Merge branch 'main' into python-cookie-concept-promote

2026-04-29 02:35:15 +02:00 · 2024-07-29 10:26:03 +01:00
parent d997eee6e6 58689c90fb
commit 1127b08635
302 changed files with 78830 additions and 1821 deletions
--- a/python/ql/lib/CHANGELOG.md
+++ b/python/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 1.0.4
+
+### Minor Analysis Improvements
+
+* Additional modelling to detect direct writes to the `Set-Cookie` header has been added for several web frameworks.
+
 ## 1.0.3

 ### Minor Analysis Improvements
--- a/python/ql/lib/change-notes/2024-06-24-cookie-header-writes.md
+++ b/python/ql/lib/change-notes/2024-06-24-cookie-header-writes.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Additional modelling has been added to detect cookie writes from direct writes to the `Set-Cookie` header have been added for several web frameworks.
--- a/python/ql/lib/change-notes/released/1.0.4.md
+++ b/python/ql/lib/change-notes/released/1.0.4.md
@@ -0,0 +1,5 @@
+## 1.0.4
+
+### Minor Analysis Improvements
+
+* Additional modelling to detect direct writes to the `Set-Cookie` header has been added for several web frameworks.
--- a/python/ql/lib/codeql-pack.release.yml
+++ b/python/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.3
+lastReleaseVersion: 1.0.4
--- a/python/ql/lib/qlpack.yml
+++ b/python/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-all
-version: 1.0.4-dev
+version: 1.0.5-dev
 groups: python
 dbscheme: semmlecode.python.dbscheme
 extractor: python
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
@@ -534,7 +534,7 @@ newtype TDataFlowType = TAnyFlow()

 class DataFlowType extends TDataFlowType {
  /** Gets a textual representation of this element. */
-  string toString() { result = "DataFlowType" }
+  string toString() { result = "" }
 }

 /** A node that performs a type cast. */
@@ -578,9 +578,6 @@ DataFlowType getNodeType(Node node) {
  exists(node)
 }

-/** Gets a string representation of a type returned by `getErasedRepr`. */
-string ppReprType(DataFlowType t) { none() }
-
 //--------
 // Extra flow
 //--------
--- a/python/ql/lib/semmle/python/security/dataflow/CookieInjectionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/CookieInjectionCustomizations.qll
@@ -0,0 +1,48 @@
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "cookie injection"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.RemoteFlowSources
+
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "cookie injection"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+module CookieInjection {
+  /**
+   * A data flow source for "cookie injection" vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for "cookie injection" vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for "cookie injection" vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A source of remote user input, considered as a flow source.
+   */
+  class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
+
+  /**
+   * A write to a cookie, considered as a sink.
+   */
+  class CookieWriteSink extends Sink {
+    CookieWriteSink() {
+      exists(Http::Server::CookieWrite cw |
+        this = [cw.getNameArg(), cw.getValueArg(), cw.getHeaderArg()]
+      )
+    }
+  }
+}
--- a/python/ql/lib/semmle/python/security/dataflow/CookieInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/CookieInjectionQuery.qll
@@ -0,0 +1,26 @@
+/**
+ * Provides a taint-tracking configuration for detecting "cookie injection" vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `CookieInjectionFlow` is needed, otherwise
+ * `CookieInjectionCustomizations` should be imported instead.
+ */
+
+private import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import CookieInjectionCustomizations::CookieInjection
+
+/**
+ * A taint-tracking configuration for detecting "cookie injection" vulnerabilities.
+ */
+module CookieInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "cookie injection" vulnerabilities. */
+module CookieInjectionFlow = TaintTracking::Global<CookieInjectionConfig>;