Add additional header write models for aiohttp and tornado + added qldoc

Author: joefarebrother

python/ql/lib/semmle/python/frameworks/Aiohttp.qll

@@ -706,6 +706,33 @@ module AiohttpWebModel {
 
     override DataFlow::Node getValueArg() { result = value }
   }
+
+  /**
+   * A dict-like write to an item of the `headers` attribute on a HTTP response, such as
+   * `response.headers[name] = value`.
+   */
+  class AiohttpResponseHeaderSubscriptWrite extends Http::Server::ResponseHeaderWrite::Range {
+    DataFlow::Node index;
+    DataFlow::Node value;
+
+    AiohttpResponseHeaderSubscriptWrite() {
+      exists(API::Node i |
+        value = aiohttpResponseInstance().getMember("headers").getSubscriptAt(i).asSink() and
+        index = i.asSink() and
+        // To give `this` a value, we need to choose between either LHS or RHS,
+        // and just go with the RHS as it is readily available
+        this = value
+      )
+    }
+
+    override DataFlow::Node getNameArg() { result = index }
+
+    override DataFlow::Node getValueArg() { result = value }
+
+    override predicate nameAllowsNewline() { none() }
+
+    override predicate valueAllowsNewline() { none() }
+  }
 }
 
 /**

python/ql/lib/semmle/python/frameworks/Django.qll

@@ -2240,6 +2240,10 @@ module PrivateDjango {
           override DataFlow::Node getValueArg() { result = value }
         }
 
+        /**
+         * A dict-like write to an item of the `headers` attribute on a HTTP response, such as
+         * `response.headers[name] = value`.
+         */
         class DjangoResponseHeaderSubscriptWrite extends Http::Server::ResponseHeaderWrite::Range {
           DataFlow::Node index;
           DataFlow::Node value;

python/ql/lib/semmle/python/frameworks/FastApi.qll

@@ -384,6 +384,10 @@ module FastApi {
       override predicate valueAllowsNewline() { none() }
     }
 
+    /**
+     * A dict-like write to an item of the `headers` attribute on a HTTP response, such as
+     * `response.headers[name] = value`.
+     */
     class HeaderSubscriptWrite extends Http::Server::ResponseHeaderWrite::Range {
       DataFlow::Node index;
       DataFlow::Node value;

python/ql/lib/semmle/python/frameworks/Tornado.qll

@@ -63,6 +63,50 @@ module Tornado {
 
       override string getAsyncMethodName() { none() }
     }
+
+    /**
+     * A dict-like write to an item of an `HTTPHeaders` object.
+     */
+    private class TornadoHeaderSubscriptWrite extends Http::Server::ResponseHeaderWrite::Range {
+      DataFlow::Node index;
+      DataFlow::Node value;
+
+      TornadoHeaderSubscriptWrite() {
+        exists(SubscriptNode subscript |
+          subscript.getObject() = instance().asCfgNode() and
+          value.asCfgNode() = subscript.(DefinitionNode).getValue() and
+          index.asCfgNode() = subscript.getIndex() and
+          this.asCfgNode() = subscript
+        )
+      }
+
+      override DataFlow::Node getNameArg() { result = index }
+
+      override DataFlow::Node getValueArg() { result = value }
+
+      override predicate nameAllowsNewline() { none() }
+
+      override predicate valueAllowsNewline() { none() }
+    }
+
+    /**
+     * A call to `HTTPHeaders.add`.
+     */
+    private class TornadoHeadersAppendCall extends Http::Server::ResponseHeaderWrite::Range,
+      DataFlow::MethodCallNode
+    {
+      TornadoHeadersAppendCall() { this.calls(instance(), "append") }
+
+      override DataFlow::Node getNameArg() { result = [this.getArg(0), this.getArgByName("name")] }
+
+      override DataFlow::Node getValueArg() {
+        result in [this.getArg(1), this.getArgByName("value")]
+      }
+
+      override predicate nameAllowsNewline() { none() }
+
+      override predicate valueAllowsNewline() { none() }
+    }
   }
 
