Merge pull request #14341 from GeekMasher/py-django-restframework

Python - Add support for RestFramework ModelViewSet functions
2023-10-02 10:50:11 +02:00 · 2023-10-02 10:50:11 +02:00 · e7384da162
--- a/python/ql/lib/change-notes/2023-09-29-django-restframework-improvements.md
+++ b/python/ql/lib/change-notes/2023-09-29-django-restframework-improvements.md
@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Django Rest Framework better handles custom `ModelViewSet` classes functions
--- a/python/ql/lib/semmle/python/frameworks/RestFramework.qll
+++ b/python/ql/lib/semmle/python/frameworks/RestFramework.qll
@ -131,7 +131,10 @@ private module RestFramework {
          "initial", "http_method_not_allowed", "permission_denied", "throttled",
          "get_authenticate_header", "perform_content_negotiation", "perform_authentication",
          "check_permissions", "check_object_permissions", "check_throttles", "determine_version",
-          "initialize_request", "finalize_response", "dispatch", "options"
+          "initialize_request", "finalize_response", "dispatch", "options",
+          // ModelViewSet
+          // https://github.com/encode/django-rest-framework/blob/master/rest_framework/viewsets.py
+          "create", "retrieve", "update", "partial_update", "destroy", "list"
        ]
    }
  }
--- a/python/ql/test/library-tests/frameworks/rest_framework/ConceptsTest.expected
+++ b/python/ql/test/library-tests/frameworks/rest_framework/ConceptsTest.expected
@ -1,2 +1,2 @@
-failures
 testFailures
+failures
--- a/python/ql/test/library-tests/frameworks/rest_framework/ConceptsTest.ql
+++ b/python/ql/test/library-tests/frameworks/rest_framework/ConceptsTest.ql
@ -1,2 +1,8 @@
 import python
 import experimental.meta.ConceptsTest
+
+class DedicatedTest extends DedicatedResponseTest {
+  DedicatedTest() { this = "response_test.py" }
+
+  override predicate isDedicatedFile(File file) { file.getShortName() = this }
+}
--- a/python/ql/test/library-tests/frameworks/rest_framework/options
+++ b/python/ql/test/library-tests/frameworks/rest_framework/options
@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=1 -r testapp
--- a/python/ql/test/library-tests/frameworks/rest_framework/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/rest_framework/taint_test.py
@ -81,7 +81,7 @@ def test_taint(request: Request, routed_param): # $ requestHandler routedParamet
    )
    ensure_not_tainted(request.user.password)

-    return Response("ok") # $ HttpResponse responseBody="ok"
+    return Response("ok") # $ HttpResponse


 # class based view
@ -105,7 +105,7 @@ class MyClass(APIView):
        # same as for standard Django view
        ensure_tainted(self.args, self.kwargs) # $ tainted

-        return Response("ok") # $ HttpResponse responseBody="ok"
+        return Response("ok") # $ HttpResponse



--- a/python/ql/test/library-tests/frameworks/rest_framework/testapp/urls.py
+++ b/python/ql/test/library-tests/frameworks/rest_framework/testapp/urls.py
@ -9,10 +9,11 @@ router.register(r"foos", views.FooViewSet)
 router.register(r"bars", views.BarViewSet)

