SONARPY-3768 Create rule S8438: Django view functions should declare URL parameters explicitly (#872)

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
GitOrigin-RevId: 3976c172a3fe0f38fbdef787ebf2e8471cc8d84d

Author: 2 people

python-checks/src/main/java/org/sonar/python/checks/FastAPIPathParametersCheck.java

@@ -31,12 +31,11 @@
 import org.sonar.plugins.python.api.tree.Expression;
 import org.sonar.plugins.python.api.tree.FunctionDef;
 import org.sonar.plugins.python.api.tree.Tree;
-import org.sonar.plugins.python.api.types.v2.FunctionType;
-import org.sonar.plugins.python.api.types.v2.ParameterV2;
-import org.sonar.plugins.python.api.types.v2.PythonType;
 import org.sonar.plugins.python.api.types.v2.matchers.TypeMatcher;
 import org.sonar.plugins.python.api.types.v2.matchers.TypeMatchers;
 import org.sonar.python.checks.utils.Expressions;
+import org.sonar.python.checks.utils.FunctionParameterUtils;
+import org.sonar.python.checks.utils.FunctionParameterUtils.FunctionParameterInfo;
 import org.sonar.python.tree.TreeUtils;
 
 @Rule(key = "S8411")
@@ -57,12 +56,6 @@ public class FastAPIPathParametersCheck extends PythonSubscriptionCheck {
         TypeMatchers.isType("fastapi.APIRouter." + method)))
   );
 
-  private record FunctionParameterInfo(Set<String> allParams, Set<String> positionalOnlyParams, boolean hasVariadicKeyword) {
-    static FunctionParameterInfo empty() {
-      return new FunctionParameterInfo(Set.of(), Set.of(), false);
-    }
-  }
-
   @Override
   public void initialize(Context context) {
     context.registerSyntaxNodeConsumer(Tree.Kind.FUNCDEF, FastAPIPathParametersCheck::checkFunction);
@@ -90,7 +83,7 @@ private static void checkDecorator(SubscriptionContext ctx, Decorator decorator,
       return;
     }
 
-    FunctionParameterInfo paramInfo = extractFunctionParameters(functionDef);
+    FunctionParameterInfo paramInfo = FunctionParameterUtils.extractFunctionParameters(functionDef);
     reportIssues(ctx, functionDef, pathParams, paramInfo);
   }
 
@@ -114,54 +107,13 @@ private static Optional<String> extractStringValue(Expression expression) {
       .map(Expressions::unescape);
   }
 
-  private static FunctionParameterInfo extractFunctionParameters(FunctionDef functionDef) {
-    return getFunctionType(functionDef)
-      .map(FastAPIPathParametersCheck::buildParameterInfo)
-      .orElse(FunctionParameterInfo.empty());
-  }
-
-  private static Optional<FunctionType> getFunctionType(FunctionDef functionDef) {
-    PythonType functionType = functionDef.name().typeV2();
-    if (functionType instanceof FunctionType funcType) {
-      return Optional.of(funcType);
-    }
-    return Optional.empty();
-  }
-
-  private static FunctionParameterInfo buildParameterInfo(FunctionType functionType) {
-    Set<String> allParams = new HashSet<>();
-    Set<String> positionalOnlyParams = new HashSet<>();
-    boolean hasVariadicKeyword = functionType.parameters().stream()
-      .anyMatch(param -> param.isVariadic() && param.isKeywordVariadic());
-
-    functionType.parameters().stream()
-      .filter(param -> !param.isVariadic())
-      .forEach(param -> addParameter(param, allParams, positionalOnlyParams));
-
-    return new FunctionParameterInfo(allParams, positionalOnlyParams, hasVariadicKeyword);
-  }
-
-  private static void addParameter(ParameterV2 param, Set<String> allParams, Set<String> positionalOnlyParams) {
-    String paramName = param.name();
-    if (paramName != null) {
-      allParams.add(paramName);
-      if (param.isPositionalOnly()) {
-        positionalOnlyParams.add(paramName);
-      }
-    }
-  }
-
   private static void reportIssues(SubscriptionContext ctx, FunctionDef functionDef, Set<String> pathParams, FunctionParameterInfo paramInfo) {
     pathParams.stream()
-      .filter(param -> isMissingFromSignature(param, paramInfo))
+      .filter(paramInfo::isMissingFromSignature)
       .forEach(param -> ctx.addIssue(functionDef.name(), String.format(MISSING_PARAM_MESSAGE, param)));
 
     pathParams.stream()
-      .filter(paramInfo.positionalOnlyParams::contains)
+      .filter(paramInfo.positionalOnlyParams()::contains)
       .forEach(param -> ctx.addIssue(functionDef.name(), String.format(POSITIONAL_ONLY_MESSAGE, param)));
   }
-
-  private static boolean isMissingFromSignature(String pathParam, FunctionParameterInfo paramInfo) {
-    return !paramInfo.allParams.contains(pathParam) && !paramInfo.hasVariadicKeyword;
-  }
 }

python-checks/src/main/java/org/sonar/python/checks/utils/FunctionParameterUtils.java

