

@@ -46,6 +46,6 @@ query predicate test_taint(string arg_location, string test_res, string scope_na
     arg_location = arg.getLocation().toString() and
     test_res = test_res and
     scope_name = call.getScope().getName() and
-    repr = prettyExp(arg)
+    repr = prettyExpr(arg)
   )
 }

python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_json.py

@@ -2,19 +2,7 @@ import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.Concepts
 import TestUtilities.InlineExpectationsTest
-
-string value_from_expr(Expr e) {
-  // TODO: This one is starting to look like `repr` predicate from TestTaintLib
-  result =
-    e.(StrConst).getPrefix() + e.(StrConst).getText() +
-      e.(StrConst).getPrefix().regexpReplaceAll("[a-zA-Z]+", "")
-  or
-  result = e.(Name).getId()
-  or
-  not e instanceof StrConst and
-  not e instanceof Name and
-  result = e.toString()
-}
+import experimental.dataflow.TestUtil.PrintNode
 
 class SystemCommandExecutionTest extends InlineExpectationsTest {
   SystemCommandExecutionTest() { this = "SystemCommandExecutionTest" }
@@ -27,7 +15,7 @@ class SystemCommandExecutionTest extends InlineExpectationsTest {
       command = sce.getCommand() and
       location = command.getLocation() and
       element = command.toString() and
-      value = value_from_expr(command.asExpr()) and
+      value = prettyNodeForInlineTest(command) and
       tag = "getCommand"
     )
   }
@@ -46,7 +34,7 @@ class DecodingTest extends InlineExpectationsTest {
       exists(DataFlow::Node data |
         location = data.getLocation() and
         element = data.toString() and
-        value = value_from_expr(data.asExpr()) and
+        value = prettyNodeForInlineTest(data) and
         (
           data = d.getAnInput() and
           tag = "decodeInput"
@@ -84,7 +72,7 @@ class EncodingTest extends InlineExpectationsTest {
       exists(DataFlow::Node data |
         location = data.getLocation() and
         element = data.toString() and
-        value = value_from_expr(data.asExpr()) and
+        value = prettyNodeForInlineTest(data) and
         (
           data = e.getAnInput() and
           tag = "encodeInput"
@@ -117,7 +105,7 @@ class CodeExecutionTest extends InlineExpectationsTest {
       code = ce.getCode() and
       location = code.getLocation() and
       element = code.toString() and
-      value = value_from_expr(code.asExpr()) and
+      value = prettyNodeForInlineTest(code) and
       tag = "getCode"
     )
   }
@@ -135,7 +123,7 @@ class SqlExecutionTest extends InlineExpectationsTest {
       sql = e.getSql() and
       location = e.getLocation() and
       element = sql.toString() and
-      value = value_from_expr(sql.asExpr()) and
+      value = prettyNodeForInlineTest(sql) and
       tag = "getSql"
     )
   }
@@ -218,7 +206,7 @@ class HttpServerHttpResponseTest extends InlineExpectationsTest {
       exists(HTTP::Server::HttpResponse response |
         location = response.getLocation() and
         element = response.toString() and
-        value = value_from_expr(response.getBody().asExpr()) and
+        value = prettyNodeForInlineTest(response.getBody()) and
         tag = "responseBody"
       )
       or
@@ -257,7 +245,7 @@ class HttpServerHttpRedirectResponseTest extends InlineExpectationsTest {
       exists(HTTP::Server::HttpRedirectResponse redirect |
         location = redirect.getLocation() and
         element = redirect.toString() and
-        value = value_from_expr(redirect.getRedirectLocation().asExpr()) and
+        value = prettyNodeForInlineTest(redirect.getRedirectLocation()) and
         tag = "redirectLocation"
       )
     )
@@ -275,7 +263,7 @@ class FileSystemAccessTest extends InlineExpectationsTest {
       path = a.getAPathArgument() and
       location = a.getLocation() and
       element = path.toString() and
-      value = value_from_expr(path.asExpr()) and
+      value = prettyNodeForInlineTest(path) and
       tag = "getAPathArgument"
     )
   }
@@ -309,7 +297,7 @@ class SafeAccessCheckTest extends InlineExpectationsTest {
       location = c.getLocation() and
       (
         element = checks.toString() and
-        value = value_from_expr(checks.asExpr()) and
+        value = prettyNodeForInlineTest(checks) and
         tag = "checks"
         or
         element = branch.toString() and

