Python: Add RemoteFlowSource for django handler without route

RasmusWL · RasmusWL · commit 05ab6cd54a80 · 2020-12-21T18:02:30.000+01:00
A bit scary that we don't have any tests to indicate that I forgot to add this :O
diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -1909,6 +1909,8 @@ private module Django {
     RemoteFlowSource::Range, DataFlow::ParameterNode {
     DjangoRouteHandlerRequestParam() {
       this.getParameter() = any(DjangoRouteSetup setup).getARequestHandler().getRequestParam()
+      or
+      this.getParameter() = any(DjangoViewClassHandlerWithoutKnownRoute setup).getRequestParam()
     }
 
     override string getSourceType() { result = "django.http.request.HttpRequest" }

Original file line number	Diff line number	Diff line change
`@@ -1909,6 +1909,8 @@ private module Django {`
`1909`	`1909`	`RemoteFlowSource::Range, DataFlow::ParameterNode {`
`1910`	`1910`	`DjangoRouteHandlerRequestParam() {`
`1911`	`1911`	`this.getParameter() = any(DjangoRouteSetup setup).getARequestHandler().getRequestParam()`
	`1912`	`+ or`
	`1913`	`+ this.getParameter() = any(DjangoViewClassHandlerWithoutKnownRoute setup).getRequestParam()`
`1912`	`1914`	`}`
`1913`	`1915`
`1914`	`1916`	`override string getSourceType() { result = "django.http.request.HttpRequest" }`