Python: Fix Django class-based views

Author: RasmusWL

python/ql/src/semmle/python/web/django/Request.qll

@@ -67,7 +67,7 @@ private class DjangoView extends ClassValue {
 }
 
 private FunctionValue djangoViewHttpMethod() {
-    exists(DjangoView view | view.attr(httpVerbLower()) = result)
+    exists(DjangoView view | view.lookup(httpVerbLower()) = result)
 }
 
 class DjangoClassBasedViewRequestArgument extends DjangoRequestSource {

python/ql/test/library-tests/web/django/Sinks.expected

@@ -10,6 +10,7 @@
 | views.py:7 | Attribute() | externally controlled string |
 | views.py:11 | Attribute() | externally controlled string |
 | views.py:15 | Attribute() | externally controlled string |
-| views.py:22 | Attribute() | externally controlled string |
-| views.py:27 | Attribute() | externally controlled string |
-| views.py:31 | Attribute() | externally controlled string |
+| views.py:23 | Attribute() | externally controlled string |
+| views.py:29 | Attribute() | externally controlled string |
+| views.py:34 | Attribute() | externally controlled string |
+| views.py:38 | Attribute() | externally controlled string |

python/ql/test/library-tests/web/django/Sources.expected

@@ -7,11 +7,13 @@
 | views.py:6 | request | django.request.HttpRequest |
 | views.py:10 | request | django.request.HttpRequest |
 | views.py:14 | request | django.request.HttpRequest |
-| views.py:25 | page_number | externally controlled string |
-| views.py:25 | request | django.request.HttpRequest |
-| views.py:30 | arg0 | externally controlled string |
-| views.py:30 | arg1 | externally controlled string |
-| views.py:30 | request | django.request.HttpRequest |
-| views.py:50 | request | django.request.HttpRequest |
-| views.py:50 | username | externally controlled string |
-| views.py:59 | request | django.request.HttpRequest |
+| views.py:22 | request | django.request.HttpRequest |
+| views.py:28 | request | django.request.HttpRequest |
+| views.py:32 | page_number | externally controlled string |
+| views.py:32 | request | django.request.HttpRequest |
+| views.py:37 | arg0 | externally controlled string |
+| views.py:37 | arg1 | externally controlled string |
+| views.py:37 | request | django.request.HttpRequest |
+| views.py:57 | request | django.request.HttpRequest |
+| views.py:57 | username | externally controlled string |
+| views.py:66 | request | django.request.HttpRequest |

python/ql/test/library-tests/web/django/views.py

@@ -15,11 +15,18 @@ def post_params_xss(request):
     return HttpResponse(request.POST.get("untrusted"))
 
 
-class ClassView(View):
+class Foo(object):
+    # Note: since Foo is used as the super type in a class view, it will be able to handle requests.
 
+    # TODO: Currently we don't flag `untrusted` as a DjangoRequestParameter
+    def post(self, request, untrusted):
+        return HttpResponse('Foo post: {}'.format(untrusted))
+
+
+class ClassView(View, Foo):
     # TODO: Currently we don't flag `untrusted` as a DjangoRequestParameter
     def get(self, request, untrusted):
-        return HttpResponse('ClassView: {}'.format(untrusted))
+        return HttpResponse('ClassView get: {}'.format(untrusted))
 
 
 def show_articles(request, page_number=1):

python/ql/test/query-tests/Security/lib/django/views/__init__.py

@@ -0,0 +1,2 @@
+class View:
+    pass