Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Python: Bottle Framework Header Support #17370

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Python: Bottle Framework Header Support #17370

wants to merge 5 commits into from

Conversation

Kwstubbs
Copy link
Contributor

@Kwstubbs Kwstubbs commented Sep 3, 2024

Add Bottle Header support

@Kwstubbs Kwstubbs requested a review from a team as a code owner September 3, 2024 21:01
@Kwstubbs Kwstubbs changed the title Python: Bottle Header support Python: Bottle Framework Header Support Sep 3, 2024
RasmusWL
RasmusWL requested changes Sep 13, 2024
View reviewed changes
Copy link
Member

@RasmusWL RasmusWL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks 🎉

Overall the code looks OK to me, but to accept this PR I need you to write some tests 😊 (good start by copying over the ConceptsTest, but we also need some code using bottle to show that the modeling works as intended) See flask tests as an inspiration.

python/ql/lib/semmle/python/frameworks/Bottle.qll
Comment on lines +97 to +103
HeaderWriteSubscript() {
exists(API::Node holder |
holder = headers() and
this = holder.asSource() and
value = holder.getSubscriptAt(name)
)
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This code looks like it will work for both reads and writes to bottle.response.headers?

might want to just do the same as we do for flask/werkzeug:

codeql/python/ql/lib/semmle/python/frameworks/Werkzeug.qll

Lines 216 to 239 in d4a0728

/** A dict-like write to a header, assumed to be a response header. */
private class HeaderWriteSubscript extends Http::Server::ResponseHeaderWrite::Range,
DataFlow::Node
{
DataFlow::Node name;
DataFlow::Node value;
HeaderWriteSubscript() {
exists(SubscriptNode subscript |
this.asCfgNode() = subscript and
value.asCfgNode() = subscript.(DefinitionNode).getValue() and
name.asCfgNode() = subscript.getIndex() and
subscript.getObject() = instance().asCfgNode()
)
}
override DataFlow::Node getNameArg() { result = name }
override DataFlow::Node getValueArg() { result = value }
override predicate nameAllowsNewline() { any() }
override predicate valueAllowsNewline() { none() }
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@RasmusWL RasmusWL RasmusWL requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
documentation Python
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Kwstubbs @RasmusWL