Python: Refactor RouteSetup with default impl for getUrlPattern

Having multiple copies of the StrConst data-flow tracking code means that if we need to update this to be more sophisticated, we could easily forget to do it somewhere :| Until we have a proper `.getAPossibleStringValue` helper, this refactoring should be nice :)
2025-12-20 02:44:30 +01:00 · 2020-10-15 19:48:08 +02:00
parent 44683f2959
commit 8803fb2778
3 changed files with 13 additions and 27 deletions
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -163,8 +163,16 @@ module HTTP {
       * extend `RouteSetup` instead.
       */
      abstract class Range extends DataFlow::Node {
+        /** Gets the argument used to set the URL pattern. */
+        abstract DataFlow::Node getUrlPatternArg();
+
        /** Gets the URL pattern for this route, if it can be statically determined. */
-        abstract string getUrlPattern();
+        string getUrlPattern() {
+          exists(StrConst str |
+            DataFlow::localFlow(DataFlow::exprNode(str), this.getUrlPatternArg()) and
+            result = str.getText()
+          )
+        }

        /** Gets a function that will handle incoming requests for this route, if any. */
        abstract Function getARouteHandler();
--- a/python/ql/src/experimental/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Django.qll
@@ -170,14 +170,8 @@ private module Django {

    DjangoUrlsPathCall() { node.getFunction() = django::urls::path().asCfgNode() }

-    override string getUrlPattern() {
-      exists(StrConst str, ControlFlowNode urlPatternArg |
-        urlPatternArg = [node.getArg(0), node.getArgByName("route")]
-      |
-        DataFlow::localFlow(DataFlow::exprNode(str),
-          any(DataFlow::Node n | n.asCfgNode() = urlPatternArg)) and
-        result = str.getText()
-      )
+    override DataFlow::Node getUrlPatternArg() {
+      result.asCfgNode() = [node.getArg(0), node.getArgByName("route")]
    }

    override Function getARouteHandler() {
@@ -200,14 +194,8 @@ private module Django {

    DjangoUrlsRePathCall() { node.getFunction() = django::urls::re_path().asCfgNode() }

-    override string getUrlPattern() {
-      exists(StrConst str, ControlFlowNode urlPatternArg |
-        urlPatternArg = [node.getArg(0), node.getArgByName("route")]
-      |
-        DataFlow::localFlow(DataFlow::exprNode(str),
-          any(DataFlow::Node n | n.asCfgNode() = urlPatternArg)) and
-        result = str.getText()
-      )
+    override DataFlow::Node getUrlPatternArg() {
+      result.asCfgNode() = [node.getArg(0), node.getArgByName("route")]
    }

    override Function getARouteHandler() {
--- a/python/ql/src/experimental/semmle/python/frameworks/Flask.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Flask.qll
@@ -131,16 +131,6 @@ private module Flask {
        )
      )
    }
-
-    /** Gets the argument used to pass in the URL pattern. */
-    abstract DataFlow::Node getUrlPatternArg();
-
-    override string getUrlPattern() {
-      exists(StrConst str |
-        DataFlow::localFlow(DataFlow::exprNode(str), this.getUrlPatternArg()) and
-        result = str.getText()
-      )
-    }
  }

  /**