mirror of
https://github.com/github/codeql.git
synced 2026-04-30 11:15:13 +02:00
Merge pull request #2603 from RasmusWL/python-fix-http-source-sink
Python: Make web libs use HttpRequestTaintSource and HttpResponseTaintSink
This commit is contained in:
Taus
@@ -21,7 +21,7 @@ class BottleRequestKind extends TaintKind {
|
||||
}
|
||||
}
|
||||
|
||||
private class RequestSource extends TaintSource {
|
||||
private class RequestSource extends HttpRequestTaintSource {
|
||||
RequestSource() { this.(ControlFlowNode).pointsTo(theBottleRequestObject()) }
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) { kind instanceof BottleRequestKind }
|
||||
@@ -69,7 +69,7 @@ class UntrustedFile extends TaintKind {
|
||||
// Move UntrustedFile to shared location
|
||||
//
|
||||
/** Parameter to a bottle request handler function */
|
||||
class BottleRequestParameter extends TaintSource {
|
||||
class BottleRequestParameter extends HttpRequestTaintSource {
|
||||
BottleRequestParameter() {
|
||||
exists(BottleRoute route | route.getNamedArgument() = this.(ControlFlowNode).getNode())
|
||||
}
|
||||
|
||||
@@ -25,7 +25,7 @@ class CherryPyRequest extends TaintKind {
|
||||
}
|
||||
}
|
||||
|
||||
class CherryPyExposedFunctionParameter extends TaintSource {
|
||||
class CherryPyExposedFunctionParameter extends HttpRequestTaintSource {
|
||||
CherryPyExposedFunctionParameter() {
|
||||
exists(Parameter p |
|
||||
p = any(CherryPyExposedFunction f).getAnArg() and
|
||||
@@ -39,7 +39,7 @@ class CherryPyExposedFunctionParameter extends TaintSource {
|
||||
override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
|
||||
class CherryPyRequestSource extends TaintSource {
|
||||
class CherryPyRequestSource extends HttpRequestTaintSource {
|
||||
CherryPyRequestSource() { this.(ControlFlowNode).pointsTo(Value::named("cherrypy.request")) }
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) { kind instanceof CherryPyRequest }
|
||||
|
||||
@@ -18,8 +18,8 @@ private ClassValue theDjangoHttpResponseClass() {
|
||||
not result = theDjangoHttpRedirectClass()
|
||||
}
|
||||
|
||||
/** Instantiation of a django response. */
|
||||
class DjangoResponseSource extends TaintSource {
|
||||
/** internal class used for tracking a django response. */
|
||||
private class DjangoResponseSource extends TaintSource {
|
||||
DjangoResponseSource() {
|
||||
exists(ClassValue cls |
|
||||
cls.getASuperType() = theDjangoHttpResponseClass() and
|
||||
|
||||
@@ -35,7 +35,7 @@ class FalconRequest extends TaintKind {
|
||||
}
|
||||
}
|
||||
|
||||
class FalconRequestParameter extends TaintSource {
|
||||
class FalconRequestParameter extends HttpRequestTaintSource {
|
||||
FalconRequestParameter() {
|
||||
exists(FalconHandlerFunction f | f.getRequest() = this.(ControlFlowNode).getNode())
|
||||
}
|
||||
|
||||
@@ -9,7 +9,8 @@ class FalconResponse extends TaintKind {
|
||||
FalconResponse() { this = "falcon.response" }
|
||||
}
|
||||
|
||||
class FalconResponseParameter extends TaintSource {
|
||||
/** Only used internally to track the response parameter */
|
||||
private class FalconResponseParameter extends TaintSource {
|
||||
FalconResponseParameter() {
|
||||
exists(FalconHandlerFunction f | f.getResponse() = this.(ControlFlowNode).getNode())
|
||||
}
|
||||
|
||||
@@ -47,7 +47,7 @@ class FlaskRequestArgs extends HttpRequestTaintSource {
|
||||
}
|
||||
|
||||
/** Source of dictionary whose values are externally controlled */
|
||||
class FlaskRequestJson extends TaintSource {
|
||||
class FlaskRequestJson extends HttpRequestTaintSource {
|
||||
FlaskRequestJson() { flask_request_attr(this, "json") }
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalJsonKind }
|
||||
|
||||
@@ -11,7 +11,7 @@ class PyramidRequest extends BaseWebobRequest {
|
||||
}
|
||||
|
||||
/** Source of pyramid request objects */
|
||||
class PyramidViewArgument extends TaintSource {
|
||||
class PyramidViewArgument extends HttpRequestTaintSource {
|
||||
PyramidViewArgument() {
|
||||
exists(Function view_func |
|
||||
is_pyramid_view_function(view_func) and
|
||||
|
||||
@@ -13,14 +13,16 @@ import Tornado
|
||||
/**
|
||||
* Represents an argument to the `tornado.redirect` function.
