Merge pull request github#14341 from GeekMasher/py-django-restframework

Python - Add support for RestFramework ModelViewSet functions

Author: RasmusWL

python/ql/lib/change-notes/2023-09-29-django-restframework-improvements.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Django Rest Framework better handles custom `ModelViewSet` classes functions

python/ql/lib/semmle/python/frameworks/RestFramework.qll

@@ -131,7 +131,10 @@ private module RestFramework {
           "initial", "http_method_not_allowed", "permission_denied", "throttled",
           "get_authenticate_header", "perform_content_negotiation", "perform_authentication",
           "check_permissions", "check_object_permissions", "check_throttles", "determine_version",
-          "initialize_request", "finalize_response", "dispatch", "options"
+          "initialize_request", "finalize_response", "dispatch", "options",
+          // ModelViewSet
+          // https://github.com/encode/django-rest-framework/blob/master/rest_framework/viewsets.py
+          "create", "retrieve", "update", "partial_update", "destroy", "list"
         ]
     }
   }

python/ql/test/library-tests/frameworks/rest_framework/ConceptsTest.expected

@@ -1,2 +1,2 @@
-failures
 testFailures
+failures

python/ql/test/library-tests/frameworks/rest_framework/ConceptsTest.ql

@@ -1,2 +1,8 @@
 import python
 import experimental.meta.ConceptsTest
+
+class DedicatedTest extends DedicatedResponseTest {
+  DedicatedTest() { this = "response_test.py" }
+
+  override predicate isDedicatedFile(File file) { file.getShortName() = this }
+}

python/ql/test/library-tests/frameworks/rest_framework/options

@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=1 -r testapp

python/ql/test/library-tests/frameworks/rest_framework/taint_test.py

@@ -81,7 +81,7 @@ def test_taint(request: Request, routed_param): # $ requestHandler routedParamet
     )
     ensure_not_tainted(request.user.password)
 
-    return Response("ok") # $ HttpResponse responseBody="ok"
+    return Response("ok") # $ HttpResponse
 
 
 # class based view
@@ -105,7 +105,7 @@ def get(self, request: Request, routed_param): # $ requestHandler routedParamete
         # same as for standard Django view
         ensure_tainted(self.args, self.kwargs) # $ tainted
 
-        return Response("ok") # $ HttpResponse responseBody="ok"
+        return Response("ok") # $ HttpResponse
 
 
 

python/ql/test/library-tests/frameworks/rest_framework/testapp/urls.py

@@ -9,10 +9,11 @@
 router.register(r"bars", views.BarViewSet)
 
 urlpatterns = [
-    path("", include(router.urls)),
-    path("api-auth/", include("rest_framework.urls", namespace="rest_framework")),
-    path("class-based-view/", views.MyClass.as_view()),  # $routeSetup="lcass-based-view/"
-    path("function-based-view/", views.function_based_view),  # $routeSetup="function-based-view/"
-    path("cookie-test/", views.cookie_test),  # $routeSetup="function-based-view/"
-    path("exception-test/", views.exception_test),  # $routeSetup="exception-test/"
+    path("", include(router.urls)), # $ routeSetup=""
+    path("api-auth/", include("rest_framework.urls", namespace="rest_framework")), # $ routeSetup="api-auth/"
+    path("class-based-view/", views.MyClass.as_view()),  # $ routeSetup="class-based-view/"
+    path("function-based-view/", views.function_based_view),  # $ routeSetup="function-based-view/"
+    path("cookie-test/", views.cookie_test),  # $ routeSetup="cookie-test/"
+    path("exception-test/", views.exception_test),  # $ routeSetup="exception-test/"
+    path("viewset-entrypoints-test/", views.EntrypointViewSet.as_view()) # $ routeSetup="viewset-entrypoints-test/"
 ]

python/ql/test/library-tests/frameworks/rest_framework/testapp/views.py

@@ -19,41 +19,63 @@ class BarViewSet(viewsets.ModelViewSet):
     queryset = Bar.objects.all()
     serializer_class = BarSerializer
 
+class EntrypointViewSet(viewsets.ModelViewSet):
+    queryset = Bar.objects.all()
+    serializer_class = BarSerializer
+
+    def create(self, request, *args, **kwargs): # $ requestHandler
+        return Response("create") # $ HttpResponse
+
+    def retrieve(self, request, *args, **kwargs): # $ requestHandler
+        return Response("retrieve") # $ HttpResponse
+
+    def update(self, request, *args, **kwargs): # $ requestHandler
+        return Response("update") # $ HttpResponse
+
+    def partial_update(self, request, *args, **kwargs): # $ requestHandler
+        return Response("partial_update") # $ HttpResponse
+
+    def destroy(self, request, *args, **kwargs): # $ requestHandler
+        return Response("destroy") # $ HttpResponse
+
+    def list(self, request, *args, **kwargs): # $ requestHandler
+        return Response("list") # $ HttpResponse
+
 # class based view
 # see https://www.django-rest-framework.org/api-guide/views/#class-based-views
 
 class MyClass(APIView):
-    def initial(self, request, *args, **kwargs):
+    def initial(self, request, *args, **kwargs): # $ requestHandler
         # this method will be called before processing any request
         super().initial(request, *args, **kwargs)
 
-    def get(self, request):
-        return Response("GET request")
+    def get(self, request): # $ requestHandler
+        return Response("GET request") # $ HttpResponse
 
-    def post(self, request):
-        return Response("POST request")
+    def post(self, request): # $ requestHandler
+        return Response("POST request") # $ HttpResponse
 
 
 # function based view
 # see https://www.django-rest-framework.org/api-guide/views/#function-based-views
 
 
 @api_view(["GET", "POST"])
-def function_based_view(request: Request):
-    return Response({"message": "Hello, world!"})
+def function_based_view(request: Request): # $ requestHandler
+    return Response({"message": "Hello, world!"}) # $ HttpResponse
 
 
 @api_view(["GET", "POST"])
-def cookie_test(request: Request):
-    resp = Response("wat")
+def cookie_test(request: Request): # $ requestHandler
+    resp = Response("wat") # $ HttpResponse
     resp.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value"
-    resp.set_cookie(key="key4", value="value") # $ CookieWrite CookieName="key" CookieValue="value"
+    resp.set_cookie(key="key4", value="value") # $ CookieWrite CookieName="key4" CookieValue="value"
     resp.headers["Set-Cookie"] = "key2=value2" # $ MISSING: CookieWrite CookieRawHeader="key2=value2"
     resp.cookies["key3"] = "value3" # $ CookieWrite CookieName="key3" CookieValue="value3"
     return resp
 
 @api_view(["GET", "POST"])
-def exception_test(request: Request):
+def exception_test(request: Request): # $ requestHandler
     # see https://www.django-rest-framework.org/api-guide/exceptions/
     # note: `code details` not exposed by default
-    raise APIException("exception details", "code details")
+    raise APIException("exception details", "code details") # $ HttpResponse