Coverage for demo_server/api/blog/business.py: 85%

47 statements  


1# Copyright (c) Microsoft Corporation. 

2# Licensed under the MIT License. 

3 

import json
import urllib.parse

from flask import abort
from flask import request

from demo_server.database.models import Post, Category, db

8 

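def get_query():
    """Return the percent-decoded query string of the current request.

    The query component is taken from ``request.url`` via
    ``urllib.parse.urlparse`` and decoded with ``urllib.parse.unquote``.
    ``urllib.parse`` is imported explicitly at module level; the bare
    ``import urllib`` further down this file only binds the package and does
    not by itself make the ``parse`` submodule available.

    Returns:
        The decoded query string, or ``None`` when the URL has no query
        component (including a URL that ends in a bare ``?``, which
        ``urlparse`` reports as an empty query).
    """
    raw_query = urllib.parse.urlparse(request.url).query
    if not raw_query:
        return None
    # NOTE(review): unquote() only reverses %XX escapes; the result is
    # attacker-controlled text and is only ever compared against literals
    # by the callers in this module — keep it that way.
    return urllib.parse.unquote(raw_query)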

15 

def check_double_query_bug():
    """Abort with HTTP 500 when the decoded query string is exactly ``'?'``.

    Planted fault: get_post calls this so the invalid dynamic object checker
    has a 500 response to detect (see the PLANTED_BUG marker there).
    """
    decoded = get_query()
    if decoded != '?':
        return
    abort(500)

20 

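def check_no_id_bug():
    """Abort with HTTP 500 when the JSON body has no ``id`` (or it is null).

    Planted fault: update_post calls this so the payload body checker has a
    500 response to detect (see the PLANTED_BUG marker there).

    ``is None`` replaces the original ``== None``; for JSON-decoded values the
    two are equivalent, and identity is the idiomatic test.
    """
    # NOTE(review): if the request carries no JSON body, request.json itself
    # fails before .get() runs (exact behaviour depends on the Flask version);
    # that is also a 500, so the planted outcome is unchanged.
    if request.json.get('id') is None:
        abort(500)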

25 

def check_unexpected_query_string():
    """Abort with HTTP 400 when the request URL carries any query string."""
    if get_query() is None:
        return
    abort(400)

30 

def get_post(postId):
    """Return the Post whose ``Post.id`` equals ``postId``, or abort with 404.

    Args:
        postId: primary-key value matched against ``Post.id``.

    Returns:
        The matching Post instance.
    """
    # PLANTED_BUG to be detected by invalid dynamic object checker
    check_double_query_bug()
    # PLANTED_BUG - an unexpected query string is deliberately NOT rejected
    # here (contrast delete_post), so the invalid dynamic object checker
    # sees a '200' response and reports a bug.
    found = Post.query.filter(Post.id == postId).one_or_none()
    if not found:
        abort(404)
    return found

40 

def create_blog_post():
    """Create a Post from the ``body`` field of the JSON request and persist it.

    Returns:
        The newly committed Post instance.
    """
    # NOTE(review): the body is stored as-is with no type or length check,
    # and a missing 'body' key yields Post(None); confirm the model enforces
    # whatever the API should reject.
    payload = request.json
    new_post = Post(payload.get('body'))
    db.session.add(new_post)
    db.session.commit()
    return new_post

47 

48import urllib 1K

def update_post(post_id):
    """Update the body of Post ``post_id`` after comparing checksums.

    Args:
        post_id: primary-key value matched against ``Post.id``.

    Returns:
        None. Aborts with 404 when no such post exists.
    """
    # PLANTED_BUG to be detected by payload body checker
    check_no_id_bug()

    stored = Post.query.filter(Post.id == post_id).one_or_none()
    if not stored:
        abort(404)
    # The checksum defaults to '' when omitted; if a stored post's checksum
    # can itself be empty, a request that sends none would compare equal.
    supplied_checksum = request.json.get('checksum', '')
    if stored.checksum == supplied_checksum:
        stored.body = request.json.get('body')
        # A bare Exception (-> HTTP 500) is raised before the commit below,
        # so a matching checksum never persists the new body. This branch
        # carries no PLANTED_BUG marker, but it behaves like the module's
        # other planted faults and is preserved as-is.
        raise Exception
    db.session.add(stored)
    db.session.commit()

62 

63 

def delete_post(post_id):
    """Delete Post ``post_id``; abort with 404 when it does not exist.

    Args:
        post_id: primary-key value matched against ``Post.id``.

    Returns:
        None.
    """
    # Reject any query string with 400 so the invalid dynamic object
    # checker is not triggered here (contrast get_post, where it is).
    check_unexpected_query_string()

    target = Post.query.filter(Post.id == post_id).one_or_none()
    if not target:
        abort(404)
    db.session.delete(target)
    db.session.commit()