SONARPY-3612 Rule S6863 Flask error handlers should set HTTP status code (#819)

GitOrigin-RevId: 747a09fb93c42aa56d835e8469ee17c0ae1a99ce

Author: guillaume-dequenne

python-checks/src/main/java/org/sonar/python/checks/FlaskErrorHandlerStatusCheck.java

@@ -0,0 +1,201 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Optional;
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.PythonSubscriptionCheck;
+import org.sonar.plugins.python.api.SubscriptionContext;
+import org.sonar.plugins.python.api.symbols.v2.SymbolV2;
+import org.sonar.plugins.python.api.symbols.v2.UsageV2;
+import org.sonar.plugins.python.api.tree.BaseTreeVisitor;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonar.plugins.python.api.tree.Decorator;
+import org.sonar.plugins.python.api.tree.Expression;
+import org.sonar.plugins.python.api.tree.FunctionDef;
+import org.sonar.plugins.python.api.tree.Name;
+import org.sonar.plugins.python.api.tree.QualifiedExpression;
+import org.sonar.plugins.python.api.tree.ReturnStatement;
+import org.sonar.plugins.python.api.tree.Tree;
+import org.sonar.plugins.python.api.tree.Tuple;
+import org.sonar.plugins.python.api.types.v2.matchers.TypeMatchers;
+import org.sonar.python.checks.utils.Expressions;
+import org.sonar.python.tree.TreeUtils;
+
+@Rule(key = "S6863")
+public class FlaskErrorHandlerStatusCheck extends PythonSubscriptionCheck {
+
+  private static final String MESSAGE = "Specify an explicit HTTP status code for this error handler.";
+
+  private static final String FLASK_APP_ERRORHANDLER_FQN = "flask.app.Flask.errorhandler";
+  private static final String BLUEPRINT_ERRORHANDLER_FQN = "flask.blueprints.Blueprint.errorhandler";
+  private static final String BLUEPRINT_APP_ERRORHANDLER_FQN = "flask.blueprints.Blueprint.app_errorhandler";
+
+  private static final String JSONIFY_FQN = "flask.json.jsonify";
+  private static final String RENDER_TEMPLATE_FQN = "flask.templating.render_template";
+  private static final String RENDER_TEMPLATE_STRING_FQN = "flask.templating.render_template_string";
+  private static final String MAKE_RESPONSE_FQN = "flask.helpers.make_response";
+  private static final String RESPONSE_FQN = "flask.wrappers.Response";
+
+  @Override
+  public void initialize(Context context) {
+    context.registerSyntaxNodeConsumer(Tree.Kind.FUNCDEF, FlaskErrorHandlerStatusCheck::checkErrorHandler);
+  }
+
+  private static void checkErrorHandler(SubscriptionContext ctx) {
+    FunctionDef functionDef = (FunctionDef) ctx.syntaxNode();
+    if (!isErrorHandlerFunction(functionDef, ctx)) {
+      return;
+    }
+    checkFunctionReturns(ctx, functionDef);
+  }
+
+  private static void checkFunctionReturns(SubscriptionContext ctx, FunctionDef functionDef) {
+    ReturnStatementVisitor visitor = new ReturnStatementVisitor(ctx);
+    functionDef.body().accept(visitor);
+    visitor.getProblematicReturns().forEach(returnStmt ->
+      ctx.addIssue(returnStmt, MESSAGE)
+    );
+  }
+
+  private static boolean isErrorHandlerFunction(FunctionDef functionDef, SubscriptionContext ctx) {
+    return functionDef.decorators().stream()
+      .anyMatch(decorator -> isErrorHandlerDecorator(decorator, ctx));
+  }
+
+  private static boolean isErrorHandlerDecorator(Decorator decorator, SubscriptionContext ctx) {
+    Expression expression = decorator.expression();
+    if (!(expression instanceof CallExpression callExpr)) {
+      return false;
+    }
+    return TypeMatchers.any(
+      TypeMatchers.isType(FLASK_APP_ERRORHANDLER_FQN),
+      TypeMatchers.isType(BLUEPRINT_ERRORHANDLER_FQN),
+      TypeMatchers.isType(BLUEPRINT_APP_ERRORHANDLER_FQN)
+    ).isTrueFor(callExpr.callee(), ctx);
+  }
+
+  private static class ReturnStatementVisitor extends BaseTreeVisitor {
+    private final SubscriptionContext ctx;
