Python: subclas of known subclasses

Rasmus Lerchedahl Petersen · Rasmus Lerchedahl Petersen · commit 37ad59a92a9f · 2020-10-30T17:37:54.000+01:00
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Django.qll b/python/ql/src/experimental/semmle/python/frameworks/Django.qll
@@ -781,6 +781,9 @@ private module Django {
             t.start() and
             result = http_attr("HttpResponseRedirect")
             or
+            // subclass
+            result.asExpr().(ClassExpr).getABase() = classRef(t.continue()).asExpr()
+            or
             exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
           }
 
@@ -842,6 +845,9 @@ private module Django {
             t.start() and
             result = http_attr("HttpResponsePermanentRedirect")
             or
+            // subclass
+            result.asExpr().(ClassExpr).getABase() = classRef(t.continue()).asExpr()
+            or
             exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
           }
 
@@ -903,6 +909,9 @@ private module Django {
             t.start() and
             result = http_attr("HttpResponseNotModified")
             or
+            // subclass
+            result.asExpr().(ClassExpr).getABase() = classRef(t.continue()).asExpr()
+            or
             exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
           }
 
@@ -962,6 +971,9 @@ private module Django {
             t.start() and
             result = http_attr("HttpResponseBadRequest")
             or
+            // subclass
+            result.asExpr().(ClassExpr).getABase() = classRef(t.continue()).asExpr()
+            or
             exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
           }
 
@@ -1023,6 +1035,9 @@ private module Django {
             t.start() and
             result = http_attr("HttpResponseNotFound")
             or
+            // subclass
+            result.asExpr().(ClassExpr).getABase() = classRef(t.continue()).asExpr()
+            or
             exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
           }
 
@@ -1084,6 +1099,9 @@ private module Django {
             t.start() and
             result = http_attr("HttpResponseForbidden")
             or
+            // subclass
+            result.asExpr().(ClassExpr).getABase() = classRef(t.continue()).asExpr()
+            or
             exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
           }
 
@@ -1145,6 +1163,9 @@ private module Django {
             t.start() and
             result = http_attr("HttpResponseNotAllowed")
             or
+            // subclass
+            result.asExpr().(ClassExpr).getABase() = classRef(t.continue()).asExpr()
+            or
             exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
           }
 
@@ -1207,6 +1228,9 @@ private module Django {
             t.start() and
             result = http_attr("HttpResponseGone")
             or
+            // subclass
+            result.asExpr().(ClassExpr).getABase() = classRef(t.continue()).asExpr()
+            or
             exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
           }
 
@@ -1268,6 +1292,9 @@ private module Django {
             t.start() and
             result = http_attr("HttpResponseServerError")
             or
+            // subclass
+            result.asExpr().(ClassExpr).getABase() = classRef(t.continue()).asExpr()
+            or
             exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
           }
 
@@ -1329,6 +1356,9 @@ private module Django {
             t.start() and
             result = http_attr("JsonResponse")
             or
+            // subclass
+            result.asExpr().(ClassExpr).getABase() = classRef(t.continue()).asExpr()
+            or
             exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
           }
 
@@ -1393,6 +1423,9 @@ private module Django {
             t.start() and
             result = http_attr("StreamingHttpResponse")
             or
+            // subclass
+            result.asExpr().(ClassExpr).getABase() = classRef(t.continue()).asExpr()
+            or
             exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
           }
 
@@ -1454,6 +1487,9 @@ private module Django {
             t.start() and
             result = http_attr("FileResponse")
             or
+            // subclass
+            result.asExpr().(ClassExpr).getABase() = classRef(t.continue()).asExpr()
+            or
             exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
           }
 
diff --git a/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py b/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py
@@ -50,4 +50,4 @@ def __init__(self, banner, content, *args, **kwargs):
         super().__init__(content, *args, content_type="text/html", **kwargs)
 
 def safe__custom_json_response(request):
-    return CustomJsonResponse("ACME Responses", {"foo": request.GET.get("foo")})  # $f-:HttpResponse $f-:mimetype=application/json $f-:responseBody=Dict
+    return CustomJsonResponse("ACME Responses", {"foo": request.GET.get("foo")})  # $HttpResponse $mimetype=application/json $f-:responseBody=Dict $f+:responseBody="ACME Responses"
