Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 35334cf

Browse files
RasmusWLRasmusWL
committed
Python: Remove status code modeling
I'm not even trying to model it properly right now, and don't have a specific use-case for it RIGHT NOW. I think we could want this in the future, but I think it's probably better to model it when we know what we want to use it for.
1 parent 19dc04d commit 35334cf

4 files changed

Lines changed: 18 additions & 50 deletions

File tree

python/ql/src/experimental/semmle/python/Concepts.qll

Lines changed: 0 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -239,9 +239,6 @@ module HTTP {
239239

240240
/** Gets the content-type of this HTTP response, if it can be statically determined. */
241241
string getContentType() { result = range.getContentType() }
242-
243-
/** Gets the status code of this HTTP response, if it can be statically determined. */
244-
int getStatusCode() { result = range.getStatusCode() }
245242
}
246243

247244
/** Provides a class for modeling new HTTP response APIs. */
@@ -275,23 +272,6 @@ module HTTP {
275272
not exists(this.getContentTypeArg()) and
276273
result = this.getContentTypeDefault()
277274
}
278-
279-
/** Gets the data-flow node that specifies the status code of this HTTP response, if any. */
280-
abstract DataFlow::Node getStatusCodeArg();
281-
282-
/** Gets the default status code that should be used if `getStatusCodeArg` has no results. */
283-
abstract int getStatusCodeDefault();
284-
285-
/** Gets the status code of this HTTP response, if it can be statically determined. */
286-
int getStatusCode() {
287-
exists(IntegerLiteral i |
288-
DataFlow::localFlow(DataFlow::exprNode(i), this.getStatusCodeArg()) and
289-
result = i.getValue()
290-
)
291-
or
292-
not exists(this.getStatusCodeArg()) and
293-
result = this.getStatusCodeDefault()
294-
}
295275
}
296276
}
297277
}

python/ql/src/experimental/semmle/python/frameworks/Flask.qll

Lines changed: 0 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -394,9 +394,5 @@ private module FlaskModel {
394394
override string getContentTypeDefault() { result = "text/html" }
395395

396396
override DataFlow::Node getContentTypeArg() { none() }
397-
398-
override int getStatusCodeDefault() { result = 200 }
399-
400-
override DataFlow::Node getStatusCodeArg() { result.asCfgNode() = node.getArg(1) }
401397
}
402398
}

python/ql/test/experimental/library-tests/frameworks/flask/response_test.py

Lines changed: 17 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -7,21 +7,21 @@
77

88
@app.route("/html1") # $routeSetup="/html1"
99
def html1(): # $routeHandler
10-
return "<h1>hello</h1>" # $f-:HttpResponse $f-:contentType=text/html $f-:statusCode=200 $f-:responseBody="<h1>hello</h1>"
10+
return "<h1>hello</h1>" # $f-:HttpResponse $f-:contentType=text/html $f-:responseBody="<h1>hello</h1>"
1111

1212

1313
@app.route("/html2") # $routeSetup="/html2"
1414
def html2(): # $routeHandler
1515
# note that response saved in a variable intentionally -- we wan the annotations to
1616
# show that we recognize the response creation, and not the return (hopefully). (and
1717
# do the same in the following of the file)
18-
resp = make_response("<h1>hello</h1>") # $HttpResponse $contentType=text/html $statusCode=200 $responseBody="<h1>hello</h1>"
18+
resp = make_response("<h1>hello</h1>") # $HttpResponse $contentType=text/html $responseBody="<h1>hello</h1>"
1919
return resp
2020

2121

2222
@app.route("/html3") # $routeSetup="/html3"
2323
def html3(): # $routeHandler
24-
resp = app.make_response("<h1>hello</h1>") # $HttpResponse $contentType=text/html $statusCode=200 $responseBody="<h1>hello</h1>"
24+
resp = app.make_response("<h1>hello</h1>") # $HttpResponse $contentType=text/html $responseBody="<h1>hello</h1>"
2525
return resp
2626

2727

@@ -31,30 +31,30 @@ def html3(): # $routeHandler
3131

3232
@app.route("/html4") # $routeSetup="/html4"
3333
def html4(): # $routeHandler
34-
resp = Response("<h1>hello</h1>") # $f-:HttpResponse $f-:contentType=text/html $f-:statusCode=200 $f-:responseBody="<h1>hello</h1>"
34+
resp = Response("<h1>hello</h1>") # $f-:HttpResponse $f-:contentType=text/html $f-:responseBody="<h1>hello</h1>"
3535
return resp
3636

