Python: Add test of routed parameters to *args

RasmusWL · RasmusWL · commit c51c15ae7485 · 2023-11-21T13:01:01.000+01:00
Also move the **kwargs and *args test to a more appropriate file
diff --git a/python/ql/test/library-tests/frameworks/django-v2-v3/routing_test.py b/python/ql/test/library-tests/frameworks/django-v2-v3/routing_test.py
@@ -150,3 +150,40 @@ def get(self, request): # $ requestHandler
 urlpatterns = [
     path("UnknownViewSubclass/", UnknownViewSubclass.as_view()),  # $ routeSetup="UnknownViewSubclass/"
 ]
+
+################################################################################
+# Routing to *args and **kwargs
+################################################################################
+
+def kwargs_param(request, **kwargs): # $ requestHandler routedParameter=kwargs
+    ensure_tainted(
+        kwargs, # $ tainted
+        kwargs["foo"], # $ tainted
+        kwargs["bar"]  # $ tainted
+    )
+
+    ensure_tainted(request) # $ tainted
+
+
+def star_args_param(request, *args): # $ requestHandler MISSING: routedParameter=args
+    ensure_tainted(
+        args, # $ MISSING: tainted
+        args[0], # $ MISSING: tainted
+        args[1], # $ MISSING: tainted
+    )
+    ensure_tainted(request) # $ tainted
+
+
+def star_args_param_check(request, foo, bar): # $ requestHandler routedParameter=foo routedParameter=bar
+    ensure_tainted(
+        foo, # $ tainted
+        bar, # $ tainted
+    )
+    ensure_tainted(request) # $ tainted
+
+
+urlpatterns = [
+    path("test-kwargs_param/<foo>/<bar>", kwargs_param),  # $ routeSetup="test-kwargs_param/<foo>/<bar>"
+    re_path("test-star_args_param/([^/]+)/(.+)", star_args_param),  # $ routeSetup="test-star_args_param/([^/]+)/(.+)"
+    re_path("test-star_args_param_check/([^/]+)/(.+)", star_args_param_check),  # $ routeSetup="test-star_args_param_check/([^/]+)/(.+)"
+]
diff --git a/python/ql/test/library-tests/frameworks/django-v2-v3/taint_test.py b/python/ql/test/library-tests/frameworks/django-v2-v3/taint_test.py
@@ -174,20 +174,8 @@ def some_method(self):
         )
 
 
-def kwargs_param(request, **kwargs): # $ requestHandler routedParameter=kwargs
-    ensure_tainted(
-        kwargs, # $ tainted
-        kwargs["foo"], # $ tainted
-        kwargs["bar"]  # $ tainted
-    )
-
-    ensure_tainted(request) # $ tainted
-
-
 # fake setup, you can't actually run this
 urlpatterns = [
     path("test-taint/<foo>/<bar>", test_taint),  # $ routeSetup="test-taint/<foo>/<bar>"
     path("ClassView/", ClassView.as_view()), # $ routeSetup="ClassView/"
-    path("test-kwargs_param/<foo>/<bar>", kwargs_param),  # $ routeSetup="test-kwargs_param/<foo>/<bar>"
-
 ]
