From 85e4707e0c79f118976bde9bbf659ae28ee78dd4 Mon Sep 17 00:00:00 2001
From: Tom Hvitved
Date: Thu, 16 Feb 2023 14:12:41 +0100
Subject: [PATCH 1/6] Util: Use end line instead of start line for actual results
---
 shared/util/codeql/util/test/InlineExpectationsTest.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/util/codeql/util/test/InlineExpectationsTest.qll b/shared/util/codeql/util/test/InlineExpectationsTest.qll
index 0c4fd403f4f..c297e609a73 100644
--- a/shared/util/codeql/util/test/InlineExpectationsTest.qll
+++ b/shared/util/codeql/util/test/InlineExpectationsTest.qll
@@ -384,7 +384,7 @@ module Make {
 la = a.getLocation() and
 pragma[only_bind_into](lb) = b.getLocation() and
 pragma[only_bind_into](la).hasLocationInfo(fname, line, _, _, _) and
- lb.hasLocationInfo(fname, line, _, _, _)
+ lb.hasLocationInfo(fname, _, _, line, _)
 )
 }
From e9bce9f8cd5a9bcfc6f7c59da154ce044a9665ed Mon Sep 17 00:00:00 2001
From: Tom Hvitved
Date: Fri, 17 Feb 2023 09:30:25 +0100
Subject: [PATCH 2/6] Ruby: Update test expectations
---
 .../dataflow/api-graphs/callbacks.rb | 28 +++++++++----------
 .../dataflow/api-graphs/test1.rb | 4 +--
 .../library-tests/dataflow/api-graphs/use.ql | 2 +-
 .../dataflow/flow-summaries/semantics.rb | 4 +--
 .../improper_memoization.rb | 28 +++++++++----------
 ...incomplete_multi_character_sanitization.rb | 8 +++---
 6 files changed, 37 insertions(+), 37 deletions(-)
diff --git a/ruby/ql/test/library-tests/dataflow/api-graphs/callbacks.rb b/ruby/ql/test/library-tests/dataflow/api-graphs/callbacks.rb
index 41383b7a212..34c4d17d212 100644
--- a/ruby/ql/test/library-tests/dataflow/api-graphs/callbacks.rb
+++ b/ruby/ql/test/library-tests/dataflow/api-graphs/callbacks.rb
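Review bot: In `InlineExpectationsTest.qll`, the changed conjunct `lb.hasLocationInfo(fname, _, _, line, _)` binds `line` to the end line of the actual result while the expectation comment `la` is still matched on its start line, and nothing next to it explains the asymmetry, so it reads like a typo. I would add a comment directly above it, for example `// Match on the END line of the result: a multi-line result is annotated on its last line.` The predicate's header and any QLDoc that describes the same-line rule lie outside the hunk, so that text should be checked and brought in line as well. Since this moves where every expectation on a multi-line result has to sit, including in the security query tests, a change note for other users of the shared library would be worth adding.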
@@ -1,30 +1,30 @@ -Something.foo.withCallback do |a, b| #$ use=getMember("Something").getMethod("foo").getReturn().getMethod("withCallback").getReturn() +Something.foo.withCallback do |a, b| #$ use=getMember("Something").getMethod("foo").getReturn() a.something #$ use=getMember("Something").getMethod("foo").getReturn().getMethod("withCallback").getBlock().getParameter(0).getMethod("something").getReturn() b.somethingElse #$ use=getMember("Something").getMethod("foo").getReturn().getMethod("withCallback").getBlock().getParameter(1).getMethod("somethingElse").getReturn() -end +end #$ use=getMember("Something").getMethod("foo").getReturn().getMethod("withCallback").getReturn() -Something.withNamedArg do |a:, b: nil| #$ use=getMember("Something").getMethod("withNamedArg").getReturn() +Something.withNamedArg do |a:, b: nil| #$ use=getMember("Something") a.something #$ use=getMember("Something").getMethod("withNamedArg").getBlock().getKeywordParameter("a").getMethod("something").getReturn() b.somethingElse #$ use=getMember("Something").getMethod("withNamedArg").getBlock().getKeywordParameter("b").getMethod("somethingElse").getReturn() -end +end #$ use=getMember("Something").getMethod("withNamedArg").getReturn() -Something.withLambda ->(a, b) { #$ use=getMember("Something").getMethod("withLambda").getReturn() +Something.withLambda ->(a, b) { #$ use=getMember("Something") a.something #$ use=getMember("Something").getMethod("withLambda").getParameter(0).getParameter(0).getMethod("something").getReturn() b.something #$ use=getMember("Something").getMethod("withLambda").getParameter(0).getParameter(1).getMethod("something").getReturn() -} +} #$ use=getMember("Something").getMethod("withLambda").getReturn() -Something.namedCallback( #$ use=getMember("Something").getMethod("namedCallback").getReturn() +Something.namedCallback( #$ use=getMember("Something") onEvent: ->(a, b) { a.something #$ 
use=getMember("Something").getMethod("namedCallback").getKeywordParameter("onEvent").getParameter(0).getMethod("something").getReturn() b.something #$ use=getMember("Something").getMethod("namedCallback").getKeywordParameter("onEvent").getParameter(1).getMethod("something").getReturn() } -) +) #$ use=getMember("Something").getMethod("namedCallback").getReturn() -Something.nestedCall1 do |a| #$ use=getMember("Something").getMethod("nestedCall1").getReturn() - a.nestedCall2 do |b:| #$ use=getMember("Something").getMethod("nestedCall1").getBlock().getParameter(0).getMethod("nestedCall2").getReturn() +Something.nestedCall1 do |a| #$ use=getMember("Something") + a.nestedCall2 do |b:| #$ use=getMember("Something").getMethod("nestedCall1").getBlock().getParameter(0) b.something #$ use=getMember("Something").getMethod("nestedCall1").getBlock().getParameter(0).getMethod("nestedCall2").getBlock().getKeywordParameter("b").getMethod("something").getReturn() - end -end + end #$ use=getMember("Something").getMethod("nestedCall1").getBlock().getParameter(0).getMethod("nestedCall2").getReturn() +end #$ use=getMember("Something").getMethod("nestedCall1").getReturn() def getCallback() ->(x) { @@ -33,7 +33,7 @@ def getCallback() end Something.indirectCallback(getCallback()) #$ use=getMember("Something").getMethod("indirectCallback").getReturn() -Something.withMixed do |a, *args, b| #$ use=getMember("Something").getMethod("withMixed").getReturn() +Something.withMixed do |a, *args, b| #$ use=getMember("Something") a.something #$ use=getMember("Something").getMethod("withMixed").getBlock().getParameter(0).getMethod("something").getReturn() # b.something # not currently handled correctly -end +end #$ use=getMember("Something").getMethod("withMixed").getReturn() diff --git a/ruby/ql/test/library-tests/dataflow/api-graphs/test1.rb b/ruby/ql/test/library-tests/dataflow/api-graphs/test1.rb index 34e2aa5f9cb..86b8bce9587 100644 --- a/ruby/ql/test/library-tests/dataflow/api-graphs/test1.rb 
+++ b/ruby/ql/test/library-tests/dataflow/api-graphs/test1.rb @@ -13,9 +13,9 @@ Unknown.new.run #$ use=getMember("Unknown").getMethod("new").getReturn().getMeth Foo::Bar::Baz #$ use=getMember("Foo").getMember("Bar").getMember("Baz") Const = [1, 2, 3] #$ use=getMember("Array").getMethod("[]").getReturn() -Const.each do |c| #$ use=getMember("Const").getMethod("each").getReturn() def=getMember("Const").getMethod("each").getBlock() +Const.each do |c| #$ use=getMember("Const") puts c #$ use=getMember("Const").getMethod("each").getBlock().getParameter(0) use=getMember("Const").getContent(element) -end +end #$ use=getMember("Const").getMethod("each").getReturn() def=getMember("Const").getMethod("each").getBlock() foo = Foo #$ use=getMember("Foo") foo::Bar::Baz #$ use=getMember("Foo").getMember("Bar").getMember("Baz") diff --git a/ruby/ql/test/library-tests/dataflow/api-graphs/use.ql b/ruby/ql/test/library-tests/dataflow/api-graphs/use.ql index 1f2780793ec..9eb450c01ea 100644 --- a/ruby/ql/test/library-tests/dataflow/api-graphs/use.ql +++ b/ruby/ql/test/library-tests/dataflow/api-graphs/use.ql @@ -44,7 +44,7 @@ class ApiUseTest extends InlineExpectationsTest { max(API::Node a2, Location l2, DataFlow::Node n2 | relevantNode(a2, n2, l2, tag) and l2.getFile() = location.getFile() and - l2.getStartLine() = location.getStartLine() + l2.getEndLine() = location.getEndLine() | a2.getPath() order by diff --git a/ruby/ql/test/library-tests/dataflow/flow-summaries/semantics.rb b/ruby/ql/test/library-tests/dataflow/flow-summaries/semantics.rb index 090791ddb20..4424893a9b5 100644 --- a/ruby/ql/test/library-tests/dataflow/flow-summaries/semantics.rb +++ b/ruby/ql/test/library-tests/dataflow/flow-summaries/semantics.rb @@ -44,9 +44,9 @@ end def m8 sink(s8 { source "a" }) # $ hasValueFlow=a - sink(s8 do # $hasValueFlow=a + sink(s8 do source "a" - end) + end) # $hasValueFlow=a end def m9 
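Review bot: In `use.ql`, the new condition `l2.getEndLine() = location.getEndLine()` is only correct because the shared expectations library now places actual results on their end line, but the aggregate has no comment tying the two together. If the library's matching rule changes again, this grouping would presumably compare nodes from a different line than the one the expectation is matched against, and the test would drift without an obvious cause. I would add `// Group candidates by end line, matching how InlineExpectationsTest locates actual results.` above the condition. The `max(...)` aggregate and its enclosing predicate start and end outside the hunk.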
diff --git a/ruby/ql/test/query-tests/experimental/improper-memoization/improper_memoization.rb b/ruby/ql/test/query-tests/experimental/improper-memoization/improper_memoization.rb index 9b3bee6e663..e1e60209c79 100644 --- a/ruby/ql/test/query-tests/experimental/improper-memoization/improper_memoization.rb +++ b/ruby/ql/test/query-tests/experimental/improper-memoization/improper_memoization.rb @@ -47,54 +47,54 @@ def m6(arg1, arg2) end # Bad: method has parameter but only one result is memoized. -def m7(arg) # $result=BAD +def m7(arg) @m7 ||= begin arg += 3 end @m7 -end +end # $result=BAD # Bad: method has parameter but only one result is memoized. -def m8(arg) # $result=BAD +def m8(arg) @m8 ||= begin long_running_method(arg) end @m8 -end +end # $result=BAD # Bad: method has parameter but only one result is memoized. -def m9(arg) # $result=BAD +def m9(arg) @m9 ||= long_running_method(arg) -end +end # $result=BAD # Bad: method has parameter but only one result is memoized. -def m10(arg1, arg2) # $result=BAD +def m10(arg1, arg2) @m10 ||= long_running_method(arg1, arg2) -end +end # $result=BAD # Bad: `arg2` not used in key. -def m11(arg1, arg2) # $result=BAD +def m11(arg1, arg2) @m11 ||= {} @m11[arg1] ||= long_running_method(arg1, arg2) -end +end # $result=BAD # Bad: `arg2` not used in key. -def m12(arg1, arg2) # $result=BAD +def m12(arg1, arg2) @m12 ||= Hash.new do |h1, arg1| h1[arg1] = result(arg1, arg2) end @m12[arg1] -end +end # $result=BAD # Bad: arg not used in key. -def m13(id:) # $result=BAD +def m13(id:) @m13 ||= Rails.cache.fetch("product_sku/#{id}", expires_in: 30.minutes) do ActiveRecord::Base.transaction do ProductSku.find_by(id: id) end end @m13 -end +end # $result=BAD # Good (FP): arg is used in key via string interpolation. def m14(arg) 
diff --git a/ruby/ql/test/query-tests/security/cwe-116/IncompleteMultiCharacterSanitization/incomplete_multi_character_sanitization.rb b/ruby/ql/test/query-tests/security/cwe-116/IncompleteMultiCharacterSanitization/incomplete_multi_character_sanitization.rb index 3301b00e709..a9c61a29c21 100644 --- a/ruby/ql/test/query-tests/security/cwe-116/IncompleteMultiCharacterSanitization/incomplete_multi_character_sanitization.rb +++ b/ruby/ql/test/query-tests/security/cwe-116/IncompleteMultiCharacterSanitization/incomplete_multi_character_sanitization.rb @@ -80,9 +80,9 @@ def m9(x) x = x.gsub(/^(\.\.\/?)+/, "") # OK # NOT OK - x = x.gsub(/)<[^<]*)*<\/script>/) do |match| # $ hasResult=html + x = x.gsub(/)<[^<]*)*<\/script>/) do |match| if unknown then match else "" end - end + end # $ hasResult=html x = x.gsub(/<\/?([a-z][a-z0-9]*)\b[^>]*>/i, "") # NOT OK [INCONSISTENCY] $ hasResult=html @@ -113,10 +113,10 @@ def m9(x) x = x.gsub(//, "") # OK - x = x # $ hasResult=path + x = x .gsub(/^\.\//, "") .gsub(/\/\.\//, "/") - .gsub(/[^\/]*\/\.\.\//, "") + .gsub(/[^\/]*\/\.\.\//, "") # $ hasResult=path x end From 18c6b682329377fba5d9b05352527eae0cc89bd6 Mon Sep 17 00:00:00 2001 From: Tom Hvitved Date: Fri, 17 Feb 2023 09:33:03 +0100 Subject: [PATCH 3/6] Go: Update test expectations --- go/ql/test/library-tests/semmle/go/Types/variadicFunctions.go | 4 ++-- go/ql/test/library-tests/semmle/go/concepts/HTTP/main.go | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/go/ql/test/library-tests/semmle/go/Types/variadicFunctions.go b/go/ql/test/library-tests/semmle/go/Types/variadicFunctions.go index 427adeb9041..4cedb679b04 100644 --- a/go/ql/test/library-tests/semmle/go/Types/variadicFunctions.go +++ b/go/ql/test/library-tests/semmle/go/Types/variadicFunctions.go 
@@ -7,7 +7,7 @@ func testing() {
 nonvariadicDeclaredFunction([]int{})
 }
-func variadicDeclaredFunction(x ...int) int { // $ isVariadic
+func variadicDeclaredFunction(x ...int) int {
 a := make([]int, 0, 10)
 y := append(x, a...)
 print(x[0], x[1])
@@ -15,7 +15,7 @@ func variadicDeclaredFunction(x ...int) int { // $ isVariadic
 fmt.Fprint(nil, nil, nil)
 variadicFunctionLiteral := func(z ...int) int { return z[1] } // $ isVariadic
 return variadicFunctionLiteral(y...)
-}
+} // $ isVariadic
 func nonvariadicDeclaredFunction(x []int) int {
 return 0
diff --git a/go/ql/test/library-tests/semmle/go/concepts/HTTP/main.go b/go/ql/test/library-tests/semmle/go/concepts/HTTP/main.go
index 12a3929cec6..5bd6dbf185e 100644
--- a/go/ql/test/library-tests/semmle/go/concepts/HTTP/main.go
+++ b/go/ql/test/library-tests/semmle/go/concepts/HTTP/main.go
@@ -59,7 +59,7 @@ func main() {
 http.HandleFunc("/foo", handler) // $ handler="/foo"
- http.HandleFunc("/bar", func(w http.ResponseWriter, r *http.Request) { // $ handler="/bar"
+ http.HandleFunc("/bar", func(w http.ResponseWriter, r *http.Request) {
 fmt.Fprintf(w, "Hello, %q", html.EscapeString(r.URL.Path))
- })
+ }) // $ handler="/bar"
 }
From 37fc8f5039e219dbaa521abf0cea411d6a4dc560 Mon Sep 17 00:00:00 2001
From: Tom Hvitved
Date: Fri, 17 Feb 2023 09:33:54 +0100
Subject: [PATCH 4/6] Swift: Update test expectations
---
 swift/ql/test/library-tests/dataflow/taint/string.swift | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/swift/ql/test/library-tests/dataflow/taint/string.swift b/swift/ql/test/library-tests/dataflow/taint/string.swift
index 5179d64c0fc..d1843d95ef2 100644
--- a/swift/ql/test/library-tests/dataflow/taint/string.swift
+++ b/swift/ql/test/library-tests/dataflow/taint/string.swift
@@ -244,9 +244,9 @@ func taintThroughSimpleStringOperations() { sink(arg: tainted.reversed()) // $ tainted=217 sink(arg: tainted.split(separator: ",")) // $ tainted=217 - sink(arg: tainted.split(whereSeparator: { // $ tainted=217 + sink(arg: tainted.split(whereSeparator: { c in return (c == ",") - })) + })) // $ tainted=217 sink(arg: tainted.trimmingCharacters(in: CharacterSet.whitespaces)) // $ tainted=217 sink(arg: tainted.padding(toLength: 20, withPad: " ", startingAt: 0)) // $ tainted=217 sink(arg: tainted.components(separatedBy: CharacterSet.whitespaces)) // $ tainted=217 From 0bceefc930a1ef8b0eda8f329cf6461c91c562fa Mon Sep 17 00:00:00 2001 From: Tom Hvitved Date: Fri, 17 Feb 2023 09:39:26 +0100 Subject: [PATCH 5/6] Java: Update test expectations --- .../apache-commons-lang3/StrBuilderTest.java | 4 +- .../StrBuilderTextTest.java | 4 +- .../TextStringBuilderTest.java | 4 +- .../security/CWE-079/semmle/tests/JsfXSS.java | 4 +- .../debuggable-attribute/AndroidManifest.xml | 4 +- .../Testbuild/AndroidManifest.xml | 4 +- .../security/CWE-524/res/layout/Test.xml | 12 ++--- .../security/CWE-926/AndroidManifest.xml | 48 +++++++++---------- .../AndroidManifest.xml | 8 ++-- 9 files changed, 46 insertions(+), 46 deletions(-) diff --git a/java/ql/test/library-tests/frameworks/apache-commons-lang3/StrBuilderTest.java b/java/ql/test/library-tests/frameworks/apache-commons-lang3/StrBuilderTest.java index 0c0e386e9c2..35a118f8048 100644 --- a/java/ql/test/library-tests/frameworks/apache-commons-lang3/StrBuilderTest.java +++ b/java/ql/test/library-tests/frameworks/apache-commons-lang3/StrBuilderTest.java @@ -145,7 +145,7 @@ class StrBuilderTest { // Test all fluent methods are passing taint through to their result: StrBuilder fluentAllMethodsTest = new StrBuilder(taint()); - sink(fluentAllMethodsTest // $hasTaintFlow + sink(fluentAllMethodsTest .append("text") .appendAll("text") .appendFixedWidthPadLeft("text", 4, ' ') 
@@ -171,7 +171,7 @@ class StrBuilderTest { .setLength(500) .setNewLineText("newline") .setNullText("NULL") - .trim()); + .trim()); // $hasTaintFlow // Test all fluent methods are passing taint back to their qualifier: StrBuilder fluentAllMethodsTest2 = new StrBuilder(); diff --git a/java/ql/test/library-tests/frameworks/apache-commons-lang3/StrBuilderTextTest.java b/java/ql/test/library-tests/frameworks/apache-commons-lang3/StrBuilderTextTest.java index 74f0f1d17c9..43171647004 100644 --- a/java/ql/test/library-tests/frameworks/apache-commons-lang3/StrBuilderTextTest.java +++ b/java/ql/test/library-tests/frameworks/apache-commons-lang3/StrBuilderTextTest.java @@ -145,7 +145,7 @@ class StrBuilderTextTest { // Test all fluent methods are passing taint through to their result: StrBuilder fluentAllMethodsTest = new StrBuilder(taint()); - sink(fluentAllMethodsTest // $hasTaintFlow + sink(fluentAllMethodsTest .append("text") .appendAll("text") .appendFixedWidthPadLeft("text", 4, ' ') @@ -171,7 +171,7 @@ class StrBuilderTextTest { .setLength(500) .setNewLineText("newline") .setNullText("NULL") - .trim()); + .trim()); // $hasTaintFlow // Test all fluent methods are passing taint back to their qualifier: StrBuilder fluentAllMethodsTest2 = new StrBuilder(); diff --git a/java/ql/test/library-tests/frameworks/apache-commons-lang3/TextStringBuilderTest.java b/java/ql/test/library-tests/frameworks/apache-commons-lang3/TextStringBuilderTest.java index e490c11c7cb..41941cca223 100644 --- a/java/ql/test/library-tests/frameworks/apache-commons-lang3/TextStringBuilderTest.java +++ b/java/ql/test/library-tests/frameworks/apache-commons-lang3/TextStringBuilderTest.java 
@@ -146,7 +146,7 @@ class TextStringBuilderTest { // Test all fluent methods are passing taint through to their result: TextStringBuilder fluentAllMethodsTest = new TextStringBuilder(taint()); - sink(fluentAllMethodsTest // $hasTaintFlow + sink(fluentAllMethodsTest .append("text") .appendAll("text") .appendFixedWidthPadLeft("text", 4, ' ') @@ -172,7 +172,7 @@ class TextStringBuilderTest { .setLength(500) .setNewLineText("newline") .setNullText("NULL") - .trim()); + .trim()); // $hasTaintFlow // Test all fluent methods are passing taint back to their qualifier: TextStringBuilder fluentAllMethodsTest2 = new TextStringBuilder(); diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/JsfXSS.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/JsfXSS.java index 9fd7a1ffcae..281b89720d2 100644 --- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/JsfXSS.java +++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/JsfXSS.java @@ -24,9 +24,9 @@ public class JsfXSS extends Renderer ResponseWriter writer = facesContext.getResponseWriter(); writer.write(""); diff --git a/java/ql/test/query-tests/security/CWE-489/debuggable-attribute/AndroidManifest.xml b/java/ql/test/query-tests/security/CWE-489/debuggable-attribute/AndroidManifest.xml index 78d85ecb7a5..9a915624e5e 100644 --- a/java/ql/test/query-tests/security/CWE-489/debuggable-attribute/AndroidManifest.xml +++ b/java/ql/test/query-tests/security/CWE-489/debuggable-attribute/AndroidManifest.xml @@ -3,7 +3,7 @@ xmlns:tools="http://schemas.android.com/tools" package="com.example.happybirthday"> - + tools:targetApi="31"> diff --git a/java/ql/test/query-tests/security/CWE-489/debuggable-attribute/Testbuild/AndroidManifest.xml b/java/ql/test/query-tests/security/CWE-489/debuggable-attribute/Testbuild/AndroidManifest.xml index 613bc8aeca1..cb8591f3a70 100644 --- a/java/ql/test/query-tests/security/CWE-489/debuggable-attribute/Testbuild/AndroidManifest.xml 
+++ b/java/ql/test/query-tests/security/CWE-489/debuggable-attribute/Testbuild/AndroidManifest.xml @@ -3,7 +3,7 @@ xmlns:tools="http://schemas.android.com/tools" package="com.example.happybirthday"> - + tools:targetApi="31"> diff --git a/java/ql/test/query-tests/security/CWE-524/res/layout/Test.xml b/java/ql/test/query-tests/security/CWE-524/res/layout/Test.xml index 107c13dd306..3446d530794 100644 --- a/java/ql/test/query-tests/security/CWE-524/res/layout/Test.xml +++ b/java/ql/test/query-tests/security/CWE-524/res/layout/Test.xml @@ -4,9 +4,9 @@ xmlns:app="http://schemas.android.com/apk/res-auto"> - + android:inputType="text"/> - + android:inputType="textMultiLine"/> - + diff --git a/java/ql/test/query-tests/security/CWE-926/AndroidManifest.xml b/java/ql/test/query-tests/security/CWE-926/AndroidManifest.xml index 210c97b26a2..c759d38e7dd 100644 --- a/java/ql/test/query-tests/security/CWE-926/AndroidManifest.xml +++ b/java/ql/test/query-tests/security/CWE-926/AndroidManifest.xml @@ -14,58 +14,58 @@ android:theme="@style/Theme.HappyBirthday" tools:targetApi="31"> - - + - - + - - + - - + - - + - - + - - + - @@ -73,41 +73,41 @@ - + - - + - - + - - + - - + diff --git a/java/ql/test/query-tests/security/CWE-926/incomplete_provider_permissions/AndroidManifest.xml b/java/ql/test/query-tests/security/CWE-926/incomplete_provider_permissions/AndroidManifest.xml index 928dc72a665..ba2bbbb006b 100644 --- a/java/ql/test/query-tests/security/CWE-926/incomplete_provider_permissions/AndroidManifest.xml +++ b/java/ql/test/query-tests/security/CWE-926/incomplete_provider_permissions/AndroidManifest.xml @@ -17,22 +17,22 @@ - + android:readPermission="android.permission.MANAGE_DOCUMENTS"> - + android:writePermission="android.permission.MANAGE_DOCUMENTS"> From 59efcd593adc3bafef5e888c0dff2667544d56ca Mon Sep 17 00:00:00 2001 
From: Tom Hvitved
Date: Fri, 17 Feb 2023 09:41:15 +0100
Subject: [PATCH 6/6] Python: Update test expectations
---
 .../frameworks/django-v2-v3/testproj/settings.py | 4 ++--
 python/ql/test/library-tests/frameworks/flask/old_test.py | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/python/ql/test/library-tests/frameworks/django-v2-v3/testproj/settings.py b/python/ql/test/library-tests/frameworks/django-v2-v3/testproj/settings.py
index f376ae752d8..d88ce4c05e3 100644
--- a/python/ql/test/library-tests/frameworks/django-v2-v3/testproj/settings.py
+++ b/python/ql/test/library-tests/frameworks/django-v2-v3/testproj/settings.py
@@ -40,7 +40,7 @@ INSTALLED_APPS = [
 'django.contrib.staticfiles',
 ]
-MIDDLEWARE = [ # $CsrfProtectionSetting=false
+MIDDLEWARE = [
 'django.middleware.security.SecurityMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
@@ -48,7 +48,7 @@ MIDDLEWARE = [ # $CsrfProtectionSetting=false
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
-]
+] # $CsrfProtectionSetting=false
 ROOT_URLCONF = 'testproj.urls'
diff --git a/python/ql/test/library-tests/frameworks/flask/old_test.py b/python/ql/test/library-tests/frameworks/flask/old_test.py
index d86c75019e5..556467fad9b 100644
--- a/python/ql/test/library-tests/frameworks/flask/old_test.py
+++ b/python/ql/test/library-tests/frameworks/flask/old_test.py
@@ -21,8 +21,8 @@ class MyView(MethodView):
 the_view = MyView.as_view('my_view')
-app.add_url_rule('/the/', defaults={'user_id': None}, # $routeSetup="/the/"
- view_func=the_view, methods=['GET',])
+app.add_url_rule('/the/', defaults={'user_id': None},
+ view_func=the_view, methods=['GET',]) # $routeSetup="/the/"
 @app.route("/dangerous") # $routeSetup="/dangerous"
 def dangerous(): # $requestHandler