Python: Model rest_framework.exceptions.APIException

tausbn · RasmusWL · commit 43fe9ca31d44 · 2023-12-08T11:27:52.000+01:00
Only models the subclasses of `APIException` that share the same interface as
`APIException` itself with regard to the `getBody` predicate.
diff --git a/python/ql/lib/semmle/python/frameworks/RestFramework.qll b/python/ql/lib/semmle/python/frameworks/RestFramework.qll
@@ -334,6 +334,23 @@ module RestFramework {
    * See https://www.django-rest-framework.org/api-guide/exceptions/#api-reference
    */
   module ApiException {
+    API::Node classRef() {
+      exists(string className |
+        className in [
+            "APIException", "ValidationError", "ParseError", "AuthenticationFailed",
+            "NotAuthenticated", "PermissionDenied", "NotFound", "NotAcceptable"
+          ] and
+        result =
+          API::moduleImport("rest_framework")
+              .getMember("exceptions")
+              .getMember(className)
+              .getASubclass*()
+      )
+      or
+      result =
+        ModelOutput::getATypeNode("rest_framework.exceptions.APIException~Subclass").getASubclass*()
+    }
+
     /** A direct instantiation of `rest_framework.exceptions.ApiException` or subclass. */
     private class ClassInstantiation extends Http::Server::HttpResponse::Range,
       DataFlow::CallCfgNode
@@ -351,6 +368,8 @@ module RestFramework {
               .getMember("exceptions")
               .getMember(className)
               .getACall()
+        or
+        this = classRef().getACall() and className = "APIException"
       }
 
       override DataFlow::Node getBody() {
diff --git a/python/ql/src/meta/ClassHierarchy/Find.ql b/python/ql/src/meta/ClassHierarchy/Find.ql
@@ -445,6 +445,12 @@ class DjangoFileField extends FindSubclassesSpec {
   }
 }
 
+class RestFrameworkApiException extends FindSubclassesSpec {
+  RestFrameworkApiException() { this = "rest_framework.exceptions.APIException~Subclass" }
+
+  override API::Node getAlreadyModeledClass() { result = RestFramework::ApiException::classRef() }
+}
+
 bindingset[fullyQualified]
 predicate fullyQualifiedToYamlFormat(string fullyQualified, string type2, string path) {
   exists(int firstDot | firstDot = fullyQualified.indexOf(".", 0, 0) |

Original file line number	Diff line number	Diff line change
`@@ -445,6 +445,12 @@ class DjangoFileField extends FindSubclassesSpec {`
`445`	`445`	`}`
`446`	`446`	`}`
`447`	`447`
	`448`	`+class RestFrameworkApiException extends FindSubclassesSpec {`
	`449`	`+ RestFrameworkApiException() { this = "rest_framework.exceptions.APIException~Subclass" }`
	`450`	`+`
	`451`	`+ override API::Node getAlreadyModeledClass() { result = RestFramework::ApiException::classRef() }`
	`452`	`+}`
	`453`	`+`
`448`	`454`	`bindingset[fullyQualified]`
`449`	`455`	`predicate fullyQualifiedToYamlFormat(string fullyQualified, string type2, string path) {`
`450`	`456`	`exists(int firstDot \| firstDot = fullyQualified.indexOf(".", 0, 0) \|`