Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 44ba346

Browse files
RasmusWLRasmusWL
committed
Python: Model response_class attribute of Flask class
1 parent 082e35c commit 44ba346

2 files changed

Lines changed: 20 additions & 5 deletions

File tree

python/ql/src/experimental/semmle/python/frameworks/Flask.qll

Lines changed: 16 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -171,6 +171,21 @@ private module FlaskModel {
171171
// completely disallowed in QL. I added an underscore to move thing forwards for
172172
// now :(
173173
DataFlow::Node make_response_() { result = instance_attr("make_response") }
174+
175+
/** Gets a reference to the `response_class` attribute on the `flask.Flask` class or an instance. */
176+
private DataFlow::Node response_class(DataFlow::TypeTracker t) {
177+
t.startInAttr("response_class") and
178+
result in [classRef(), instance()]
179+
or
180+
exists(DataFlow::TypeTracker t2 | result = response_class(t2).track(t2, t))
181+
}
182+
183+
/**
184+
* Gets a reference to the `response_class` attribute on the `flask.Flask` class or an instance.
185+
*
186+
* See https://flask.palletsprojects.com/en/1.1.x/api/#flask.Flask.response_class
187+
*/
188+
DataFlow::Node response_class() { result = response_class(DataFlow::TypeTracker::end()) }
174189
}
175190
}
176191

@@ -183,7 +198,7 @@ private module FlaskModel {
183198
/** Gets a reference to the `flask.Response` class. */
184199
private DataFlow::Node classRef(DataFlow::TypeTracker t) {
185200
t.start() and
186-
result = flask_attr("Response")
201+
result in [flask_attr("Response"), flask::Flask::response_class()]
187202
or
188203
exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
189204
}

python/ql/test/experimental/library-tests/frameworks/flask/response_test.py

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -39,15 +39,15 @@ def html4(): # $routeHandler
3939
def html5(): # $routeHandler
4040
# note: flask.Flask.response_class is set to `flask.Response` by default.
4141
# it can be overridden, but we don't try to handle that right now.
42-
resp = Flask.response_class("<h1>hello</h1>") # $f-:HttpResponse $f-:mimetype=text/html $f-:responseBody="<h1>hello</h1>"
42+
resp = Flask.response_class("<h1>hello</h1>") # $HttpResponse $mimetype=text/html $responseBody="<h1>hello</h1>"
4343
return resp
4444

4545

4646
@app.route("/html6") # $routeSetup="/html6"
4747
def html6(): # $routeHandler
4848
# note: app.response_class (flask.Flask.response_class) is set to `flask.Response` by default.
4949
# it can be overridden, but we don't try to handle that right now.
50-
resp = app.response_class("<h1>hello</h1>") # $f-:HttpResponse $f-:mimetype=text/html $f-:responseBody="<h1>hello</h1>"
50+
resp = app.response_class("<h1>hello</h1>") # $HttpResponse $mimetype=text/html $responseBody="<h1>hello</h1>"
5151
return resp
5252

5353

@@ -127,15 +127,15 @@ def Response6(): # $routeHandler
127127
def Flask_response_class(): # $routeHandler
128128
# note: flask.Flask.response_class is set to `flask.Response` by default.
129129
# it can be overridden, but we don't try to handle that right now.
130-
resp = Flask.response_class("<h1>hello</h1>", mimetype="text/plain") # $f-:HttpResponse $f-:mimetype=text/plain $f-:responseBody="<h1>hello</h1>"
130+
resp = Flask.response_class("<h1>hello</h1>", mimetype="text/plain") # $HttpResponse $mimetype=text/plain $responseBody="<h1>hello</h1>"
131131
return resp
132132

133133

134134
@app.route("/content-type/app-response-class") # $routeSetup="/content-type/app-response-class"
135135
def app_response_class(): # $routeHandler
136136
# note: app.response_class (flask.Flask.response_class) is set to `flask.Response` by default.
137137
# it can be overridden, but we don't try to handle that right now.
138-
resp = app.response_class("<h1>hello</h1>", mimetype="text/plain") # $f-:HttpResponse $f-:mimetype=text/plain $f-:responseBody="<h1>hello</h1>"
138+
resp = app.response_class("<h1>hello</h1>", mimetype="text/plain") # $HttpResponse $mimetype=text/plain $responseBody="<h1>hello</h1>"
139139
return resp
140140

141141

0 commit comments

Comments
 (0)