Python: Add simpel model of a django path/re_path route setup

Also had to change the annotation to not include the `r` prefix for the
raw-string... not sure why that isn't replicated, but ¯\_(ツ)_/¯

Author: RasmusWL

python/ql/src/experimental/semmle/python/frameworks/Django.qll

@@ -1,10 +1,175 @@
 /**
- * Provides classes modeling security-relevant aspects of the `django` package.
+ * Provides classes modeling security-relevant aspects of the `django` PyPI package.
+ * See https://www.djangoproject.com/.
  */
 
 private import python
 private import experimental.dataflow.DataFlow
 private import experimental.dataflow.RemoteFlowSources
 private import experimental.semmle.python.Concepts
 
-private module Django { }
+/**
+ * Provides models for the `django` PyPI package.
+ * See https://www.djangoproject.com/.
+ */
+private module Django {
+  // ---------------------------------------------------------------------------
+  // django
+  // ---------------------------------------------------------------------------
+  /** Gets a reference to the `django` module. */
+  private DataFlow::Node django(DataFlow::TypeTracker t) {
+    t.start() and
+    result = DataFlow::importNode("django")
+    or
+    exists(DataFlow::TypeTracker t2 | result = django(t2).track(t2, t))
+  }
+
+  /** Gets a reference to the `django` module. */
+  DataFlow::Node django() { result = django(DataFlow::TypeTracker::end()) }
+
+  /**
+   * Gets a reference to the attribute `attr_name` of the `django` module.
+   * WARNING: Only holds for a few predefined attributes.
+   */
+  private DataFlow::Node django_attr(DataFlow::TypeTracker t, string attr_name) {
+    attr_name in ["urls"] and
+    (
+      t.start() and
+      result = DataFlow::importNode("django" + "." + attr_name)
+      or
+      t.startInAttr(attr_name) and
+      result = DataFlow::importNode("django")
+    )
+    or
+    // Due to bad performance when using normal setup with `django_attr(t2, attr_name).track(t2, t)`
+    // we have inlined that code and forced a join
+    exists(DataFlow::TypeTracker t2 |
+      exists(DataFlow::StepSummary summary |
+        django_attr_first_join(t2, attr_name, result, summary) and
+        t = t2.append(summary)
+      )
+    )
+  }
+
+  pragma[nomagic]
+  private predicate django_attr_first_join(
+    DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
+  ) {
+    DataFlow::StepSummary::step(django_attr(t2, attr_name), res, summary)
+  }
+
+  /**
+   * Gets a reference to the attribute `attr_name` of the `django` module.
+   * WARNING: Only holds for a few predefined attributes.
+   */
+  private DataFlow::Node django_attr(string attr_name) {
+    result = django_attr(DataFlow::TypeTracker::end(), attr_name)
+  }
+
+  /** Provides models for the `django` module. */
+  module django {
+    /** Gets a reference to the `django.urls` module. */
+    DataFlow::Node urls() { result = django_attr("urls") }
+
+    // -------------------------------------------------------------------------
+    // django.urls
+    // -------------------------------------------------------------------------
+    /** Provides models for the `django.urls` module */
+    module urls {
+      /**
+       * Gets a reference to the attribute `attr_name` of the `urls` module.
