From a387496832f32e5b54a31695bc1b9341d0b0bb93 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen
Date: Fri, 26 Feb 2021 16:23:21 +0100
Subject: [PATCH] Python: Highlight how request.uri works in Tornado
---
 .../frameworks/tornado/TestTaint.expected | 48 +++++++++----------
 .../frameworks/tornado/taint_test.py | 4 ++
 2 files changed, 28 insertions(+), 24 deletions(-)
diff --git a/python/ql/test/experimental/library-tests/frameworks/tornado/TestTaint.expected b/python/ql/test/experimental/library-tests/frameworks/tornado/TestTaint.expected
index f14b12d580e7..2952218d16ff 100644
--- a/python/ql/test/experimental/library-tests/frameworks/tornado/TestTaint.expected
+++ b/python/ql/test/experimental/library-tests/frameworks/tornado/TestTaint.expected
@@ -15,27 +15,27 @@ | taint_test.py:26 | ok | get | self.path_kwargs | | taint_test.py:27 | ok | get | self.path_kwargs["name"] | | taint_test.py:34 | ok | get | request | -| taint_test.py:36 | ok | get | request.uri | -| taint_test.py:37 | ok | get | request.path | -| taint_test.py:38 | ok | get | request.query | -| taint_test.py:39 | ok | get | request.full_url() | -| taint_test.py:41 | ok | get | request.remote_ip | -| taint_test.py:43 | ok | get | request.body | -| taint_test.py:45 | ok | get | request.arguments | -| taint_test.py:46 | ok | get | request.arguments["name"] | -| taint_test.py:47 | ok | get | request.arguments["name"][0] | -| taint_test.py:49 | ok | get | request.query_arguments | -| taint_test.py:50 | ok | get | request.query_arguments["name"] | -| taint_test.py:51 | ok | get | request.query_arguments["name"][0] | -| taint_test.py:53 | ok | get | request.body_arguments | -| taint_test.py:54 | ok | get | request.body_arguments["name"] | -| taint_test.py:55 | ok | get | request.body_arguments["name"][0] | -| taint_test.py:58 | ok | get | request.headers | -| taint_test.py:59 | ok | get | request.headers["header-name"] | -| taint_test.py:60 | fail | get | request.headers.get_list(..) 
| -| taint_test.py:61 | fail | get | request.headers.get_all() | -| taint_test.py:62 | fail | get | ListComp | -| taint_test.py:65 | ok | get | request.cookies | -| taint_test.py:66 | ok | get | request.cookies["cookie-name"] | -| taint_test.py:67 | fail | get | request.cookies["cookie-name"].key | -| taint_test.py:68 | fail | get | request.cookies["cookie-name"].value | +| taint_test.py:40 | ok | get | request.uri | +| taint_test.py:41 | ok | get | request.path | +| taint_test.py:42 | ok | get | request.query | +| taint_test.py:43 | ok | get | request.full_url() | +| taint_test.py:45 | ok | get | request.remote_ip | +| taint_test.py:47 | ok | get | request.body | +| taint_test.py:49 | ok | get | request.arguments | +| taint_test.py:50 | ok | get | request.arguments["name"] | +| taint_test.py:51 | ok | get | request.arguments["name"][0] | +| taint_test.py:53 | ok | get | request.query_arguments | +| taint_test.py:54 | ok | get | request.query_arguments["name"] | +| taint_test.py:55 | ok | get | request.query_arguments["name"][0] | +| taint_test.py:57 | ok | get | request.body_arguments | +| taint_test.py:58 | ok | get | request.body_arguments["name"] | +| taint_test.py:59 | ok | get | request.body_arguments["name"][0] | +| taint_test.py:62 | ok | get | request.headers | +| taint_test.py:63 | ok | get | request.headers["header-name"] | +| taint_test.py:64 | fail | get | request.headers.get_list(..) | +| taint_test.py:65 | fail | get | request.headers.get_all() | +| taint_test.py:66 | fail | get | ListComp | +| taint_test.py:69 | ok | get | request.cookies | +| taint_test.py:70 | ok | get | request.cookies["cookie-name"] | +| taint_test.py:71 | fail | get | request.cookies["cookie-name"].key | +| taint_test.py:72 | fail | get | request.cookies["cookie-name"].value | diff --git a/python/ql/test/experimental/library-tests/frameworks/tornado/taint_test.py b/python/ql/test/experimental/library-tests/frameworks/tornado/taint_test.py index cb41cfe1d7f1..e3297a1d2f95 100644 
--- a/python/ql/test/experimental/library-tests/frameworks/tornado/taint_test.py
+++ b/python/ql/test/experimental/library-tests/frameworks/tornado/taint_test.py
@@ -33,6 +33,10 @@ def get(self, name = "World!", number="0", foo="foo"): # $ requestHandler route
 # see https://www.tornadoweb.org/en/stable/httputil.html#tornado.httputil.HTTPServerRequest
 request,
+ # For the URL https:://example.com/foo/bar?baz=42
+ # request.uri="/foo/bar?baz=42"
+ # request.path="/foo/bar"
+ # request.query="baz=42"
 request.uri,
 request.path,
 request.query,
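Review bot: The example URL in the first added comment line has a doubled colon, `https:://example.com/foo/bar?baz=42`; it should read `# For the URL https://example.com/foo/bar?baz=42`. The updated `.expected` file lists `request.full_url()` immediately after `request.query`, so the comment could carry one more line, for instance `# request.full_url()="https://example.com/foo/bar?baz=42"`, to show which accessor includes scheme and host. That value should be confirmed against the Tornado documentation linked just above, since the host part is presumably derived from the client-supplied Host header and is therefore as attacker-influenced as the path and query. The enclosing call and the `get` method both start and end outside the hunk.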