Python: Refactor RouteSetup with default impl for getUrlPattern

RasmusWL · RasmusWL · commit 8803fb277807 · 2020-10-16T11:12:15.000+02:00
Having multiple copies of the StrConst data-flow tracking code means that if we
need to update this to be more sophisticated, we could easily forget to do it
somewhere :|

Until we have a proper `.getAPossibleStringValue` helper, this refactoring
should be nice :)
diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -163,8 +163,16 @@ module HTTP {
        * extend `RouteSetup` instead.
        */
       abstract class Range extends DataFlow::Node {
+        /** Gets the argument used to set the URL pattern. */
+        abstract DataFlow::Node getUrlPatternArg();
+
         /** Gets the URL pattern for this route, if it can be statically determined. */
-        abstract string getUrlPattern();
+        string getUrlPattern() {
+          exists(StrConst str |
+            DataFlow::localFlow(DataFlow::exprNode(str), this.getUrlPatternArg()) and
+            result = str.getText()
+          )
+        }
 
         /** Gets a function that will handle incoming requests for this route, if any. */
         abstract Function getARouteHandler();
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Django.qll b/python/ql/src/experimental/semmle/python/frameworks/Django.qll
@@ -170,14 +170,8 @@ private module Django {
 
     DjangoUrlsPathCall() { node.getFunction() = django::urls::path().asCfgNode() }
 
-    override string getUrlPattern() {
-      exists(StrConst str, ControlFlowNode urlPatternArg |
-        urlPatternArg = [node.getArg(0), node.getArgByName("route")]
-      |
-        DataFlow::localFlow(DataFlow::exprNode(str),
-          any(DataFlow::Node n | n.asCfgNode() = urlPatternArg)) and
-        result = str.getText()
-      )
+    override DataFlow::Node getUrlPatternArg() {
+      result.asCfgNode() = [node.getArg(0), node.getArgByName("route")]
     }
 
     override Function getARouteHandler() {
@@ -200,14 +194,8 @@ private module Django {
 
     DjangoUrlsRePathCall() { node.getFunction() = django::urls::re_path().asCfgNode() }
 
-    override string getUrlPattern() {
-      exists(StrConst str, ControlFlowNode urlPatternArg |
-        urlPatternArg = [node.getArg(0), node.getArgByName("route")]
-      |
-        DataFlow::localFlow(DataFlow::exprNode(str),
-          any(DataFlow::Node n | n.asCfgNode() = urlPatternArg)) and
-        result = str.getText()
-      )
+    override DataFlow::Node getUrlPatternArg() {
+      result.asCfgNode() = [node.getArg(0), node.getArgByName("route")]
     }
 
     override Function getARouteHandler() {
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Flask.qll b/python/ql/src/experimental/semmle/python/frameworks/Flask.qll
@@ -131,16 +131,6 @@ private module Flask {
         )
       )
     }
-
-    /** Gets the argument used to pass in the URL pattern. */
-    abstract DataFlow::Node getUrlPatternArg();
-
-    override string getUrlPattern() {
-      exists(StrConst str |
-        DataFlow::localFlow(DataFlow::exprNode(str), this.getUrlPatternArg()) and
-        result = str.getText()
-      )
-    }
   }
 
   /**

Original file line number	Diff line number	Diff line change
`@@ -131,16 +131,6 @@ private module Flask {`
`131`	`131`	`)`
`132`	`132`	`)`
`133`	`133`	`}`
`134`		`-`
`135`		`- /** Gets the argument used to pass in the URL pattern. */`
`136`		`- abstract DataFlow::Node getUrlPatternArg();`
`137`		`-`
`138`		`- override string getUrlPattern() {`
`139`		`- exists(StrConst str \|`
`140`		`- DataFlow::localFlow(DataFlow::exprNode(str), this.getUrlPatternArg()) and`
`141`		`- result = str.getText()`
`142`		`- )`
`143`		`- }`
`144`	`134`	`}`
`145`	`135`
`146`	`136`	`/**`