WIP: Flask View class modeling for restplus

RasmusWL · RasmusWL · commit 2f17d2f3ac25 · 2023-12-08T11:27:49.000+01:00
Based on some DBs I had that contained dependencies
diff --git a/python/ql/lib/semmle/python/frameworks/Flask.qll b/python/ql/lib/semmle/python/frameworks/Flask.qll
@@ -14,6 +14,7 @@ private import semmle.python.ApiGraphs
 private import semmle.python.frameworks.internal.InstanceTaintStepsHelper
 private import semmle.python.security.dataflow.PathInjectionCustomizations
 private import semmle.python.dataflow.new.FlowSummary
+private import semmle.python.frameworks.data.ModelsAsData
 
 /**
  * Provides models for the `flask` PyPI package.
@@ -39,6 +40,10 @@ module Flask {
                   "MethodView"
                 ])
               .getASubclass*()
+        or
+        result = ModelOutput::getATypeNode("flask.View~Subclass").getASubclass*()
+        or
+        result = ModelOutput::getATypeNode("flask.MethodView~Subclass").getASubclass*()
       }
     }
 
@@ -52,6 +57,8 @@ module Flask {
       API::Node subclassRef() {
         result =
           API::moduleImport("flask").getMember("views").getMember("MethodView").getASubclass*()
+        or
+        result = ModelOutput::getATypeNode("flask.MethodView~Subclass").getASubclass*()
       }
     }
   }
diff --git a/python/ql/lib/semmle/python/frameworks/data/internal/empty.model.yml b/python/ql/lib/semmle/python/frameworks/data/internal/empty.model.yml
@@ -23,7 +23,12 @@ extensions:
   - addsTo:
       pack: codeql/python-all
       extensible: typeModel
-    data: []
+    data:
+      - ["flask.MethodView~Subclass","flask_restplus","Member[api].Member[SwaggerView]"]
+      - ["flask.MethodView~Subclass","flask_restplus","Member[resource].Member[Resource]"]
+      - ["flask.MethodView~Subclass","flask_restplus","Member[api].Member[Resource]"]
+      - ["flask.MethodView~Subclass","flask_restplus","Member[resource].Member[MethodView]"]
+      - ["flask.MethodView~Subclass","flask_restplus","Member[Resource]"]
 
   - addsTo:
       pack: codeql/python-all
diff --git a/python/ql/lib/semmle/python/frameworks/internal/SubclassFinder.qll b/python/ql/lib/semmle/python/frameworks/internal/SubclassFinder.qll
@@ -11,28 +11,17 @@ private import semmle.python.ApiGraphs
 private import semmle.python.filters.Tests
 
 // very much inspired by the draft at https://github.com/github/codeql/pull/5632
-private module NotExposed {
+module NotExposed {
   // Instructions:
   // This needs to be automated better, but for this prototype, here are some rough instructions:
   // 0) get a database of the library you are about to model
   // 1) fill out the `getAlreadyModeledClass` body below
   // 2) quick-eval the `quickEvalMe` predicate below, and copy the output to your modeling predicate
-  class MySpec extends FindSubclassesSpec {
-    MySpec() { this = "MySpec" }
-
-    override API::Node getAlreadyModeledClass() {
-      // FILL ME OUT ! (but don't commit with any changes)
-      none()
-      // for example
-      // result = API::moduleImport("rest_framework").getMember("views").getMember("APIView")
-    }
-  }
-
   predicate quickEvalMe(string newImport) {
     newImport =
       "// imports generated by python/frameworks/internal/SubclassFinder.qll\n" + "this = API::" +
         concat(string newModelFullyQualified |
-          newModel(any(MySpec spec), newModelFullyQualified, _, _, _)
+          newModel(any(FindSubclassesSpec spec), newModelFullyQualified, _, _, _)
         |
           fullyQualifiedToApiGraphPath(newModelFullyQualified), " or this = API::"
         )
@@ -76,6 +65,8 @@ private module NotExposed {
   bindingset[this]
   abstract class FindSubclassesSpec extends string {
     abstract API::Node getAlreadyModeledClass();
+
+    FindSubclassesSpec getSuperClass() { none() }
   }
 
