Python: Django: Handle Class-based views

Rasmus Wriedt Larsen
2020-03-11 12:37:53 +01:00
parent b760b1f1f2
commit 6d72e77cdf
5 changed files with 81 additions and 48 deletions


@@ -13,7 +13,9 @@
| views_1x.py:15:21:15:27 | request | django.request.HttpRequest |
| views_1x.py:19:21:19:27 | request | django.request.HttpRequest |
| views_1x.py:29:20:29:26 | request | django.request.HttpRequest |
| views_1x.py:29:29:29:37 | untrusted | externally controlled string |
| views_1x.py:35:19:35:25 | request | django.request.HttpRequest |
| views_1x.py:35:28:35:36 | untrusted | externally controlled string |
| views_1x.py:39:19:39:25 | request | django.request.HttpRequest |
| views_1x.py:39:28:39:38 | page_number | externally controlled string |
| views_1x.py:44:24:44:30 | request | django.request.HttpRequest |
@@ -29,7 +31,9 @@
| views_2x_3x.py:15:21:15:27 | request | django.request.HttpRequest |
| views_2x_3x.py:19:21:19:27 | request | django.request.HttpRequest |
| views_2x_3x.py:29:20:29:26 | request | django.request.HttpRequest |
| views_2x_3x.py:29:29:29:37 | untrusted | externally controlled string |
| views_2x_3x.py:35:19:35:25 | request | django.request.HttpRequest |
| views_2x_3x.py:35:28:35:36 | untrusted | externally controlled string |
| views_2x_3x.py:39:19:39:25 | request | django.request.HttpRequest |
| views_2x_3x.py:39:28:39:38 | page_number | externally controlled string |
| views_2x_3x.py:44:24:44:30 | request | django.request.HttpRequest |


@@ -25,13 +25,13 @@ def http_resp_write(request):
class Foo(object):
# Note: since Foo is used as the super type in a class view, it will be able to handle requests.
# TODO: Currently we don't flag `untrusted` as a DjangoRequestParameter
def post(self, request, untrusted):
return HttpResponse('Foo post: {}'.format(untrusted))
class ClassView(View, Foo):
# TODO: Currently we don't flag `untrusted` as a DjangoRequestParameter
def get(self, request, untrusted):
return HttpResponse('ClassView get: {}'.format(untrusted))
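Review bot: The fixture in this hunk exercises only positive cases, `Foo.post` reached through `ClassView(View, Foo)` and `ClassView.get`, so nothing visible here checks that a class with the same handler names outside any `View` hierarchy is left unflagged. A request-parameter source that over-matches would feed false positives into every query that consumes it, so a negative case is worth adding, for example `class NotAView(object):` with `def get(self, request, untrusted):` and the comment `# not a view: untrusted must not be reported as a taint source`. The same applies to the identical section for the other Django version further down the page. The file continues outside the hunk, so such a case may already exist elsewhere in it.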


@@ -25,13 +25,13 @@ def http_resp_write(request):
class Foo(object):
# Note: since Foo is used as the super type in a class view, it will be able to handle requests.
# TODO: Currently we don't flag `untrusted` as a DjangoRequestParameter
def post(self, request, untrusted):
return HttpResponse('Foo post: {}'.format(untrusted))
class ClassView(View, Foo):
# TODO: Currently we don't flag `untrusted` as a DjangoRequestParameter
def get(self, request, untrusted):
return HttpResponse('ClassView get: {}'.format(untrusted))