All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.sonar.python.checks.DjangoNonDictSerializationCheck Maven / Gradle / Ivy

There is a newer version: 4.23.0.17664
Show newest version
/*
 * SonarQube Python Plugin
 * Copyright (C) 2011-2024 SonarSource SA
 * mailto:info AT sonarsource DOT com
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 * See the Sonar Source-Available License for more details.
 *
 * You should have received a copy of the Sonar Source-Available License
 * along with this program; if not, see https://sonarsource.com/license/ssal/
 */
package org.sonar.python.checks;

import java.util.List;
import java.util.Objects;
import javax.annotation.CheckForNull;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.PythonSubscriptionCheck;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.symbols.Symbol;
import org.sonar.plugins.python.api.symbols.Usage;
import org.sonar.plugins.python.api.tree.AnnotatedAssignment;
import org.sonar.plugins.python.api.tree.AssignmentExpression;
import org.sonar.plugins.python.api.tree.AssignmentStatement;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.Name;
import org.sonar.plugins.python.api.tree.RegularArgument;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.python.tree.TreeUtils;

@Rule(key = "S6560")
public class DjangoNonDictSerializationCheck extends PythonSubscriptionCheck {

  private static final String MESSAGE = "Use a dictionary object here, or set the \"safe\" flag to False.";
  private static final String JSON_RESPONSE_FUNCTION_NAME = "django.http.JsonResponse";

  private static final int MAX_RECURSION = 5;

  @Override
  public void initialize(Context context) {

    context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, ctx -> {
      CallExpression callExpression = (CallExpression) ctx.syntaxNode();
      Symbol symbol = callExpression.calleeSymbol();
      if (symbol != null && JSON_RESPONSE_FUNCTION_NAME.equals(symbol.fullyQualifiedName())) {
        checkForDictSerialization(ctx, callExpression);
      }
    });
  }

  private static void checkForDictSerialization(SubscriptionContext ctx, CallExpression callExpression) {
    RegularArgument safe = TreeUtils.nthArgumentOrKeyword(2, "safe", callExpression.arguments());
    if (safe == null || (safe.expression().is(Tree.Kind.NAME) && "True".equals(((Name) safe.expression()).name()))) {
      RegularArgument dataArg = TreeUtils.nthArgumentOrKeyword(0, "data", callExpression.arguments());
      if (dataArg != null && !couldExpressionBeADict(dataArg.expression())) {
        ctx.addIssue(dataArg, MESSAGE);
      }
    }
  }

  private static boolean couldExpressionBeADict(Expression expression) {
    if (expression.is(Tree.Kind.NAME)) {
      return couldDictBeAssignedToDataArg((Name) expression, 0);
    }
    return couldTypeBeADict(expression);
  }

  private static boolean couldDictBeAssignedToDataArg(Name dataArg, int recursiveCount) {
    Symbol dataArgSymbol = dataArg.symbol();
    if (recursiveCount <= MAX_RECURSION && dataArgSymbol != null) {
      List assignmentStmts = dataArgSymbol.usages().stream()
        .filter(usage -> usage.kind() == Usage.Kind.ASSIGNMENT_LHS)
        .map(Usage::tree)
        .map(usage -> TreeUtils.firstAncestorOfKind(usage, Tree.Kind.ASSIGNMENT_STMT, Tree.Kind.ANNOTATED_ASSIGNMENT, Tree.Kind.ASSIGNMENT_EXPRESSION))
        .filter(Objects::nonNull)
        .toList();
      if (assignmentStmts.size() == 1) {
        Tree assignment = assignmentStmts.get(0);
        Expression assignedValue = getAssignedValue(assignment);
        // We do not yet support checking the types from call expressions
        if (assignedValue != null) {
          if (assignedValue.is(Tree.Kind.NAME)) {
            return couldDictBeAssignedToDataArg((Name) assignedValue, recursiveCount + 1);
          } else {
            return couldTypeBeADict(assignedValue);
          }
        }
      }
    }
    return true;
  }

  private static boolean couldTypeBeADict(Expression expression) {
    return expression.is(Tree.Kind.DICTIONARY_LITERAL) || expression.is(Tree.Kind.DICT_COMPREHENSION) || expression.type().canBeOrExtend("dict");
  }

  @CheckForNull
  private static Expression getAssignedValue(Tree assignment) {
    if (assignment.is(Tree.Kind.ASSIGNMENT_STMT)) {
      return ((AssignmentStatement) assignment).assignedValue();
    } else if (assignment.is(Tree.Kind.ANNOTATED_ASSIGNMENT)) {
      return ((AnnotatedAssignment) assignment).assignedValue();
    } else {
      return ((AssignmentExpression) assignment).expression();
    }
  }
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy