Python: Add models for websocket handlers for Tornado #20877
Conversation
There was a problem hiding this comment.
Pull Request Overview
This pull request adds support for modeling WebSocket handlers in the Tornado framework, specifically adding remote flow source models for tornado.websocket.WebSocketHandler.
- Added modeling for
tornado.websocket.WebSocketHandlerclass and its event handler methods - Created
TornadoWebSocketEventHandlerclass to identify WebSocket event handlers as request handlers with routed parameters - Added test cases for WebSocket handler methods including
open,on_message,on_ping,on_pong,select_subprotocol, andcheck_origin
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| python/ql/lib/semmle/python/frameworks/Tornado.qll | Added WebSocket module modeling including WebSocketHandler class reference, WebSocketHandlerClass extending RequestHandlerClass, and TornadoWebSocketEventHandler for treating WebSocket event handlers as request handlers |
| python/ql/test/library-tests/frameworks/tornado/routing_test.py | Added test class WebSocket extending tornado.websocket.WebSocketHandler with test methods for various WebSocket event handlers and corresponding route setup |
| python/ql/lib/change-notes/2025-11-22-tornado-websockets.md | Added change note documenting the addition of remote flow source models for tornado.websocket.WebSocketHandler |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| override string getFramework() { result = "Tornado" } | ||
| } | ||
|
|
||
| /** A request handler for WebSocket events */ |
There was a problem hiding this comment.
The comment should end with a period for consistency with other similar comments in the file, such as the comment on line 560.
| result.getName() = "open" | ||
| } | ||
|
|
||
| /** Gets a function that could handle incoming websocket events, if any. */ |
There was a problem hiding this comment.
The term "websocket" should be capitalized as "WebSocket" to maintain consistency with line 583 and adhere to the standard capitalization of the WebSocket protocol name.
| def get(self): # $ requestHandler | ||
| self.write("NotRouted") # $ HttpResponse | ||
|
|
||
| class WebSocket(tornado.websocket.WebSocketHandler): |
There was a problem hiding this comment.
The WebSocket class inherits from tornado.websocket.WebSocketHandler on line 57, but the module tornado.websocket is not imported. An import statement should be added at the top of the file, e.g., import tornado.websocket.
|
|
||
| class WebSocket(tornado.websocket.WebSocketHandler): | ||
| def open(self, x): # $ requestHandler routedParameter=x | ||
| self.write_message("WebSocket open {}".format(x)) |
There was a problem hiding this comment.
Trailing whitespace should be removed from this line.
| self.write_message("WebSocket open {}".format(x)) | |
| self.write_message("WebSocket open {}".format(x)) |
|
|
||
|
|
There was a problem hiding this comment.
Trailing whitespace should be removed from this blank line.
Adds models for
WebSocketHandlerremote flow sources.