@joefarebrother
Contributor

Adds models for WebSocketHandler remote flow sources.

@joefarebrother joefarebrother requested a review from a team as a code owner November 20, 2025 10:59
Copilot AI review requested due to automatic review settings November 20, 2025 10:59
Copilot finished reviewing on behalf of joefarebrother November 20, 2025 11:02
Contributor

Copilot AI left a comment

Pull Request Overview

This pull request adds support for modeling WebSocket handlers in the Tornado framework, specifically adding remote flow source models for tornado.websocket.WebSocketHandler.

  • Added modeling for tornado.websocket.WebSocketHandler class and its event handler methods
  • Created TornadoWebSocketEventHandler class to identify WebSocket event handlers as request handlers with routed parameters
  • Added test cases for WebSocket handler methods including open, on_message, on_ping, on_pong, select_subprotocol, and check_origin

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| python/ql/lib/semmle/python/frameworks/Tornado.qll | Added WebSocket module modeling including WebSocketHandler class reference, WebSocketHandlerClass extending RequestHandlerClass, and TornadoWebSocketEventHandler for treating WebSocket event handlers as request handlers |
| python/ql/test/library-tests/frameworks/tornado/routing_test.py | Added test class WebSocket extending tornado.websocket.WebSocketHandler with test methods for various WebSocket event handlers and corresponding route setup |
| python/ql/lib/change-notes/2025-11-22-tornado-websockets.md | Added change note documenting the addition of remote flow source models for tornado.websocket.WebSocketHandler |

Contributor

@yoff yoff left a comment

We could possibly do additional modeling like write_message and set_default_headers (perhaps even prepare), but this is still an improvement on its own.


class WebSocket(tornado.websocket.WebSocketHandler):
    def open(self, x): # $ requestHandler routedParameter=x
        self.write_message("WebSocket open {}".format(x))
Contributor

Should we expect # $ HttpResponse here? (and below)

Contributor Author

Possibly it is reasonable to, if write_message should be considered an HttpResponse write.
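
As an added illustration (not part of this pull request and not CodeQL's own code, which is written in QL), the Python sketch below approximates the idea from the overview: on classes that extend tornado.websocket.WebSocketHandler, the non-self parameters of the listed event-handler methods are reported as remote input. The names websocket_sources, EVENT_HANDLERS and SAMPLE are assumptions of this sketch, and it only matches a fully qualified direct base class (no import aliases, no indirect subclasses).

```python
import ast

# Event-handler names taken from the test methods listed in the PR overview.
EVENT_HANDLERS = {"open", "on_message", "on_ping", "on_pong",
                  "select_subprotocol", "check_origin"}

def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def websocket_sources(source):
    """Return sorted (class, method, parameter) triples for handler inputs."""
    found = []
    for cls in ast.walk(ast.parse(source)):
        if not isinstance(cls, ast.ClassDef):
            continue
        bases = {_dotted(base) for base in cls.bases}
        if "tornado.websocket.WebSocketHandler" not in bases:
            continue  # e.g. a plain RequestHandler is out of scope here
        for fn in cls.body:
            is_def = isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef))
            if is_def and fn.name in EVENT_HANDLERS:
                for arg in fn.args.args[1:]:  # skip self
                    found.append((cls.name, fn.name, arg.arg))
    return sorted(found)

# Constructed sample source; it is parsed, never executed or imported.
SAMPLE = '''
class WebSocket(tornado.websocket.WebSocketHandler):
    def open(self, x):
        self.write_message("WebSocket open {}".format(x))
    def on_message(self, message):
        self.write_message(message)
    def helper(self, y):
        pass

class Plain(tornado.web.RequestHandler):
    def open(self, z):
        pass
'''

if __name__ == "__main__":
    for triple in websocket_sources(SAMPLE):
        print(triple)
```
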
