Manually specify subclasses for redirect models

joefarebrother · joefarebrother · commit ba054bd4283b · 2024-04-30T14:33:46.000+01:00
diff --git a/python/ql/lib/semmle/python/frameworks/Pyramid.qll b/python/ql/lib/semmle/python/frameworks/Pyramid.qll
@@ -183,10 +183,9 @@ module Pyramid {
       override string getMimetypeDefault() { result = "text/html" }
     }
 
-    /** Gets a reference to the class `pyramid.response.Response` or a subclass. */
-    API::Node subclassRef() {
-      result = API::moduleImport("pyramid").getMember("response").getMember("Response") or
-      result = ModelOutput::getATypeNode("pyramid.response.Response~Subclass").getASubclass*()
+    /** Gets a reference to the class `pyramid.response.Response`. */
+    API::Node classRef() {
+      result = API::moduleImport("pyramid").getMember("response").getMember("Response")
     }
 
     /**
@@ -215,7 +214,7 @@ module Pyramid {
 
     /** An instantiation of the class `pyramid.response.Response` or a subclass. */
     private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
-      ClassInstantiation() { this = subclassRef().getACall() }
+      ClassInstantiation() { this = classRef().getACall() }
 
       override DataFlow::Node getBody() { result = [this.getArg(0), this.getArgByName("body")] }
 
@@ -277,20 +276,20 @@ module Pyramid {
 
   /** Provides models for pyramid http redirects. */
   module Redirect {
-    /** Gets a reference to a subclass of `pyramid.httpexceptions._HTTPMove`, which each each exception class representing an HTTP redirect response is a subclass of. */
-    API::Node subclassRef() {
+    /** Gets a reference to a class that represents an HTTP redirect response.. */
+    API::Node classRef() {
       result =
         API::moduleImport("pyramid")
             .getMember("httpexceptions")
-            .getMember("_HTTPMove")
-            .getASubclass*() or
-      result =
-        ModelOutput::getATypeNode("pyramid.httpexceptions._HTTPMove~Subclass").getASubclass*()
+            .getMember([
+                "HTTPMultipleChoices", "HTTPMovedPermanently", "HTTPFound", "HTTPSeeOther",
+                "HTTPUseProxy", "HTTPTemporaryRedirect", "HTTPPermanentRedirect"
+              ])
     }
 
     /** Gets a call to a pyramid HTTP exception class that represents an HTTP redirect response. */
     class PyramidRedirect extends Http::Server::HttpRedirectResponse::Range, DataFlow::CallCfgNode {
-      PyramidRedirect() { this = subclassRef().getACall() }
+      PyramidRedirect() { this = classRef().getACall() }
 
       override DataFlow::Node getRedirectLocation() {
         result = [this.getArg(0), this.getArgByName("location")]
diff --git a/python/ql/test/library-tests/frameworks/pyramid/pyramid_test.py b/python/ql/test/library-tests/frameworks/pyramid/pyramid_test.py
@@ -1,6 +1,7 @@
 from pyramid.view import view_config
 from pyramid.config import Configurator
 from pyramid.response import Response
+from pyramid.httpexceptions import HTTPMultipleChoices, HTTPMovedPermanently, HTTPFound, HTTPSeeOther, HTTPUseProxy, HTTPTemporaryRedirect, HTTPPermanentRedirect
 from wsgiref.simple_server import make_server
 
 def ignore(*args, **kwargs): pass
@@ -45,6 +46,8 @@ def test1(request): # $ requestHandler
 
         request.text,               # $ tainted
 
+        request.matchdict,          # $ tainted
+
         request.path,               # $ tainted
         request.path_info,          # $ tainted
         request.path_info_peek(),   # $ tainted
@@ -87,12 +90,23 @@ def test3(ctx, req): # $ requestHandler
     resp.set_cookie(value="there", name="hi") # $ CookieWrite CookieName="hi" CookieValue="there"
     return "Ok" # $ HttpResponse responseBody="Ok" mimetype=text/html
 
+@view_config(route_name="test4", renderer="string") # $ routeSetup
+def test4(request): # $ requestHandler
+    a = HTTPMultipleChoices("redirect") # $HttpResponse mimetype=text/html HttpRedirectResponse redirectLocation="redirect"
+    b = HTTPMovedPermanently(location="redirect") # $HttpResponse mimetype=text/html HttpRedirectResponse redirectLocation="redirect"
+    c = HTTPFound(location="redirect") # $HttpResponse mimetype=text/html HttpRedirectResponse redirectLocation="redirect"
+    d = HTTPSeeOther(location="redirect") # $HttpResponse mimetype=text/html HttpRedirectResponse redirectLocation="redirect"
+    e = HTTPUseProxy(location="redirect") # $HttpResponse mimetype=text/html HttpRedirectResponse redirectLocation="redirect"
+    f = HTTPTemporaryRedirect(location="redirect") # $HttpResponse mimetype=text/html HttpRedirectResponse redirectLocation="redirect"
+    g = HTTPPermanentRedirect(location="redirect") # $HttpResponse mimetype=text/html HttpRedirectResponse redirectLocation="redirect"
+    raise a
+
 if __name__ == "__main__":
     with Configurator() as config:
-        for i in range(1,4):
+        for i in range(1,5):
             config.add_route(f"test{i}", f"/test{i}")
         config.add_view(test2, route_name="test2") # $ routeSetup
         config.scan()
-        server = make_server('127.0.0.1', 8000, config.make_wsgi_app())
+        server = make_server('127.0.0.1', 8080, config.make_wsgi_app())
         print("serving")
         server.serve_forever()
