Pre formatting Bottle tests

Kwstubbs · Kwstubbs · commit 5d12f7bd30a8 · 2024-09-23T14:37:22.000-07:00
diff --git a/python/ql/lib/semmle/python/frameworks/Bottle.qll b/python/ql/lib/semmle/python/frameworks/Bottle.qll
@@ -4,10 +4,13 @@
  */
 
 private import python
+private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.frameworks.internal.InstanceTaintStepsHelper
+private import semmle.python.frameworks.Stdlib
+private import semmle.python.dataflow.new.RemoteFlowSources
 
 /**
  * INTERNAL: Do not use.
@@ -21,11 +24,65 @@ module Bottle {
 
   /** Provides models for the `bottle` module. */
   module BottleModule {
+    module App {
+      API::Node cls() { result = API::moduleImport("bottle").getMember("Bottle") }
+
+      /** Gets a reference to a FastAPI application (an instance of `fastapi.FastAPI`). */
+      API::Node instance() { result = cls().getReturn() }
+
+      API::Node app() { result = bottle().getMember("app").getReturn() }
+    }
+
+    /** Provides models for functions that are possible "views" */
+    module View {
+      /**
+       * A Bottle view callable, that handles incoming requests.
+       */
+      class ViewCallable extends Function {
+        ViewCallable() { this = any(BottleRouteSetup rs).getARequestHandler() }
+      }
+
+      private class BottleRouteSetup extends Http::Server::RouteSetup::Range, DataFlow::CallCfgNode {
+        BottleRouteSetup() {
+          this =
+            [
+              App::instance()
+                  .getMember(["route", "get", "post", "put", "delete", "patch"])
+                  .getACall(),
+              App::app().getMember(["route", "get", "post", "put", "delete", "patch"]).getACall(),
+              bottle().getMember(["route", "get", "post", "put", "delete", "patch"]).getACall()
+            ]
+        }
+
+        override DataFlow::Node getUrlPatternArg() {
+          result in [this.getArg(0), this.getArgByName("route")]
+        }
+
+        override string getFramework() { result = "Bottle" }
+
+        override Parameter getARoutedParameter() { none() }
+
+        override Function getARequestHandler() { result.getADecorator().getAFlowNode() = node }
+      }
+    }
+
     /** Provides models for the `bottle.response` module */
     module Response {
       /** Gets a reference to the `bottle.response` module. */
       API::Node response() { result = bottle().getMember("response") }
 
+      class BottleReturnResponse extends Http::Server::HttpResponse::Range {
+        BottleReturnResponse() {
+          this.asCfgNode() = any(View::ViewCallable vc).getAReturnValueFlowNode()
+        }
+
+        override DataFlow::Node getBody() { result = this }
+
+        override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
+
+        override string getMimetypeDefault() { result = "text/html" }
+      }
+
       /**
        * A call to the `bottle.BaseResponse.set_header` or `bottle.BaseResponse.add_header` method.
        *
@@ -50,66 +107,68 @@ module Bottle {
 
         override predicate valueAllowsNewline() { none() }
       }
+    }
 
-      /** Provides models for the `bottle.request` module */
-      module Request {
-        /** Gets a reference to the `bottle.request` module. */
-        API::Node request() { result = bottle().getMember("request") }
-
-        private class Request extends RemoteFlowSource::Range {
-          Request() { this = request().asSource() }
-
-          override string getSourceType() { result = "bottle.request" }
-        }
+    /** Provides models for the `bottle.request` module */
+    module Request {
+      /** Gets a reference to the `bottle.request` module. */
+      API::Node request() { result = bottle().getMember("request") }
 
-        /**
-         * Taint propagation for `bottle.request`.
-         *
-         * See https://bottlepy.org/docs/dev/api.html#bottle.request
-         */
-        private class InstanceTaintSteps extends InstanceTaintStepsHelper {
-          InstanceTaintSteps() { this = "bottle.request" }
+      private class Request extends RemoteFlowSource::Range {
+        Request() { this = request().asSource() }
 
-          override DataFlow::Node getInstance() {
-            result = request().getAValueReachableFromSource()
-          }
+        override string getSourceType() { result = "bottle.request" }
+      }
 
-          override string getAttributeName() {
-            result in ["headers", "query", "forms", "params", "json", "url"]
-          }
+      /**
+       * Taint propagation for `bottle.request`.
+       *
+       * See https://bottlepy.org/docs/dev/api.html#bottle.request
+       */
+      private class InstanceTaintSteps extends InstanceTaintStepsHelper {
+        InstanceTaintSteps() { this = "bottle.request" }
 
