Python: ORM: Handle <Model>.objects.create and friends

RasmusWL · RasmusWL · commit fea46b642d83 · 2022-02-28T16:38:40.000+01:00
diff --git a/python/ql/lib/semmle/python/frameworks/Django.qll b/python/ql/lib/semmle/python/frameworks/Django.qll
@@ -836,6 +836,35 @@ module PrivateDjango {
                 nodeTo = call
               )
               or
+              // attribute store in `<Model>.objects.create`, `get_or_create`, and `update_or_create`
+              // see https://docs.djangoproject.com/en/4.0/ref/models/querysets/#create
+              // see https://docs.djangoproject.com/en/4.0/ref/models/querysets/#get-or-create
+              // see https://docs.djangoproject.com/en/4.0/ref/models/querysets/#update-or-create
+              // TODO: This does currently not handle values passed in the `defaults` dictionary
+              exists(
+                DataFlow::CallCfgNode call, API::Node modelClass, string fieldName,
+                string methodName
+              |
+                modelClass = Model::subclassRef() and
+                methodName in ["create", "get_or_create", "update_or_create"] and
+                call = modelClass.getMember("objects").getMember(methodName).getACall() and
+                nodeFrom = call.getArgByName(fieldName) and
+                c.(DataFlow::AttributeContent).getAttribute() = fieldName and
+                (
+                  // -> object created
+                  (
+                    methodName = "create" and nodeTo = call
+                    or
+                    // TODO: for these two methods, the result is a tuple `(<Model>, bool)`,
+                    // which we need flow-summaries to model properly
+                    methodName in ["get_or_create", "update_or_create"] and none()
+                  )
+                  or
+                  // -> DB store on synthetic node
+                  nodeTo.(SyntheticDjangoOrmModelNode).getModelClass() = modelClass
+                )
+              )
+              or
               // synthetic -> method-call that returns collection of ORM models (all/filter/...)
               exists(API::Node modelClass |
                 nodeFrom.(SyntheticDjangoOrmModelNode).getModelClass() = modelClass and
diff --git a/python/ql/test/library-tests/frameworks/django-orm/testapp/orm_tests.py b/python/ql/test/library-tests/frameworks/django-orm/testapp/orm_tests.py
@@ -113,11 +113,11 @@ class TestSave5(models.Model):
 def test_save5_store():
     # note: positional args not possible
     obj = TestSave5.objects.create(text=SOURCE)
-    SINK(obj.text) # $ MISSING: flow
+    SINK(obj.text) # $ flow="SOURCE, l:-1 -> obj.text"
 
 def test_save5_load():
     obj = TestSave5.objects.first()
-    SINK(obj.text) # $ MISSING: flow
+    SINK(obj.text) # $ flow="SOURCE, l:-5 -> obj.text"
 
 # --------------------------------------
 # <Model>.objects.get_or_create()
@@ -135,7 +135,7 @@ def test_save6_store():
 def test_save6_load():
     obj = TestSave6.objects.first()
     SINK(obj.text) # $ MISSING: flow
-    SINK(obj.email) # $ MISSING: flow
+    SINK(obj.email) # $ flow="SOURCE, l:-7 -> obj.email"
 
 # --------------------------------------
 # <Model>.objects.update_or_create()
@@ -153,7 +153,7 @@ def test_save7_store():
 def test_save7_load():
     obj = TestSave7.objects.first()
     SINK(obj.text) # $ MISSING: flow
-    SINK(obj.email) # $ MISSING: flow
+    SINK(obj.email) # $ flow="SOURCE, l:-7 -> obj.email"
 
 # --------------------------------------
 # <Model>.objects.[<QuerySet>].update()
