Python: Model django request handlers without known route

2026-04-30 03:05:15 +02:00 · 2020-12-21 17:38:43 +01:00
parent 004ff38e22
commit d4d6f0ca0c
4 changed files with 21 additions and 2 deletions
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -1756,6 +1756,23 @@ private module Django {
    }
  }

+  /** A request handler defined in a django view class, that has no known route. */
+  private class DjangoViewClassHandlerWithoutKnownRoute extends HTTP::Server::RequestHandler::Range,
+    DjangoRouteHandler {
+    DjangoViewClassHandlerWithoutKnownRoute() {
+      exists(DjangoViewClassDef vc | vc.getARequestHandler() = this) and
+      not exists(DjangoRouteSetup setup | setup.getARequestHandler() = this)
+    }
+
+    override Parameter getARoutedParameter() {
+      // Since we don't know the URL pattern, we simply mark all parameters as a routed
+      // parameter. This should give us more RemoteFlowSources but could also lead to
+      // more FPs. If this turns out to be the wrong tradeoff, we can always change our mind.
+      result in [this.getArg(_), this.getArgByName(_)] and
+      not result = any(int i | i <= this.getRequestParamIndex() | this.getArg(i))
+    }
+  }
+
  /**
   * Gets the regex that is used by django to find routed parameters when using `django.urls.path`.
   *
--- a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/routing_test.py
+++ b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/routing_test.py
@@ -113,5 +113,5 @@ class PossiblyNotRouted(View):
    # Even if our analysis can't find a route-setup for this class, we should still
    # consider it to be a handle incoming HTTP requests

-    def get(self, request, possibly_not_routed=42):  # $ MISSING: requestHandler routedParameter=possibly_not_routed
+    def get(self, request, possibly_not_routed=42):  # $ requestHandler routedParameter=possibly_not_routed
        return HttpResponse('PossiblyNotRouted get: {}'.format(possibly_not_routed))  # $HttpResponse
--- a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/testapp/views.py
+++ b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/testapp/views.py
@@ -24,7 +24,7 @@ class MyBasicViewHandler(View):


 class MyCustomViewBaseClass(View):
-    def post(self, request: HttpRequest): # $ MISSING: requestHandler
+    def post(self, request: HttpRequest): # $ requestHandler
        return HttpResponse("MyCustomViewBaseClass: POST") # $ HttpResponse