-          override string getMethodName() { none() }
+        override DataFlow::Node getInstance() { result = request().getAValueReachableFromSource() }
 
-          override string getAsyncMethodName() { none() }
+        override string getAttributeName() {
+          result in [
+              "headers", "query", "forms", "params", "json", "url", "body", "fullpath",
+              "query_string"
+            ]
         }
-      }
 
-      /** Provides models for the `bottle.headers` module */
-      module Headers {
-        /** Gets a reference to the `bottle.headers` module. */
-        API::Node headers() { result = bottle().getMember("response").getMember("headers") }
+        override string getMethodName() { none() }
 
-        /** A dict-like write to a response header. */
-        class HeaderWriteSubscript extends Http::Server::ResponseHeaderWrite::Range, DataFlow::Node {
-          API::Node name;
-          API::Node value;
+        override string getAsyncMethodName() { none() }
+      }
+    }
 
-          HeaderWriteSubscript() {
-            exists(API::Node holder |
-              holder = headers() and
-              this = holder.asSource() and
-              value = holder.getSubscriptAt(name)
-            )
-          }
+    /** Provides models for the `bottle.headers` module */
+    module Headers {
+      /** Gets a reference to the `bottle.headers` module. */
+      API::Node headers() { result = bottle().getMember("response").getMember("headers") }
+
+      /** A dict-like write to a response header. */
+      class HeaderWriteSubscript extends Http::Server::ResponseHeaderWrite::Range, DataFlow::Node {
+        DataFlow::Node name;
+        DataFlow::Node value;
+
+        HeaderWriteSubscript() {
+          exists(SubscriptNode subscript |
+            this.asCfgNode() = subscript and
+            value.asCfgNode() = subscript.(DefinitionNode).getValue() and
+            name.asCfgNode() = subscript.getIndex() and
+            subscript.getObject() = headers().asSource().asCfgNode()
+          )
+        }
 
-          override DataFlow::Node getNameArg() { result = name.asSink() }
+        override DataFlow::Node getNameArg() { result = name }
 
-          override DataFlow::Node getValueArg() { result = value.asSink() }
+        override DataFlow::Node getValueArg() { result = value }
 
-          override predicate nameAllowsNewline() { none() }
+        override predicate nameAllowsNewline() { none() }
 
-          override predicate valueAllowsNewline() { none() }
-        }
+        override predicate valueAllowsNewline() { none() }
       }
     }
   }
diff --git a/python/ql/test/library-tests/frameworks/bottle/InlineTaintTest.expected b/python/ql/test/library-tests/frameworks/bottle/InlineTaintTest.expected
@@ -0,0 +1,4 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+testFailures
+failures
diff --git a/python/ql/test/library-tests/frameworks/bottle/InlineTaintTest.ql b/python/ql/test/library-tests/frameworks/bottle/InlineTaintTest.ql
@@ -0,0 +1,2 @@
+import experimental.meta.InlineTaintTest
+import MakeInlineTaintTest<TestTaintTrackingConfig>
diff --git a/python/ql/test/library-tests/frameworks/bottle/bottle_test.py b/python/ql/test/library-tests/frameworks/bottle/bottle_test.py
@@ -0,0 +1,10 @@
+import bottle
+from bottle import Bottle, response, request
+
+app = Bottle()
+@app.route('/test', method=['OPTIONS', 'GET']) # $ routeSetup="/test"
+def test1():  # $ requestHandler
+    response.headers['Content-type'] = 'application/json' # $ headerWriteName='Content-type' headerWriteValue='application/json'
+    return '[1]' # $ HttpResponse responseBody='[1]' mimetype=text/html
+
+app.run()
diff --git a/python/ql/test/library-tests/frameworks/bottle/taint_test.py b/python/ql/test/library-tests/frameworks/bottle/taint_test.py
@@ -0,0 +1,21 @@
+import bottle
+from bottle import response, request
+
+
+app = bottle.app()
+@app.route('/test', method=['OPTIONS', 'GET']) # $ routeSetup="/test"
+def test1():   # $ requestHandler
+
+    ensure_tainted(
+        request.headers,  # $ tainted
+        request.headers,  # $ tainted
+        request.forms,  # $ tainted
+        request.params, # $ tainted
+        request.url,  # $ tainted
+        request.body, # $ tainted
+        request.fullpath, # $ tainted
+        request.query_string # $ tainted
+    )
+    return '[1]' # $ HttpResponse mimetype=text/html responseBody='[1]'
+
+app.run()

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+import experimental.meta.InlineTaintTest`
	`2`	`+import MakeInlineTaintTest<TestTaintTrackingConfig>`