Python: Model view-classes in aiohttp.web

No taint modeling of them yet though
2026-04-30 19:26:02 +02:00 · 2021-06-01 17:21:41 +02:00
parent 8c039d5688
commit c4b618dcf5
3 changed files with 158 additions and 12 deletions
--- a/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py
@@ -83,20 +83,20 @@ if True:

    # `app.add_routes` with list
    class MyWebView1(web.View):
-        async def get(self):  # $ MISSING: requestHandler
+        async def get(self):  # $ requestHandler
            return web.Response(text="MyWebView1.get")

    app.add_routes([
-        web.view("/MyWebView1", MyWebView1)   # $ MISSING: routeSetup
+        web.view("/MyWebView1", MyWebView1)   # $ routeSetup="/MyWebView1"
    ])


    # using decorator
    routes = web.RouteTableDef()

-    @routes.view("/MyWebView2")  # $ MISSING: routeSetup
+    @routes.view("/MyWebView2")  # $ routeSetup="/MyWebView2"
    class MyWebView2(web.View):
-        async def get(self):  # $ MISSING: requestHandler
+        async def get(self):  # $ requestHandler
            return web.Response(text="MyWebView2.get")

    app.add_routes(routes)
@@ -104,23 +104,23 @@ if True:

    # `app.router.add_view`
    class MyWebView3(web.View):
-        async def get(self):  # $ MISSING: requestHandler
+        async def get(self):  # $ requestHandler
            return web.Response(text="MyWebView3.get")

-    app.router.add_view("/MyWebView3", MyWebView3)  # $ MISSING: routeSetup
+    app.router.add_view("/MyWebView3", MyWebView3)  # $ routeSetup="/MyWebView3"

    # no route-setup
    class MyWebViewNoRoute(web.View):
-        async def get(self):  # $ MISSING: requestHandler
+        async def get(self):  # $ requestHandler
            return web.Response(text="MyWebViewNoRoute.get")

    if len(__name__) < 0: # avoid running, but fool analysis to not consider dead code
        # no explicit-view subclass (but route-setup)
        class MyWebViewNoSubclassButRoute(somelib.someclass):
-            async def get(self):  # $ MISSING: requestHandler
+            async def get(self):  # $ requestHandler
                return web.Response(text="MyWebViewNoSubclassButRoute.get")

-        app.router.add_view("/MyWebViewNoSubclassButRoute", MyWebViewNoSubclassButRoute)  # $ MISSING: routeSetup
+        app.router.add_view("/MyWebViewNoSubclassButRoute", MyWebViewNoSubclassButRoute)  # $ routeSetup="/MyWebViewNoSubclassButRoute"

 ## =================== ##
 ## "Routed parameters" ##
--- a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
@@ -194,7 +194,7 @@ async def test_taint(request: web.Request): # $ requestHandler


 class TaintTestClass(web.View):
-    def get(self):
+    def get(self): # $ requestHandler
        ensure_tainted(
            self.request, # $ MISSING: tainted
        )