Add unit tests

Author: Takishima

tests/assert_test.py

@@ -0,0 +1,48 @@
+# -*- coding: utf-8 -*-
+# Copyright 2021 Damien Nguyen
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import astroid
+import pytest
+
+import pylint_secure_coding_standard as pylint_scs
+import pylint.testutils
+
+
+class TestSecureCodingStandardChecker(pylint.testutils.CheckerTestCase):
+    CHECKER_CLASS = pylint_scs.SecureCodingStandardChecker
+
+    def test_assert_ok(self):
+        call_node1, call_node2 = astroid.extract_node(
+            """
+        int(0) #@
+        foo() #@
+        """
+        )
+
+        with self.assertNoMessages():
+            self.checker.visit_call(call_node1)
+            self.checker.visit_call(call_node2)
+
+    @pytest.mark.parametrize(
+        's',
+        (
+            'assert len(s) > 0',
+            'assert (my_set and my_list), "Some message"',
+        ),
+    )
+    def test_assert_not_ok(self, s):
+        node = astroid.extract_node(s + ' #@')
+        with self.assertAddsMessages(pylint.testutils.Message(msg_id='avoid-assert', node=node)):
+            self.checker.visit_assert(node)

tests/eval_exec_test.py

@@ -0,0 +1,50 @@
+# -*- coding: utf-8 -*-
+# Copyright 2021 Damien Nguyen
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import astroid
+import pytest
+
+import pylint_secure_coding_standard as pylint_scs
+import pylint.testutils
+
+
+class TestSecureCodingStandardChecker(pylint.testutils.CheckerTestCase):
+    CHECKER_CLASS = pylint_scs.SecureCodingStandardChecker
+
+    def test_eval_exec_ok(self):
+        call_node1, call_node2 = astroid.extract_node(
+            """
+        int(0) #@
+        foo() #@
+        sympy.sqrt(8).evalf()
+        myvar.eval()
+        """
+        )
+
+        with self.assertNoMessages():
+            self.checker.visit_call(call_node1)
+            self.checker.visit_call(call_node2)
+
+    @pytest.mark.parametrize(
+        's',
+        (
+            'eval(input("Your input> "))',
+            r'exec("a = 5\nb=10\nprint(\"Sum =\", a+b)")',
+        ),
+    )
+    def test_eval_exec_call(self, s):
+        node = astroid.extract_node(s + ' #@')
+        with self.assertAddsMessages(pylint.testutils.Message(msg_id='avoid-eval-exec', node=node)):
+            self.checker.visit_call(node)

tests/jsonpickle_decode_test.py

@@ -0,0 +1,47 @@
+# -*- coding: utf-8 -*-
+# Copyright 2021 Damien Nguyen
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import astroid
+import pytest
+
+import pylint_secure_coding_standard as pylint_scs
+import pylint.testutils
+
+
+class TestSecureCodingStandardChecker(pylint.testutils.CheckerTestCase):
+    CHECKER_CLASS = pylint_scs.SecureCodingStandardChecker
+
+    def test_yaml_ok(self):
+        nodes = astroid.extract_node(
+            """
+            int(0) #@
+            foo() #@
+            jsonpickle.encode(pvars) #@
+            """
+        )
+
+        with self.assertNoMessages():
+            for node in nodes:
+                print(node)
+                self.checker.visit_call(node)
+
+    @pytest.mark.parametrize(
+        's',
+        ('jsonpickle.decode(payload)',),
+    )
+    def test_yaml_not_ok(self, s):
+        node = astroid.extract_node(s + ' #@')
+        with self.assertAddsMessages(pylint.testutils.Message(msg_id='avoid-jsonpickle-decode', node=node)):
+            self.checker.visit_call(node)

