Python: Add missing type-tracking step for django.views

RasmusWL · RasmusWL · commit 173012578e44 · 2021-01-28T12:10:42.000+01:00
Easy to overlook, and will onyl be caught by tests if they use `import
parent.thing` and not `from parent import thing`
diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -35,7 +35,7 @@ private module Django {
    * WARNING: Only holds for a few predefined attributes.
    */
   private DataFlow::Node django_attr(DataFlow::TypeTracker t, string attr_name) {
-    attr_name in ["db", "urls", "http", "conf"] and
+    attr_name in ["db", "urls", "http", "conf", "views"] and
     (
       t.start() and
       result = DataFlow::importNode("django" + "." + attr_name)
diff --git a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/routing_test.py b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/routing_test.py
@@ -39,7 +39,7 @@ def get(self, request, untrusted):  # $ requestHandler routedParameter=untrusted
 
 # direct import with full path to `View` class (previously not supported)
 class ClassView2(django.views.generic.base.View):
-    def get(self, request): # $ MISSING: requestHandler
+    def get(self, request): # $ requestHandler
         pass
 
 

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ private module Django {`
`35`	`35`	`* WARNING: Only holds for a few predefined attributes.`
`36`	`36`	`*/`
`37`	`37`	`private DataFlow::Node django_attr(DataFlow::TypeTracker t, string attr_name) {`
`38`		`- attr_name in ["db", "urls", "http", "conf"] and`
	`38`	`+ attr_name in ["db", "urls", "http", "conf", "views"] and`
`39`	`39`	`(`
`40`	`40`	`t.start() and`
`41`	`41`	`result = DataFlow::importNode("django" + "." + attr_name)`