Python: Model await request.post() as MultiDictProxy

as highlight as being quite easy to do by @yoff 👍
2025-12-18 18:10:39 +01:00 · 2021-06-11 14:53:30 +02:00
parent 97486b448a
commit 53f7633662
2 changed files with 13 additions and 1 deletions
--- a/python/ql/src/semmle/python/frameworks/Aiohttp.qll
+++ b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
@@ -444,6 +444,18 @@ module AiohttpWebModel {
    AiohttpRequestMultiDictProxyInstances() {
      this.(DataFlow::AttrRead).getObject() = Request::instance() and
      this.(DataFlow::AttrRead).getAttributeName() in ["query", "headers"]
+      or
+      // Handle the common case of `x = await request.post()`
+      // but don't try to handle anything else, since we don't have an easy way to do this yet.
+      // TODO: more complete handling of `await request.post()`
+      exists(Await await, DataFlow::CallCfgNode call, DataFlow::AttrRead read |
+        this.asExpr() = await
+      |
+        read.(DataFlow::AttrRead).getObject() = Request::instance() and
+        read.(DataFlow::AttrRead).getAttributeName() = "post" and
+        call.getFunction() = read and
+        await.getValue() = call.asExpr()
+      )
    }
  }