Python: Model CookieWrite for twisted

RasmusWL · RasmusWL · commit 7017beca47d1 · 2021-06-24T17:34:43.000+02:00
Had to split the call to `request.cookies.append` since inline
expectation tests didn't like the expectation that contained `=` :(
diff --git a/python/ql/src/semmle/python/frameworks/Twisted.qll b/python/ql/src/semmle/python/frameworks/Twisted.qll
@@ -247,4 +247,42 @@ private module Twisted {
 
     override string getMimetypeDefault() { result = "text/html" }
   }
+
+  /**
+   * A call to the `addCookie` function on a twisted request.
+   *
+   * See https://twistedmatrix.com/documents/21.2.0/api/twisted.web.http.Request.html#addCookie
+   */
+  class TwistedRequestAddCookieCall extends HTTP::Server::CookieWrite::Range,
+    DataFlow::MethodCallNode {
+    TwistedRequestAddCookieCall() { this.calls(Twisted::Request::instance(), "addCookie") }
+
+    override DataFlow::Node getHeaderArg() { none() }
+
+    override DataFlow::Node getNameArg() { result in [this.getArg(0), this.getArgByName("k")] }
+
+    override DataFlow::Node getValueArg() { result in [this.getArg(1), this.getArgByName("v")] }
+  }
+
+  /**
+   * A call to `append` on the `cookies` attribute of a twisted request.
+   *
+   * See https://twistedmatrix.com/documents/21.2.0/api/twisted.web.http.Request.html#cookies
+   */
+  class TwistedRequestCookiesAppendCall extends HTTP::Server::CookieWrite::Range,
+    DataFlow::MethodCallNode {
+    TwistedRequestCookiesAppendCall() {
+      exists(DataFlow::AttrRead cookiesLookup |
+        cookiesLookup.getObject() = Twisted::Request::instance() and
+        cookiesLookup.getAttributeName() = "cookies" and
+        this.calls(cookiesLookup, "append")
+      )
+    }
+
+    override DataFlow::Node getHeaderArg() { result = this.getArg(0) }
+
+    override DataFlow::Node getNameArg() { none() }
+
+    override DataFlow::Node getValueArg() { none() }
+  }
 }
diff --git a/python/ql/test/library-tests/frameworks/twisted/response_test.py b/python/ql/test/library-tests/frameworks/twisted/response_test.py
@@ -51,9 +51,10 @@ class CookieWriting(Resource):
     """Examples of providing values in response that is not in the body
     """
     def render_GET(self, request: Request): # $ requestHandler
-        request.addCookie("key", "value") # $ MISSING: CookieWrite CookieName="key" CookieValue="value"
-        request.addCookie(k="key", v="value") # $ MISSING: CookieWrite CookieName="key" CookieValue="value"
-        request.cookies.append("key2=value") # $ MISSING: CookieWrite CookieRawHeader="key2=value2"
+        request.addCookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value"
+        request.addCookie(k="key", v="value") # $ CookieWrite CookieName="key" CookieValue="value"
+        val = "key2=value"
+        request.cookies.append(val) # $ CookieWrite CookieRawHeader=val
 
         request.responseHeaders.addRawHeader("key", "value")
         request.setHeader("Set-Cookie", "key3=value3") # $ MISSING: CookieWrite CookieRawHeader="key3=value3"