|
||||
*/
|
||||
class TornadoRedirect extends HttpRedirectTaintSink {
|
||||
override string toString() { result = "tornado.redirect" }
|
||||
class TornadoHttpRequestHandlerRedirect extends HttpRedirectTaintSink {
|
||||
override string toString() { result = "tornado.HttpRequestHandler.redirect" }
|
||||
|
||||
TornadoRedirect() {
|
||||
TornadoHttpRequestHandlerRedirect() {
|
||||
exists(CallNode call, ControlFlowNode node |
|
||||
node = call.getFunction().(AttrNode).getObject("redirect") and
|
||||
isTornadoRequestHandlerInstance(node) and
|
||||
this = call.getAnArg()
|
||||
this = call.getArg(0)
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof StringKind }
|
||||
}
|
||||
|
||||
@@ -30,7 +30,7 @@ class TornadoRequest extends TaintKind {
|
||||
}
|
||||
}
|
||||
|
||||
class TornadoRequestSource extends TaintSource {
|
||||
class TornadoRequestSource extends HttpRequestTaintSource {
|
||||
TornadoRequestSource() { isTornadoRequestHandlerInstance(this.(AttrNode).getObject("request")) }
|
||||
|
||||
override string toString() { result = "Tornado request source" }
|
||||
@@ -38,7 +38,7 @@ class TornadoRequestSource extends TaintSource {
|
||||
override predicate isSourceOf(TaintKind kind) { kind instanceof TornadoRequest }
|
||||
}
|
||||
|
||||
class TornadoExternalInputSource extends TaintSource {
|
||||
class TornadoExternalInputSource extends HttpRequestTaintSource {
|
||||
TornadoExternalInputSource() {
|
||||
exists(string name |
|
||||
name = "get_argument" or
|
||||
@@ -55,7 +55,7 @@ class TornadoExternalInputSource extends TaintSource {
|
||||
override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
|
||||
class TornadoExternalInputListSource extends TaintSource {
|
||||
class TornadoExternalInputListSource extends HttpRequestTaintSource {
|
||||
TornadoExternalInputListSource() {
|
||||
exists(string name |
|
||||
name = "get_arguments" or
|
||||
|
||||
@@ -24,11 +24,8 @@ class TornadoConnectionWrite extends HttpResponseTaintSink {
|
||||
TornadoConnectionWrite() {
|
||||
exists(CallNode call, ControlFlowNode conn |
|
||||
conn = call.getFunction().(AttrNode).getObject("write") and
|
||||
this = call.getAnArg()
|
||||
|
|
||||
this = call.getAnArg() and
|
||||
exists(TornadoConnection tc | tc.taints(conn))
|
||||
or
|
||||
isTornadoRequestHandlerInstance(conn)
|
||||
)
|
||||
}
|
||||
|
||||
@@ -36,27 +33,13 @@ class TornadoConnectionWrite extends HttpResponseTaintSink {
|
||||
}
|
||||
|
||||
class TornadoHttpRequestHandlerWrite extends HttpResponseTaintSink {
|
||||
override string toString() { result = "tornado.HttpRequesHandler.write" }
|
||||
override string toString() { result = "tornado.HttpRequestHandler.write" }
|
||||
|
||||
TornadoHttpRequestHandlerWrite() {
|
||||
exists(CallNode call, ControlFlowNode node |
|
||||
node = call.getFunction().(AttrNode).getObject("write") and
|
||||
isTornadoRequestHandlerInstance(node) and
|
||||
this = call.getAnArg()
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof StringKind }
|
||||
}
|
||||
|
||||
class TornadoHttpRequestHandlerRedirect extends HttpResponseTaintSink {
|
||||
override string toString() { result = "tornado.HttpRequesHandler.redirect" }
|
||||
|
||||
