Python: Improve aiohttp FileResponse/StreamResponse modeling

RasmusWL · RasmusWL · commit 64a7206f3e92 · 2023-07-13T13:57:08.000+02:00
However, notice that the concepts tests use the HttpResponse location
for the `responseBody` tag, which seems a little odd in this situation,
where they are actually separate. Will fix in next commit.
diff --git a/python/ql/lib/semmle/python/frameworks/Aiohttp.qll b/python/ql/lib/semmle/python/frameworks/Aiohttp.qll
@@ -518,7 +518,7 @@ module AiohttpWebModel {
    * - https://docs.aiohttp.org/en/stable/web_quickstart.html#aiohttp-web-exceptions
    */
   class AiohttpWebResponseInstantiation extends Http::Server::HttpResponse::Range,
-    Response::InstanceSource, DataFlow::CallCfgNode
+    Response::InstanceSource, API::CallNode
   {
     API::Node apiNode;
 
@@ -590,12 +590,32 @@ module AiohttpWebModel {
   /**
    * A call to the `aiohttp.web.FileResponse` constructor as a sink for Filesystem access.
    */
-  class FileResponseCall extends FileSystemAccess::Range, DataFlow::CallCfgNode {
+  class FileResponseCall extends FileSystemAccess::Range, API::CallNode {
     FileResponseCall() {
       this = API::moduleImport("aiohttp").getMember("web").getMember("FileResponse").getACall()
     }
 
-    override DataFlow::Node getAPathArgument() { result = this.getArg(0) }
+    override DataFlow::Node getAPathArgument() { result = this.getParameter(0, "path").asSink() }
+  }
+
+  /**
+   * An instantiation of `aiohttp.web.StreamResponse`.
+   *
+   * See https://docs.aiohttp.org/en/stable/web_reference.html#aiohttp.web.StreamResponse
+   */
+  class StreamResponse extends AiohttpWebResponseInstantiation {
+    StreamResponse() {
+      this = API::moduleImport("aiohttp").getMember("web").getMember("StreamResponse").getACall()
+    }
+
+    override DataFlow::Node getBody() {
+      result =
+        this.getReturn()
+            .getMember(["write", "write_eof"])
+            .getACall()
+            .getParameter(0, "data")
+            .asSink()
+    }
   }
 
   /** Gets an HTTP response instance. */
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/aiohttp/ConceptsTest.expected
@@ -1,2 +1,5 @@
 failures
 testFailures
+| response_test.py:82:12:82:31 | ControlFlowNode for Attribute() | Unexpected result: responseBody=b"bar" |
+| response_test.py:82:12:82:31 | ControlFlowNode for Attribute() | Unexpected result: responseBody=b"baz" |
+| response_test.py:82:12:82:31 | ControlFlowNode for Attribute() | Unexpected result: responseBody=b"foo" |
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/response_test.py b/python/ql/test/library-tests/frameworks/aiohttp/response_test.py
@@ -73,7 +73,7 @@ async def redirect_302(request): # $ requestHandler
 async def file_response(request): # $ requestHandler
     filename = "foo.txt"
     resp = web.FileResponse(filename) # $ HttpResponse mimetype=application/octet-stream getAPathArgument=filename
-    resp = web.FileResponse(path=filename) # $ HttpResponse mimetype=application/octet-stream MISSING: getAPathArgument=filename
+    resp = web.FileResponse(path=filename) # $ HttpResponse mimetype=application/octet-stream getAPathArgument=filename
     return resp
 
 
