fix(python/django): FileSystemStorage call (#421)

Bearer · May 27, 2024 · 7d40d6c · 7d40d6c
1 parent e11b403
commit 7d40d6c
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 3 deletions.
diff --git a/rules/python/django/path_using_user_input.yml b/rules/python/django/path_using_user_input.yml
@@ -2,8 +2,12 @@ imports:
   - python_shared_common_user_input
   - python_shared_lang_import4
 patterns:
-  - pattern: $<FILE_SYSTEM_STORAGE>($<...>$<USER_INPUT>$<...>)
+  - pattern: $<FILE_SYSTEM_STORAGE>($<...>$<PARAM>=$<USER_INPUT>$<...>)
     filters:
+      - variable: PARAM
+        values:
+          - location
+          - base_url
       - variable: USER_INPUT
         detection: python_shared_common_user_input
         scope: result
@@ -21,6 +25,44 @@ patterns:
             values: [storage]
           - variable: NAME
             values: [FileSystemStorage]
+  - pattern: $<FILE_SYSTEM_STORAGE>($<LOCATION>$<...>)
+    filters:
+      - variable: LOCATION
+        detection: python_shared_common_user_input
+        scope: result
+      - variable: FILE_SYSTEM_STORAGE
+        detection: python_shared_lang_import4
+        scope: cursor
+        filters:
+          - variable: MODULE1
+            values: [django]
+          - variable: MODULE2
+            values: [core]
+          - variable: MODULE3
+            values: [files]
+          - variable: MODULE4
+            values: [storage]
+          - variable: NAME
+            values: [FileSystemStorage]
+  - pattern: $<FILE_SYSTEM_STORAGE>($<LOCATION>, $<BASE_URL>$<...>)
+    filters:
+      - variable: BASE_URL
+        detection: python_shared_common_user_input
+        scope: result
+      - variable: FILE_SYSTEM_STORAGE
+        detection: python_shared_lang_import4
+        scope: cursor
+        filters:
+          - variable: MODULE1
+            values: [django]
+          - variable: MODULE2
+            values: [core]
+          - variable: MODULE3
+            values: [files]
+          - variable: MODULE4
+            values: [storage]
+          - variable: NAME
+            values: [FileSystemStorage]
   - pattern: $<DEFAULT_STORAGE>.save($<USER_INPUT>, $<...>)
     filters:
       - variable: DEFAULT_STORAGE

diff --git a/tests/python/django/path_using_user_input/testdata/main.py b/tests/python/django/path_using_user_input/testdata/main.py
@@ -1,10 +1,16 @@
 from django.core.files.storage import FileSystemStorage as FSS
 
 # bearer:expected python_django_path_using_user_input
-fs = FSS(form.cleaned_data["storage_path"])
+fs = FSS(location=form.cleaned_data["storage_path"])
 request_file = request.FILES['document']
 file = fs.save(request_file)
 
+# bearer:expected python_django_path_using_user_input
+fs = FSS(form.cleaned_data["storage_path"])
+
+# bearer:expected python_django_path_using_user_input
+fs = FSS("some/safe/location", form.cleaned_data["base_url"])
+
 from django.core.files.storage import default_storage
 # bearer:expected python_django_path_using_user_input
-default_storage.save(form.cleaned_data["filepath"])
+default_storage.save(location=form.cleaned_data["filepath"])