|
| 1 | +/** |
| 2 | + * Provides classes modeling security-relevant aspects of the `djangorestframework` PyPI package |
| 3 | + * (imported as `rest_framework`) |
| 4 | + * |
| 5 | + * See |
| 6 | + * - https://www.django-rest-framework.org/ |
| 7 | + * - https://pypi.org/project/djangorestframework/ |
| 8 | + */ |
| 9 | + |
| 10 | +private import python |
| 11 | +private import semmle.python.dataflow.new.DataFlow |
| 12 | +private import semmle.python.dataflow.new.RemoteFlowSources |
| 13 | +private import semmle.python.dataflow.new.TaintTracking |
| 14 | +private import semmle.python.Concepts |
| 15 | +private import semmle.python.ApiGraphs |
| 16 | +private import semmle.python.frameworks.internal.InstanceTaintStepsHelper |
| 17 | +private import semmle.python.frameworks.Django |
| 18 | +private import semmle.python.frameworks.Stdlib |
| 19 | + |
| 20 | +/** |
| 21 | + * INTERNAL: Do not use. |
| 22 | + * |
| 23 | + * Provides models for the `djangorestframework` PyPI package |
| 24 | + * (imported as `rest_framework`) |
| 25 | + * |
| 26 | + * See |
| 27 | + * - https://www.django-rest-framework.org/ |
| 28 | + * - https://pypi.org/project/djangorestframework/ |
| 29 | + */ |
| 30 | +private module RestFramework { |
| 31 | + /** |
| 32 | + * An `API::Node` representing the `rest_framework.views.APIView` class or any subclass |
| 33 | + * that has explicitly been modeled in the CodeQL libraries. |
| 34 | + */ |
| 35 | + private class ModeledApiViewClasses extends Django::Views::View::ModeledSubclass { |
| 36 | + ModeledApiViewClasses() { |
| 37 | + this = API::moduleImport("rest_framework").getMember("views").getMember("APIView") |
| 38 | + // TODO: Need to model all known subclasses |
| 39 | + } |
| 40 | + } |
| 41 | + |
| 42 | + /** |
| 43 | + * A class that has a super-type which is a rest_framework APIView class, therefore also |
| 44 | + * becoming a APIView class. |
| 45 | + */ |
| 46 | + class RestFrameworkApiViewClass extends PrivateDjango::DjangoViewClassFromSuperClass { |
| 47 | + RestFrameworkApiViewClass() { |
| 48 | + this.getABase() = any(ModeledApiViewClasses c).getASubclass*().getAUse().asExpr() |
| 49 | + } |
| 50 | + |
| 51 | + override Function getARequestHandler() { |
| 52 | + result = super.getARequestHandler() |
| 53 | + or |
| 54 | + // TODO: This doesn't handle attribute assignment. Should be OK, but analysis is not as complete as with |
| 55 | + // points-to and `.lookup`, which would handle `post = my_post_handler` inside class def |
| 56 | + result = this.getAMethod() and |
| 57 | + result.getName() in [ |
| 58 | + // these method names where found by looking through the APIView |
| 59 | + // implementation in |
| 60 | + // https://github.com/encode/django-rest-framework/blob/master/rest_framework/views.py#L104 |
| 61 | + "initial", "http_method_not_allowed", "permission_denied", "throttled", |
| 62 | + "get_authenticate_header", "perform_content_negotiation", "perform_authentication", |
| 63 | + "check_permissions", "check_object_permissions", "check_throttles", "determine_version", |
| 64 | + "initialize_request", "finalize_response", "dispatch", "options" |
| 65 | + ] |
| 66 | + } |
| 67 | + } |
| 68 | +} |
0 commit comments