Python: Model django request handlers without known route

RasmusWL · RasmusWL · commit d4d6f0ca0c55 · 2020-12-21T18:02:22.000+01:00
diff --git a/python/change-notes/2020-12-21-django-with-unknown-route.md b/python/change-notes/2020-12-21-django-with-unknown-route.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Improved modeling of `django` to recognize request handlers on `View` classes without known route, thereby leading to more sources of remote user input (`RemoteFlowSource`).
diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -1756,6 +1756,23 @@ private module Django {
     }
   }
 
+  /** A request handler defined in a django view class, that has no known route. */
+  private class DjangoViewClassHandlerWithoutKnownRoute extends HTTP::Server::RequestHandler::Range,
+    DjangoRouteHandler {
+    DjangoViewClassHandlerWithoutKnownRoute() {
+      exists(DjangoViewClassDef vc | vc.getARequestHandler() = this) and
+      not exists(DjangoRouteSetup setup | setup.getARequestHandler() = this)
+    }
+
+    override Parameter getARoutedParameter() {
+      // Since we don't know the URL pattern, we simply mark all parameters as a routed
+      // parameter. This should give us more RemoteFlowSources but could also lead to
+      // more FPs. If this turns out to be the wrong tradeoff, we can always change our mind.
+      result in [this.getArg(_), this.getArgByName(_)] and
+      not result = any(int i | i <= this.getRequestParamIndex() | this.getArg(i))
+    }
+  }
+
   /**
    * Gets the regex that is used by django to find routed parameters when using `django.urls.path`.
    *
diff --git a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/routing_test.py b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/routing_test.py
@@ -113,5 +113,5 @@ class PossiblyNotRouted(View):
     # Even if our analysis can't find a route-setup for this class, we should still
     # consider it to be a handle incoming HTTP requests
 
-    def get(self, request, possibly_not_routed=42):  # $ MISSING: requestHandler routedParameter=possibly_not_routed
+    def get(self, request, possibly_not_routed=42):  # $ requestHandler routedParameter=possibly_not_routed
         return HttpResponse('PossiblyNotRouted get: {}'.format(possibly_not_routed))  # $HttpResponse
diff --git a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/testapp/views.py b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/testapp/views.py
@@ -24,7 +24,7 @@ def post(self, request: HttpRequest): # $ requestHandler
 
 
 class MyCustomViewBaseClass(View):
-    def post(self, request: HttpRequest): # $ MISSING: requestHandler
+    def post(self, request: HttpRequest): # $ requestHandler
         return HttpResponse("MyCustomViewBaseClass: POST") # $ HttpResponse
 
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+lgtm,codescanning`
	`2`	+* Improved modeling of `django` to recognize request handlers on `View` classes without known route, thereby leading to more sources of remote user input (`RemoteFlowSource`).