From 14c50e993ba44893eef2e38ae2da957c4b62a906 Mon Sep 17 00:00:00 2001
From: jorgectf
Date: Sat, 16 Oct 2021 13:10:48 +0200
Subject: [PATCH] Add django `GET.get` RFS

---
 .../semmle/python/frameworks/Django.qll | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/python/ql/src/experimental/semmle/python/frameworks/Django.qll b/python/ql/src/experimental/semmle/python/frameworks/Django.qll
index c525b73b40e..27ec7f6bd75 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Django.qll
@@ -8,16 +8,27 @@ private import semmle.python.frameworks.Django
 private import semmle.python.dataflow.new.DataFlow
 private import experimental.semmle.python.Concepts
 private import semmle.python.ApiGraphs
+import semmle.python.dataflow.new.RemoteFlowSources
 
 private module PrivateDjango {
- API::Node django() { result = API::moduleImport("django") }
-
 private module django {
- API::Node http() { result = django().getMember("http") }
+ API::Node http() { result = API::moduleImport("django").getMember("http") }
 
 module http {
 API::Node response() { result = http().getMember("response") }
 
+ API::Node request() { result = http().getMember("request") }
+
+ module request {
+ module HttpRequest {
+ class DjangoGETParameter extends DataFlow::Node, RemoteFlowSource::Range {
+ DjangoGETParameter() { this = request().getMember("GET").getMember("get").getACall() }
+
+ override string getSourceType() { result = "django.http.request.GET.get" }
+ }
+ }
+ }
+
 module response {
 module HttpResponse {
 API::Node baseClassRef() {
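Review bot: The characteristic predicate of `DjangoGETParameter` follows `request().getMember("GET").getMember("get").getACall()`, where `request()` is the module `django.http.request`. In Django, `GET` is an attribute of the `HttpRequest` instance handed to a view, not a member of that module, so this path appears to match only a literal `django.http.request.GET.get(...)` and would miss `request.GET.get(...)` inside handlers, leaving the source silently empty. The class is nested under `module HttpRequest` yet never goes through the `HttpRequest` class; anchoring it on the request instance would fix that, and the stable `semmle.python.frameworks.Django` model imported above may already mark the handler's request parameter as a remote flow source, in which case this source would be redundant. The commit adds no library test, and a small one with a view calling `request.GET.get("x")` would show whether the source fires. Separately, the new import should read `private import semmle.python.dataflow.new.RemoteFlowSources` like the other imports so it is not re-exported; the enclosing `PrivateDjango`, `django` and `http` modules close outside this hunk.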