python/ql/test/experimental/meta/ConceptsTest.qll

@@ -58,7 +58,7 @@ class InlineTaintTest extends InlineExpectationsTest {
     exists(DataFlow::Node sink |
       any(TestTaintTrackingConfiguration config).hasFlow(_, sink) and
       location = sink.getLocation() and
-      element = prettyExp(sink.asExpr()) and
+      element = prettyExpr(sink.asExpr()) and
       value = "" and
       tag = "tainted"
     )
@@ -84,7 +84,7 @@ query predicate untaintedArgumentToEnsureTaintedNotMarkedAsMissing(
   error = "ERROR, you should add `# $ MISSING: tainted` annotation" and
   exists(DataFlow::Node sink |
     sink = shouldBeTainted() and
-    element = prettyExp(sink.asExpr()) and
+    element = prettyExpr(sink.asExpr()) and
     not any(TestTaintTrackingConfiguration config).hasFlow(_, sink) and
     location = sink.getLocation() and
     not exists(FalseNegativeExpectation missingResult |

python/ql/test/experimental/meta/InlineTaintTest.qll

@@ -1,3 +1,3 @@
 import dill
 
-dill.loads(payload)  # $decodeInput=payload decodeOutput=Attribute() decodeFormat=dill decodeMayExecuteInput
+dill.loads(payload)  # $decodeInput=payload decodeOutput=dill.loads(..) decodeFormat=dill decodeMayExecuteInput

python/ql/test/library-tests/frameworks/dill/Decoding.py

@@ -74,28 +74,28 @@ def get_redirect_url(self, foo): # $ requestHandler routedParameter=foo
 
 # Ensure that simple subclasses are still vuln to XSS
 def xss__not_found(request):
-    return HttpResponseNotFound(request.GET.get("name"))  # $HttpResponse mimetype=text/html responseBody=Attribute()
+    return HttpResponseNotFound(request.GET.get("name"))  # $HttpResponse mimetype=text/html responseBody=request.GET.get(..)
 
 # Ensure we still have an XSS sink when manually setting the content_type to HTML
 def xss__manual_response_type(request):
-    return HttpResponse(request.GET.get("name"), content_type="text/html; charset=utf-8")  # $HttpResponse mimetype=text/html responseBody=Attribute()
+    return HttpResponse(request.GET.get("name"), content_type="text/html; charset=utf-8")  # $HttpResponse mimetype=text/html responseBody=request.GET.get(..)
 
 def xss__write(request):
     response = HttpResponse()  # $HttpResponse mimetype=text/html
-    response.write(request.GET.get("name"))  # $HttpResponse mimetype=text/html responseBody=Attribute()
+    response.write(request.GET.get("name"))  # $HttpResponse mimetype=text/html responseBody=request.GET.get(..)
 
 # This is safe but probably a bug if the argument to `write` is not a result of `json.dumps` or similar.
 def safe__write_json(request):
     response = JsonResponse()  # $HttpResponse mimetype=application/json
-    response.write(request.GET.get("name"))  # $HttpResponse mimetype=application/json responseBody=Attribute()
+    response.write(request.GET.get("name"))  # $HttpResponse mimetype=application/json responseBody=request.GET.get(..)
 
 # Ensure manual subclasses are vulnerable
 class CustomResponse(HttpResponse):
     def __init__(self, banner, content, *args, **kwargs):
         super().__init__(content, *args, content_type="text/html", **kwargs)
 
 def xss__custom_response(request):
-    return CustomResponse("ACME Responses", request.GET("name"))  # $HttpResponse MISSING: mimetype=text/html responseBody=Attribute() SPURIOUS: responseBody="ACME Responses"
+    return CustomResponse("ACME Responses", request.GET("name"))  # $HttpResponse MISSING: mimetype=text/html responseBody=request.GET.get(..) SPURIOUS: responseBody="ACME Responses"
 
 class CustomJsonResponse(JsonResponse):
     def __init__(self, banner, content, *args, **kwargs):

python/ql/test/library-tests/frameworks/django-v2-v3/response_test.py

@@ -13,7 +13,7 @@
 from pathlib import Path
 
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
-BASE_DIR = Path(__file__).resolve().parent.parent  #$ getAPathArgument=Path()
+BASE_DIR = Path(__file__).resolve().parent.parent  #$ getAPathArgument=Path(..)
 
