Python: Expand flask tests to use "variable rules"

RasmusWL · RasmusWL · commit 7d5e35a7aae5 · 2020-05-12T14:23:24.000+02:00
which is what flask calls them. wildcard rules in bottle, django doesn't even
give them a proper term :(
diff --git a/python/ql/test/library-tests/web/flask/HttpResponseSinks.expected b/python/ql/test/library-tests/web/flask/HttpResponseSinks.expected
@@ -6,3 +6,11 @@
 | test.py:41:26:41:53 | flask.response.argument | externally controlled string |
 | test.py:46:12:46:62 | flask.routed.response | externally controlled string |
 | test.py:46:26:46:61 | flask.response.argument | externally controlled string |
+| test.py:50:12:50:48 | flask.routed.response | externally controlled string |
+| test.py:50:26:50:47 | flask.response.argument | externally controlled string |
+| test.py:54:12:54:53 | flask.routed.response | externally controlled string |
+| test.py:54:26:54:52 | flask.response.argument | externally controlled string |
+| test.py:60:12:60:62 | flask.routed.response | externally controlled string |
+| test.py:60:26:60:61 | flask.response.argument | externally controlled string |
+| test.py:64:12:64:58 | flask.routed.response | externally controlled string |
+| test.py:64:26:64:57 | flask.response.argument | externally controlled string |
diff --git a/python/ql/test/library-tests/web/flask/Routing.expected b/python/ql/test/library-tests/web/flask/Routing.expected
@@ -1,6 +1,10 @@
-| / | Function hello |
+| / | Function hello_world |
+| /complex/<string(length=2):lang_code> | Function complex |
 | /dangerous | Function dangerous |
 | /dangerous-with-cfg-split | Function dangerous2 |
+| /foo/<path:subpath> | Function foo |
+| /hello/<name> | Function hello |
+| /multiple/bar/<bar> | Function multiple |
 | /safe | Function safe |
 | /the/ | Function get |
 | /unsafe | Function unsafe |
diff --git a/python/ql/test/library-tests/web/flask/Taint.expected b/python/ql/test/library-tests/web/flask/Taint.expected
@@ -15,3 +15,7 @@
 | test.py:45 | Attribute() | externally controlled string |
 | test.py:46 | first_name | externally controlled string |
 | test.py:46 | make_response() | flask.Response |
+| test.py:50 | make_response() | flask.Response |
+| test.py:54 | make_response() | flask.Response |
+| test.py:60 | make_response() | flask.Response |
+| test.py:64 | make_response() | flask.Response |
diff --git a/python/ql/test/library-tests/web/flask/test.py b/python/ql/test/library-tests/web/flask/test.py
@@ -4,7 +4,7 @@
 app = Flask(__name__)
 
 @app.route("/")
-def hello():
+def hello_world():
     return "Hello World!"
 
 from flask.views import MethodView
@@ -44,3 +44,24 @@ def unsafe():
 def safe():
     first_name = request.args.get('name', '')
     return make_response("Your name is " + escape(first_name))
+
+@app.route('/hello/<name>')
+def hello(name):
+    return make_response("Your name is " + name)
+
+@app.route('/foo/<path:subpath>')
+def foo(subpath):
+    return make_response("The subpath is " + subpath)
+
+@app.route('/multiple/') # TODO: not recognized as route
+@app.route('/multiple/foo/<foo>') # TODO: not recognized as route
+@app.route('/multiple/bar/<bar>')
+def multiple(foo=None, bar=None):
+    return make_response("foo={!r} bar={!r}".format(foo, bar))
+
+@app.route('/complex/<string(length=2):lang_code>')
+def complex(lang_code):
+    return make_response("lang_code {}".format(lang_code))
+
+if __name__ == "__main__":
+    app.run(debug=True)
