Python: Add models for websocket handlers for Tornado #20877
yoff merged 4 commits into github:main
Pull Request Overview
This pull request adds support for modeling WebSocket handlers in the Tornado framework, specifically adding remote flow source models for tornado.websocket.WebSocketHandler.
- Added modeling for tornado.websocket.WebSocketHandler class and its event handler methods
- Created TornadoWebSocketEventHandler class to identify WebSocket event handlers as request handlers with routed parameters
- Added test cases for WebSocket handler methods including open, on_message, on_ping, on_pong, select_subprotocol, and check_origin
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| python/ql/lib/semmle/python/frameworks/Tornado.qll | Added WebSocket module modeling including WebSocketHandler class reference, WebSocketHandlerClass extending RequestHandlerClass, and TornadoWebSocketEventHandler for treating WebSocket event handlers as request handlers |
| python/ql/test/library-tests/frameworks/tornado/routing_test.py | Added test class WebSocket extending tornado.websocket.WebSocketHandler with test methods for various WebSocket event handlers and corresponding route setup |
| python/ql/lib/change-notes/2025-11-22-tornado-websockets.md | Added change note documenting the addition of remote flow source models for tornado.websocket.WebSocketHandler |
yoff left a comment
We could possibly do additional modeling like write_message and set_default_headers (perhaps even prepare), but this is still an improvement on its own.
```python
class WebSocket(tornado.websocket.WebSocketHandler):
    def open(self, x): # $ requestHandler routedParameter=x
        self.write_message("WebSocket open {}".format(x))
```
Should we expect # $ HttpResponse here? (and below)
Possibly it is reasonable to, if write_message should be considered an HttpResponse write
Added as expectations that are MISSING as write_message is not modeled.
DCA run looks good, merging.
Adds models for WebSocketHandler remote flow sources.