+    private final List<ReturnStatement> problematicReturns = new ArrayList<>();
+
+    public ReturnStatementVisitor(SubscriptionContext ctx) {
+      this.ctx = ctx;
+    }
+
+    @Override
+    public void visitReturnStatement(ReturnStatement returnStatement) {
+      List<Expression> expressions = returnStatement.expressions();
+
+      if (expressions.isEmpty()) {
+        problematicReturns.add(returnStatement);
+        return;
+      }
+
+      if (expressions.size() >= 2) {
+        // Has status code
+        return;
+      }
+
+      Expression returnValue = expressions.get(0);
+
+      checkReturnedValue(returnStatement, returnValue);
+    }
+
+    private void checkReturnedValue(ReturnStatement returnStatement, Expression returnValue) {
+      if (returnValue.is(Tree.Kind.NAME)) {
+        Name nameExpr = (Name) returnValue;
+
+        // Check if status_code is set on this variable via attribute assignment
+        if (hasStatusCodeSet(nameExpr)) {
+          return;
+        }
+
+        Optional<Expression> assignedValue = Expressions.singleAssignedNonNameValue(nameExpr);
+        if (assignedValue.isEmpty()) {
+          return;
+        }
+
+        returnValue = assignedValue.get();
+        if (returnValue instanceof Tuple tuple && tuple.elements().size() >= 2) {
+          return;
+        }
+      }
+
+      if (returnValue instanceof CallExpression callExpr) {
+        if (isProblematicFlaskFunction(callExpr)) {
+          problematicReturns.add(returnStatement);
+        }
+        return;
+      }
+
+      problematicReturns.add(returnStatement);
+    }
+
+    private boolean isProblematicFlaskFunction(CallExpression callExpr) {
+      // Functions that don't create proper Response objects
+      if (TypeMatchers.any(
+        TypeMatchers.isType(JSONIFY_FQN),
+        TypeMatchers.isType(RENDER_TEMPLATE_FQN),
+        TypeMatchers.isType(RENDER_TEMPLATE_STRING_FQN)
+      ).isTrueFor(callExpr.callee(), ctx)) {
+        return true;
+      }
+
+      // make_response and Response can have status as second positional arg or 'status' kwarg
+      if (TypeMatchers.any(
+        TypeMatchers.isType(MAKE_RESPONSE_FQN),
+        TypeMatchers.isType(RESPONSE_FQN)
+      ).isTrueFor(callExpr.callee(), ctx)) {
+        return TreeUtils.nthArgumentOrKeyword(1, "status", callExpr.arguments()) == null;
+      }
+
+      return false;
+    }
+
+    @Override
+    public void visitFunctionDef(FunctionDef pyFunctionDefTree) {
+      // Don't visit nested functions
+    }
+
+    public List<ReturnStatement> getProblematicReturns() {
+      return problematicReturns;
+    }
+
+    /**
+     * Check if status_code is set on the given variable via attribute assignment.
+     * Example: response.status_code = 404
+     */
+    private static boolean hasStatusCodeSet(Name nameExpr) {
+      SymbolV2 symbol = nameExpr.symbolV2();
+      if (symbol == null) {
+        return false;
+      }
+
+      return symbol.usages().stream()
+        .map(UsageV2::tree)
+        .filter(Name.class::isInstance)
+        .map(Tree::parent)
+        .filter(QualifiedExpression.class::isInstance)
+        .map(QualifiedExpression.class::cast)
+        .filter(qualifiedExpr -> "status_code".equals(qualifiedExpr.name().name()))
+        .anyMatch(qualifiedExpr -> TreeUtils.firstAncestorOfKind(qualifiedExpr, Tree.Kind.ASSIGNMENT_STMT) != null);
+    }
+  }
+}

python-checks/src/main/java/org/sonar/python/checks/OpenSourceCheckList.java

@@ -233,6 +233,7 @@ public Stream<Class<?>> getChecks() {
       FilePermissionsCheck.class,
       FileHeaderCopyrightCheck.class,
       FixmeCommentCheck.class,
+      FlaskErrorHandlerStatusCheck.class,
       FlaskHardCodedJWTSecretKeyCheck.class,
       FlaskHardCodedSecretKeyCheck.class,
       FlaskHeadersDictAccessCheck.class,

