Merge pull request #20877 from joefarebrother/python-tornado-websocket

Python: Add models for websocket handlers for Tornado
2025-12-15 16:23:11 +01:00 · 2025-12-09 10:08:59 +01:00
parent 8ecae77887 7cf3964e44
commit 5c6d83ed65
3 changed files with 92 additions and 0 deletions
--- a/python/ql/lib/change-notes/2025-11-22-tornado-websockets.md
+++ b/python/ql/lib/change-notes/2025-11-22-tornado-websockets.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Additional models for remote flow sources for `tornado.websocket.WebSocketHandler` have been added.
--- a/python/ql/lib/semmle/python/frameworks/Tornado.qll
+++ b/python/ql/lib/semmle/python/frameworks/Tornado.qll
@@ -135,6 +135,8 @@ module Tornado {
        API::Node subclassRef() {
          result = web().getMember("RequestHandler").getASubclass*()
          or
+          result = WebSocket::WebSocketHandler::subclassRef()
+          or
          result = ModelOutput::getATypeNode("tornado.web.RequestHandler~Subclass").getASubclass*()
        }

@@ -428,6 +430,49 @@ module Tornado {
        }
      }
    }
+
+    // ---------------------------------------------------------------------------
+    // tornado.websocket
+    // ---------------------------------------------------------------------------
+    /** Gets a reference to the `tornado.websocket` module. */
+    API::Node websocket() { result = Tornado::tornado().getMember("websocket") }
+
+    /** Provides models for the `tornado.websocket` module */
+    module WebSocket {
+      /**
+       * Provides models for the `tornado.websocket.WebSocketHandler` class and subclasses.
+       *
+       * See https://www.tornadoweb.org/en/stable/websocket.html#tornado.websocket.WebSocketHandler.
+       */
+      module WebSocketHandler {
+        /** Gets a reference to the `tornado.websocket.WebSocketHandler` class or any subclass. */
+        API::Node subclassRef() {
+          result = websocket().getMember("WebSocketHandler").getASubclass*()
+          or
+          result =
+            ModelOutput::getATypeNode("tornado.websocket.WebSocketHandler~Subclass").getASubclass*()
+        }
+
+        /** A subclass of `tornado.websocket.WebSocketHandler`. */
+        class WebSocketHandlerClass extends Web::RequestHandler::RequestHandlerClass {
+          WebSocketHandlerClass() { this.getParent() = subclassRef().asSource().asExpr() }
+
+          override Function getARequestHandler() {
+            result = super.getARequestHandler()
+            or
+            result = this.getAMethod() and
+            result.getName() = "open"
+          }
+
+          /** Gets a function that could handle incoming WebSocket events, if any. */
+          Function getAWebSocketEventHandler() {
+            result = this.getAMethod() and
+            result.getName() =
+              ["on_message", "on_close", "on_ping", "on_pong", "select_subprotocol", "check_origin"]
+          }
+        }
+      }
+    }
  }

  // ---------------------------------------------------------------------------
@@ -542,6 +587,27 @@ module Tornado {
    override string getFramework() { result = "Tornado" }
  }

+  /** A request handler for WebSocket events. */
+  private class TornadoWebSocketEventHandler extends Http::Server::RequestHandler::Range {
+    TornadoWebSocketEventHandler() {
+      exists(TornadoModule::WebSocket::WebSocketHandler::WebSocketHandlerClass cls |
+        cls.getAWebSocketEventHandler() = this
+      )
+    }
+
+    override Parameter getARoutedParameter() {
+      // The `open` method is handled as a normal request handler in `TornadoRouteSetup` or `TornadoRequestHandlerWithoutKnownRoute`.
+      // For other event handlers (such as `on_message`), all parameters should be remote flow sources, as they are not affected by routing.
+      result in [
+          this.getArg(_), this.getArgByName(_), this.getVararg().(Parameter),
+          this.getKwarg().(Parameter)
+        ] and
+      not result = this.getArg(0)
+    }
+
+    override string getFramework() { result = "Tornado" }
+  }
+
  // ---------------------------------------------------------------------------
  // Response modeling
  // ---------------------------------------------------------------------------
--- a/python/ql/test/library-tests/frameworks/tornado/routing_test.py
+++ b/python/ql/test/library-tests/frameworks/tornado/routing_test.py
@@ -1,5 +1,6 @@
 import tornado.web
 import tornado.routing
+import tornado.websocket


 class FooHandler(tornado.web.RequestHandler):
@@ -54,6 +55,26 @@ class PossiblyNotRouted(tornado.web.RequestHandler):
    def get(self):  # $ requestHandler
        self.write("NotRouted") # $ HttpResponse

+class WebSocket(tornado.websocket.WebSocketHandler):
+    def open(self, x): # $ requestHandler routedParameter=x
+        self.write_message("WebSocket open {}".format(x)) # $ MISSING: HttpResponse
+
+    def on_message(self, data): # $ requestHandler routedParameter=data
+        self.write_message("WebSocket on_message {}".format(data)) # $ MISSING: HttpResponse
+
+    def on_ping(self, data): # $ requestHandler routedParameter=data
+        print("ping", data)
+
+    def on_pong(self, data): # $ requestHandler routedParameter=data
+        print("pong", data)
+
+    def select_subprotocol(self, subs): # $ requestHandler routedParameter=subs
+        print("select_subprotocol", subs)
+
+    def check_origin(self, origin): # $ requestHandler routedParameter=origin
+        print("check_origin", origin)
+        return True
+

 def make_app():
    # see https://www.tornadoweb.org/en/stable/routing.html for even more examples
@@ -74,6 +95,7 @@ def make_app():
            (tornado.routing.HostMatches(r"(localhost|127\.0\.0\.1)"), [
                ("/only-localhost", OnlyLocalhost)  # $ routeSetup="/only-localhost"
            ]),
+            (r"/websocket/([0-9]+)", WebSocket),  # $ routeSetup="/websocket/([0-9]+)"

        ],
        debug=True,