Python: Support Flask subclasses #21869
yoff wants to merge 4 commits into
DCA showed a few new results which look fine.
Pull request overview
Updates the Python Flask framework models so FlaskApp::instance() also matches instances of user-defined Flask subclasses, aligning the library behavior with real-world Flask usage (fixing #21854) and adding/adjusting tests and documentation to cover the new behavior.
Changes:
- Extend the Flask app class reference to include subclasses and rename `classRef` → `subclassRef` (with a deprecated alias).
- Add an inline-instance meta test helper and corresponding Flask library-tests (including a new Flask-subclass test case).
- Update Flask library-test fixtures to tag Flask app instantiations as `# $ instance`, and add a change note.
Show a summary per file
| File | Description |
|---|---|
| python/ql/lib/semmle/python/frameworks/Flask.qll | Adjusts Flask app class reference/instance modeling to include subclasses; introduces subclassRef and deprecates classRef. |
| python/ql/src/meta/ClassHierarchy/Find.ql | Updates class hierarchy spec to use the new subclassRef predicate name. |
| python/ql/test/experimental/meta/InlineInstanceTest.qll | Adds a reusable inline-expectations test helper for “instance” nodes. |
| python/ql/test/library-tests/frameworks/flask/InlineInstanceTest.ql | Adds a test driver query for validating Flask app instance detection via inline expectations. |
| python/ql/test/library-tests/frameworks/flask/InlineInstanceTest.expected | Adds expected output placeholder for the new inline instance test. |
| python/ql/test/library-tests/frameworks/flask/flask_subclass.py | Adds a minimal Flask subclass example to validate subclass instance tracking. |
| python/ql/test/library-tests/frameworks/flask/*.py (template_test.py, taint_test.py, save_uploaded_file.py, routing_test.py, response_test.py, old_test.py) | Adds # $ instance tags to existing Flask app instantiations for the new inline instance test coverage. |
| python/ql/lib/change-notes/2026-05-19-flask-subclasses.md | Documents the behavioral change and API rename/deprecation. |
Copilot's findings
- Files reviewed: 12/13 changed files
- Comments generated: 2
| --- | ||
| category: minorAnalysis | ||
| --- | ||
| * `Flask::instance` will now also return instances of subclasses defined in te source tree. Previously, these were filtered out. `Flask::classRef` has been deprecated in favor of `Flask::subclassRef` since it already returned some subclasses. No newline at end of file |
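Review bot: The change note has a typo in its only bullet, "te source tree" should read "the source tree", and the file ends without a trailing newline ("No newline at end of file"); both are worth fixing before merge since this text ships in the release notes. The note also names the predicates as `Flask::instance`, `Flask::classRef` and `Flask::subclassRef`, while the PR overview refers to `FlaskApp::instance()`, so please check that the qualified names here match what users will search for when they hit the deprecation.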
| @@ -0,0 +1,29 @@ | |||
| /** | |||
| * Defines a InlineExpectationsTest for class instances, that is, | |||
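Review bot: Small wording nit in the first line of the doc comment: "a InlineExpectationsTest" should be "an InlineExpectationsTest".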
The pattern
already returns all the subclasses for which we have MaD models, so we may as well replace it with
The predicate has been renamed from `classRef` to `subclassRef` with a deprecated alias.
This solves #21854