hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 01:33:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

Python: Add file-like modeling to werkzeug FileStorage

Browse Source
This commit is contained in:
Rasmus Wriedt Larsen
2021-07-20 11:09:02 +02:00
parent 5f5c0b11c7
commit 04190ea308
2 changed files with 18 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
python/ql/src/semmle/python/frameworks/Werkzeug.qll
View File

@@ -9,6 +9,7 @@ private import python
private import semmle.python.dataflow.new.DataFlow
private import semmle.python.dataflow.new.TaintTracking
private import semmle.python.ApiGraphs
private import semmle.python.frameworks.Stdlib
/**
* Provides models for the `Werkzeug` PyPI package.
@@ -107,6 +108,21 @@ module Werkzeug {
)
}
}
/** A file-like object instance that originates from a `FileStorage`. */
class FileStorageFileLikeInstances extends Stdlib::FileLikeObject::InstanceSource {
FileStorageFileLikeInstances() {
this.(DataFlow::AttrRead).accesses(instance(), "stream")
or
// All the attributes of the wrapper stream are proxied by the file storage
// so its possible to do storage.read() instead of the long form
// storage.stream.read().
//
// due to the `InstanceSourceApiNode` stuff, we can't just make
// `InstanceSource` extend `Stdlib::FileLikeObject::InstanceSource`
this = any(InstanceSourceApiNode api).getAnImmediateUse()
}
}
}
}
}