Change fastapi raw cookie header models to header write models

Author: joefarebrother

python/ql/lib/semmle/python/Concepts.qll

@@ -1239,7 +1239,7 @@ module Http {
     {
       CookieHeaderWrite() {
         exists(StringLiteral str |
-          str.getText() = "Set-Cookie" and
+          str.getText().toLowerCase() = "set-cookie" and
           DataFlow::exprNode(str)
               .(DataFlow::LocalSourceNode)
               .flowsTo(this.(Http::Server::ResponseHeaderWrite).getNameArg())

python/ql/lib/semmle/python/frameworks/FastApi.qll

@@ -361,28 +361,27 @@ module FastApi {
     }
 
     /**
-     * A call to `append` on a `headers` of a FastAPI Response, with the `Set-Cookie`
-     * header-key.
+     * A call to `append` on a `headers` of a FastAPI Response.
      */
-    private class HeadersAppendCookie extends Http::Server::CookieWrite::Range,
+    private class HeadersAppend extends Http::Server::ResponseHeaderWrite::Range,
       DataFlow::MethodCallNode
     {
-      HeadersAppendCookie() {
-        exists(DataFlow::AttrRead headers, DataFlow::Node keyArg |
+      HeadersAppend() {
+        exists(DataFlow::AttrRead headers |
           headers.accesses(instance(), "headers") and
-          this.calls(headers, "append") and
-          keyArg in [this.getArg(0), this.getArgByName("key")] and
-          keyArg.getALocalSource().asExpr().(StringLiteral).getText().toLowerCase() = "set-cookie"
+          this.calls(headers, "append")
         )
       }
 
-      override DataFlow::Node getHeaderArg() {
+      override DataFlow::Node getNameArg() { result = [this.getArg(0), this.getArgByName("key")] }
+
+      override DataFlow::Node getValueArg() {
         result in [this.getArg(1), this.getArgByName("value")]
       }
 
-      override DataFlow::Node getNameArg() { none() }
+      override predicate nameAllowsNewline() { none() }
 
-      override DataFlow::Node getValueArg() { none() }
+      override predicate valueAllowsNewline() { none() }
     }
   }
 }

python/ql/test/library-tests/frameworks/fastapi/response_test.py

@@ -11,9 +11,9 @@
 async def response_parameter(response: Response): # $ requestHandler
     response.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value"
     response.set_cookie(key="key", value="value") # $ CookieWrite CookieName="key" CookieValue="value"
-    response.headers.append("Set-Cookie", "key2=value2") # $ CookieWrite CookieRawHeader="key2=value2"
-    response.headers.append(key="Set-Cookie", value="key2=value2") # $ CookieWrite CookieRawHeader="key2=value2"
-    response.headers["X-MyHeader"] = "header-value"
+    response.headers.append("Set-Cookie", "key2=value2") # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2"
+    response.headers.append(key="Set-Cookie", value="key2=value2") # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2"
+    response.headers["X-MyHeader"] = "header-value" # $ MISSING: headerWriteName="X-MyHeader" headerWriteValue="header-value"
     response.status_code = 418
     return {"message": "response as parameter"} # $ HttpResponse mimetype=application/json responseBody=Dict
 
@@ -45,7 +45,7 @@ async def response_parameter_custom_type(response: MyXmlResponse): # $ requestHa
     print(type(response))
     assert type(response) == fastapi.responses.Response
     response.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value"
-    response.headers["Custom-Response-Type"] = "yes, but only after function has run"
+    response.headers["Custom-Response-Type"] = "yes, but only after function has run" # $ MISSING: headerWriteName="Custom-Response-Typer" headerWriteValue="yes, but only after function has run"
     xml_data = "<foo>FOO</foo>"
     return xml_data # $ HttpResponse responseBody=xml_data mimetype=application/xml