TornadoHttpRequestHandlerRedirect() {
|
||||
exists(CallNode call, ControlFlowNode node |
|
||||
node = call.getFunction().(AttrNode).getObject("redirect") and
|
||||
isTornadoRequestHandlerInstance(node) and
|
||||
this = call.getArg(0)
|
||||
this = call.getAnArg() and
|
||||
isTornadoRequestHandlerInstance(node)
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
import python
|
||||
import semmle.python.security.strings.Untrusted
|
||||
import semmle.python.web.Http
|
||||
import TurboGears
|
||||
|
||||
private class ValidatedMethodParameter extends Parameter {
|
||||
@@ -11,7 +12,7 @@ private class ValidatedMethodParameter extends Parameter {
|
||||
}
|
||||
}
|
||||
|
||||
class UnvalidatedControllerMethodParameter extends TaintSource {
|
||||
class UnvalidatedControllerMethodParameter extends HttpRequestTaintSource {
|
||||
UnvalidatedControllerMethodParameter() {
|
||||
exists(Parameter p |
|
||||
any(TurboGearsControllerMethod m | not m.getName() = "onerror").getAnArg() = p and
|
||||
|
||||
@@ -5,6 +5,8 @@ import semmle.python.web.Http
|
||||
import TurboGears
|
||||
|
||||
class ControllerMethodReturnValue extends HttpResponseTaintSink {
|
||||
override string toString() { result = "TurboGears ControllerMethodReturnValue" }
|
||||
|
||||
ControllerMethodReturnValue() {
|
||||
exists(TurboGearsControllerMethod m |
|
||||
m.getAReturnValueFlowNode() = this and
|
||||
@@ -16,6 +18,8 @@ class ControllerMethodReturnValue extends HttpResponseTaintSink {
|
||||
}
|
||||
|
||||
class ControllerMethodTemplatedReturnValue extends HttpResponseTaintSink {
|
||||
override string toString() { result = "TurboGears ControllerMethodTemplatedReturnValue" }
|
||||
|
||||
ControllerMethodTemplatedReturnValue() {
|
||||
exists(TurboGearsControllerMethod m |
|
||||
m.getAReturnValueFlowNode() = this and
|
||||
|
||||
@@ -26,7 +26,7 @@ class TwistedRequest extends TaintKind {
|
||||
}
|
||||
}
|
||||
|
||||
class TwistedRequestSource extends TaintSource {
|
||||
class TwistedRequestSource extends HttpRequestTaintSource {
|
||||
TwistedRequestSource() { isTwistedRequestInstance(this) }
|
||||
|
||||
override string toString() { result = "Twisted request source" }
|
||||
|
||||
@@ -5,9 +5,9 @@ import semmle.python.security.strings.Basic
|
||||
import Twisted
|
||||
import Request
|
||||
|
||||
class TwistedResponse extends TaintSink {
|
||||
class TwistedResponse extends HttpResponseTaintSink {
|
||||
TwistedResponse() {
|
||||
exists(PythonFunctionValue func, string name, Return ret |
|
||||
exists(PythonFunctionValue func, string name |
|
||||
isKnownRequestHandlerMethodName(name) and
|
||||
name = func.getName() and
|
||||
func = getTwistedRequestHandlerMethod(name) and
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
| test.py:9:12:9:26 | bottle handler function result | externally controlled string |
|
||||
| test.py:13:12:13:24 | bottle handler function result | externally controlled string |
|
||||
| test.py:19:12:19:33 | bottle handler function result | externally controlled string |
|
||||
| test.py:36:21:36:51 | Taint sink | externally controlled string |
|
||||
@@ -0,0 +1,7 @@
|
||||
import python
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from HttpResponseTaintSink sink, TaintKind kind
