Commit 093f506

bcallerBen Caller

authored and

Ben Caller

committed

Add test for vulnerabilities in recursive functions

recur_but_no_propagation is actually safe, but it would be difficult to reliably determine this, so we'll have to do with the false positive at least for now (as recursive functions can call other recursive functions).

1 parent b2daf8b commit 093f506Copy full SHA for 093f506

File tree

3 files changed

+39

-2

lines changed

examples/vulnerable_code
- recursive.py
tests
- main_test.py
- vulnerabilities
  - vulnerabilities_test.py

3 files changed

+39

-2

lines changed

`‎examples/vulnerable_code/recursive.py`

Lines changed: 32 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,32 @@`
	`1`	`+from flask import Flask, request`
	`2`	`+`
	`3`	`+app = Flask(__name__)`
	`4`	`+`
	`5`	`+`
	`6`	`+def recur_without_any_propagation(x):`
	`7`	`+ if len(x) < 20:`
	`8`	`+ return recur_without_any_propagation("a" * 24)`
	`9`	`+ return "Done"`
	`10`	`+`
	`11`	`+`
	`12`	`+def recur_no_propagation_false_positive(x):`
	`13`	`+ if len(x) < 20:`
	`14`	`+ return recur_no_propagation_false_positive(x + "!")`
	`15`	`+ return "Done"`
	`16`	`+`
	`17`	`+`
	`18`	`+def recur_with_propagation(x):`
	`19`	`+ if len(x) < 20:`
	`20`	`+ return recur_with_propagation(x + "!")`
	`21`	`+ return x`
	`22`	`+`
	`23`	`+`
	`24`	`+@app.route('/recursive')`
	`25`	`+def route():`
	`26`	`+ param = request.args.get('param', 'not set')`
	`27`	`+ repeated_completely_untainted = recur_without_any_propagation(param)`
	`28`	`+ app.db.execute(repeated_completely_untainted)`
	`29`	`+ repeated_untainted = recur_no_propagation_false_positive(param)`
	`30`	`+ app.db.execute(repeated_untainted)`
	`31`	`+ repeated_tainted = recur_with_propagation(param)`
	`32`	`+ app.db.execute(repeated_tainted)`

`‎tests/main_test.py`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -108,11 +108,11 @@ def test_targets_with_recursive(self):`
`108`	`108`	`excluded_files = ""`
`109`	`109`
`110`	`110`	`included_files = discover_files(targets, excluded_files, True)`
`111`		`- self.assertEqual(len(included_files), 31)`
	`111`	`+ self.assertEqual(len(included_files), 32)`
`112`	`112`
`113`	`113`	`def test_targets_with_recursive_and_excluded(self):`
`114`	`114`	`targets = ["examples/vulnerable_code/"]`
`115`	`115`	`excluded_files = "inter_command_injection.py"`
`116`	`116`
`117`	`117`	`included_files = discover_files(targets, excluded_files, True)`
`118`		`- self.assertEqual(len(included_files), 30)`
	`118`	`+ self.assertEqual(len(included_files), 31)`

`‎tests/vulnerabilities/vulnerabilities_test.py`

Lines changed: 5 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -465,6 +465,11 @@ def assert_vulnerable(fixture):`
`465`	`465`	`assert_vulnerable('result = repr(str("%s" % TAINT.lower().upper()))')`
`466`	`466`	`assert_vulnerable('result = repr(str("{}".format(TAINT.lower())))')`
`467`	`467`
	`468`	`+ def test_recursion(self):`
	`469`	`+ # Really this file only has one vulnerability, but for now it's safer to keep the false positive.`
	`470`	`+ vulnerabilities = self.run_analysis('examples/vulnerable_code/recursive.py')`
	`471`	`+ self.assert_length(vulnerabilities, expected_length=2)`
	`472`	`+`
`468`	`473`
`469`	`474`	`class EngineDjangoTest(VulnerabilitiesBaseTestCase):`
`470`	`475`	`def run_analysis(self, path):`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 093f506

File tree

3 files changed

3 files changed

`‎examples/vulnerable_code/recursive.py`

`‎tests/main_test.py`

`‎tests/vulnerabilities/vulnerabilities_test.py`

0 commit comments