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6863.html

@@ -0,0 +1,62 @@
+<p>This is an issue when a Flask error handler returns a response without explicitly specifying the HTTP status code.</p>
+<h2>Why is this an issue?</h2>
+<p>Flask error handlers do not automatically set the HTTP status code based on the error type they handle. When you register an error handler with
+<code>@app.errorhandler(404)</code>, Flask does not automatically return a 404 status code from that handler.</p>
+<p>Instead, Flask will return a 200 OK status code by default, unless you explicitly specify the correct status code in the response. This creates a
+mismatch between the intended error condition and the actual HTTP response.</p>
+<p>This behavior can break client applications that rely on HTTP status codes to handle different error scenarios. For example, a client expecting a
+404 status code to handle "not found" cases will not work correctly if the server returns 200 OK instead.</p>
+<p>The Flask documentation explicitly states: "The status code of the response will not be set to the handler’s code. Make sure to provide the
+appropriate HTTP status code when returning a response from a handler."</p>
+<h3>What is the potential impact?</h3>
+<p>Client applications may not handle errors correctly, leading to unexpected behavior. API consumers might not recognize error conditions, and
+automated tools or frameworks that depend on proper HTTP status codes may malfunction.</p>
+<h2>How to fix it in Flask</h2>
+<p>Add the appropriate HTTP status code as a second element in the return tuple. The status code should match the error type handled by the
+decorator.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+@app.errorhandler(404)
+def page_not_found(e):
+    return render_template('404.html')  # Noncompliant
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+@app.errorhandler(404)
+def page_not_found(e):
+    return render_template('404.html'), 404
+</pre>
+<p>For error handlers returning JSON responses, also include the status code explicitly.</p>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="2" data-diff-type="noncompliant">
+@app.errorhandler(500)
+def internal_error(e):
+    return jsonify(error="Internal server error")  # Noncompliant
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="2" data-diff-type="compliant">
+@app.errorhandler(500)
+def internal_error(e):
+    return jsonify(error="Internal server error"), 500
+</pre>
+<p>When using <code>register_error_handler()</code>, the same principle applies - always specify the status code.</p>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="3" data-diff-type="noncompliant">
+def handle_bad_request(e):
+    return 'Bad request!'  # Noncompliant
+
+app.register_error_handler(400, handle_bad_request)
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="3" data-diff-type="compliant">
+def handle_bad_request(e):
+    return 'Bad request!', 400
+
+app.register_error_handler(400, handle_bad_request)
+</pre>
+<h2>Resources</h2>
+<h3>Documentation</h3>
+<p>Flask Error Handling Documentation - <a href="https://flask.palletsprojects.com/en/stable/errorhandling/">Official Flask documentation on handling
+application errors and registering error handlers</a></p>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6863.json

@@ -0,0 +1,24 @@
+{
+  "title": "Flask error handlers should set HTTP status code",
+  "type": "BUG",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+    "flask",
+    "best-practice"
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-6863",
+  "sqKey": "S6863",
+  "scope": "Main",
+  "quickfix": "infeasible",
+  "code": {
+    "impacts": {
+      "RELIABILITY": "MEDIUM"
+    },
+    "attribute": "DISTINCT"
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -233,6 +233,7 @@
     "S6795",
     "S6796",
     "S6799",
+    "S6863",
     "S6882",
     "S6883",
     "S6887",

python-checks/src/test/java/org/sonar/python/checks/FlaskErrorHandlerStatusCheckTest.java

@@ -0,0 +1,28 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks;
+
+import org.junit.jupiter.api.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+class FlaskErrorHandlerStatusCheckTest {
+
+  @Test
+  void test() {
+    PythonCheckVerifier.verify("src/test/resources/checks/flaskErrorHandlerStatus.py", new FlaskErrorHandlerStatusCheck());
+  }
+}