Merge pull request #8601 from zbazztian/recognize-flask-named-body-param

Python: Flask: Identify body contents passed via named response parameter in invocations of Response constructor
2026-05-04 21:25:44 +02:00 · 2022-04-01 14:19:28 +02:00
parent 29a5bdb601 504e7e4a55
commit ba011fb13f
3 changed files with 17 additions and 5 deletions
--- a/python/ql/lib/change-notes/2022-03-30-flask-recognize-body-param.md
+++ b/python/ql/lib/change-notes/2022-03-30-flask-recognize-body-param.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improved modeling of Flask `Response` objects, so passing a response body with the keyword argument `response` is now recognized.
--- a/python/ql/lib/semmle/python/frameworks/Flask.qll
+++ b/python/ql/lib/semmle/python/frameworks/Flask.qll
@@ -122,7 +122,9 @@ module Flask {
    private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
      ClassInstantiation() { this = classRef().getACall() }

-      override DataFlow::Node getBody() { result = this.getArg(0) }
+      override DataFlow::Node getBody() {
+        result in [this.getArg(0), this.getArgByName("response")]
+      }

      override string getMimetypeDefault() { result = "text/html" }