|
||||
where sink.sinks(kind)
|
||||
select sink, kind
|
||||
@@ -0,0 +1,8 @@
|
||||
| ../../../query-tests/Security/lib/bottle.py:64:11:64:24 | LocalRequest() | bottle.request |
|
||||
| test.py:3:35:3:41 | ImportMember | bottle.request |
|
||||
| test.py:8:11:8:14 | name | externally controlled string |
|
||||
| test.py:12:9:12:12 | name | externally controlled string |
|
||||
| test.py:18:12:18:18 | request | bottle.request |
|
||||
| test.py:27:12:27:16 | where | externally controlled string |
|
||||
| test.py:32:14:32:20 | request | bottle.request |
|
||||
| test.py:36:34:36:40 | request | bottle.request |
|
||||
7
python/ql/test/library-tests/web/bottle/HttpSources.ql
Normal file
7
python/ql/test/library-tests/web/bottle/HttpSources.ql
Normal file
@@ -0,0 +1,7 @@
|
||||
import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from HttpRequestTaintSource source, TaintKind kind
|
||||
where source.isSourceOf(kind)
|
||||
select source.(ControlFlowNode).getNode(), kind
|
||||
@@ -1,7 +1,5 @@
|
||||
import python
|
||||
|
||||
import semmle.python.web.bottle.General
|
||||
|
||||
from BottleRoute route
|
||||
|
||||
select route.getUrl(), route.getFunction()
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
| test.py:9 | BinaryExpr | externally controlled string |
|
||||
| test.py:13 | BinaryExpr | externally controlled string |
|
||||
| test.py:19 | BinaryExpr | externally controlled string |
|
||||
| test.py:36 | BinaryExpr | externally controlled string |
|
||||
@@ -1,10 +0,0 @@
|
||||
|
||||
import python
|
||||
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from TaintSink sink, TaintKind kind
|
||||
where sink.sinks(kind)
|
||||
select sink.getLocation().toString(), sink.(ControlFlowNode).getNode().toString(), kind
|
||||
@@ -1,8 +0,0 @@
|
||||
| ../../../query-tests/Security/lib/bottle.py:64 | LocalRequest() | bottle.request |
|
||||
| test.py:3 | ImportMember | bottle.request |
|
||||
| test.py:8 | name | externally controlled string |
|
||||
| test.py:12 | name | externally controlled string |
|
||||
| test.py:18 | request | bottle.request |
|
||||
| test.py:27 | where | externally controlled string |
|
||||
| test.py:32 | request | bottle.request |
|
||||
| test.py:36 | request | bottle.request |
|
||||
@@ -1,10 +0,0 @@
|
||||
|
||||
import python
|
||||
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
|
||||
from TaintSource src, TaintKind kind
|
||||
where src.isSourceOf(kind) and not kind.matches("tornado%")
|
||||
select src.getLocation().toString(), src.(ControlFlowNode).getNode().toString(), kind
|
||||
@@ -1,13 +1,7 @@
|
||||
|
||||
import python
|
||||
|
||||
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
|
||||
from TaintedNode node
|
||||
|
||||
select node.getLocation().toString(), node.getAstNode().toString(), node.getTaintKind()
|
||||
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
| red.py:8:16:8:20 | cherrypy handler function result | externally controlled string |
|
||||
| test.py:11:16:11:29 | cherrypy handler function result | externally controlled string |
|
||||
| test.py:17:16:17:27 | cherrypy handler function result | externally controlled string |