+       * WARNING: Only holds for a few predefined attributes.
+       */
+      private DataFlow::Node urls_attr(DataFlow::TypeTracker t, string attr_name) {
+        attr_name in ["path", "re_path"] and
+        (
+          t.start() and
+          result = DataFlow::importNode("django.urls" + "." + attr_name)
+          or
+          t.startInAttr(attr_name) and
+          result = DataFlow::importNode("django.urls")
+          or
+          t.startInAttr(attr_name) and
+          result = django::urls()
+        )
+        or
+        // Due to bad performance when using normal setup with `urls_attr(t2, attr_name).track(t2, t)`
+        // we have inlined that code and forced a join
+        exists(DataFlow::TypeTracker t2 |
+          exists(DataFlow::StepSummary summary |
+            urls_attr_first_join(t2, attr_name, result, summary) and
+            t = t2.append(summary)
+          )
+        )
+      }
+
+      pragma[nomagic]
+      private predicate urls_attr_first_join(
+        DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
+        DataFlow::StepSummary summary
+      ) {
+        DataFlow::StepSummary::step(urls_attr(t2, attr_name), res, summary)
+      }
+
+      /**
+       * Gets a reference to the attribute `attr_name` of the `urls` module.
+       * WARNING: Only holds for a few predefined attributes.
+       */
+      private DataFlow::Node urls_attr(string attr_name) {
+        result = urls_attr(DataFlow::TypeTracker::end(), attr_name)
+      }
+
+      /**
+       * Gets a reference to the `django.urls.path` function.
+       * See https://docs.djangoproject.com/en/3.0/ref/urls/#path
+       */
+      DataFlow::Node path() { result = urls_attr("path") }
+
+      /**
+       * Gets a reference to the `django.urls.re_path` function.
+       * See https://docs.djangoproject.com/en/3.0/ref/urls/#re_path
+       */
+      DataFlow::Node re_path() { result = urls_attr("re_path") }
+    }
+  }
+
+  private class DjangoPathRouteSetup extends HTTP::Server::RouteSetup::Range, DataFlow::CfgNode {
+    override CallNode node;
+
+    DjangoPathRouteSetup() { node.getFunction() = django::urls::path().asCfgNode() }
+
+    override string getUrlPattern() {
+      exists(StrConst str, ControlFlowNode urlPatternArg |
+        urlPatternArg = [node.getArg(0), node.getArgByName("route")]
+      |
+        DataFlow::localFlow(DataFlow::exprNode(str),
+          any(DataFlow::Node n | n.asCfgNode() = urlPatternArg)) and
+        result = str.getText()
+      )
+    }
+
+    override Function getARouteHandler() { none() }
+
+    override Parameter getARoutedParameter() { none() }
+  }
+
+  private class DjangoRePathRouteSetup extends HTTP::Server::RouteSetup::Range, DataFlow::CfgNode {
+    override CallNode node;
+
+    DjangoRePathRouteSetup() { node.getFunction() = django::urls::re_path().asCfgNode() }
+
+    override string getUrlPattern() {
+      exists(StrConst str, ControlFlowNode urlPatternArg |
+        urlPatternArg = [node.getArg(0), node.getArgByName("route")]
+      |
+        DataFlow::localFlow(DataFlow::exprNode(str),
+          any(DataFlow::Node n | n.asCfgNode() = urlPatternArg)) and
+        result = str.getText()
+      )
+    }
+
+    override Function getARouteHandler() { none() }
+
+    override Parameter getARoutedParameter() { none() }
+  }
+}

