@@ -11,6 +11,7 @@ private import semmle.python.Concepts
1111private import semmle.python.ApiGraphs
1212private import semmle.python.frameworks.PEP249
1313private import semmle.python.regex
14+ private import semmle.python.frameworks.internal.PoorMansFunctionResolution
1415
1516/**
1617 * Provides models for the `django` PyPI package.
@@ -1386,13 +1387,6 @@ private module PrivateDjango {
13861387 // ---------------------------------------------------------------------------
13871388 // Helpers
13881389 // ---------------------------------------------------------------------------
1389- /**
1390- * Gets the last decorator call for the function `func`, if `func` has decorators.
1391- */
1392- private Expr lastDecoratorCall ( Function func ) {
1393- result = func .getDefinition ( ) .( FunctionExpr ) .getADecoratorCall ( ) and
1394- not exists ( Call other_decorator | other_decorator .getArg ( 0 ) = result )
1395- }
13961390
13971391 /** Adds the `getASelfRef` member predicate when modeling a class. */
13981392 abstract private class SelfRefMixin extends Class {
@@ -1487,45 +1481,6 @@ private module PrivateDjango {
14871481 // ---------------------------------------------------------------------------
14881482 // routing modeling
14891483 // ---------------------------------------------------------------------------
1490- /**
1491- * Gets a reference to the Function `func`.
1492- *
1493- * The idea is that this function should be used as a route handler when setting up a
1494- * route, but currently it just tracks all functions, since we can't do type-tracking
1495- * backwards yet (TODO).
1496- */
1497- private DataFlow:: LocalSourceNode djangoRouteHandlerFunctionTracker (
1498- DataFlow:: TypeTracker t , Function func
1499- ) {
1500- t .start ( ) and
1501- (
1502- not exists ( func .getADecorator ( ) ) and
1503- result .asExpr ( ) = func .getDefinition ( )
1504- or
1505- // If the function has decorators, we still want to model the function as being
1506- // the request handler for a route setup. In such situations, we must track the
1507- // last decorator call instead of the function itself.
1508- //
1509- // Note that this means that we blindly ignore what the decorator actually does to
1510- // the function, which seems like an OK tradeoff.
1511- result .asExpr ( ) = lastDecoratorCall ( func )
1512- )
1513- or
1514- exists ( DataFlow:: TypeTracker t2 |
1515- result = djangoRouteHandlerFunctionTracker ( t2 , func ) .track ( t2 , t )
1516- )
1517- }
1518-
1519- /**
1520- * Gets a reference to the Function `func`.
1521- *
1522- * The idea is that this function should be used as a route handler when setting up a
1523- * route, but currently it just tracks all functions, since we can't do type-tracking
1524- * backwards yet (TODO).
1525- */
1526- private DataFlow:: Node djangoRouteHandlerFunctionTracker ( Function func ) {
1527- djangoRouteHandlerFunctionTracker ( DataFlow:: TypeTracker:: end ( ) , func ) .flowsTo ( result )
1528- }
15291484
15301485 /**
15311486 * In order to recognize a class as being a django view class, based on the `as_view`
@@ -1613,7 +1568,7 @@ private module PrivateDjango {
16131568 */
16141569 private class DjangoRouteHandler extends Function {
16151570 DjangoRouteHandler ( ) {
1616- exists ( DjangoRouteSetup route | route .getViewArg ( ) = djangoRouteHandlerFunctionTracker ( this ) )
1571+ exists ( DjangoRouteSetup route | route .getViewArg ( ) = poorMansFunctionTracker ( this ) )
16171572 or
16181573 any ( DjangoViewClass vc ) .getARequestHandler ( ) = this
16191574 }
@@ -1663,7 +1618,7 @@ private module PrivateDjango {
16631618 abstract DataFlow:: Node getViewArg ( ) ;
16641619
16651620 final override DjangoRouteHandler getARequestHandler ( ) {
1666- djangoRouteHandlerFunctionTracker ( result ) = getViewArg ( )
1621+ poorMansFunctionTracker ( result ) = getViewArg ( )
16671622 or
16681623 exists ( DjangoViewClass vc |
16691624 getViewArg ( ) = vc .asViewResult ( ) and
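Review bot: The two call sites of `poorMansFunctionTracker` (the `DjangoRouteHandler` characteristic predicate and `getARequestHandler`) no longer carry the caveat that the deleted doc comments spelled out: every function is tracked rather than only real route handlers, and a decorated view is matched through its last decorator call regardless of what the decorator does. These predicates decide which functions are modelled as request handlers, so I would keep a one-line comment at the first call site, e.g. `// over-approximates: decorated views are matched via their last decorator call, ignoring the decorator's effect`. That wording assumes the shared predicate in `PoorMansFunctionResolution` keeps the removed semantics; its body is not visible on this page, so confirm it, ideally with a test covering a decorated view function. The body of `getARequestHandler` continues past the last hunk line.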