@@ -0,0 +1,86 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks.utils;
+
+import java.util.HashSet;
+import java.util.Optional;
+import java.util.Set;
+import org.sonar.plugins.python.api.tree.FunctionDef;
+import org.sonar.plugins.python.api.types.v2.FunctionType;
+import org.sonar.plugins.python.api.types.v2.ParameterV2;
+import org.sonar.plugins.python.api.types.v2.PythonType;
+
+/**
+ * Utility class for extracting function parameter information.
+ * Shared between FastAPIPathParametersCheck and DjangoViewUrlParametersCheck.
+ */
+public final class FunctionParameterUtils {
+
+  private FunctionParameterUtils() {
+    // Utility class
+  }
+
+  /**
+   * Information about a function's parameters for path/URL parameter checks.
+   */
+  public record FunctionParameterInfo(Set<String> allParams, Set<String> positionalOnlyParams, boolean hasVariadicKeyword) {
+    public static FunctionParameterInfo empty() {
+      return new FunctionParameterInfo(Set.of(), Set.of(), false);
+    }
+
+    public boolean isMissingFromSignature(String param) {
+      return !allParams.contains(param) && !hasVariadicKeyword;
+    }
+  }
+
+  public static FunctionParameterInfo extractFunctionParameters(FunctionDef functionDef) {
+    return getFunctionType(functionDef)
+      .map(FunctionParameterUtils::buildParameterInfo)
+      .orElse(FunctionParameterInfo.empty());
+  }
+
+  public static Optional<FunctionType> getFunctionType(FunctionDef functionDef) {
+    PythonType functionType = functionDef.name().typeV2();
+    if (functionType instanceof FunctionType funcType) {
+      return Optional.of(funcType);
+    }
+    return Optional.empty();
+  }
+
+  private static FunctionParameterInfo buildParameterInfo(FunctionType functionType) {
+    Set<String> allParams = new HashSet<>();
+    Set<String> positionalOnlyParams = new HashSet<>();
+    boolean hasVariadicKeyword = functionType.parameters().stream()
+      .anyMatch(param -> param.isVariadic() && param.isKeywordVariadic());
+
+    functionType.parameters().stream()
+      .filter(param -> !param.isVariadic())
+      .forEach(param -> addParameter(param, allParams, positionalOnlyParams));
+
+    return new FunctionParameterInfo(allParams, positionalOnlyParams, hasVariadicKeyword);
+  }
+
+  private static void addParameter(ParameterV2 param, Set<String> allParams, Set<String> positionalOnlyParams) {
+    String paramName = param.name();
+    if (paramName != null) {
+      allParams.add(paramName);
+      if (param.isPositionalOnly()) {
+        positionalOnlyParams.add(paramName);
+      }
+    }
+  }
+}

python-frontend/src/main/java/org/sonar/plugins/python/api/DjangoViewInfo.java

@@ -0,0 +1,45 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.plugins.python.api;
+
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * Holds metadata about a Django view function discovered during project analysis.
+ */
+public record DjangoViewInfo(Set<String> urlPatterns) {
+
+  public DjangoViewInfo {
+    // Defensive copy to ensure immutability
+    urlPatterns = Set.copyOf(urlPatterns);
+  }
+
+  public static DjangoViewInfo withoutPatterns() {
+    return new DjangoViewInfo(Set.of());
+  }
+
+  public static DjangoViewInfo withPattern(String urlPattern) {
+    return new DjangoViewInfo(Set.of(urlPattern));
+  }
+
+  public DjangoViewInfo addPattern(String urlPattern) {
+    var newPatterns = new HashSet<>(urlPatterns);
+    newPatterns.add(urlPattern);
+    return new DjangoViewInfo(newPatterns);
+  }
+}

python-frontend/src/main/java/org/sonar/plugins/python/api/PythonInputFileContext.java

@@ -74,4 +74,8 @@ public File workingDirectory() {
   public SonarProduct sonarProduct() {
     return sonarProduct;
   }
+
+  protected ProjectLevelSymbolTable projectLevelSymbolTable() {
+    return projectLevelSymbolTable;
+  }
 }

python-frontend/src/main/java/org/sonar/plugins/python/api/PythonVisitorContext.java

