Merge pull request github#5280 from RasmusWL/highlight-tornado-uri

Python: Highlight how request.uri works in Tornado

Author: tausbn

python/ql/test/experimental/library-tests/frameworks/tornado/TestTaint.expected

@@ -15,27 +15,27 @@
 | taint_test.py:26 | ok   | get | self.path_kwargs |
 | taint_test.py:27 | ok   | get | self.path_kwargs["name"] |
 | taint_test.py:34 | ok   | get | request |
-| taint_test.py:36 | ok   | get | request.uri |
-| taint_test.py:37 | ok   | get | request.path |
-| taint_test.py:38 | ok   | get | request.query |
-| taint_test.py:39 | ok   | get | request.full_url() |
-| taint_test.py:41 | ok   | get | request.remote_ip |
-| taint_test.py:43 | ok   | get | request.body |
-| taint_test.py:45 | ok   | get | request.arguments |
-| taint_test.py:46 | ok   | get | request.arguments["name"] |
-| taint_test.py:47 | ok   | get | request.arguments["name"][0] |
-| taint_test.py:49 | ok   | get | request.query_arguments |
-| taint_test.py:50 | ok   | get | request.query_arguments["name"] |
-| taint_test.py:51 | ok   | get | request.query_arguments["name"][0] |
-| taint_test.py:53 | ok   | get | request.body_arguments |
-| taint_test.py:54 | ok   | get | request.body_arguments["name"] |
-| taint_test.py:55 | ok   | get | request.body_arguments["name"][0] |
-| taint_test.py:58 | ok   | get | request.headers |
-| taint_test.py:59 | ok   | get | request.headers["header-name"] |
-| taint_test.py:60 | fail | get | request.headers.get_list(..) |
-| taint_test.py:61 | fail | get | request.headers.get_all() |
-| taint_test.py:62 | fail | get | ListComp |
-| taint_test.py:65 | ok   | get | request.cookies |
-| taint_test.py:66 | ok   | get | request.cookies["cookie-name"] |
-| taint_test.py:67 | fail | get | request.cookies["cookie-name"].key |
-| taint_test.py:68 | fail | get | request.cookies["cookie-name"].value |
+| taint_test.py:40 | ok   | get | request.uri |
+| taint_test.py:41 | ok   | get | request.path |
+| taint_test.py:42 | ok   | get | request.query |
+| taint_test.py:43 | ok   | get | request.full_url() |
+| taint_test.py:45 | ok   | get | request.remote_ip |
+| taint_test.py:47 | ok   | get | request.body |
+| taint_test.py:49 | ok   | get | request.arguments |
+| taint_test.py:50 | ok   | get | request.arguments["name"] |
+| taint_test.py:51 | ok   | get | request.arguments["name"][0] |
+| taint_test.py:53 | ok   | get | request.query_arguments |
+| taint_test.py:54 | ok   | get | request.query_arguments["name"] |
+| taint_test.py:55 | ok   | get | request.query_arguments["name"][0] |
+| taint_test.py:57 | ok   | get | request.body_arguments |
+| taint_test.py:58 | ok   | get | request.body_arguments["name"] |
+| taint_test.py:59 | ok   | get | request.body_arguments["name"][0] |
+| taint_test.py:62 | ok   | get | request.headers |
+| taint_test.py:63 | ok   | get | request.headers["header-name"] |
+| taint_test.py:64 | fail | get | request.headers.get_list(..) |
+| taint_test.py:65 | fail | get | request.headers.get_all() |
+| taint_test.py:66 | fail | get | ListComp |
+| taint_test.py:69 | ok   | get | request.cookies |
+| taint_test.py:70 | ok   | get | request.cookies["cookie-name"] |
+| taint_test.py:71 | fail | get | request.cookies["cookie-name"].key |
+| taint_test.py:72 | fail | get | request.cookies["cookie-name"].value |

python/ql/test/experimental/library-tests/frameworks/tornado/taint_test.py

@@ -33,6 +33,10 @@ def get(self, name = "World!", number="0", foo="foo"):  # $ requestHandler route
             # see https://www.tornadoweb.org/en/stable/httputil.html#tornado.httputil.HTTPServerRequest
             request,
 
+            # For the URL https:://example.com/foo/bar?baz=42
+            # request.uri="/foo/bar?baz=42"
+            # request.path="/foo/bar"
+            # request.query="baz=42"
             request.uri,
             request.path,
             request.query,