Python: You can supply defaults for HTTP Response properties

RasmusWL · RasmusWL · commit e93c20a7a8b8 · 2020-10-23T14:31:28.000+02:00
diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -262,23 +262,35 @@ module HTTP {
         /** Gets the data-flow node that specifies the content-type of this HTTP response, if any. */
         abstract DataFlow::Node getContentTypeArg();
 
+        /** Gets the default content-type that should be used if `getContentTypeArg` has no results. */
+        abstract string getContentTypeDefault();
+
         /** Gets the content-type of this HTTP response, if it can be statically determined. */
         string getContentType() {
           exists(StrConst str |
             DataFlow::localFlow(DataFlow::exprNode(str), this.getContentTypeArg()) and
             result = str.getText()
           )
+          or
+          not exists(this.getContentTypeArg()) and
+          result = this.getContentTypeDefault()
         }
 
         /** Gets the data-flow node that specifies the status code of this HTTP response, if any. */
         abstract DataFlow::Node getStatusCodeArg();
 
+        /** Gets the default status code that should be used if `getStatusCodeArg` has no results. */
+        abstract int getStatusCodeDefault();
+
         /** Gets the status code of this HTTP response, if it can be statically determined. */
         int getStatusCode() {
           exists(IntegerLiteral i |
             DataFlow::localFlow(DataFlow::exprNode(i), this.getStatusCodeArg()) and
             result = i.getValue()
           )
+          or
+          not exists(this.getStatusCodeArg()) and
+          result = this.getStatusCodeDefault()
         }
       }
     }

Original file line number	Diff line number	Diff line change
`@@ -262,23 +262,35 @@ module HTTP {`
`262`	`262`	`/** Gets the data-flow node that specifies the content-type of this HTTP response, if any. */`
`263`	`263`	`abstract DataFlow::Node getContentTypeArg();`
`264`	`264`
	`265`	+ /** Gets the default content-type that should be used if `getContentTypeArg` has no results. */
	`266`	`+ abstract string getContentTypeDefault();`
	`267`	`+`
`265`	`268`	`/** Gets the content-type of this HTTP response, if it can be statically determined. */`
`266`	`269`	`string getContentType() {`
`267`	`270`	`exists(StrConst str \|`
`268`	`271`	`DataFlow::localFlow(DataFlow::exprNode(str), this.getContentTypeArg()) and`
`269`	`272`	`result = str.getText()`
`270`	`273`	`)`
	`274`	`+ or`
	`275`	`+ not exists(this.getContentTypeArg()) and`
	`276`	`+ result = this.getContentTypeDefault()`
`271`	`277`	`}`
`272`	`278`
`273`	`279`	`/** Gets the data-flow node that specifies the status code of this HTTP response, if any. */`
`274`	`280`	`abstract DataFlow::Node getStatusCodeArg();`
`275`	`281`
	`282`	+ /** Gets the default status code that should be used if `getStatusCodeArg` has no results. */
	`283`	`+ abstract int getStatusCodeDefault();`
	`284`	`+`
`276`	`285`	`/** Gets the status code of this HTTP response, if it can be statically determined. */`
`277`	`286`	`int getStatusCode() {`
`278`	`287`	`exists(IntegerLiteral i \|`
`279`	`288`	`DataFlow::localFlow(DataFlow::exprNode(i), this.getStatusCodeArg()) and`
`280`	`289`	`result = i.getValue()`
`281`	`290`	`)`
	`291`	`+ or`
	`292`	`+ not exists(this.getStatusCodeArg()) and`
	`293`	`+ result = this.getStatusCodeDefault()`
`282`	`294`	`}`
`283`	`295`	`}`
`284`	`296`	`}`