python: add concept tests

yoff · yoff · commit 6c2449564a76 · 2022-03-23T12:05:09.000+01:00
diff --git a/python/ql/test/experimental/meta/ConceptsTest.qll b/python/ql/test/experimental/meta/ConceptsTest.qll
@@ -503,3 +503,35 @@ class HttpClientRequestTest extends InlineExpectationsTest {
     )
   }
 }
+
+class CsrfProtectionSettingTest extends InlineExpectationsTest {
+  CsrfProtectionSettingTest() { this = "CsrfProtectionSettingTest" }
+
+  override string getARelevantTag() { result = "CsrfProtectionSetting" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(location.getFile().getRelativePath()) and
+    exists(CsrfProtectionSetting setting |
+      location = setting.getLocation() and
+      element = setting.toString() and
+      value = setting.getVerificationSetting().toString() and
+      tag = "CsrfProtectionSetting"
+    )
+  }
+}
+
+class CsrfLocalProtectionTest extends InlineExpectationsTest {
+  CsrfLocalProtectionTest() { this = "CsrfLocalProtectionTest" }
+
+  override string getARelevantTag() { result = "CsrfLocalProtection" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(location.getFile().getRelativePath()) and
+    exists(CsrfLocalProtection p |
+      location = p.getLocation() and
+      element = p.toString() and
+      value = p.getProtected().getName().toString() and
+      tag = "CsrfLocalProtection"
+    )
+  }
+}
diff --git a/python/ql/test/library-tests/frameworks/django-v2-v3/response_test.py b/python/ql/test/library-tests/frameworks/django-v2-v3/response_test.py
@@ -118,7 +118,7 @@ class CustomJsonResponse(JsonResponse):
     def __init__(self, banner, content, *args, **kwargs):
         super().__init__(content, *args, content_type="text/html", **kwargs)
 
-@csrf_protect
+@csrf_protect  # $CsrfLocalProtection=safe__custom_json_response
 def safe__custom_json_response(request):
     return CustomJsonResponse("ACME Responses", {"foo": request.GET.get("foo")})  # $HttpResponse mimetype=application/json MISSING: responseBody=Dict SPURIOUS: responseBody="ACME Responses"
 
diff --git a/python/ql/test/library-tests/frameworks/django-v2-v3/testproj/settings.py b/python/ql/test/library-tests/frameworks/django-v2-v3/testproj/settings.py
@@ -40,7 +40,7 @@
     'django.contrib.staticfiles',
 ]
 
-MIDDLEWARE = [
+MIDDLEWARE = [  # $CsrfProtectionSetting=false
     'django.middleware.security.SecurityMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.middleware.common.CommonMiddleware',

Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@`
`40`	`40`	`'django.contrib.staticfiles',`
`41`	`41`	`]`
`42`	`42`
`43`		`-MIDDLEWARE = [`
	`43`	`+MIDDLEWARE = [ # $CsrfProtectionSetting=false`
`44`	`44`	`'django.middleware.security.SecurityMiddleware',`
`45`	`45`	`'django.contrib.sessions.middleware.SessionMiddleware',`
`46`	`46`	`'django.middleware.common.CommonMiddleware',`