@@ -124,6 +124,10 @@ public CallGraph callGraph() {
     return callGraph;
   }
 
+  public Optional<DjangoViewInfo> getDjangoViewInfo(String fqn) {
+    return projectLevelSymbolTable().getDjangoViewInfo(fqn);
+  }
+
   public static class Builder {
     private final PythonFile pythonFile;
     private final FileInput rootTree;

python-frontend/src/main/java/org/sonar/plugins/python/api/SubscriptionContext.java

@@ -19,6 +19,7 @@
 import com.google.common.annotations.Beta;
 import java.io.File;
 import java.util.Collection;
+import java.util.Optional;
 import java.util.Set;
 import javax.annotation.CheckForNull;
 import javax.annotation.Nullable;
@@ -76,4 +77,11 @@ public interface SubscriptionContext {
   ProjectConfiguration projectConfiguration();
 
   CallGraph callGraph();
+
+  /**
+   * Returns Django view information for the given fully qualified function name.
+   * @param fqn the fully qualified name of a function
+   * @return Optional containing DjangoViewInfo if the function is a Django view, empty otherwise
+   */
+  Optional<DjangoViewInfo> getDjangoViewInfo(String fqn);
 }

python-frontend/src/main/java/org/sonar/python/SubscriptionVisitor.java

@@ -25,10 +25,12 @@
 import java.util.EnumMap;
 import java.util.HashMap;
 import java.util.List;
+import java.util.Optional;
 import java.util.Set;
 import java.util.function.Consumer;
 import javax.annotation.CheckForNull;
 import javax.annotation.Nullable;
+import org.sonar.plugins.python.api.DjangoViewInfo;
 import org.sonar.plugins.python.api.IssueLocation;
 import org.sonar.plugins.python.api.LocationInFile;
 import org.sonar.plugins.python.api.ProjectPythonVersion;
@@ -207,5 +209,10 @@ public RegexParseResult regexForStringElement(StringElement stringElement, FlagS
       return regexCache.computeIfAbsent(stringElement.hashCode() + "-" + flagSet.getMask(),
         s -> new RegexParser(new PythonAnalyzerRegexSource(stringElement), flagSet).parse());
     }
+
+    @Override
+    public Optional<DjangoViewInfo> getDjangoViewInfo(String fqn) {
+      return pythonVisitorContext.getDjangoViewInfo(fqn);
+    }
   }
 }

python-frontend/src/main/java/org/sonar/python/semantic/FunctionSymbolImpl.java

@@ -24,6 +24,7 @@
 import java.util.Optional;
 import javax.annotation.CheckForNull;
 import javax.annotation.Nullable;
+import org.sonar.plugins.python.api.DjangoViewInfo;
 import org.sonar.plugins.python.api.LocationInFile;
 import org.sonar.plugins.python.api.PythonFile;
 import org.sonar.plugins.python.api.symbols.FunctionSymbol;
@@ -64,7 +65,8 @@ public class FunctionSymbolImpl extends SymbolImpl implements FunctionSymbol {
   private Symbol owner;
   private static final String CLASS_METHOD_DECORATOR = "classmethod";
   private static final String STATIC_METHOD_DECORATOR = "staticmethod";
-  private boolean isDjangoView = false;
+  @Nullable
+  private DjangoViewInfo djangoViewInfo = null;
   private boolean hasReadDeclaredReturnType = false;
 
   FunctionSymbolImpl(FunctionDef functionDef, @Nullable String fullyQualifiedName, PythonFile pythonFile) {
@@ -121,7 +123,6 @@ public FunctionSymbolImpl(SymbolsProtos.FunctionSymbol functionSymbolProto, @Nul
     functionDefinitionLocation = null;
     declaredReturnType = anyType();
     isStub = true;
-    isDjangoView = false;
     this.validForPythonVersions = new HashSet<>(validFor);
   }
 
@@ -168,7 +169,7 @@ public void addParameter(ParameterImpl parameter) {
       declaredReturnType = functionSymbolImpl.declaredReturnType();
     }
     isStub = functionSymbol.isStub();
-    isDjangoView = functionSymbolImpl.isDjangoView();
+    djangoViewInfo = functionSymbolImpl.djangoViewInfo;
     validForPythonVersions = functionSymbolImpl.validForPythonVersions;
 
   }
@@ -361,11 +362,11 @@ public void setOwner(Symbol owner) {
   }
 
   public boolean isDjangoView() {
-    return isDjangoView;
+    return djangoViewInfo != null;
   }
 
-  public void setIsDjangoView(boolean isDjangoView) {
-    this.isDjangoView = isDjangoView;
+  public void setDjangoViewInfo(@Nullable DjangoViewInfo djangoViewInfo) {
+    this.djangoViewInfo = djangoViewInfo;
   }
 
   public static class ParameterImpl implements Parameter {