Skip to content

Python: Multiple django improvements #5139

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Feb 14, 2021
Merged

Python: Multiple django improvements #5139

merged 9 commits into from
Feb 14, 2021

Conversation

RasmusWL
Copy link
Member

@RasmusWL RasmusWL commented Feb 10, 2021
edited
Loading

This PR covers 3 improvements to our django modeling, so we now handle:

  • view functions that have decorators
  • classes used with .as_view() in routing setup, but without known view super-type
  • taint of self.request, self.args, and self.kwargs on view class

I can be persuaded to split this into 3 PRs, I just found it easy to do them together. Will strongly recommend going through changes commit-by-commit

@RasmusWL RasmusWL requested a review from a team as a code owner February 10, 2021 16:51
yoff
yoff reviewed Feb 10, 2021
View reviewed changes
Copy link
Contributor

@yoff yoff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall looks like nice improvements (good catch that djangoRouteHandlerFunctionTracker still tracks all functions).

python/ql/src/semmle/python/frameworks/Django.qll
@@ -2078,7 +2099,7 @@ private module Django {
DjangoRouteHandler() {
exists(DjangoRouteSetup route | route.getViewArg() = djangoRouteHandlerFunctionTracker(this))
or
any(DjangoViewClassDef vc).getARequestHandler() = this
any(DjangoViewClass vc).getARequestHandler() = this
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this (and below) use PossibleDjangoViewClass?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nope. PossibleDjangoViewClass might be a bit too strongly worded. Maybe it should have been called ProbablyNotDjangoViewClass 😆

python/ql/src/semmle/python/frameworks/Django.qll Outdated
}

/** A class that might be a django View class. */
class PossibleDjangoViewClass extends Class {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the name meant to make me think of the Range pattern?

Copy link
Member Author

@RasmusWL RasmusWL Feb 11, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nope.

@RasmusWL RasmusWL requested a review from yoff February 11, 2021 14:00
yoff
yoff reviewed Feb 11, 2021
View reviewed changes
Copy link
Contributor

@yoff yoff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the explanations. I am still not quite sure of the role of/need for PossibleDjangoViewClass. It seems like a not-meant-to-use-further extension point.
Apart from this, I am happy to merge this.

@RasmusWL
Copy link
Member Author

The role of PossibleDjangoViewClass is to enable us to do this bit Improved modeling of django View classes. We now consider any class using in a routing setup with <class>.as_view() as django view class.

PossibleDjangoViewClass is not an extension point (and it is not abstract).

Since we no longer want to restrict the classes considered for tracking <class>.as_view(), We need a to include two sets of classes, to be considered a django view class (possibly with overlap):

  • the classes that have a known view class as a super-class
  • the classes that are used with <class>.as_view()

The sole purpose of PossibleDjangoViewClass is to provide tracking mechanisms for <class>.as_view() for all classes. Since it's all classes, this models all possible future django view classes.

Hopefully this makes things more clear. Otherwise let's talk on zoom. If you do get an aha moment, would probably be cool with a docs suggestion so it's more clear for the next person 🤷

@RasmusWL RasmusWL mentioned this pull request Feb 12, 2021
Merged
@RasmusWL RasmusWL requested a review from yoff February 12, 2021 11:22
yoff
yoff approved these changes Feb 12, 2021
View reviewed changes
Copy link
Contributor

@yoff yoff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, LGTM

@codeql-ci codeql-ci merged commit 178c54e into github:main Feb 14, 2021
@RasmusWL RasmusWL deleted the django-improvements branch March 1, 2021 13:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yoff yoff yoff approved these changes

Assignees
No one assigned
Labels
documentation Python
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@RasmusWL @yoff @codeql-ci