Python: Add self.request as RemoteFlowSource for aiohttp View

Just like we do for Django in
https://github.com/github/codeql/blob/7393443f8ca0b51a55f2aa5cca9595ab35fb92dc/python/ql/src/semmle/python/frameworks/Django.qll#L1786-L1804

Author: RasmusWL

python/ql/src/semmle/python/frameworks/Aiohttp.qll

@@ -10,6 +10,7 @@ private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
 private import semmle.python.frameworks.internal.PoorMansFunctionResolution
+private import semmle.python.frameworks.internal.SelfRefMixin
 private import semmle.python.frameworks.Multidict
 private import semmle.python.frameworks.Yarl
 
@@ -251,7 +252,7 @@ module AiohttpWebModel {
   }
 
   /** A class that we consider a aiohttp.web View class. */
-  abstract class AiohttpViewClass extends Class {
+  abstract class AiohttpViewClass extends Class, SelfRefMixin {
     /** Gets a function that could handle incoming requests, if any. */
     Function getARequestHandler() {
       // TODO: This doesn't handle attribute assignment. Should be OK, but analysis is not as complete as with
@@ -341,16 +342,23 @@ module AiohttpWebModel {
         this.getParameter() =
           max(Parameter param, int i | param = requestHandler.getArg(i) | param order by i)
       )
-      or
-      exists(AiohttpViewClass vc |
-        // TODO
-        none()
-      )
     }
 
     override string getSourceType() { result = "aiohttp.web.Request" }
   }
 
+  class AiohttpViewClassRequestAttributeRead extends Request::InstanceSource,
+    RemoteFlowSource::Range, DataFlow::Node {
+    AiohttpViewClassRequestAttributeRead() {
+      this.(DataFlow::AttrRead).getObject() = any(AiohttpViewClass vc).getASelfRef() and
+      this.(DataFlow::AttrRead).getAttributeName() = "request"
+    }
+
+    override string getSourceType() {
+      result = "aiohttp.web.Request from self.request in View class"
+    }
+  }
+
   /**
    * Taint propagation for `aiohttp.web.Request`.
    *

python/ql/src/semmle/python/frameworks/Django.qll

@@ -12,6 +12,7 @@ private import semmle.python.ApiGraphs
 private import semmle.python.frameworks.PEP249
 private import semmle.python.regex
 private import semmle.python.frameworks.internal.PoorMansFunctionResolution
+private import semmle.python.frameworks.internal.SelfRefMixin
 
 /**
  * Provides models for the `django` PyPI package.
@@ -1388,31 +1389,7 @@ private module PrivateDjango {
   // Helpers
   // ---------------------------------------------------------------------------
 
-  /** Adds the `getASelfRef` member predicate when modeling a class. */
-  abstract private class SelfRefMixin extends Class {
-    /**
-     * Gets a reference to instances of this class, originating from a self parameter of
-     * a method defined on this class.
-     *
-     * Note: TODO: This doesn't take MRO into account
-     * Note: TODO: This doesn't take staticmethod/classmethod into account
-     */
-    private DataFlow::LocalSourceNode getASelfRef(DataFlow::TypeTracker t) {
-      t.start() and
-      result.(DataFlow::ParameterNode).getParameter() = this.getAMethod().getArg(0)
-      or
-      exists(DataFlow::TypeTracker t2 | result = this.getASelfRef(t2).track(t2, t))
-    }
 
-    /**
-     * Gets a reference to instances of this class, originating from a self parameter of
-     * a method defined on this class.
-     *
-     * Note: TODO: This doesn't take MRO into account
-     * Note: TODO: This doesn't take staticmethod/classmethod into account
-     */
-    DataFlow::Node getASelfRef() { this.getASelfRef(DataFlow::TypeTracker::end()).flowsTo(result) }
-  }
 
   // ---------------------------------------------------------------------------
   // Form and form field modeling

python/ql/src/semmle/python/frameworks/internal/SelfRefMixin.qll

@@ -0,0 +1,38 @@
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides the `SelfRefMixin` class.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * Adds the `getASelfRef` member predicate when modeling a class.
+ */
+abstract class SelfRefMixin extends Class {
+  /**
+   * Gets a reference to instances of this class, originating from a self parameter of
+   * a method defined on this class.
+   *
+   * Note: TODO: This doesn't take MRO into account
+   * Note: TODO: This doesn't take staticmethod/classmethod into account
+   */
+  private DataFlow::LocalSourceNode getASelfRef(DataFlow::TypeTracker t) {
+    t.start() and
+    result.(DataFlow::ParameterNode).getParameter() = this.getAMethod().getArg(0)
+    or
+    exists(DataFlow::TypeTracker t2 | result = this.getASelfRef(t2).track(t2, t))
+  }
+
+  /**
+   * Gets a reference to instances of this class, originating from a self parameter of
+   * a method defined on this class.
+   *
+   * Note: TODO: This doesn't take MRO into account
+   * Note: TODO: This doesn't take staticmethod/classmethod into account
+   */
+  DataFlow::Node getASelfRef() { this.getASelfRef(DataFlow::TypeTracker::end()).flowsTo(result) }
+}

python/ql/test/library-tests/frameworks/aiohttp/taint_test.py

@@ -196,7 +196,8 @@ async def test_taint(request: web.Request): # $ requestHandler
 class TaintTestClass(web.View):
     def get(self): # $ requestHandler
         ensure_tainted(
-            self.request, # $ MISSING: tainted
+            self.request, # $ tainted
+            self.request.url # $ tainted
         )