Merge pull request #5742 from RasmusWL/django-3.2

Python: Add support for new features in Django 3.2

python/change-notes/2021-04-21-django-v3.2.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Modeling of Django has been updated to handle new 3.2 release, by supporting the new `QuerySet.alias()` method, which can be a sink for SQL injection.

python/ql/src/semmle/python/frameworks/Django.qll

@@ -366,7 +366,7 @@ private module PrivateDjango {
               "none", "all", "filter", "exclude", "complex_filter", "union", "intersection",
               "difference", "select_for_update", "select_related", "prefetch_related", "order_by",
               "distinct", "reverse", "defer", "only", "using", "annotate", "extra", "raw",
-              "datetimes", "dates", "values", "values_list"
+              "datetimes", "dates", "values", "values_list", "alias"
             ] and
           result = [manager(), querySet()].getMember(name)
         }
@@ -386,7 +386,8 @@ private module PrivateDjango {
           /** Provides models for the `django.db.models.expressions.RawSQL` class. */
           module RawSQL {
             /**
-             * Gets a reference to the `django.db.models.expressions.RawSQL` class.
+             * Gets an instance of the `django.db.models.expressions.RawSQL` class,
+             * that was initiated with the SQL represented by `sql`.
              */
             API::Node classRef() {
               result = expressions().getMember("RawSQL")
@@ -406,7 +407,10 @@ private module PrivateDjango {
               exists(DataFlow::TypeTracker t2 | result = instance(t2, sql).track(t2, t))
             }
 
-            /** Gets an instance of the `django.db.models.expressions.RawSQL` class. */
+            /**
+             * Gets an instance of the `django.db.models.expressions.RawSQL` class,
+             * that was initiated with the SQL represented by `sql`.
+             */
             DataFlow::Node instance(ControlFlowNode sql) {
               instance(DataFlow::TypeTracker::end(), sql).flowsTo(result)
             }
@@ -435,6 +439,24 @@ private module PrivateDjango {
       override DataFlow::Node getSql() { result.asCfgNode() = sql }
     }
 
+    /**
+     * A call to the `alias` function on a model using a `RawSQL` argument.
+     *
+     * See https://docs.djangoproject.com/en/3.2/ref/models/querysets/#alias
+     */
+    private class ObjectsAlias extends SqlExecution::Range, DataFlow::CallCfgNode {
+      ControlFlowNode sql;
+
+      ObjectsAlias() {
+        this = django::db::models::querySetReturningMethod("alias").getACall() and
+        django::db::models::expressions::RawSQL::instance(sql) in [
+            this.getArg(_), this.getArgByName(_)
+          ]
+      }
+
+      override DataFlow::Node getSql() { result.asCfgNode() = sql }
+    }
+
     /**
      * A call to the `raw` function on a model.
      *

python/ql/test/library-tests/frameworks/django-v2-v3/response_test.py

@@ -49,6 +49,15 @@ def redirect_through_normal_response(request):
     resp.content = private # $ MISSING: responseBody=private
     return resp
 
+def redirect_through_normal_response_new_headers_attr(request):
+    private = "private"
+    next = request.GET.get("next")
+
+    resp = HttpResponse() # $ HttpResponse mimetype=text/html
+    resp.status_code = 302
+    resp.headers['Location'] = next # $ MISSING: redirectLocation=next
+    resp.content = private # $ MISSING: responseBody=private
+    return resp
 
 def redirect_shortcut(request):
     next = request.GET.get("next")

python/ql/test/library-tests/frameworks/django/SqlExecution.py

@@ -19,9 +19,14 @@ class User(models.Model):
 
 def test_model():
     User.objects.raw("some sql")  # $getSql="some sql"
+
     User.objects.annotate(RawSQL("some sql"))  # $getSql="some sql"
     User.objects.annotate(RawSQL("foo"), RawSQL("bar"))  # $getSql="foo" getSql="bar"
     User.objects.annotate(val=RawSQL("some sql"))  # $getSql="some sql"
+
+    User.objects.alias(RawSQL("foo"), RawSQL("bar"))  # $getSql="foo" getSql="bar"
+    User.objects.alias(val=RawSQL("some sql"))  # $getSql="some sql"
+
     User.objects.extra("some sql")  # $getSql="some sql"
     User.objects.extra(select="select", where="where", tables="tables", order_by="order_by")  # $getSql="select" getSql="where" getSql="tables" getSql="order_by"