tests/os_realpath_test.py

@@ -0,0 +1,71 @@
+# -*- coding: utf-8 -*-
+# Copyright 2021 Damien Nguyen
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import astroid
+import pytest
+
+import pylint_secure_coding_standard as pylint_scs
+import pylint.testutils
+
+
+class TestSecureCodingStandardChecker(pylint.testutils.CheckerTestCase):
+    CHECKER_CLASS = pylint_scs.SecureCodingStandardChecker
+
+    def test_shell_true_ok(self):
+        import_node1, call_node1, call_node2, call_node3 = astroid.extract_node(
+            """
+            from os import realpath #@
+            os.path.realpath(variable) #@
+            os.path.realpath("/opt/file.txt") #@
+            os.path.realpath("../file.txt") #@
+            """
+        )
+
+        with self.assertNoMessages():
+            self.checker.visit_importfrom(import_node1)
+            self.checker.visit_call(call_node1)
+            self.checker.visit_call(call_node2)
+            self.checker.visit_call(call_node3)
+
+    @pytest.mark.parametrize(
+        's',
+        (
+            'from os.path import abspath',
+            'from os.path import relpath',
+            'from os.path import join, relpath',
+        ),
+    )
+    def test_shell_true_importfrom(self, s):
+        node = astroid.extract_node(s + ' #@')
+        with self.assertAddsMessages(pylint.testutils.Message(msg_id='replace-os-relpath-abspath', node=node)):
+            self.checker.visit_importfrom(node)
+
+    @pytest.mark.parametrize(
+        's',
+        (
+            'os.path.abspath("/opt/file.txt")',
+            'os.path.abspath("../file.txt")',
+            'os.path.relpath("file.txt")',
+            'os.path.relpath("file.txt", start="/")',
+            'op.abspath("/opt/file.txt")',
+            'op.abspath("../file.txt")',
+            'op.relpath("file.txt")',
+            'op.relpath("file.txt", start="/")',
+        ),
+    )
+    def test_shell_true_call(self, s):
+        node = astroid.extract_node(s + ' #@')
+        with self.assertAddsMessages(pylint.testutils.Message(msg_id='replace-os-relpath-abspath', node=node)):
+            self.checker.visit_call(node)

tests/pdb_test.py

@@ -0,0 +1,71 @@
+# -*- coding: utf-8 -*-
+# Copyright 2021 Damien Nguyen
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import astroid
+import pytest
+
+import pylint_secure_coding_standard as pylint_scs
+import pylint.testutils
+
+
+class TestSecureCodingStandardChecker(pylint.testutils.CheckerTestCase):
+    CHECKER_CLASS = pylint_scs.SecureCodingStandardChecker
+
+    def test_pdb_ok(self):
+        call_node1, call_node2 = astroid.extract_node(
+            """
+        int(0) #@
+        foo() #@
+        """
+        )
+
+        with self.assertNoMessages():
+            self.checker.visit_call(call_node1)
+            self.checker.visit_call(call_node2)
+
+    @pytest.mark.parametrize(
+        's',
+        (
+            'import pdb',
+            'import pdb, six',
+        ),
+    )
+    def test_pdb_import(self, s):
+        node = astroid.extract_node(s + ' #@')
+        with self.assertAddsMessages(pylint.testutils.Message(msg_id='avoid-debug-stmt', node=node)):
+            self.checker.visit_import(node)
+
+    @pytest.mark.parametrize(
+        's',
+        ('from pdb import set_trace',),
+    )
+    def test_pdb_importfrom(self, s):
+        node = astroid.extract_node(s + ' #@')
+        with self.assertAddsMessages(pylint.testutils.Message(msg_id='avoid-debug-stmt', node=node)):
+            self.checker.visit_importfrom(node)
+
+    @pytest.mark.parametrize(
+        's',
+        (
+            'pdb.set_trace()',
+            'pdb.post_mortem(traceback=None)',
+            'pdb.Pdb(skip=["django.*"])',
+            'Pdb(skip=["django.*"])',
+        ),
+    )
+    def test_pdb_call(self, s):
+        node = astroid.extract_node(s + ' #@')
+        with self.assertAddsMessages(pylint.testutils.Message(msg_id='avoid-debug-stmt', node=node)):
+            self.checker.visit_call(node)

