Python: Expand cleartext query tests

RasmusWL · RasmusWL · commit e2facd098111 · 2021-06-23T10:50:04.000+02:00
diff --git a/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/CleartextLogging.expected b/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/CleartextLogging.expected
@@ -1,7 +1,7 @@
 edges
-| test.py:7:16:7:29 | a password | test.py:8:35:8:42 | a password |
-| test.py:7:16:7:29 | a password | test.py:8:35:8:42 | a password |
+| test.py:19:16:19:29 | a password | test.py:20:48:20:55 | a password |
+| test.py:19:16:19:29 | a password | test.py:20:48:20:55 | a password |
 #select
-| test.py:8:35:8:42 | password | test.py:7:16:7:29 | a password | test.py:8:35:8:42 | a password | Sensitive data returned by $@ is logged here. | test.py:7:16:7:29 | get_password() | a call returning a password |
-| test.py:14:30:14:39 | get_cert() | test.py:14:30:14:39 | a certificate or key | test.py:14:30:14:39 | a certificate or key | Sensitive data returned by $@ is logged here. | test.py:14:30:14:39 | get_cert() | a call returning a certificate or key |
-| test.py:17:11:17:24 | get_password() | test.py:17:11:17:24 | a password | test.py:17:11:17:24 | a password | Sensitive data returned by $@ is logged here. | test.py:17:11:17:24 | get_password() | a call returning a password |
+| test.py:20:48:20:55 | password | test.py:19:16:19:29 | a password | test.py:20:48:20:55 | a password | Sensitive data returned by $@ is logged here. | test.py:19:16:19:29 | get_password() | a call returning a password |
+| test.py:34:30:34:39 | get_cert() | test.py:34:30:34:39 | a certificate or key | test.py:34:30:34:39 | a certificate or key | Sensitive data returned by $@ is logged here. | test.py:34:30:34:39 | get_cert() | a call returning a certificate or key |
+| test.py:37:11:37:24 | get_password() | test.py:37:11:37:24 | a password | test.py:37:11:37:24 | a password | Sensitive data returned by $@ is logged here. | test.py:37:11:37:24 | get_password() | a call returning a password |
diff --git a/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/test.py b/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/test.py
@@ -1,17 +1,46 @@
-#Don't import logging; it transitively imports a lot of stuff
+import logging
+import sys
+
+LOGGER = logging.getLogger("LOGGER")
+
+def get_logger():
+    return LOGGER
+
 
 def get_password():
-    pass
+    return "<PASSWORD>"
+
+
+def get_cert():
+    return "<CERT>"
+
 
 def log_password():
     password = get_password()
-    logging.info("Password '%s'", password)
+    logging.info("logging.info Password '%s'", password) # NOT OK
+
+    LOGGER.log(logging.INFO, "LOGGER.log Password '%s'", password) # NOT OK
+    logging.root.info("logging.root.info Password '%s'", password) # NOT OK
+
+    # name of logger variable should not matter
+    foo = LOGGER
+    foo.info("foo.info Password '%s'", password) # NOT OK
+
+    # return value from function
+    get_logger().info("get_logger().info Password '%s'", password) # NOT OK
 
-def get_cert():
-    pass
 
 def log_cert():
-    logging.debug("Cert=%s", get_cert())
+    logging.debug("Cert=%s", get_cert()) # NOT OK
 
 def print_password():
-    print(get_password())
+    print(get_password()) # NOT OK
+
+    sys.stdout.write(get_password()) # NOT OK
+    sys.stderr.write(get_password()) # NOT OK
+
+if __name__ == "__main__":
+    logging.basicConfig(level=logging.DEBUG)
+    log_password()
+    log_cert()
+    print_password()
diff --git a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.expected b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.expected
@@ -0,0 +1,2 @@
+edges
+#select
diff --git a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.qlref b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.qlref
@@ -0,0 +1 @@
+Security/CWE-312/CleartextStorage.ql
diff --git a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/options b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/options
@@ -0,0 +1 @@
+semmle-extractor-options: --lang=3 -p ../lib/ --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/test.py b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/test.py
@@ -0,0 +1,15 @@
+import pathlib
+
+
+def get_cert():
+    return "<CERT>"
+
+
+def write_password(filename):
+    cert = get_cert()
+
+    path = pathlib.Path(filename)
+    path.write_text(cert) # NOT OK
+    path.write_bytes(cert.encode("utf-8")) # NOT OK
+
+    path.open("w").write(cert) # NOT OK
diff --git a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/CleartextStorage.expected b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/CleartextStorage.expected
@@ -3,9 +3,9 @@ edges
 | password_in_cookie.py:7:16:7:43 | a password | password_in_cookie.py:9:33:9:40 | a password |
 | password_in_cookie.py:14:16:14:43 | a password | password_in_cookie.py:16:33:16:40 | a password |
 | password_in_cookie.py:14:16:14:43 | a password | password_in_cookie.py:16:33:16:40 | a password |
-| test.py:10:12:10:21 | a certificate or key | test.py:12:20:12:23 | a certificate or key |
-| test.py:10:12:10:21 | a certificate or key | test.py:12:20:12:23 | a certificate or key |
+| test.py:6:12:6:21 | a certificate or key | test.py:8:20:8:23 | a certificate or key |
+| test.py:6:12:6:21 | a certificate or key | test.py:8:20:8:23 | a certificate or key |
 #select
 | password_in_cookie.py:9:33:9:40 | password | password_in_cookie.py:7:16:7:43 | a password | password_in_cookie.py:9:33:9:40 | a password | Sensitive data from $@ is stored here. | password_in_cookie.py:7:16:7:43 | Attribute() | a request parameter containing a password |
 | password_in_cookie.py:16:33:16:40 | password | password_in_cookie.py:14:16:14:43 | a password | password_in_cookie.py:16:33:16:40 | a password | Sensitive data from $@ is stored here. | password_in_cookie.py:14:16:14:43 | Attribute() | a request parameter containing a password |
-| test.py:12:20:12:23 | cert | test.py:10:12:10:21 | a certificate or key | test.py:12:20:12:23 | a certificate or key | Sensitive data from $@ is stored here. | test.py:10:12:10:21 | get_cert() | a call returning a certificate or key |
+| test.py:8:20:8:23 | cert | test.py:6:12:6:21 | a certificate or key | test.py:8:20:8:23 | a certificate or key | Sensitive data from $@ is stored here. | test.py:6:12:6:21 | get_cert() | a call returning a certificate or key |
diff --git a/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/test.py b/python/ql/test/query-tests/Security/CWE-312-CleartextStorage/test.py
@@ -1,12 +1,10 @@
-#Don't import logging; it transitively imports a lot of stuff
-
-def get_password():
-    pass
-
 def get_cert():
-    pass
+    return "<CERT>"
+
 
 def write_cert(filename):
     cert = get_cert()
     with open(filename, "w") as file:
-        file.write(cert)
+        file.write(cert) # NOT OK
+        lines = [cert + "\n"]
+        file.writelines(lines) # NOT OK

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+semmle-extractor-options: --lang=3 -p ../lib/ --max-import-depth=3`