3737

3838
@app.route("/html5") # $routeSetup="/html5"
3939
def html5(): # $routeHandler
4040
# note: flask.Flask.response_class is set to `flask.Response` by default.
4141
# it can be overridden, but we don't try to handle that right now.
42-
resp = Flask.response_class("<h1>hello</h1>") # $f-:HttpResponse $f-:contentType=text/html $f-:statusCode=200 $f-:responseBody="<h1>hello</h1>"
42+
resp = Flask.response_class("<h1>hello</h1>") # $f-:HttpResponse $f-:contentType=text/html $f-:responseBody="<h1>hello</h1>"
4343
return resp
4444

4545

4646
@app.route("/html6") # $routeSetup="/html6"
4747
def html6(): # $routeHandler
4848
# note: app.response_class (flask.Flask.response_class) is set to `flask.Response` by default.
4949
# it can be overridden, but we don't try to handle that right now.
50-
resp = app.response_class("<h1>hello</h1>") # $f-:HttpResponse $f-:contentType=text/html $f-:statusCode=200 $f-:responseBody="<h1>hello</h1>"
50+
resp = app.response_class("<h1>hello</h1>") # $f-:HttpResponse $f-:contentType=text/html $f-:responseBody="<h1>hello</h1>"
5151
return resp
5252

5353

5454
@app.route("/jsonify") # $routeSetup="/jsonify"
5555
def jsonify_route(): # $routeHandler
5656
data = {"foo": "bar"}
57-
response = jsonify(data) # $f-:HttpResponse $f-:contentType=application/json $f-:statusCode=200 $f-:responseBody=data
57+
response = jsonify(data) # $f-:HttpResponse $f-:contentType=application/json $f-:responseBody=data
5858
return response
5959

6060

@@ -65,14 +65,14 @@ def jsonify_route(): # $routeHandler
6565

6666
@app.route("/content-type/response-modification1") # $routeSetup="/content-type/response-modification1"
6767
def response_modification1(): # $routeHandler
68-
resp = make_response("<h1>hello</h1>") # $HttpResponse $contentType=text/html $statusCode=200 $responseBody="<h1>hello</h1>"
68+
resp = make_response("<h1>hello</h1>") # $HttpResponse $contentType=text/html $responseBody="<h1>hello</h1>"
6969
resp.content_type = "text/plain" # $f-:HttpResponse $f-:contentType=text/plain
7070
return resp
7171

7272

7373
@app.route("/content-type/response-modification2") # $routeSetup="/content-type/response-modification2"
7474
def response_modification2(): # $routeHandler
75-
resp = make_response("<h1>hello</h1>") # $HttpResponse $contentType=text/html $statusCode=200 $responseBody="<h1>hello</h1>"
75+
resp = make_response("<h1>hello</h1>") # $HttpResponse $contentType=text/html $responseBody="<h1>hello</h1>"
7676
resp.headers["content-type"] = "text/plain" # $f-:HttpResponse $f-:contentType=text/plain
7777
return resp
7878

@@ -83,13 +83,13 @@ def response_modification2(): # $routeHandler
8383

8484
@app.route("/content-type/Response1") # $routeSetup="/content-type/Response1"
8585
def Response1(): # $routeHandler
86-
resp = Response("<h1>hello</h1>", mimetype="text/plain") # $f-:HttpResponse $f-:contentType=text/plain $f-:statusCode=200 $f-:responseBody="<h1>hello</h1>"
86+
resp = Response("<h1>hello</h1>", mimetype="text/plain") # $f-:HttpResponse $f-:contentType=text/plain $f-:responseBody="<h1>hello</h1>"
8787
return resp
8888

8989

9090
@app.route("/content-type/Response2") # $routeSetup="/content-type/Response2"
9191
def Response2(): # $routeHandler
92-
resp = Response("<h1>hello</h1>", content_type="text/plain; charset=utf-8") # $f-:HttpResponse $f-:contentType=text/plain $f-:statusCode=200 $f-:responseBody="<h1>hello</h1>"
92+
resp = Response("<h1>hello</h1>", content_type="text/plain; charset=utf-8") # $f-:HttpResponse $f-:contentType=text/plain $f-:responseBody="<h1>hello</h1>"
9393
return resp
9494

