python: require local protection to be absent

for CSRF to be likely
2026-05-04 21:25:44 +02:00 · 2022-03-22 13:42:52 +01:00
parent f5b53083ae
commit 0f2c21c8bd
4 changed files with 59 additions and 3 deletions
--- a/python/ql/lib/semmle/python/Concepts.qll
+++ b/python/ql/lib/semmle/python/Concepts.qll
@@ -106,7 +106,8 @@ module FileSystemWriteAccess {
 }

 /**
- * A data-flow node that may set or unset Cross-site request forgery protection.
+ * A data-flow node that may set or unset Cross-site request forgery protection
+ * in a global manner.
 *
 * Extend this class to refine existing API models. If you want to model new APIs,
 * extend `CSRFProtectionSetting::Range` instead.
@@ -122,7 +123,8 @@ class CSRFProtectionSetting extends DataFlow::Node instanceof CSRFProtectionSett
 /** Provides a class for modeling new CSRF protection setting APIs. */
 module CSRFProtectionSetting {
  /**
-   * A data-flow node that may set or unset Cross-site request forgery protection.
+   * A data-flow node that may set or unset Cross-site request forgery protection
+   * in a global manner.
   *
   * Extend this class to model new APIs. If you want to refine existing API models,
   * extend `CSRFProtectionSetting` instead.
@@ -136,6 +138,39 @@ module CSRFProtectionSetting {
  }
 }

+/**
+ * A data-flow node that provides Cross-site request forgery protection
+ * for a specific part of an application.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `CSRFProtection::Range` instead.
+ */
+class CSRFProtection extends DataFlow::Node instanceof CSRFProtection::Range {
+  /**
+   * Gets a `Function` representing the protected interaction
+   * (probably a request handler).
+   */
+  Function getProtected() { result = super.getProtected() }
+}
+
+/** Provides a class for modeling new CSRF protection setting APIs. */
+module CSRFProtection {
+  /**
+   * A data-flow node that provides Cross-site request forgery protection
+   * for a specific part of an application.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `CSRFProtection` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /**
+     * Gets a `Function` representing the protected interaction
+     * (probably a request handler).
+     */
+    abstract Function getProtected();
+  }
+}
+
 /** Provides classes for modeling path-related APIs. */
 module Path {
  /**
--- a/python/ql/lib/semmle/python/frameworks/Django.qll
+++ b/python/ql/lib/semmle/python/frameworks/Django.qll
@@ -2346,3 +2346,20 @@ module PrivateDjango {
    }
  }
 }
+
+private class DjangoCSRFDecorator extends CSRFProtection::Range {
+  Function function;
+
+  DjangoCSRFDecorator() {
+    this =
+      API::moduleImport("django")
+          .getMember("views")
+          .getMember("decorators")
+          .getMember("csrf")
+          .getMember("csrf_protect")
+          .getAUse() and
+    this.asExpr() = function.getADecorator()
+  }
+
+  override Function getProtected() { result = function }
+}