fix: add patterns for positional arguments

Bearer · May 27, 2024 · 6cc1c59 · 6cc1c59
1 parent fc75a0c
commit 6cc1c59
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 0 deletions.
diff --git a/rules/python/django/path_using_user_input.yml b/rules/python/django/path_using_user_input.yml
@@ -25,6 +25,44 @@ patterns:
             values: [storage]
           - variable: NAME
             values: [FileSystemStorage]
+  - pattern: $<FILE_SYSTEM_STORAGE>($<LOCATION>$<...>)
+    filters:
+      - variable: LOCATION
+        detection: python_shared_common_user_input
+        scope: result
+      - variable: FILE_SYSTEM_STORAGE
+        detection: python_shared_lang_import4
+        scope: cursor
+        filters:
+          - variable: MODULE1
+            values: [django]
+          - variable: MODULE2
+            values: [core]
+          - variable: MODULE3
+            values: [files]
+          - variable: MODULE4
+            values: [storage]
+          - variable: NAME
+            values: [FileSystemStorage]
+  - pattern: $<FILE_SYSTEM_STORAGE>($<LOCATION>, $<BASE_URL>$<...>)
+    filters:
+      - variable: BASE_URL
+        detection: python_shared_common_user_input
+        scope: result
+      - variable: FILE_SYSTEM_STORAGE
+        detection: python_shared_lang_import4
+        scope: cursor
+        filters:
+          - variable: MODULE1
+            values: [django]
+          - variable: MODULE2
+            values: [core]
+          - variable: MODULE3
+            values: [files]
+          - variable: MODULE4
+            values: [storage]
+          - variable: NAME
+            values: [FileSystemStorage]
   - pattern: $<DEFAULT_STORAGE>.save($<USER_INPUT>, $<...>)
     filters:
       - variable: DEFAULT_STORAGE

diff --git a/tests/python/django/path_using_user_input/testdata/main.py b/tests/python/django/path_using_user_input/testdata/main.py
@@ -5,6 +5,12 @@
 request_file = request.FILES['document']
 file = fs.save(request_file)
 
+# bearer:expected python_django_path_using_user_input
+fs = FSS(form.cleaned_data["storage_path"])
+
+# bearer:expected python_django_path_using_user_input
+fs = FSS("some/safe/location", form.cleaned_data["base_url"])
+
 from django.core.files.storage import default_storage
 # bearer:expected python_django_path_using_user_input
 default_storage.save(location=form.cleaned_data["filepath"])