
Commit d49c23f

committed
Improve tests' readability
1 parent 0e169ba commit d49c23f

2 files changed

+48
-14
lines changed

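--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -1,5 +1,3 @@
-# move outside test folder
-
 from flask import request, Flask
 import re
 
@@ -8,19 +6,37 @@
 
 @app.route("/direct")
 def direct():
-    pattern = request.args['pattern']
-    re.search(pattern, "")
+    """
+    A RemoteFlowSource is used directly as re.search's pattern
+    """
+
+    unsafe_pattern = request.args["pattern"]
+    re.search(unsafe_pattern, "")
+
 
+# A RemoteFlowSource is used directly as re.compile's pattern
 
 @app.route("/compile")
 def compile():
-    pattern = re.compile(request.args['pattern'])
-    pattern.search("")
+    """
+    A RemoteFlowSource is used directly as re.compile's pattern
+    which also executes .search()
+    """
+
+    unsafe_pattern = request.args["pattern"]
+    compiled_pattern = re.compile(unsafe_pattern)
+    compiled_pattern.search("")
 
 
 @app.route("/compile_direct")
 def compile_direct():
-    re.compile(request.args['pattern']).search("")
+    """
+    A RemoteFlowSource is used directly as re.compile's pattern
+    which also executes .search() in the same line
+    """
+
+    unsafe_pattern = request.args["pattern"]
+    re.compile(unsafe_pattern).search("")
 
 # if __name__ == "__main__":
 # app.run(debug=True)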
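Review bot: The free-standing comment added at new line 17, `# A RemoteFlowSource is used directly as re.compile's pattern`, sits between direct() and compile() and duplicates the docstring the same commit adds inside compile(); it reads as a leftover from the edit and should be removed so each fixture case is documented in exactly one place. The request key is also quoted differently from the sibling fixture (`request.args["pattern"]` here, `request.args['pattern']` in re_good.py); picking one form keeps the two files diffable against each other. This section's file path is not shown on the page, so the file name is inferred from the sibling section only.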

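--- a/python/ql/src/experimental/Security/CWE-730/unit_tests/re_good.py
+++ b/python/ql/src/experimental/Security/CWE-730/unit_tests/re_good.py
@@ -1,5 +1,3 @@
-# move outside test folder
-
 from flask import request, Flask
 import re
 
@@ -8,19 +6,39 @@
 
 @app.route("/direct")
 def direct():
-    pattern = re.escape(request.args['pattern'])
-    re.search(pattern, "")
+    """
+    A RemoteFlowSource is escaped by re.escape and then used as
+    re'search pattern
+    """
+
+    unsafe_pattern = request.args['pattern']
+    safe_pattern = re.escape(unsafe_pattern)
+    re.search(safe_pattern, "")
 
 
 @app.route("/compile")
 def compile():
-    pattern = re.compile(re.escape(request.args['pattern']))
-    pattern.search("")
+    """
+    A RemoteFlowSource is escaped by re.escape and used as re.compile's
+    pattern which also executes .search()
+    """
+
+    unsafe_pattern = request.args['pattern']
+    safe_pattern = re.escape(unsafe_pattern)
+    compiled_pattern = re.compile(safe_pattern)
+    compiled_pattern.search("")
 
 
 @app.route("/compile_direct")
 def compile_direct():
-    re.compile(re.escape(request.args['pattern'])).search("")
+    """
+    A RemoteFlowSource is escaped by re.escape and then used as re.compile's
+    pattern which also executes .search() in the same line
+    """
+
+    unsafe_pattern = request.args['pattern']
+    safe_pattern = re.escape(unsafe_pattern)
+    re.compile(safe_pattern).search("")
 
 
 # if __name__ == "__main__":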
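Review bot: The docstring added to direct() at new lines 10-11 has a typo, `re'search pattern`, which should read `re.search's pattern` to match the wording of the other two docstrings in this file and of the corresponding case in the sibling fixture. Since these docstrings are what tells a reader which sanitizer the query is expected to recognise (re.escape applied before the value reaches re.search / re.compile), it is worth keeping them exact. The request key is quoted with single quotes here but with double quotes in the sibling fixture; unifying the quoting would make the two files line up when compared.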
