Python: Improve aiohttp FileResponse/StreamResponse modeling

However, notice that the concepts tests use the HttpResponse location for the `responseBody` tag, which seems a little odd in this situation, where they are actually separate. Will fix in next commit.
2026-04-25 16:55:19 +02:00 · 2023-07-13 13:53:32 +02:00
parent 15269c9166
commit 64a7206f3e
3 changed files with 27 additions and 4 deletions
--- a/python/ql/lib/semmle/python/frameworks/Aiohttp.qll
+++ b/python/ql/lib/semmle/python/frameworks/Aiohttp.qll
@@ -518,7 +518,7 @@ module AiohttpWebModel {
   * - https://docs.aiohttp.org/en/stable/web_quickstart.html#aiohttp-web-exceptions
   */
  class AiohttpWebResponseInstantiation extends Http::Server::HttpResponse::Range,
-    Response::InstanceSource, DataFlow::CallCfgNode
+    Response::InstanceSource, API::CallNode
  {
    API::Node apiNode;

@@ -590,12 +590,32 @@ module AiohttpWebModel {
  /**
   * A call to the `aiohttp.web.FileResponse` constructor as a sink for Filesystem access.
   */
-  class FileResponseCall extends FileSystemAccess::Range, DataFlow::CallCfgNode {
+  class FileResponseCall extends FileSystemAccess::Range, API::CallNode {
    FileResponseCall() {
      this = API::moduleImport("aiohttp").getMember("web").getMember("FileResponse").getACall()
    }

-    override DataFlow::Node getAPathArgument() { result = this.getArg(0) }
+    override DataFlow::Node getAPathArgument() { result = this.getParameter(0, "path").asSink() }
+  }
+
+  /**
+   * An instantiation of `aiohttp.web.StreamResponse`.
+   *
+   * See https://docs.aiohttp.org/en/stable/web_reference.html#aiohttp.web.StreamResponse
+   */
+  class StreamResponse extends AiohttpWebResponseInstantiation {
+    StreamResponse() {
+      this = API::moduleImport("aiohttp").getMember("web").getMember("StreamResponse").getACall()
+    }
+
+    override DataFlow::Node getBody() {
+      result =
+        this.getReturn()
+            .getMember(["write", "write_eof"])
+            .getACall()
+            .getParameter(0, "data")
+            .asSink()
+    }
  }

  /** Gets an HTTP response instance. */
--- a/python/ql/test/library-tests/frameworks/aiohttp/ConceptsTest.expected
+++ b/python/ql/test/library-tests/frameworks/aiohttp/ConceptsTest.expected
@@ -1,2 +1,5 @@
 failures
 testFailures
+| response_test.py:82:12:82:31 | ControlFlowNode for Attribute() | Unexpected result: responseBody=b"bar" |
+| response_test.py:82:12:82:31 | ControlFlowNode for Attribute() | Unexpected result: responseBody=b"baz" |
+| response_test.py:82:12:82:31 | ControlFlowNode for Attribute() | Unexpected result: responseBody=b"foo" |
--- a/python/ql/test/library-tests/frameworks/aiohttp/response_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/response_test.py
@@ -73,7 +73,7 @@ async def redirect_302(request): # $ requestHandler
 async def file_response(request): # $ requestHandler
    filename = "foo.txt"
    resp = web.FileResponse(filename) # $ HttpResponse mimetype=application/octet-stream getAPathArgument=filename
-    resp = web.FileResponse(path=filename) # $ HttpResponse mimetype=application/octet-stream MISSING: getAPathArgument=filename
+    resp = web.FileResponse(path=filename) # $ HttpResponse mimetype=application/octet-stream getAPathArgument=filename
    return resp