Add concepts tests + some fixes

Author: joefarebrother

python/ql/lib/semmle/python/frameworks/Flask.qll

@@ -722,10 +722,13 @@ module Flask {
     }
   }
 
-  /** A call to `flask.render_template_string` as a template construction sink. */
+  /** A call to `flask.render_template_string` or `flask.stream_template_string` as a template construction sink. */
   private class FlaskTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
     FlaskTemplateConstruction() {
-      this = API::moduleImport("flask").getMember("render_template_string").getACall()
+      this =
+        API::moduleImport("flask")
+            .getMember(["render_template_string", "stream_template_string"])
+            .getACall()
     }
 
     override DataFlow::Node getSourceArg() { result = this.getArg(0) }

python/ql/lib/semmle/python/frameworks/Genshi.qll

@@ -21,7 +21,7 @@ module Genshi {
         API::moduleImport("genshi")
             .getMember("template")
             .getMember("text")
-            .getMember(["NewTextTemplate", "OldTextTemplate"])
+            .getMember(["NewTextTemplate", "OldTextTemplate", "TextTemplate"])
             .getACall()
     }
 

python/ql/lib/semmle/python/frameworks/Jinja2.qll

@@ -24,6 +24,7 @@ module Jinja2 {
     override DataFlow::Node getSourceArg() { result = this.getArg(0) }
   }
 
+  /** Definitions for modeling jinja `Environment`s. */
   module EnvironmentClass {
     /** Gets a reference to the `jinja2.Environment` class. */
     API::Node classRef() {

python/ql/test/experimental/meta/ConceptsTest.qll

@@ -663,6 +663,20 @@ module CorsMiddlewareTest implements TestSig {
   }
 }
 
+module TemplateConstructionTest implements TestSig {
+  string getARelevantTag() { result = "templateConstruction" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(location.getFile().getRelativePath()) and
+    exists(TemplateConstruction tc |
+      location = tc.getLocation() and
+      element = tc.toString() and
+      value = prettyNodeForInlineTest(tc.getSourceArg()) and
+      tag = "templateConstruction"
+    )
+  }
+}
+
 import MakeTest<MergeTests5<MergeTests5<SystemCommandExecutionTest, DecodingTest, EncodingTest, LoggingTest,
     CodeExecutionTest>,
   MergeTests5<SqlConstructionTest, SqlExecutionTest, XPathConstructionTest, XPathExecutionTest,
@@ -673,4 +687,5 @@ import MakeTest<MergeTests5<MergeTests5<SystemCommandExecutionTest, DecodingTest
   MergeTests5<FileSystemAccessTest, FileSystemWriteAccessTest, PathNormalizationTest,
     SafeAccessCheckTest, PublicKeyGenerationTest>,
   MergeTests5<CryptographicOperationTest, HttpClientRequestTest, CsrfProtectionSettingTest,
-    CsrfLocalProtectionSettingTest, MergeTests<XmlParsingTest, ThreatModelSourceTest>>>>
+    CsrfLocalProtectionSettingTest,
+    MergeTests3<XmlParsingTest, ThreatModelSourceTest, TemplateConstructionTest>>>>

python/ql/test/library-tests/frameworks/Genshi/ConceptsTest.expected

@@ -0,0 +1,2 @@
+testFailures
+failures

python/ql/test/library-tests/frameworks/Genshi/ConceptsTest.ql

@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest

python/ql/test/library-tests/frameworks/Genshi/template_test.py

@@ -0,0 +1,9 @@
+from genshi.template.text import TextTemplate, NewTextTemplate, OldTextTemplate
+from genshi.template.markup import MarkupTemplate
+
+def test():
+    a = TextTemplate("abc") # $ templateConstruction="abc"
+    a = OldTextTemplate("abc") # $ templateConstruction="abc"
+    a = NewTextTemplate("abc") # $ templateConstruction="abc"
+    a = MarkupTemplate("abc") # $ templateConstruction="abc"
+    return a

python/ql/test/library-tests/frameworks/Mako/ConceptsTest.expected

@@ -0,0 +1,2 @@
+testFailures
+failures

python/ql/test/library-tests/frameworks/Mako/ConceptsTest.ql

@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest

python/ql/test/library-tests/frameworks/Mako/template_test.py

@@ -0,0 +1,4 @@
+from mako.template import Template
+
+def test():
+    return Template("abc") # $ templateConstruction="abc"