 urlpatterns = [
-    path("", include(router.urls)),
-    path("api-auth/", include("rest_framework.urls", namespace="rest_framework")),
-    path("class-based-view/", views.MyClass.as_view()),  # $routeSetup="lcass-based-view/"
-    path("function-based-view/", views.function_based_view),  # $routeSetup="function-based-view/"
-    path("cookie-test/", views.cookie_test),  # $routeSetup="function-based-view/"
-    path("exception-test/", views.exception_test),  # $routeSetup="exception-test/"
+    path("", include(router.urls)), # $ routeSetup=""
+    path("api-auth/", include("rest_framework.urls", namespace="rest_framework")), # $ routeSetup="api-auth/"
+    path("class-based-view/", views.MyClass.as_view()),  # $ routeSetup="class-based-view/"
+    path("function-based-view/", views.function_based_view),  # $ routeSetup="function-based-view/"
+    path("cookie-test/", views.cookie_test),  # $ routeSetup="cookie-test/"
+    path("exception-test/", views.exception_test),  # $ routeSetup="exception-test/"
+    path("viewset-entrypoints-test/", views.EntrypointViewSet.as_view()) # $ routeSetup="viewset-entrypoints-test/"
 ]
--- a/python/ql/test/library-tests/frameworks/rest_framework/testapp/views.py
+++ b/python/ql/test/library-tests/frameworks/rest_framework/testapp/views.py
@ -19,19 +19,41 @@ class BarViewSet(viewsets.ModelViewSet):
    queryset = Bar.objects.all()
    serializer_class = BarSerializer

+class EntrypointViewSet(viewsets.ModelViewSet):
+    queryset = Bar.objects.all()
+    serializer_class = BarSerializer
+
+    def create(self, request, *args, **kwargs): # $ requestHandler
+        return Response("create") # $ HttpResponse
+
+    def retrieve(self, request, *args, **kwargs): # $ requestHandler
+        return Response("retrieve") # $ HttpResponse
+
+    def update(self, request, *args, **kwargs): # $ requestHandler
+        return Response("update") # $ HttpResponse
+
+    def partial_update(self, request, *args, **kwargs): # $ requestHandler
+        return Response("partial_update") # $ HttpResponse
+
+    def destroy(self, request, *args, **kwargs): # $ requestHandler
+        return Response("destroy") # $ HttpResponse
+
+    def list(self, request, *args, **kwargs): # $ requestHandler
+        return Response("list") # $ HttpResponse
+
 # class based view
 # see https://www.django-rest-framework.org/api-guide/views/#class-based-views

 class MyClass(APIView):
-    def initial(self, request, *args, **kwargs):
+    def initial(self, request, *args, **kwargs): # $ requestHandler
        # this method will be called before processing any request
        super().initial(request, *args, **kwargs)

-    def get(self, request):
-        return Response("GET request")
+    def get(self, request): # $ requestHandler
+        return Response("GET request") # $ HttpResponse

-    def post(self, request):
-        return Response("POST request")
+    def post(self, request): # $ requestHandler
+        return Response("POST request") # $ HttpResponse


 # function based view
@ -39,21 +61,21 @@ class MyClass(APIView):


@api_view(["GET", "POST"])
-def function_based_view(request: Request):
-    return Response({"message": "Hello, world!"})
+def function_based_view(request: Request): # $ requestHandler
+    return Response({"message": "Hello, world!"}) # $ HttpResponse


@api_view(["GET", "POST"])
-def cookie_test(request: Request):
-    resp = Response("wat")
+def cookie_test(request: Request): # $ requestHandler
+    resp = Response("wat") # $ HttpResponse
    resp.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value"
-    resp.set_cookie(key="key4", value="value") # $ CookieWrite CookieName="key" CookieValue="value"
+    resp.set_cookie(key="key4", value="value") # $ CookieWrite CookieName="key4" CookieValue="value"
    resp.headers["Set-Cookie"] = "key2=value2" # $ MISSING: CookieWrite CookieRawHeader="key2=value2"
    resp.cookies["key3"] = "value3" # $ CookieWrite CookieName="key3" CookieValue="value3"
    return resp

@api_view(["GET", "POST"])
-def exception_test(request: Request):
+def exception_test(request: Request): # $ requestHandler
    # see https://www.django-rest-framework.org/api-guide/exceptions/
    # note: `code details` not exposed by default
-    raise APIException("exception details", "code details")
+    raise APIException("exception details", "code details") # $ HttpResponse
				`@ -0,0 +1 @@`
				`semmle-extractor-options: --max-import-depth=1 -r testapp`