hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

Python: Accept any arg to flask.jsonify

Browse Source 
Thanks @tausbn 👍
This commit is contained in:
Rasmus Wriedt Larsen
2022-09-22 14:59:06 +02:00
parent 8174120916
commit d3f811cab3
2 changed files with 4 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
python/ql/lib/semmle/python/frameworks/Flask.qll
View File

@@ -178,11 +178,9 @@ module Flask {
* - https://flask.palletsprojects.com/en/2.2.x/api/#flask.json.jsonify
*/
private class FlaskJsonifyCall extends InstanceSource, DataFlow::CallCfgNode {
FlaskJsonifyCall() {
this = API::moduleImport("flask").getMember("jsonify").getACall()
}
FlaskJsonifyCall() { this = API::moduleImport("flask").getMember("jsonify").getACall() }
override DataFlow::Node getBody() { result = this.getArg(0) }
override DataFlow::Node getBody() { result in [this.getArg(_), this.getArgByName(_)] }
override string getMimetypeDefault() { result = "application/json" }

4
python/ql/test/library-tests/frameworks/flask/response_test.py
View File

@@ -66,8 +66,8 @@ def html8(): # $requestHandler
@app.route("/jsonify") # $routeSetup="/jsonify"
def jsonify_route(): # $requestHandler
data = {"foo": "bar"}
resp = jsonify(data) # $ HttpResponse mimetype=application/json responseBody=data
x = "x"; y = "y"; z = "z"
resp = jsonify(x, y, z=z) # $ HttpResponse mimetype=application/json responseBody=x responseBody=y responseBody=z
return resp # $ SPURIOUS: HttpResponse mimetype=text/html responseBody=resp
################################################################################