Polish FlaskMail qldocs

2025-12-22 11:46:32 +01:00 · 2021-10-28 14:21:43 +02:00
parent c9634f3c6f
commit bf68495102
1 changed files with 29 additions and 1 deletions
--- a/python/ql/src/experimental/semmle/python/libraries/FlaskMail.qll
+++ b/python/ql/src/experimental/semmle/python/libraries/FlaskMail.qll
@@ -8,18 +8,25 @@ private import semmle.python.dataflow.new.DataFlow
 private import experimental.semmle.python.Concepts
 private import semmle.python.ApiGraphs

+/** https://pythonhosted.org/Flask-Mail/#module-flask_mail */
 private module FlaskMail {
-  /** https://pythonhosted.org/Flask-Mail/#module-flask_mail */
+  /** Gets a reference to `flask_mail`, `flask_sendmail` and `flask.ext.sendmail`. */
  private API::Node flaskMail() {
    result = API::moduleImport(["flask_mail", "flask_sendmail", "flask.ext.sendmail"])
  }

+  /** Gets a reference to `flask_mail.Mail()`, `flask_sendmail.Mail()` and `flask.ext.sendmail.Mail()`. */
  private API::Node flaskMailInstance() { result = flaskMail().getMember("Mail").getReturn() }

+  /** Gets a reference to `flask_mail.Message`, `flask_sendmail.Message` and `flask.ext.sendmail.Message`. */
  private API::Node flaskMessageInstance() { result = flaskMail().getMember("Message") }

+  /** Gets a call to `flask_mail.Message`, `flask_sendmail.Message` and `flask.ext.sendmail.Message`. */
  private DataFlow::CallCfgNode flaskMessageCall() { result = flaskMessageInstance().getACall() }

+  /**
+   * Gets a reference to an argument from `flask_mail.Message`, `flask_sendmail.Message` and `flask.ext.sendmail.Message`.
+   */
  bindingset[argumentPosition, argumentName]
  private DataFlow::Node getFlaskMailArgument(int argumentPosition, string argumentName) {
    result in [
@@ -33,6 +40,27 @@ private module FlaskMail {
    )
  }

+  /**
+   * Gets a call to `mail.send()`.
+   *
+   * Given the following example:
+   *
+   * ```py
+   * msg = Message(subject="Subject",
+   *                sender="from@example.com",
+   *                recipients=["to@example.com"],
+   *                body="plain-text body",
+   *                html=request.args["html"])
+   * mail.send(msg)
+   *  ```
+   *
+   * * `this` would be `mail.send(msg)`.
+   * * `getPlainTextBody()`'s result would be `"plain-text body"`.
+   * * `getHtmlBody()`'s result would be `request.args["html"]`.
+   * * `getTo()`'s result would be `["to@example.com"]`.
+   * * `getFrom()`'s result would be `"from@example.com"`.
+   * * `getSubject()`'s result would be `"Subject"`.
+   */
  private class FlaskMail extends DataFlow::CallCfgNode, EmailSender {
    FlaskMail() {
      this =