
Commit d3f811c

committed
Python: Accept any arg to flask.jsonify
Thanks @tausbn 👍
1 parent 8174120 commit d3f811c


2 files changed

+4
-6
lines changed


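--- a/python/ql/lib/semmle/python/frameworks/Flask.qll
+++ b/python/ql/lib/semmle/python/frameworks/Flask.qll
@@ -178,11 +178,9 @@ module Flask {
 * - https://flask.palletsprojects.com/en/2.2.x/api/#flask.json.jsonify
 */
 private class FlaskJsonifyCall extends InstanceSource, DataFlow::CallCfgNode {
-FlaskJsonifyCall() {
-this = API::moduleImport("flask").getMember("jsonify").getACall()
-}
+FlaskJsonifyCall() { this = API::moduleImport("flask").getMember("jsonify").getACall() }
 
-override DataFlow::Node getBody() { result = this.getArg(0) }
+override DataFlow::Node getBody() { result in [this.getArg(_), this.getArgByName(_)] }
 
 override string getMimetypeDefault() { result = "application/json" }
 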
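Review bot: `getBody()` now returns every positional and keyword argument, but nothing at the predicate says why, and the QLDoc above the class (only its tail is visible in this hunk) may still describe a single body argument. I would add `/** Every positional and keyword argument is serialized into the JSON response body. */` directly above the override. It is also worth confirming whether `getArg(_)` and `getArgByName(_)` match unpacked calls such as `jsonify(*items)` or `jsonify(**fields)`; if they do not, queries that rely on the response body would still miss those calls. The class body continues past the end of the hunk.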

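--- a/python/ql/test/library-tests/frameworks/flask/response_test.py
+++ b/python/ql/test/library-tests/frameworks/flask/response_test.py
@@ -66,8 +66,8 @@ def html8(): # $requestHandler
 
 @app.route("/jsonify") # $routeSetup="/jsonify"
 def jsonify_route(): # $requestHandler
-data = {"foo": "bar"}
-resp = jsonify(data) # $ HttpResponse mimetype=application/json responseBody=data
+x = "x"; y = "y"; z = "z"
+resp = jsonify(x, y, z=z) # $ HttpResponse mimetype=application/json responseBody=x responseBody=y responseBody=z
 return resp # $ SPURIOUS: HttpResponse mimetype=text/html responseBody=resp
 
 ################################################################################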
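Review bot: The rewritten `jsonify_route` replaces the single-dict call instead of adding to it, so the most common form, `jsonify(data)`, no longer has its own `responseBody` expectation. Keeping the old route and adding the new cases under a second path would cover both shapes. As far as I recall, Flask rejects a call that mixes positional and keyword arguments at runtime, so `jsonify(x, y, z=z)` is an analysis-only shape; separate `jsonify(x, y)` and `jsonify(z=z)` calls would mirror real usage more closely. The three assignments joined with `;` on one line also depart from the one-statement-per-line style of the lines they replace.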
