Python: more expectations

Author: yoff

python/ql/test/library-tests/frameworks/tornado/taint_test.py

@@ -63,7 +63,7 @@ def get(self, name = "World!", number="0", foo="foo"):  # $ requestHandler route
             request.headers["header-name"], # $ tainted
             request.headers.get_list("header-name"), # $ tainted
             request.headers.get_all(), # $ tainted
-            [(k, v) for (k, v) in request.headers.get_all()], # $ tainted
+            [(k, v) for (k, v) in request.headers.get_all()], # $ MISSING: tainted
 
             # Dict[str, http.cookies.Morsel]
             request.cookies, # $ tainted

python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.expected

@@ -1,3 +1,4 @@
+| hmac.new [**] | 1 | 1 |
 | hmac.new [keyword msg] | 1 | 1 |
 | hmac.new [position 1] | 1 | 1 |
 | unknown.lib.func [keyword kw] | 2 | 1 |

python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.expected

@@ -9,12 +9,18 @@ edges
 | test.py:13:16:13:22 | ControlFlowNode for request | test.py:13:16:13:27 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
 | test.py:13:16:13:27 | ControlFlowNode for Attribute | test.py:13:16:13:39 | ControlFlowNode for Attribute() | provenance | dict.get |
 | test.py:13:16:13:39 | ControlFlowNode for Attribute() | test.py:13:5:13:12 | ControlFlowNode for data_raw | provenance |  |
+| test.py:13:16:13:39 | ControlFlowNode for Attribute() | test.py:13:16:13:55 | ControlFlowNode for Attribute() | provenance | string.encode |
+| test.py:13:16:13:55 | ControlFlowNode for Attribute() | test.py:13:5:13:12 | ControlFlowNode for data_raw | provenance |  |
 | test.py:14:5:14:8 | ControlFlowNode for data | test.py:15:36:15:39 | ControlFlowNode for data | provenance |  |
 | test.py:23:5:23:12 | ControlFlowNode for data_raw | test.py:24:5:24:8 | ControlFlowNode for data | provenance | Decoding-Base64 |
 | test.py:23:16:23:22 | ControlFlowNode for request | test.py:23:16:23:27 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
 | test.py:23:16:23:27 | ControlFlowNode for Attribute | test.py:23:16:23:39 | ControlFlowNode for Attribute() | provenance | dict.get |
 | test.py:23:16:23:39 | ControlFlowNode for Attribute() | test.py:23:5:23:12 | ControlFlowNode for data_raw | provenance |  |
+| test.py:23:16:23:39 | ControlFlowNode for Attribute() | test.py:23:16:23:55 | ControlFlowNode for Attribute() | provenance | string.encode |
+| test.py:23:16:23:55 | ControlFlowNode for Attribute() | test.py:23:5:23:12 | ControlFlowNode for data_raw | provenance |  |
 | test.py:24:5:24:8 | ControlFlowNode for data | test.py:25:44:25:47 | ControlFlowNode for data | provenance |  |
+| test.py:24:5:24:8 | ControlFlowNode for data | test.py:25:44:25:47 | ControlFlowNode for data | provenance |  |
+| test.py:25:44:25:47 | ControlFlowNode for data | test.py:25:15:25:74 | SynthDictSplatArgumentNode | provenance |  |
 | test.py:34:5:34:8 | ControlFlowNode for data | test.py:35:10:35:13 | ControlFlowNode for data | provenance |  |
 | test.py:34:5:34:8 | ControlFlowNode for data | test.py:36:13:36:16 | ControlFlowNode for data | provenance |  |
 | test.py:34:12:34:18 | ControlFlowNode for request | test.py:34:12:34:23 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
@@ -38,13 +44,17 @@ nodes
 | test.py:13:16:13:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | test.py:13:16:13:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | test.py:13:16:13:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| test.py:13:16:13:55 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | test.py:14:5:14:8 | ControlFlowNode for data | semmle.label | ControlFlowNode for data |
 | test.py:15:36:15:39 | ControlFlowNode for data | semmle.label | ControlFlowNode for data |
 | test.py:23:5:23:12 | ControlFlowNode for data_raw | semmle.label | ControlFlowNode for data_raw |
 | test.py:23:16:23:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | test.py:23:16:23:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | test.py:23:16:23:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| test.py:23:16:23:55 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | test.py:24:5:24:8 | ControlFlowNode for data | semmle.label | ControlFlowNode for data |
+| test.py:25:15:25:74 | SynthDictSplatArgumentNode | semmle.label | SynthDictSplatArgumentNode |
+| test.py:25:44:25:47 | ControlFlowNode for data | semmle.label | ControlFlowNode for data |
 | test.py:25:44:25:47 | ControlFlowNode for data | semmle.label | ControlFlowNode for data |
 | test.py:34:5:34:8 | ControlFlowNode for data | semmle.label | ControlFlowNode for data |
 | test.py:34:12:34:18 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
@@ -68,6 +78,7 @@ nodes
 subpaths
 #select
 | test.py:15:36:15:39 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:15:36:15:39 | ControlFlowNode for data | Call to hmac.new [position 1] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember |
+| test.py:25:15:25:74 | SynthDictSplatArgumentNode | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:25:15:25:74 | SynthDictSplatArgumentNode | Call to hmac.new [**] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember |
 | test.py:25:44:25:47 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:25:44:25:47 | ControlFlowNode for data | Call to hmac.new [keyword msg] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember |
 | test.py:35:10:35:13 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:35:10:35:13 | ControlFlowNode for data | Call to unknown.lib.func [position 0] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember |
 | test.py:36:13:36:16 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:36:13:36:16 | ControlFlowNode for data | Call to unknown.lib.func [keyword kw] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember |

python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.expected

@@ -1,12 +1,15 @@
 edges
 | test.py:9:5:9:8 | ControlFlowNode for cert | test.py:12:21:12:24 | ControlFlowNode for cert | provenance |  |
+| test.py:9:5:9:8 | ControlFlowNode for cert | test.py:13:22:13:25 | ControlFlowNode for cert | provenance |  |
 | test.py:9:5:9:8 | ControlFlowNode for cert | test.py:13:22:13:41 | ControlFlowNode for Attribute() | provenance |  |
 | test.py:9:5:9:8 | ControlFlowNode for cert | test.py:15:26:15:29 | ControlFlowNode for cert | provenance |  |
 | test.py:9:12:9:21 | ControlFlowNode for get_cert() | test.py:9:5:9:8 | ControlFlowNode for cert | provenance |  |
+| test.py:13:22:13:25 | ControlFlowNode for cert | test.py:13:22:13:41 | ControlFlowNode for Attribute() | provenance | string.encode |
 nodes
 | test.py:9:5:9:8 | ControlFlowNode for cert | semmle.label | ControlFlowNode for cert |
 | test.py:9:12:9:21 | ControlFlowNode for get_cert() | semmle.label | ControlFlowNode for get_cert() |
 | test.py:12:21:12:24 | ControlFlowNode for cert | semmle.label | ControlFlowNode for cert |
+| test.py:13:22:13:25 | ControlFlowNode for cert | semmle.label | ControlFlowNode for cert |
 | test.py:13:22:13:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | test.py:15:26:15:29 | ControlFlowNode for cert | semmle.label | ControlFlowNode for cert |
 subpaths