9595

@@ -98,14 +98,14 @@ def Response3(): # $routeHandler
9898
# content_type argument takes priority (and result is text/plain)
9999
resp = Response(
100100
"<h1>hello</h1>", content_type="text/plain; charset=utf-8", mimetype="text/html"
101-
) # $f-:HttpResponse $f-:contentType=text/plain $f-:statusCode=200 $f-:responseBody="<h1>hello</h1>"
101+
) # $f-:HttpResponse $f-:contentType=text/plain $f-:responseBody="<h1>hello</h1>"
102102
return resp
103103

104104

105105
@app.route("/content-type/Response4") # $routeSetup="/content-type/Response4"
106106
def Response4(): # $routeHandler
107107
# note: capitalization of Content-Type does not matter
108-
resp = Response("<h1>hello</h1>", headers={"Content-TYPE": "text/plain"}) # $f-:HttpResponse $f-:contentType=text/plain $f-:statusCode=200 $f-:responseBody="<h1>hello</h1>"
108+
resp = Response("<h1>hello</h1>", headers={"Content-TYPE": "text/plain"}) # $f-:HttpResponse $f-:contentType=text/plain $f-:responseBody="<h1>hello</h1>"
109109
return resp
110110

111111

@@ -115,25 +115,26 @@ def Response5(): # $routeHandler
115115
# note: capitalization of Content-Type does not matter
116116
resp = Response(
117117
"<h1>hello</h1>", headers={"Content-TYPE": "text/html"}, content_type="text/plain; charset=utf-8"
118-
) # $f-:HttpResponse $f-:contentType=text/plain $f-:statusCode=200 $f-:responseBody="<h1>hello</h1>"
118+
) # $f-:HttpResponse $f-:contentType=text/plain $f-:responseBody="<h1>hello</h1>"
119119
return resp
120120

121121

122122
@app.route("/content-type/Flask-response-class") # $routeSetup="/content-type/Flask-response-class"
123123
def Flask_response_class(): # $routeHandler
124124
# note: flask.Flask.response_class is set to `flask.Response` by default.
125125
# it can be overridden, but we don't try to handle that right now.
126-
resp = Flask.response_class("<h1>hello</h1>", mimetype="text/plain") # $f-:HttpResponse $f-:contentType=text/plain $f-:statusCode=200 $f-:responseBody="<h1>hello</h1>"
126+
resp = Flask.response_class("<h1>hello</h1>", mimetype="text/plain") # $f-:HttpResponse $f-:contentType=text/plain $f-:responseBody="<h1>hello</h1>"
127127
return resp
128128

129129

130130
@app.route("/content-type/app-response-class") # $routeSetup="/content-type/app-response-class"
131131
def app_response_class(): # $routeHandler
132132
# note: app.response_class (flask.Flask.response_class) is set to `flask.Response` by default.
133133
# it can be overridden, but we don't try to handle that right now.
134-
resp = app.response_class("<h1>hello</h1>", mimetype="text/plain") # $f-:HttpResponse $f-:contentType=text/plain $f-:statusCode=200 $f-:responseBody="<h1>hello</h1>"
134+
resp = app.response_class("<h1>hello</h1>", mimetype="text/plain") # $f-:HttpResponse $f-:contentType=text/plain $f-:responseBody="<h1>hello</h1>"
135135
return resp
136136

137+
137138
# TODO: add tests for setting status code
138139
# TODO: add test that manually creates a redirect by setting status code and suitable header.
139140

python/ql/test/experimental/meta/ConceptsTest.qll

Lines changed: 1 addition & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -148,9 +148,7 @@ class HttpServerHttpResponseTest extends InlineExpectationsTest {
148148

149149
HttpServerHttpResponseTest() { this = "HttpServerHttpResponseTest: " + file }
150150

151-
override string getARelevantTag() {
152-
result in ["HttpResponse", "responseBody", "contentType", "statusCode"]
153-
}
151+
override string getARelevantTag() { result in ["HttpResponse", "responseBody", "contentType"] }
154152

155153
override predicate hasActualResult(Location location, string element, string tag, string value) {
156154
// By adding `file` as a class field, and these two restrictions, it's possible to
@@ -180,13 +178,6 @@ class HttpServerHttpResponseTest extends InlineExpectationsTest {
180178
value = response.getContentType() and
181179
tag = "contentType"
182180
)
183-
or
184-
exists(HTTP::Server::HttpResponse response |
185-
location = response.getLocation() and
186-
element = response.toString() and
187-
value = response.getStatusCode().toString() and
188-
tag = "statusCode"
189-
)
190181
)
191182
}
192183
}

0 commit comments

Comments
 (0)