 
 # Quick-start development settings - unsuitable for production

python/ql/test/library-tests/frameworks/django-v2-v3/testproj/settings.py

@@ -5,9 +5,9 @@ def test_idna():
     tb = TAINTED_BYTES
 
     ensure_tainted(
-        idna.encode(ts),  # $ tainted encodeInput=ts encodeOutput=Attribute() encodeFormat=IDNA
-        idna.encode(s=ts),  # $ tainted encodeInput=ts encodeOutput=Attribute() encodeFormat=IDNA
+        idna.encode(ts),  # $ tainted encodeInput=ts encodeOutput=idna.encode(..) encodeFormat=IDNA
+        idna.encode(s=ts),  # $ tainted encodeInput=ts encodeOutput=idna.encode(..) encodeFormat=IDNA
 
-        idna.decode(tb),  # $ tainted decodeInput=tb decodeOutput=Attribute() decodeFormat=IDNA
-        idna.decode(s=tb),  # $ tainted decodeInput=tb decodeOutput=Attribute() decodeFormat=IDNA
+        idna.decode(tb),  # $ tainted decodeInput=tb decodeOutput=idna.decode(..) decodeFormat=IDNA
+        idna.decode(s=tb),  # $ tainted decodeInput=tb decodeOutput=idna.decode(..) decodeFormat=IDNA
     )

python/ql/test/library-tests/frameworks/idna/taint_test.py

@@ -5,14 +5,14 @@ def test():
     ts = TAINTED_STRING
     tainted_obj = {"foo": ts}
 
-    encoded = simplejson.dumps(tainted_obj) # $ encodeOutput=Attribute() encodeFormat=JSON encodeInput=tainted_obj
+    encoded = simplejson.dumps(tainted_obj) # $ encodeOutput=simplejson.dumps(..) encodeFormat=JSON encodeInput=tainted_obj
 
     ensure_tainted(
         encoded, # $ tainted
-        simplejson.dumps(tainted_obj), # $ tainted encodeOutput=Attribute() encodeFormat=JSON encodeInput=tainted_obj
-        simplejson.dumps(obj=tainted_obj), # $ tainted encodeOutput=Attribute() encodeFormat=JSON encodeInput=tainted_obj
-        simplejson.loads(encoded), # $ tainted decodeOutput=Attribute() decodeFormat=JSON decodeInput=encoded
-        simplejson.loads(s=encoded), # $ tainted decodeOutput=Attribute() decodeFormat=JSON decodeInput=encoded
+        simplejson.dumps(tainted_obj), # $ tainted encodeOutput=simplejson.dumps(..) encodeFormat=JSON encodeInput=tainted_obj
+        simplejson.dumps(obj=tainted_obj), # $ tainted encodeOutput=simplejson.dumps(..) encodeFormat=JSON encodeInput=tainted_obj
+        simplejson.loads(encoded), # $ tainted decodeOutput=simplejson.loads(..) decodeFormat=JSON decodeInput=encoded
+        simplejson.loads(s=encoded), # $ tainted decodeOutput=simplejson.loads(..) decodeFormat=JSON decodeInput=encoded
     )
 
     # load/dump with file-like
@@ -22,7 +22,7 @@ def test():
     tainted_filelike.seek(0)
     ensure_tainted(
         tainted_filelike, # $ MISSING: tainted
-        simplejson.load(tainted_filelike), # $ decodeOutput=Attribute() decodeFormat=JSON decodeInput=tainted_filelike MISSING: tainted
+        simplejson.load(tainted_filelike), # $ decodeOutput=simplejson.load(..) decodeFormat=JSON decodeInput=tainted_filelike MISSING: tainted
     )
 
     # load/dump with file-like using keyword-args
@@ -32,7 +32,7 @@ def test():
     tainted_filelike.seek(0)
     ensure_tainted(
         tainted_filelike, # $ MISSING: tainted
-        simplejson.load(fp=tainted_filelike), # $ decodeOutput=Attribute() decodeFormat=JSON decodeInput=tainted_filelike MISSING: tainted
+        simplejson.load(fp=tainted_filelike), # $ decodeOutput=simplejson.load(..) decodeFormat=JSON decodeInput=tainted_filelike MISSING: tainted
     )
 
 # To make things runable