Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit aea974e

Browse files
RasmusWLRasmusWL
committed
Python: Add redirect modeling for Flask
1 parent 501e510 commit aea974e

2 files changed

Lines changed: 29 additions & 2 deletions

File tree

python/ql/src/semmle/python/frameworks/Flask.qll

Lines changed: 28 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -34,7 +34,7 @@ private module FlaskModel {
3434
* WARNING: Only holds for a few predefined attributes.
3535
*/
3636
private DataFlow::Node flask_attr(DataFlow::TypeTracker t, string attr_name) {
37-
attr_name in ["request", "make_response", "Response", "views"] and
37+
attr_name in ["request", "make_response", "Response", "views", "redirect"] and
3838
(
3939
t.start() and
4040
result = DataFlow::importNode("flask" + "." + attr_name)
@@ -669,4 +669,31 @@ private module FlaskModel {
669669

670670
override string getMimetypeDefault() { result = "text/html" }
671671
}
672+
673+
/**
674+
* A call to the `flask.redirect` function.
675+
*
676+
* See https://flask.palletsprojects.com/en/1.1.x/api/#flask.redirect
677+
*/
678+
private class FlaskRedirectCall extends HTTP::Server::HttpRedirectResponse::Range,
679+
DataFlow::CfgNode {
680+
override CallNode node;
681+
682+
FlaskRedirectCall() { node.getFunction() = flask_attr("redirect").asCfgNode() }
683+
684+
override DataFlow::Node getRedirectLocation() {
685+
result.asCfgNode() in [node.getArg(0), node.getArgByName("location")]
686+
}
687+
688+
override DataFlow::Node getBody() { none() }
689+
690+
override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
691+
692+
override string getMimetypeDefault() {
693+
// note that while you're not able to set content yourself, the function will
694+
// actually fill out some default content, that is served with mimetype
695+
// `text/html`.
696+
result = "text/html"
697+
}
698+
}
672699
}

python/ql/test/experimental/library-tests/frameworks/flask/response_test.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -180,7 +180,7 @@ def app_response_class(): # $requestHandler
180180
@app.route("/redirect-simple") # $routeSetup="/redirect-simple"
181181
def redirect_simple(): # $requestHandler
182182
next = request.args['next']
183-
resp = redirect(next) # $ MISSING: HttpResponse mimetype=text/html HttpRedirectResponse redirectLocation=next
183+
resp = redirect(next) # $ HttpResponse mimetype=text/html HttpRedirectResponse redirectLocation=next
184184
return resp # $ SPURIOUS: HttpResponse mimetype=text/html responseBody=resp
185185

186186

0 commit comments

Comments
 (0)