Python: Model RequestHandler from standard library explicitly

2026-04-30 03:05:15 +02:00 · 2020-12-21 17:55:33 +01:00
parent 05ab6cd54a
commit 71a6ef5b00
3 changed files with 17 additions and 3 deletions
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -1616,6 +1616,20 @@ private module Stdlib {
        )
      }
    }
+
+    /**
+     * The entry-point for handling a request with a `BaseHTTPRequestHandler` subclass.
+     *
+     * Not essential for any functionality, but provides a consistent modeling.
+     */
+    private class RequestHandlerFunc extends HTTP::Server::RequestHandler::Range {
+      RequestHandlerFunc() {
+        this = any(HTTPRequestHandlerClassDef cls).getAMethod() and
+        this.getName() = "do_" + HTTP::httpVerb()
+      }
+
+      override Parameter getARoutedParameter() { none() }
+    }
  }

  // ---------------------------------------------------------------------------
--- a/python/ql/src/semmle/python/web/HttpConstants.qll
+++ b/python/ql/src/semmle/python/web/HttpConstants.qll
@@ -1,4 +1,4 @@
-/** Gets an HTTP verb */
+/** Gets an HTTP verb, in upper case */
 string httpVerb() {
  result = "GET" or
  result = "POST" or
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib/http_server.py
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib/http_server.py
@@ -78,7 +78,7 @@ class MyHandler(BaseHTTPRequestHandler):
        ensure_tainted(form)


-    def do_GET(self): # $ MISSING: requestHandler
+    def do_GET(self): # $ requestHandler
        # send_response will log a line to stderr
        self.send_response(200)
        self.send_header("Content-type", "text/plain; charset=utf-8")
@@ -88,7 +88,7 @@ class MyHandler(BaseHTTPRequestHandler):
        print(self.headers)


-    def do_POST(self): # $ MISSING: requestHandler
+    def do_POST(self): # $ requestHandler
        form = cgi.FieldStorage(
            self.rfile,
            self.headers,