Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
"""Regression test for F9: USER_INPUT_PATTERNS FastAPI alternation needs a word boundary.

The pattern ``(Query|Body|Form|File|Header|Cookie)\\s*\\(`` (no leading ``\\b``)
matches any identifier *ending* in one of those words, so ordinary library
calls like ``setCookie(``, ``PQsendQuery(`` or ``getHeader(`` were flagged as
user-input sources and seeded as false remote-web entry points across C/Go/
PHP/Python repos. The fix anchors the alternation with ``\\b`` so only the
standalone FastAPI dependency symbols match.
"""

from __future__ import annotations

import re

from utilities.agentic_enhancer.entry_point_detector import USER_INPUT_PATTERNS


def _fastapi_pattern():
"""The FastAPI Query/Body/.../Cookie alternation from USER_INPUT_PATTERNS."""
for p in USER_INPUT_PATTERNS:
if "Cookie" in p and "Query" in p:
return re.compile(p)
raise AssertionError("FastAPI input pattern not found in USER_INPUT_PATTERNS")


FALSE_POSITIVES = [
"res.setCookie(token)",
"PQsendQuery(conn, sql)",
"req.getHeader('X')",
"parseMultipartFile(x)",
"renderBody(html)",
"buildForm(fields)",
]

TRUE_POSITIVES = [
"def handler(c: str = Cookie(None)): ...",
"def handler(q: str = Query(...)): ...",
"def handler(b: Item = Body(...)): ...",
"def handler(h: str = Header(None)): ...",
]


def test_input_pattern_rejects_substring_false_positives():
pat = _fastapi_pattern()
for code in FALSE_POSITIVES:
assert pat.search(code) is None, f"false positive: {code!r} matched {pat.pattern!r}"


def test_input_pattern_still_matches_standalone_symbols():
pat = _fastapi_pattern()
for code in TRUE_POSITIVES:
assert pat.search(code) is not None, f"regressed: {code!r} no longer matches"
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@
r'request\.environ',
# FastAPI
r'request\.(query_params|body|json)',
r'(Query|Body|Form|File|Header|Cookie)\s*\(',
r'\b(Query|Body|Form|File|Header|Cookie)\s*\(',
# Django
r'request\.(GET|POST|data|FILES|body)',
r'self\.request\.(GET|POST|data)',
Expand All @@ -72,7 +72,7 @@
# CLI arguments
r'sys\.argv',
r'argparse\.',
r'ArgumentParser\s*\(',
r'\bArgumentParser\s*\(',
r'click\.(argument|option)',
# Standard input
r'\binput\s*\(',
Expand Down
Loading