
Commit d18b9a2

committed
Python: Add markupsafe tests
1 parent 19305a2 commit d18b9a2


5 files changed

+84
-0
lines changed


python/ql/test/library-tests/frameworks/markupsafe/ConceptsTest.expected

Whitespace-only changes.
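--- /dev/null
+++ b/PATH-NOT-ON-PAGE-file-2 (placeholder: file header not shown on page; 2 additions)
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest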
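--- /dev/null
+++ b/PATH-NOT-ON-PAGE-file-3 (placeholder: file header not shown on page; 3 additions)
@@ -0,0 +1,3 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+failures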
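--- /dev/null
+++ b/PATH-NOT-ON-PAGE-file-4 (placeholder: file header not shown on page; 1 addition)
@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest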
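--- /dev/null
+++ b/PATH-NOT-ON-PAGE-file-5 (placeholder: file header not shown on page; 78 additions)
@@ -0,0 +1,78 @@
+from markupsafe import escape, escape_silent, Markup
+
+def ensure_tainted(*args):
+    print("ensure_tainted")
+    for x in args: print(" ", x)
+
+def ensure_not_tainted(*args):
+    print("ensure_not_tainted")
+    for x in args: print(" ", x)
+
+# these contain `{}` so we can use .format
+TAINTED_STRING = '<"TAINTED_STRING" {}>'
+SAFE = "SAFE {}"
+
+def test():
+    ts = TAINTED_STRING
+
+    # class `Markup` can be used for things that are already safe.
+    # if used with any text in a string operation, that other text will be escaped.
+    #
+    # see https://markupsafe.palletsprojects.com/en/2.0.x/
+    m_unsafe = Markup(TAINTED_STRING)
+    m_safe = Markup(SAFE)
+
+
+    # this 3 tests might look strange, but the purpose is to check we still treat `ts`
+    # as tainted even after it has been escaped in some place. This _might_ not be the
+    # case since data-flow library has taint-steps from adjacent uses...
+    ensure_tainted(ts) # $ tainted
+    ensure_not_tainted(escape(ts))
+    ensure_tainted(ts) # $ tainted
+
+    ensure_tainted(
+        ts, # $ tainted
+        m_unsafe, # $ MISSING: tainted
+        m_unsafe + SAFE, # $ MISSING: tainted
+        SAFE + m_unsafe, # $ MISSING: tainted
+        m_unsafe.format(SAFE), # $ MISSING: tainted
+        m_unsafe + ts, # $ tainted
+
+        m_safe.format(m_unsafe), # $ MISSING: tainted
+
+        escape(ts).unescape(), # $ MISSING: tainted
+        escape_silent(ts).unescape(), # $ MISSING: tainted
+    )
+
+    ensure_not_tainted(
+        escape(ts),
+        escape_silent(ts),
+
+        Markup.escape(ts),
+
+        m_safe,
+        m_safe + ts, # $ SPURIOUS: tainted
+        ts + m_safe, # $ SPURIOUS: tainted
+        m_safe.format(ts), # $ SPURIOUS: tainted
+
+        escape(ts) + ts, # $ SPURIOUS: tainted
+        escape_silent(ts) + ts, # $ SPURIOUS: tainted
+        Markup.escape(ts) + ts, # $ SPURIOUS: tainted
+    )
+
+    # flask re-exports these, as:
+    # flask.escape = markupsafe.escape
+    # flask.Markup = markupsafe.Markup
+    import flask
+
+    ensure_tainted(
+        flask.Markup(ts), # $ MISSING: tainted
+    )
+
+    ensure_not_tainted(
+        flask.escape(ts),
+        flask.Markup.escape(ts),
+    )
+
+
+test()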
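Review bot: The `ensure_not_tainted` expectations on `escape(ts)`, `escape_silent(ts)` and `Markup.escape(ts)` (new-file lines 30 and 48–60) assert that the escaped value is untainted outright, but these functions only neutralize HTML metacharacters, so the annotation is arguably right for HTML-injection sinks and would not hold for a sink in another context fed the same value; the file never states that scope, and a later reader may generalize it. A one-line comment above the first `ensure_not_tainted(escape(ts))` would pin the intent, e.g. `# escape() only defuses HTML-context injection; "not tainted" here reflects the HTML-sink model, not general sanitization`. The comment on line 26 should read `these 3 tests` rather than `this 3 tests`. `test()` is contained entirely within the hunk.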