   // ---------------------------------------------------------------------------
@@ -209,6 +253,25 @@ module Tornado {
             this.(DataFlow::AttrRead).getAttributeName() = "request"
           }
         }
+
+        /** A call to `RequestHandler.set_header` or `RequestHandler.add_header` */
+        private class TornadoSetHeaderCall extends Http::Server::ResponseHeaderWrite::Range,
+          DataFlow::MethodCallNode
+        {
+          TornadoSetHeaderCall() { this.calls(instance(), ["set_header", "add_header"]) }
+
+          override DataFlow::Node getNameArg() {
+            result = [this.getArg(0), this.getArgByName("name")]
+          }
+
+          override DataFlow::Node getValueArg() {
+            result in [this.getArg(1), this.getArgByName("value")]
+          }
+
+          override predicate nameAllowsNewline() { none() }
+
+          override predicate valueAllowsNewline() { none() }
+        }
       }
 
       /**

python/ql/test/library-tests/frameworks/aiohttp/response_test.py

@@ -96,7 +96,7 @@ async def streaming_response(request): # $ requestHandler
 async def setting_cookie(request): # $ requestHandler
     resp = web.Response(text="foo") # $ HttpResponse mimetype=text/plain responseBody="foo"
     resp.cookies["key"] = "value" # $ CookieWrite CookieName="key" CookieValue="value"
-    resp.headers["Set-Cookie"] = "key2=value2" # $ MISSING: CookieWrite CookieRawHeader="key2=value2"
+    resp.headers["Set-Cookie"] = "key2=value2" # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2"
     resp.set_cookie("key3", "value3") # $ CookieWrite CookieName="key3" CookieValue="value3"
     resp.set_cookie(name="key3", value="value3") # $ CookieWrite CookieName="key3" CookieValue="value3"
     resp.del_cookie("key4") # $ CookieWrite CookieName="key4"

python/ql/test/library-tests/frameworks/tornado/response_test.py

@@ -24,10 +24,10 @@ def get(self):  # $ requestHandler
         # what matters.
 
         self.write("foo") # $ HttpResponse mimetype=text/html responseBody="foo"
-        self.set_header("Content-Type", "text/plain; charset=utf-8")
+        self.set_header("Content-Type", "text/plain; charset=utf-8") # $ headerWriteName="Content-Type" headerWriteValue="text/plain; charset=utf-8"
 
     def post(self): # $ requestHandler
-        self.set_header("Content-Type", "text/plain; charset=utf-8")
+        self.set_header("Content-Type", "text/plain; charset=utf-8") # $ headerWriteName="Content-Type" headerWriteValue="text/plain; charset=utf-8"
         self.write("foo") # $ HttpResponse responseBody="foo" MISSING: mimetype=text/plain SPURIOUS: mimetype=text/html
 
 
@@ -67,7 +67,10 @@ def get(self):  # $ requestHandler
         self.write("foo") # $ HttpResponse mimetype=text/html responseBody="foo"
         self.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value"
         self.set_cookie(name="key", value="value") # $ CookieWrite CookieName="key" CookieValue="value"
-        self.set_header("Set-Cookie", "key2=value2") # $ MISSING: CookieWrite CookieRawHeader="key2=value2"
+        self.set_header("Set-Cookie", "key2=value2") # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2"
+        self.add_header("Set-Cookie", "key3=value3") # $ headerWriteName="Set-Cookie" headerWriteValue="key3=value3" CookieWrite CookieRawHeader="key3=value3"
+        self.request.headers.append("Set-Cookie", "key4=value4") # $ headerWriteName="Set-Cookie" headerWriteValue="key4=value4" CookieWrite CookieRawHeader="key4=value4"
+        self.request.headers["Set-Cookie"] = "key5=value5" # $ headerWriteName="Set-Cookie" headerWriteValue="key5=value5" CookieWrite CookieRawHeader="key5=value5"
 
 
 def make_app():