python/ql/test/experimental/library-tests/frameworks/django-v2-v3/ConceptsTest.expected

@@ -13,15 +13,9 @@
 | routing_test.py:44:62:44:120 | Comment # $routeHandler $routedParameter=arg0 $routedParameter=arg1 | Missing result:routeHandler= |
 | routing_test.py:44:62:44:120 | Comment # $routeHandler $routedParameter=arg0 $routedParameter=arg1 | Missing result:routedParameter=arg0 |
 | routing_test.py:44:62:44:120 | Comment # $routeHandler $routedParameter=arg0 $routedParameter=arg1 | Missing result:routedParameter=arg1 |
-| routing_test.py:49:75:49:131 | Comment # $routeSetup=r"^url_match/(?P<foo>[^/]+)/(?P<bar>[^/]+)" | Missing result:routeSetup=r"^url_match/(?P<foo>[^/]+)/(?P<bar>[^/]+)" |
-| routing_test.py:50:47:50:74 | Comment # $routeSetup=r"^get_params" | Missing result:routeSetup=r"^get_params" |
-| routing_test.py:51:49:51:77 | Comment # $routeSetup=r"^post_params" | Missing result:routeSetup=r"^post_params" |
-| routing_test.py:52:53:52:85 | Comment # $routeSetup=r"^http_resp_write" | Missing result:routeSetup=r"^http_resp_write" |
-| routing_test.py:53:70:53:115 | Comment # $routeSetup=r"^class_view/(?P<untrusted>.+)" | Missing result:routeSetup=r"^class_view/(?P<untrusted>.+)" |
-| routing_test.py:56:76:56:133 | Comment # $routeSetup=r"articles/^(?:page-(?P<page_number>\\d+)/)?" | Missing result:routeSetup=r"articles/^(?:page-(?P<page_number>\\d+)/)?" |
-| routing_test.py:59:95:59:139 | Comment # $routeSetup=r"^([^/]+)/(?:foo\|bar)/([^/]+)" | Missing result:routeSetup=r"^([^/]+)/(?:foo\|bar)/([^/]+)" |
 | routing_test.py:65:31:65:45 | Comment # $routeHandler | Missing result:routeHandler= |
-| routing_test.py:70:84:70:138 | Comment # $routeSetup=r"^specifying-as-kwargs-is-not-a-problem" | Missing result:routeSetup=r"^specifying-as-kwargs-is-not-a-problem" |
+| routing_test.py:70:5:70:81 | ControlFlowNode for re_path() | Unexpected result: routeSetup= |
+| routing_test.py:70:84:70:137 | Comment # $routeSetup="^specifying-as-kwargs-is-not-a-problem" | Missing result:routeSetup="^specifying-as-kwargs-is-not-a-problem" |
 | routing_test.py:78:43:78:86 | Comment # $routeHandler $routedParameter=page_number | Missing result:routeHandler= |
 | routing_test.py:78:43:78:86 | Comment # $routeHandler $routedParameter=page_number | Missing result:routedParameter=page_number |
 | routing_test.py:81:43:81:120 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar $routedParameter=baz | Missing result:routeHandler= |
@@ -32,12 +26,5 @@
 | routing_test.py:84:38:84:94 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar | Missing result:routedParameter=bar |
 | routing_test.py:84:38:84:94 | Comment # $routeHandler $routedParameter=foo $routedParameter=bar | Missing result:routedParameter=foo |
 | routing_test.py:87:37:87:51 | Comment # $routeHandler | Missing result:routeHandler= |
-| routing_test.py:91:38:91:62 | Comment # $routeSetup="articles/" | Missing result:routeSetup="articles/" |
-| routing_test.py:92:60:92:106 | Comment # $routeSetup="articles/page-<int:page_number>" | Missing result:routeSetup="articles/page-<int:page_number>" |
-| routing_test.py:93:74:93:114 | Comment # $routeSetup="<int:foo>/<str:bar>/<baz>" | Missing result:routeSetup="<int:foo>/<str:bar>/<baz>" |
-| routing_test.py:95:51:95:77 | Comment # $routeSetup="<foo>/<bar>" | Missing result:routeSetup="<foo>/<bar>" |
-| routing_test.py:98:60:98:97 | Comment # $routeSetup="not_valid/<not_valid!>" | Missing result:routeSetup="not_valid/<not_valid!>" |
-| testapp/urls.py:6:31:6:50 | Comment # $routeSetup="foo/" | Missing result:routeSetup="foo/" |
-| testapp/urls.py:10:43:10:67 | Comment # $routeSetup=r"^ba[rz]/" | Missing result:routeSetup=r"^ba[rz]/" |
 | testapp/views.py:3:33:3:47 | Comment # $routeHandler | Missing result:routeHandler= |
 | testapp/views.py:6:37:6:51 | Comment # $routeHandler | Missing result:routeHandler= |

python/ql/test/experimental/library-tests/frameworks/django-v2-v3/dummy_import.py

@@ -4,3 +4,7 @@
 
 from testproj import *
 from testapp import *
+
+import os.path as pth
+
+pth.join("foo", "bar")

python/ql/test/experimental/library-tests/frameworks/django-v2-v3/routing_test.py