   /**
@@ -111,7 +102,7 @@ private module NotExposed {
   predicate isNonTestProjectCode(AstNode ast) {
     not ast.getScope*() instanceof TestScope and
     not ast.getLocation().getFile().getRelativePath().matches("tests/%") and
-    exists(ast.getLocation().getFile().getRelativePath())
+    not exists(ast.getLocation().getFile().getRelativePath())
   }
 
   predicate hasAllStatement(Module mod) {
diff --git a/python/ql/src/meta/ClassHierarchy/Find.ql b/python/ql/src/meta/ClassHierarchy/Find.ql
@@ -0,0 +1,44 @@
+import python
+import semmle.python.dataflow.new.DataFlow
+private import semmle.python.ApiGraphs
+import semmle.python.frameworks.internal.SubclassFinder::NotExposed
+private import semmle.python.frameworks.Flask
+private import semmle.python.frameworks.FastApi
+private import semmle.python.frameworks.Django
+import semmle.python.frameworks.data.internal.ApiGraphModelsExtensions as Extensions
+
+class FlaskViewClasses extends FindSubclassesSpec {
+  FlaskViewClasses() { this = "flask.View~Subclass" }
+
+  override API::Node getAlreadyModeledClass() { result = Flask::Views::View::subclassRef() }
+}
+
+class FlaskMethodViewClasses extends FindSubclassesSpec {
+  FlaskMethodViewClasses() { this = "flask.MethodView~Subclass" }
+
+  override API::Node getAlreadyModeledClass() { result = Flask::Views::MethodView::subclassRef() }
+
+  override FlaskViewClasses getSuperClass() { any() }
+}
+
+bindingset[fullyQualified]
+predicate fullyQualifiedToYamlFormat(string fullyQualified, string type2, string path) {
+  exists(int firstDot | firstDot = fullyQualified.indexOf(".", 0, 0) |
+    type2 = fullyQualified.prefix(firstDot) and
+    path =
+      ("Member[" + fullyQualified.suffix(firstDot + 1).replaceAll(".", "].Member[") + "]")
+          .replaceAll(".Member[__init__].", "")
+          .replaceAll("Member[__init__].", "")
+  )
+}
+
+from FindSubclassesSpec spec, string newModelFullyQualified, string type2, string path, Module mod
+where
+  newModel(spec, newModelFullyQualified, _, mod, _) and
+  not exists(FindSubclassesSpec subclass | subclass.getSuperClass() = spec |
+    newModel(subclass, newModelFullyQualified, _, mod, _)
+  ) and
+  not exists(mod.getLocation().getFile().getRelativePath()) and
+  fullyQualifiedToYamlFormat(newModelFullyQualified, type2, path) and
+  not Extensions::typeModel(spec, type2, path)
+select spec.(string), type2, path

Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,7 @@ private import semmle.python.ApiGraphs`
`14`	`14`	`private import semmle.python.frameworks.internal.InstanceTaintStepsHelper`
`15`	`15`	`private import semmle.python.security.dataflow.PathInjectionCustomizations`
`16`	`16`	`private import semmle.python.dataflow.new.FlowSummary`
	`17`	`+private import semmle.python.frameworks.data.ModelsAsData`
`17`	`18`
`18`	`19`	`/**`
`19`	`20`	* Provides models for the `flask` PyPI package.
`@@ -39,6 +40,10 @@ module Flask {`
`39`	`40`	`"MethodView"`
`40`	`41`	`])`
`41`	`42`	`.getASubclass*()`
	`43`	`+ or`
	`44`	`+ result = ModelOutput::getATypeNode("flask.View~Subclass").getASubclass*()`
	`45`	`+ or`
	`46`	`+ result = ModelOutput::getATypeNode("flask.MethodView~Subclass").getASubclass*()`
`42`	`47`	`}`
`43`	`48`	`}`
`44`	`49`
`@@ -52,6 +57,8 @@ module Flask {`
`52`	`57`	`API::Node subclassRef() {`
`53`	`58`	`result =`
`54`	`59`	`API::moduleImport("flask").getMember("views").getMember("MethodView").getASubclass*()`
	`60`	`+ or`
	`61`	`+ result = ModelOutput::getATypeNode("flask.MethodView~Subclass").getASubclass*()`
`55`	`62`	`}`
`56`	`63`	`}`
`57`	`64`	`}`