Python: Refactor django library

Use General.qll for routing, like in other web libraries
2026-05-02 04:05:14 +02:00 · 2019-10-10 16:14:12 +02:00
parent fc8c1e195a
commit 49dd2216a6
2 changed files with 35 additions and 34 deletions
--- a/python/ql/src/semmle/python/web/django/General.qll
+++ b/python/ql/src/semmle/python/web/django/General.qll
@@ -0,0 +1,28 @@
+import python
+import semmle.python.regex
+import semmle.python.web.Http
+
+predicate django_route(CallNode call, ControlFlowNode regex, FunctionValue view) {
+    exists(FunctionValue url |
+        Value::named("django.conf.urls.url") = url and
+        url.getArgumentForCall(call, 0) = regex and
+        url.getArgumentForCall(call, 1).pointsTo(view)
+    )
+}
+
+class DjangoRouteRegex extends RegexString {
+    DjangoRouteRegex() { django_route(_, this.getAFlowNode(), _) }
+}
+
+class DjangoRoute extends CallNode {
+    DjangoRoute() { django_route(this, _, _) }
+
+    FunctionValue getViewFunction() { django_route(this, _, result) }
+
+    string getNamedArgument() {
+        exists(DjangoRouteRegex regex |
+            django_route(this, regex.getAFlowNode(), _) and
+            regex.getGroupName(_, _) = result
+        )
+    }
+}
--- a/python/ql/src/semmle/python/web/django/Request.qll
+++ b/python/ql/src/semmle/python/web/django/Request.qll
@@ -1,7 +1,7 @@
 import python
-import semmle.python.regex
 import semmle.python.security.TaintTracking
 import semmle.python.web.Http
+import semmle.python.web.django.General

 /** A django.request.HttpRequest object */
 class DjangoRequest extends TaintKind {
@@ -52,7 +52,7 @@ abstract class DjangoRequestSource extends HttpRequestTaintSource {
 private class DjangoFunctionBasedViewRequestArgument extends DjangoRequestSource {
    DjangoFunctionBasedViewRequestArgument() {
        exists(FunctionValue view |
-            url_dispatch(_, _, view) and
+            django_route(_, _, view) and
            this = view.getScope().getArg(0).asName().getAFlowNode()
        )
    }
@@ -76,41 +76,14 @@ class DjangoClassBasedViewRequestArgument extends DjangoRequestSource {
    }
 }

-/* ***********  Routing  ********* */
-/* Function based views */
-predicate url_dispatch(CallNode call, ControlFlowNode regex, FunctionValue view) {
-    exists(FunctionValue url |
-        Value::named("django.conf.urls.url") = url and
-        url.getArgumentForCall(call, 0) = regex and
-        url.getArgumentForCall(call, 1).pointsTo(view)
-    )
-}
-
-class UrlRegex extends RegexString {
-    UrlRegex() { url_dispatch(_, this.getAFlowNode(), _) }
-}
-
-class UrlRouting extends CallNode {
-    UrlRouting() { url_dispatch(this, _, _) }
-
-    FunctionValue getViewFunction() { url_dispatch(this, _, result) }
-
-    string getNamedArgument() {
-        exists(UrlRegex regex |
-            url_dispatch(this, regex.getAFlowNode(), _) and
-            regex.getGroupName(_, _) = result
-        )
-    }
-}
-
 /** An argument specified in a url routing table */
-class HttpRequestParameter extends HttpRequestTaintSource {
-    HttpRequestParameter() {
-        exists(UrlRouting url |
-            this.(ControlFlowNode).getNode() = url
+class DjangoRequestParameter extends HttpRequestTaintSource {
+    DjangoRequestParameter() {
+        exists(DjangoRoute route |
+            this.(ControlFlowNode).getNode() = route
                        .getViewFunction()
                        .getScope()
-                        .getArgByName(url.getNamedArgument())
+                        .getArgByName(route.getNamedArgument())
        )
    }