Python: Model RequestHandler from standard library explicitly

RasmusWL · RasmusWL · commit 71a6ef5b00c2 · 2020-12-21T18:02:31.000+01:00
diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -1616,6 +1616,20 @@ private module Stdlib {
         )
       }
     }
+
+    /**
+     * The entry-point for handling a request with a `BaseHTTPRequestHandler` subclass.
+     *
+     * Not essential for any functionality, but provides a consistent modeling.
+     */
+    private class RequestHandlerFunc extends HTTP::Server::RequestHandler::Range {
+      RequestHandlerFunc() {
+        this = any(HTTPRequestHandlerClassDef cls).getAMethod() and
+        this.getName() = "do_" + HTTP::httpVerb()
+      }
+
+      override Parameter getARoutedParameter() { none() }
+    }
   }
 
   // ---------------------------------------------------------------------------
diff --git a/python/ql/src/semmle/python/web/HttpConstants.qll b/python/ql/src/semmle/python/web/HttpConstants.qll
@@ -1,4 +1,4 @@
-/** Gets an HTTP verb */
+/** Gets an HTTP verb, in upper case */
 string httpVerb() {
   result = "GET" or
   result = "POST" or
diff --git a/python/ql/test/experimental/library-tests/frameworks/stdlib/http_server.py b/python/ql/test/experimental/library-tests/frameworks/stdlib/http_server.py
@@ -78,7 +78,7 @@ def taint_sources(self):
         ensure_tainted(form)
 
 
-    def do_GET(self): # $ MISSING: requestHandler
+    def do_GET(self): # $ requestHandler
         # send_response will log a line to stderr
         self.send_response(200)
         self.send_header("Content-type", "text/plain; charset=utf-8")
@@ -88,7 +88,7 @@ def do_GET(self): # $ MISSING: requestHandler
         print(self.headers)
 
 
-    def do_POST(self): # $ MISSING: requestHandler
+    def do_POST(self): # $ requestHandler
         form = cgi.FieldStorage(
             self.rfile,
             self.headers,

Original file line number	Diff line number	Diff line change
`@@ -1616,6 +1616,20 @@ private module Stdlib {`
`1616`	`1616`	`)`
`1617`	`1617`	`}`
`1618`	`1618`	`}`
	`1619`	`+`
	`1620`	`+ /**`
	`1621`	+ * The entry-point for handling a request with a `BaseHTTPRequestHandler` subclass.
	`1622`	`+ *`
	`1623`	`+ * Not essential for any functionality, but provides a consistent modeling.`
	`1624`	`+ */`
	`1625`	`+ private class RequestHandlerFunc extends HTTP::Server::RequestHandler::Range {`
	`1626`	`+ RequestHandlerFunc() {`
	`1627`	`+ this = any(HTTPRequestHandlerClassDef cls).getAMethod() and`
	`1628`	`+ this.getName() = "do_" + HTTP::httpVerb()`
	`1629`	`+ }`
	`1630`	`+`
	`1631`	`+ override Parameter getARoutedParameter() { none() }`
	`1632`	`+ }`
`1619`	`1633`	`}`
`1620`	`1634`
`1621`	`1635`	`// ---------------------------------------------------------------------------`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-/** Gets an HTTP verb */`
	`1`	`+/** Gets an HTTP verb, in upper case */`
`2`	`2`	`string httpVerb() {`
`3`	`3`	`result = "GET" or`
`4`	`4`	`result = "POST" or`