Add test for vulnerabilities in recursive functions

bcaller · Ben Caller · commit 093f506dde3d · 2018-09-07T11:38:27.000+01:00
recur_but_no_propagation is actually safe, but it would be difficult to
reliably determine this, so we'll have to do with the false positive at
least for now (as recursive functions can call other recursive
functions).
diff --git a/examples/vulnerable_code/recursive.py b/examples/vulnerable_code/recursive.py
@@ -0,0 +1,32 @@
+from flask import Flask, request
+
+app = Flask(__name__)
+
+
+def recur_without_any_propagation(x):
+    if len(x) < 20:
+        return recur_without_any_propagation("a" * 24)
+    return "Done"
+
+
+def recur_no_propagation_false_positive(x):
+    if len(x) < 20:
+        return recur_no_propagation_false_positive(x + "!")
+    return "Done"
+
+
+def recur_with_propagation(x):
+    if len(x) < 20:
+        return recur_with_propagation(x + "!")
+    return x
+
+
+@app.route('/recursive')
+def route():
+    param = request.args.get('param', 'not set')
+    repeated_completely_untainted = recur_without_any_propagation(param)
+    app.db.execute(repeated_completely_untainted)
+    repeated_untainted = recur_no_propagation_false_positive(param)
+    app.db.execute(repeated_untainted)
+    repeated_tainted = recur_with_propagation(param)
+    app.db.execute(repeated_tainted)
diff --git a/tests/main_test.py b/tests/main_test.py
@@ -108,11 +108,11 @@ def test_targets_with_recursive(self):
         excluded_files = ""
 
         included_files = discover_files(targets, excluded_files, True)
-        self.assertEqual(len(included_files), 31)
+        self.assertEqual(len(included_files), 32)
 
     def test_targets_with_recursive_and_excluded(self):
         targets = ["examples/vulnerable_code/"]
         excluded_files = "inter_command_injection.py"
 
         included_files = discover_files(targets, excluded_files, True)
-        self.assertEqual(len(included_files), 30)
+        self.assertEqual(len(included_files), 31)
diff --git a/tests/vulnerabilities/vulnerabilities_test.py b/tests/vulnerabilities/vulnerabilities_test.py
@@ -465,6 +465,11 @@ def assert_vulnerable(fixture):
         assert_vulnerable('result = repr(str("%s" % TAINT.lower().upper()))')
         assert_vulnerable('result = repr(str("{}".format(TAINT.lower())))')
 
+    def test_recursion(self):
+        # Really this file only has one vulnerability, but for now it's safer to keep the false positive.
+        vulnerabilities = self.run_analysis('examples/vulnerable_code/recursive.py')
+        self.assert_length(vulnerabilities, expected_length=2)
+
 
 class EngineDjangoTest(VulnerabilitiesBaseTestCase):
     def run_analysis(self, path):