tests/shell_exec_test.py

@@ -0,0 +1,80 @@
+# -*- coding: utf-8 -*-
+# Copyright 2021 Damien Nguyen
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import astroid
+import pytest
+
+import pylint_secure_coding_standard as pylint_scs
+import pylint.testutils
+
+
+class TestSecureCodingStandardChecker(pylint.testutils.CheckerTestCase):
+    CHECKER_CLASS = pylint_scs.SecureCodingStandardChecker
+
+    def test_shell_true_ok(self):
+        nodes = astroid.extract_node(
+            """
+            subprocess.Popen(["cat", "/etc/passwd"], b, e, i, o, e, pre, c) #@
+            subprocess.Popen(["cat", "/etc/passwd"], b, e, i, o, e, pre, c, False) #@
+            subprocess.Popen(["cat", "/etc/passwd"], b, e, i, o, e, pre, c, False, cwd) #@
+            subprocess.Popen(["cat", "/etc/passwd"], shell=False) #@
+            sp.Popen(["cat", "/etc/passwd"], shell=False) #@
+            subprocess.run(["cat", "/etc/passwd"], shell=False) #@
+            sp.run(["cat", "/etc/passwd"], shell=False) #@
+            subprocess.call(["cat", "/etc/passwd"], shell=False) #@
+            sp.call(["cat", "/etc/passwd"], shell=False) #@
+            subprocess.check_call(["cat", "/etc/passwd"], shell=False) #@
+            sp.check_call(["cat", "/etc/passwd"], shell=False) #@
+            subprocess.check_output(["cat", "/etc/passwd"], shell=False) #@
+            sp.check_output(["cat", "/etc/passwd"], shell=False) #@
+            """
+        )
+
+        with self.assertNoMessages():
+            for node in nodes:
+                self.checker.visit_call(node)
+
+    @pytest.mark.parametrize(
+        's, msg_id',
+        (
+            ('from os import system', 'avoid-os-system'),
+            ('from os import system as os_system', 'avoid-os-system'),
+        ),
+    )
+    def test_shell_true_importfrom(self, s, msg_id):
+        node = astroid.extract_node(s + ' #@')
+        with self.assertAddsMessages(pylint.testutils.Message(msg_id=msg_id, node=node)):
+            self.checker.visit_importfrom(node)
+
+    @pytest.mark.parametrize(
+        's, msg_id',
+        (
+            ('os.system("ls -l")', 'avoid-os-system'),
+            ('subprocess.Popen(["cat", "/etc/passwd"], b, e, i, o, e, pre, c, True)', 'avoid-shell-true'),
+            ('subprocess.Popen(["cat", "/etc/passwd"], b, e, i, o, e, pre, c, True, cwd)', 'avoid-shell-true'),
+            ('subprocess.run(["cat", "/etc/passwd"], shell=True)', 'avoid-shell-true'),
+            ('sp.run(["cat", "/etc/passwd"], shell=True)', 'avoid-shell-true'),
+            ('subprocess.call(["cat", "/etc/passwd"], shell=True)', 'avoid-shell-true'),
+            ('sp.call(["cat", "/etc/passwd"], shell=True)', 'avoid-shell-true'),
+            ('subprocess.check_call(["cat", "/etc/passwd"], shell=True)', 'avoid-shell-true'),
+            ('sp.check_call(["cat", "/etc/passwd"], shell=True)', 'avoid-shell-true'),
+            ('subprocess.check_output(["cat", "/etc/passwd"], shell=True)', 'avoid-shell-true'),
+            ('sp.check_output(["cat", "/etc/passwd"], shell=True)', 'avoid-shell-true'),
+        ),
+    )
+    def test_shell_true_call(self, s, msg_id):
+        node = astroid.extract_node(s + ' #@')
+        with self.assertAddsMessages(pylint.testutils.Message(msg_id=msg_id, node=node)):
+            self.checker.visit_call(node)