python-security / pyt

A Static Analysis Tool for Detecting Security Vulnerabilities in Python Web Applications
GNU General Public License v2.0

Support class-based views #162

Open KevinHock opened 6 years ago

KevinHock commented 6 years ago

I wrote some of the code to do this in a branch https://github.com/python-security/pyt/compare/class_based_views, but since I'm working on other things and this feature seems cool and important, I'm making this issue 👍

Let me know if you would like any help in implementing.

KevinHock commented 6 years ago

cc @davidoc

nightwarriorftw commented 6 years ago

Hi @KevinHock, I am new to projects. How can I contribute to this issue? I need some help to start.

KevinHock commented 6 years ago

Hi @nightwarrior-xxx, nice to meet you. Let me know if this helps; it's a rough idea of how to do this:

1. Read the framework part of the docs.

2. usage.py: change https://github.com/python-security/pyt/blob/master/pyt/usage.py#L34 from 'Flask(Default), Django, Every or Pylons' to 'Flask(Default), Class-Based Views, Django, Every or Pylons'.

3. __main__.py: add

        elif args.adaptor and args.adaptor.lower().startswith('c'):
            framework_route_criteria = is_class_based_view_function

   See https://github.com/python-security/pyt/pull/75/files for something similar.

4. The part I will leave up to you, unless you would like me to try to figure it out: framework_adaptor.py: use my _get_class_nodes function to iterate through all classes in FrameworkAdaptor when the is_class_based_view_function function is passed.

5. framework_helper.py: make an is_class_based_view_function function with something that checks endswith, similar to if definition.name.endswith('.get') or definition.name.endswith('.post'):

6. Extra/optional: check that the class being inherited from ends in View. Do this in _get_class_nodes (to check if it is MethodView/TemplateView etc.). Or find a counter-example, a base view class that does not end in View, from Flask or Django etc.

7. Use my examples/class_based_views/flask_bb.py test file or something similar to write tests.

8. Update the framework part of the docs.

adrianbn commented 5 years ago

It may be possible to look at the class hierarchy of a ClassDef node recursively until you find the View class (or object) since it seems like every view type in Flask ends up inheriting from flask.views.View.

Then, if the class does not have flask.views.MethodView in its base classes, look for a method called dispatch_request. On the other hand, if it is a descendant of MethodView, then you need to look for methods named as HTTP verbs (as per https://github.com/pallets/flask/blob/master/flask/views.py#L16).

I'm not very familiar with pyt so I'm not sure if this idea fits its current design.
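Putting the two suggestions in this thread side by side, the name-suffix check from KevinHock's plan (step 5 above) and adrianbn's hierarchy walk (find View or MethodView among the bases, then look for dispatch_request or HTTP-verb methods), here is an added, stand-alone example written for this page. It is not pyt's code and does not use pyt's FrameworkAdaptor, _get_class_nodes or definition objects; it works directly on Python's ast module, over a constructed Flask module embedded inline. The HTTP-method list is assumed to match the flask/views.py list linked above, and the names find_view_entry_points, _view_kind and _base_name are this example's own.

```python
import ast

# HTTP verbs that flask.views.MethodView dispatches on. Assumption for this
# example: mirrors the flask/views.py list linked in the thread; check it
# against the Flask version you target.
HTTP_METHODS = frozenset(
    ("get", "post", "head", "options", "delete", "put", "trace", "patch")
)

# Constructed sample input (not from the pyt repo): one View subclass, one
# MethodView subclass, one indirect MethodView subclass, one unrelated class.
SAMPLE_SOURCE = '''
from flask import request
from flask.views import View, MethodView

class ShowUsers(View):
    def dispatch_request(self):
        return request.args.get("name")

class UserAPI(MethodView):
    def get(self, user_id):
        return user_id
    def post(self):
        return request.form["name"]
    def helper(self):
        return "not an entry point"

class AdminAPI(UserAPI):
    def delete(self, user_id):
        return user_id

class NotAView:
    def get(self):
        return "plain method, not a view"
'''


def is_class_based_view_function(qualified_name):
    """Name-only check in the spirit of the endswith('.get') idea: accepts any
    'Class.method' whose method is an HTTP verb or dispatch_request, whatever
    Class inherits from, so it over-approximates."""
    method = qualified_name.rpartition(".")[2]
    return method in HTTP_METHODS or method == "dispatch_request"


def _base_name(node):
    """Simple name of a base expression: 'View' for View and flask.views.View."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None


def _view_kind(cls, classes, seen=frozenset()):
    """Walk the bases of cls recursively; return 'MethodView', 'View' or None.
    MethodView is tested first because in Flask it is itself a View subclass.
    Bases are matched by simple name only, so a View class from some other
    package matches too and bases from other modules do not resolve: a known
    limitation of this example."""
    for base in cls.bases:
        name = _base_name(base)
        if name == "MethodView":
            return "MethodView"
        if name == "View":
            return "View"
        if name in classes and name not in seen:
            kind = _view_kind(classes[name], classes, seen | {name})
            if kind is not None:
                return kind
    return None


def find_view_entry_points(source):
    """Map 'Class.method' -> view kind for each view entry point in source.
    MethodView descendants contribute their HTTP-verb methods, other View
    descendants contribute dispatch_request, and everything else contributes
    nothing even if it defines a method named get. Module-level classes only."""
    tree = ast.parse(source)
    classes = {n.name: n for n in tree.body if isinstance(n, ast.ClassDef)}
    entry_points = {}
    for cls in classes.values():
        kind = _view_kind(cls, classes)
        if kind is None:
            continue
        wanted = HTTP_METHODS if kind == "MethodView" else {"dispatch_request"}
        for item in cls.body:
            if isinstance(item, ast.FunctionDef) and item.name in wanted:
                entry_points[f"{cls.name}.{item.name}"] = kind
    return entry_points


if __name__ == "__main__":
    for name, kind in find_view_entry_points(SAMPLE_SOURCE).items():
        print(f"{name}: {kind} entry point")
    print("name-only check on NotAView.get:", is_class_based_view_function("NotAView.get"))
```

Run it and the difference between the two approaches shows up on NotAView.get: the suffix check accepts it as an entry point, while the hierarchy walk rejects it because NotAView never reaches View, and AdminAPI.delete is accepted only because the walk follows UserAPI up to MethodView. The base-name matching is the weak spot: a view whose base class is imported under an alias or defined in another file would need cross-module resolution that this example does not attempt.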