11import python
2- import semmle.python.regex
32import semmle.python.security.TaintTracking
43import semmle.python.web.Http
4+ import semmle.python.web.django.General
55
66/** A django.request.HttpRequest object */
77class DjangoRequest extends TaintKind {
@@ -52,7 +52,7 @@ abstract class DjangoRequestSource extends HttpRequestTaintSource {
5252private class DjangoFunctionBasedViewRequestArgument extends DjangoRequestSource {
5353 DjangoFunctionBasedViewRequestArgument ( ) {
5454 exists ( FunctionValue view |
55- url_dispatch ( _, _, view ) and
55+ django_route ( _, _, view ) and
5656 this = view .getScope ( ) .getArg ( 0 ) .asName ( ) .getAFlowNode ( )
5757 )
5858 }
@@ -76,41 +76,14 @@ class DjangoClassBasedViewRequestArgument extends DjangoRequestSource {
7676 }
7777}
7878
79- /* *********** Routing ********* */
80- /* Function based views */
81- predicate url_dispatch ( CallNode call , ControlFlowNode regex , FunctionValue view ) {
82- exists ( FunctionValue url |
83- Value:: named ( "django.conf.urls.url" ) = url and
84- url .getArgumentForCall ( call , 0 ) = regex and
85- url .getArgumentForCall ( call , 1 ) .pointsTo ( view )
86- )
87- }
88-
89- class UrlRegex extends RegexString {
90- UrlRegex ( ) { url_dispatch ( _, this .getAFlowNode ( ) , _) }
91- }
92-
93- class UrlRouting extends CallNode {
94- UrlRouting ( ) { url_dispatch ( this , _, _) }
95-
96- FunctionValue getViewFunction ( ) { url_dispatch ( this , _, result ) }
97-
98- string getNamedArgument ( ) {
99- exists ( UrlRegex regex |
100- url_dispatch ( this , regex .getAFlowNode ( ) , _) and
101- regex .getGroupName ( _, _) = result
102- )
103- }
104- }
105-
10679/** An argument specified in a url routing table */
107- class HttpRequestParameter extends HttpRequestTaintSource {
108- HttpRequestParameter ( ) {
109- exists ( UrlRouting url |
110- this .( ControlFlowNode ) .getNode ( ) = url
80+ class DjangoRequestParameter extends HttpRequestTaintSource {
81+ DjangoRequestParameter ( ) {
82+ exists ( DjangoRoute route |
83+ this .( ControlFlowNode ) .getNode ( ) = route
11184 .getViewFunction ( )
11285 .getScope ( )
113- .getArgByName ( url .getNamedArgument ( ) )
86+ .getArgByName ( route .getNamedArgument ( ) )
11487 )
11588 }
11689
0 commit comments