Python: Fix Django class-based views

2026-05-05 05:35:13 +02:00 · 2019-10-21 16:44:35 +02:00
parent fb864b7262
commit fc851b46c3
6 changed files with 26 additions and 14 deletions
--- a/python/ql/test/library-tests/web/django/Sinks.expected
+++ b/python/ql/test/library-tests/web/django/Sinks.expected
@@ -10,6 +10,7 @@
 | views.py:7 | Attribute() | externally controlled string |
 | views.py:11 | Attribute() | externally controlled string |
 | views.py:15 | Attribute() | externally controlled string |
-| views.py:22 | Attribute() | externally controlled string |
-| views.py:27 | Attribute() | externally controlled string |
-| views.py:31 | Attribute() | externally controlled string |
+| views.py:23 | Attribute() | externally controlled string |
+| views.py:29 | Attribute() | externally controlled string |
+| views.py:34 | Attribute() | externally controlled string |
+| views.py:38 | Attribute() | externally controlled string |
--- a/python/ql/test/library-tests/web/django/Sources.expected
+++ b/python/ql/test/library-tests/web/django/Sources.expected
@@ -7,11 +7,13 @@
 | views.py:6 | request | django.request.HttpRequest |
 | views.py:10 | request | django.request.HttpRequest |
 | views.py:14 | request | django.request.HttpRequest |
-| views.py:25 | page_number | externally controlled string |
-| views.py:25 | request | django.request.HttpRequest |
-| views.py:30 | arg0 | externally controlled string |
-| views.py:30 | arg1 | externally controlled string |
-| views.py:30 | request | django.request.HttpRequest |
-| views.py:50 | request | django.request.HttpRequest |
-| views.py:50 | username | externally controlled string |
-| views.py:59 | request | django.request.HttpRequest |
+| views.py:22 | request | django.request.HttpRequest |
+| views.py:28 | request | django.request.HttpRequest |
+| views.py:32 | page_number | externally controlled string |
+| views.py:32 | request | django.request.HttpRequest |
+| views.py:37 | arg0 | externally controlled string |
+| views.py:37 | arg1 | externally controlled string |
+| views.py:37 | request | django.request.HttpRequest |
+| views.py:57 | request | django.request.HttpRequest |
+| views.py:57 | username | externally controlled string |
+| views.py:66 | request | django.request.HttpRequest |
--- a/python/ql/test/library-tests/web/django/views.py
+++ b/python/ql/test/library-tests/web/django/views.py
@@ -15,11 +15,18 @@ def post_params_xss(request):
    return HttpResponse(request.POST.get("untrusted"))


-class ClassView(View):
+class Foo(object):
+    # Note: since Foo is used as the super type in a class view, it will be able to handle requests.

+    # TODO: Currently we don't flag `untrusted` as a DjangoRequestParameter
+    def post(self, request, untrusted):
+        return HttpResponse('Foo post: {}'.format(untrusted))
+
+
+class ClassView(View, Foo):
    # TODO: Currently we don't flag `untrusted` as a DjangoRequestParameter
    def get(self, request, untrusted):
-        return HttpResponse('ClassView: {}'.format(untrusted))
+        return HttpResponse('ClassView get: {}'.format(untrusted))


 def show_articles(request, page_number=1):