@@ -46,17 +46,17 @@ def xxs_positional_arg(request, arg0, arg1, no_taint=None):  # $routeHandler $ro
 
 
 urlpatterns = [
-    re_path(r"^url_match/(?P<foo>[^/]+)/(?P<bar>[^/]+)", url_match_xss),  # $routeSetup=r"^url_match/(?P<foo>[^/]+)/(?P<bar>[^/]+)"
-    re_path(r"^get_params", get_params_xss),  # $routeSetup=r"^get_params"
-    re_path(r"^post_params", post_params_xss),  # $routeSetup=r"^post_params"
-    re_path(r"^http_resp_write", http_resp_write),  # $routeSetup=r"^http_resp_write"
-    re_path(r"^class_view/(?P<untrusted>.+)", ClassView.as_view()),  # $routeSetup=r"^class_view/(?P<untrusted>.+)"
+    re_path(r"^url_match/(?P<foo>[^/]+)/(?P<bar>[^/]+)", url_match_xss),  # $routeSetup="^url_match/(?P<foo>[^/]+)/(?P<bar>[^/]+)"
+    re_path(r"^get_params", get_params_xss),  # $routeSetup="^get_params"
+    re_path(r"^post_params", post_params_xss),  # $routeSetup="^post_params"
+    re_path(r"^http_resp_write", http_resp_write),  # $routeSetup="^http_resp_write"
+    re_path(r"^class_view/(?P<untrusted>.+)", ClassView.as_view()),  # $routeSetup="^class_view/(?P<untrusted>.+)"
 
     # one pattern to support `articles/page-<n>` and ensuring that articles/ goes to page-1
-    re_path(r"articles/^(?:page-(?P<page_number>\d+)/)?", show_articles),  # $routeSetup=r"articles/^(?:page-(?P<page_number>\d+)/)?"
+    re_path(r"articles/^(?:page-(?P<page_number>\d+)/)?", show_articles),  # $routeSetup="articles/^(?:page-(?P<page_number>\d+)/)?"
     # passing as positional argument is not the recommended way of doing things, but it is certainly
     # possible
-    re_path(r"^([^/]+)/(?:foo|bar)/([^/]+)", xxs_positional_arg, name='xxs_positional_arg'),  # $routeSetup=r"^([^/]+)/(?:foo|bar)/([^/]+)"
+    re_path(r"^([^/]+)/(?:foo|bar)/([^/]+)", xxs_positional_arg, name='xxs_positional_arg'),  # $routeSetup="^([^/]+)/(?:foo|bar)/([^/]+)"
 ]
 
 
@@ -67,7 +67,7 @@ def re_path_kwargs(request):  # $routeHandler
 
 
 urlpatterns = [
-    re_path(view=re_path_kwargs, regex=r"^specifying-as-kwargs-is-not-a-problem")  # $routeSetup=r"^specifying-as-kwargs-is-not-a-problem"
+    re_path(view=re_path_kwargs, regex=r"^specifying-as-kwargs-is-not-a-problem")  # $routeSetup="^specifying-as-kwargs-is-not-a-problem"
 ]
 
 ################################################################################

python/ql/test/experimental/library-tests/frameworks/django-v2-v3/testapp/urls.py

@@ -7,5 +7,5 @@
     # TODO: Doesn't include standard `$` to mark end of string, due to problems with
     # inline expectation tests (which thinks the `$` would mark the beginning of a new
     # line)
-    re_path(r"^ba[rz]/", views.bar_baz),  # $routeSetup=r"^ba[rz]/"
+    re_path(r"^ba[rz]/", views.bar_baz),  # $routeSetup="^ba[rz]/"
 ]

python/ql/test/experimental/library-tests/frameworks/django-v2-v3/testproj/urls.py

@@ -17,6 +17,6 @@
 from django.urls import path, include
 
 urlpatterns = [
-    path('admin/', admin.site.urls),
-    path("app/", include("testapp.urls")),
+    path("admin/", admin.site.urls),  # $routeSetup="admin/"
+    path("app/", include("testapp.urls")),  # $routeSetup="app/"
 ]