Python: Add rest_framework Response modeling

python/ql/test/library-tests/frameworks/rest_framework/response_test.py

@@ -0,0 +1,34 @@
+from rest_framework.decorators import api_view
+from rest_framework.response import Response
+
+@api_view()
+def normal_response(request): # $ requestHandler
+    # has no pre-defined content type, since that will be negotiated
+    # see https://www.django-rest-framework.org/api-guide/responses/
+    data = "data"
+    resp = Response(data) # $ HttpResponse responseBody=data
+    return resp
+
+@api_view()
+def plain_text_response(request): # $ requestHandler
+    # this response is not the standard way to use the Djagno REST framework, but it
+    # certainly is possible -- notice that the response contains double quotes
+    data = 'this response will contain double quotes since it was a string'
+    resp = Response(data, None, None, None, None, "text/plain") # $ HttpResponse mimetype=text/plain responseBody=data
+    resp = Response(data=data, content_type="text/plain") # $ HttpResponse mimetype=text/plain responseBody=data
+    return resp
+
+################################################################################
+# Cookies
+################################################################################
+
+@api_view
+def setting_cookie(request):
+    resp = Response() # $ HttpResponse
+    resp.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value"
+    resp.set_cookie(key="key4", value="value") # $ CookieWrite CookieName="key4" CookieValue="value"
+    resp.headers["Set-Cookie"] = "key2=value2" # $ MISSING: CookieWrite CookieRawHeader="key2=value2"
+    resp.cookies["key3"] = "value3" # $ CookieWrite CookieName="key3" CookieValue="value3"
+    resp.delete_cookie("key4") # $ CookieWrite CookieName="key4"
+    resp.delete_cookie(key="key4") # $ CookieWrite CookieName="key4"
+    return resp

python/ql/test/library-tests/frameworks/rest_framework/taint_test.py

@@ -81,7 +81,7 @@ def test_taint(request: Request, routed_param): # $ requestHandler routedParamet
     )
     ensure_not_tainted(request.user.password)
 
-    return Response("ok")
+    return Response("ok") # $ HttpResponse responseBody="ok"
 
 
 # class based view
@@ -105,7 +105,7 @@ class MyClass(APIView):
         # same as for standard Django view
         ensure_tainted(self.args, self.kwargs) # $ tainted
 
-        return Response("ok")
+        return Response("ok") # $ HttpResponse responseBody="ok"
 
 
 

python/ql/test/library-tests/frameworks/rest_framework/testapp/urls.py

@@ -13,4 +13,5 @@ urlpatterns = [
     path("api-auth/", include("rest_framework.urls", namespace="rest_framework")),
     path("class-based-view/", views.MyClass.as_view()),  # $routeSetup="lcass-based-view/"
     path("function-based-view/", views.function_based_view),  # $routeSetup="function-based-view/"
+    path("cookie-test/", views.cookie_test),  # $routeSetup="function-based-view/"
 ]

python/ql/test/library-tests/frameworks/rest_framework/testapp/views.py

@@ -40,3 +40,13 @@ class MyClass(APIView):
 @api_view(["GET", "POST"])
 def function_based_view(request: Request):
     return Response({"message": "Hello, world!"})
+
+
+@api_view(["GET", "POST"])
+def cookie_test(request: Request):
+    resp = Response("wat")
+    resp.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value"
+    resp.set_cookie(key="key4", value="value") # $ CookieWrite CookieName="key" CookieValue="value"
+    resp.headers["Set-Cookie"] = "key2=value2" # $ MISSING: CookieWrite CookieRawHeader="key2=value2"
+    resp.cookies["key3"] = "value3" # $ CookieWrite CookieName="key3" CookieValue="value3"
+    return resp