Python: Add HttpResponse concept

RasmusWL · RasmusWL · commit df6fd53a7e49 · 2020-10-23T14:31:25.000+02:00
We might need to rework this a bit when we also start to handle redirects. I
could see a world where we simply allow http redirects to be subclasses of http
responses, and need to manually exclude them from queries (or create
HttpContentResponse to model the HttpResponses that will contain a body). Let us
see where the wind will take us.

I looked through JS and Go libraries, but I didn't feel their modeling would map
very well to Python.
diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -219,5 +219,68 @@ module HTTP {
 
       override string getSourceType() { result = "RoutedParameter" }
     }
+
+    /**
+     * A data-flow node that creates a HTTP response on a server.
+     *
+     * Note: we don't require that this response must be sent to a client (a kind of
+     * "if a tree falls in a forest and nobody hears it" situation).
+     *
+     * Extend this class to refine existing API models. If you want to model new APIs,
+     * extend `HttpResponse::Range` instead.
+     */
+    class HttpResponse extends DataFlow::Node {
+      HttpResponse::Range range;
+
+      HttpResponse() { this = range }
+
+      /** Gets the data-flow node that specifies the body of this HTTP response. */
+      DataFlow::Node getBody() { result = range.getBody() }
+
+      /** Gets the content-type of this HTTP response, if it can be statically determined. */
+      string getContentType() { result = range.getContentType() }
+
+      /** Gets the status code of this HTTP response, if it can be statically determined. */
+      int getStatusCode() { result = range.getStatusCode() }
+    }
+
+    /** Provides a class for modeling new HTTP response APIs. */
+    module HttpResponse {
+      /**
+       * A data-flow node that creates a HTTP response on a server.
+       *
+       * Note: we don't require that this response must be sent to a client (a kind of
+       * "if a tree falls in a forest and nobody hears it" situation).
+       *
+       * Extend this class to model new APIs. If you want to refine existing API models,
+       * extend `HttpResponse` instead.
+       */
+      abstract class Range extends DataFlow::Node {
+        /** Gets the data-flow node that specifies the body of this HTTP response. */
+        abstract DataFlow::Node getBody();
+
+        /** Gets the data-flow node that specifies the content-type of this HTTP response, if any. */
+        abstract DataFlow::Node getContentTypeArg();
+
+        /** Gets the content-type of this HTTP response, if it can be statically determined. */
+        string getContentType() {
+          exists(StrConst str |
+            DataFlow::localFlow(DataFlow::exprNode(str), this.getContentTypeArg()) and
+            result = str.getText()
+          )
+        }
+
+        /** Gets the data-flow node that specifies the status code of this HTTP response, if any. */
+        abstract DataFlow::Node getStatusCodeArg();
+
+        /** Gets the status code of this HTTP response, if it can be statically determined. */
+        int getStatusCode() {
+          exists(IntegerLiteral i |
+            DataFlow::localFlow(DataFlow::exprNode(i), this.getStatusCodeArg()) and
+            result = i.getValue()
+          )
+        }
+      }
+    }
   }
 }
diff --git a/python/ql/test/experimental/meta/ConceptsTest.qll b/python/ql/test/experimental/meta/ConceptsTest.qll
@@ -142,3 +142,41 @@ class HttpServerRouteSetupTest extends InlineExpectationsTest {
     )
   }
 }
+
+class HttpServerHttpResponseTest extends InlineExpectationsTest {
+  HttpServerHttpResponseTest() { this = "HttpServerHttpResponseTest" }
+
+  override string getARelevantTag() {
+    result in ["HttpResponse", "responseBody", "contentType", "statusCode"]
+  }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(HTTP::Server::HttpResponse response |
+      location = response.getLocation() and
+      element = response.toString() and
+      value = "" and
+      tag = "HttpResponse"
+    )
+    or
+    exists(HTTP::Server::HttpResponse response |
+      location = response.getLocation() and
+      element = response.toString() and
+      value = value_from_expr(response.getBody().asExpr()) and
+      tag = "responseBody"
+    )
+    or
+    exists(HTTP::Server::HttpResponse response |
+      location = response.getLocation() and
+      element = response.toString() and
+      value = response.getContentType() and
+      tag = "contentType"
+    )
+    or
+    exists(HTTP::Server::HttpResponse response |
+      location = response.getLocation() and
+      element = response.toString() and
+      value = response.getStatusCode().toString() and
+      tag = "statusCode"
+    )
+  }
+}