|
||||
@@ -0,0 +1,7 @@
|
||||
import python
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from HttpResponseTaintSink sink, TaintKind kind
|
||||
where sink.sinks(kind)
|
||||
select sink, kind
|
||||
@@ -0,0 +1,3 @@
|
||||
| ../../../query-tests/Security/lib/cherrypy/__init__.py:10:11:10:38 | _ThreadLocalProxy() | cherrypy.request |
|
||||
| test.py:10:17:10:19 | arg | externally controlled string |
|
||||
| test.py:16:17:16:19 | arg | externally controlled string |
|
||||
7
python/ql/test/library-tests/web/cherrypy/HttpSources.ql
Normal file
7
python/ql/test/library-tests/web/cherrypy/HttpSources.ql
Normal file
@@ -0,0 +1,7 @@
|
||||
import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from HttpRequestTaintSource source, TaintKind kind
|
||||
where source.isSourceOf(kind)
|
||||
select source.(ControlFlowNode).getNode(), kind
|
||||
@@ -1,3 +0,0 @@
|
||||
| red.py:8 | Str | externally controlled string |
|
||||
| test.py:11 | BinaryExpr | externally controlled string |
|
||||
| test.py:17 | BinaryExpr | externally controlled string |
|
||||
@@ -1,10 +0,0 @@
|
||||
|
||||
import python
|
||||
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from TaintSink sink, TaintKind kind
|
||||
where sink.sinks(kind)
|
||||
select sink.getLocation().toString(), sink.(ControlFlowNode).getNode().toString(), kind
|
||||
@@ -1,3 +0,0 @@
|
||||
| ../../../query-tests/Security/lib/cherrypy/__init__.py:10 | _ThreadLocalProxy() | cherrypy.request |
|
||||
| test.py:10 | arg | externally controlled string |
|
||||
| test.py:16 | arg | externally controlled string |
|
||||
@@ -1,10 +0,0 @@
|
||||
|
||||
import python
|
||||
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
|
||||
from TaintSource src, TaintKind kind
|
||||
where src.isSourceOf(kind) and not kind.matches("tornado%")
|
||||
select src.getLocation().toString(), src.(ControlFlowNode).getNode().toString(), kind
|
||||
@@ -0,0 +1,7 @@
|
||||
| views.py:7:25:7:63 | django.Response(...) | externally controlled string |
|
||||
| views.py:11:25:11:52 | django.Response(...) | externally controlled string |
|
||||
| views.py:15:25:15:53 | django.Response(...) | externally controlled string |
|
||||
| views.py:23:29:23:60 | django.Response(...) | externally controlled string |
|
||||
| views.py:29:29:29:65 | django.Response(...) | externally controlled string |
|
||||
| views.py:34:25:34:63 | django.Response(...) | externally controlled string |
|
||||
| views.py:38:25:38:70 | django.Response(...) | externally controlled string |
|
||||
@@ -0,0 +1,7 @@
|
||||
import python
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from HttpResponseTaintSink sink, TaintKind kind
|
||||
where sink.sinks(kind)
|
||||
select sink, kind
|
||||
19
python/ql/test/library-tests/web/django/HttpSources.expected
Normal file
19
python/ql/test/library-tests/web/django/HttpSources.expected
Normal file
@@ -0,0 +1,19 @@
|
||||
| test.py:5:19:5:25 | request | django.request.HttpRequest |
|
||||
| test.py:5:28:5:31 | path | externally controlled string |
|
||||
| test.py:11:19:11:25 | request | django.request.HttpRequest |
|
||||
| test.py:11:28:11:31 | path | externally controlled string |
|
||||
| views.py:6:19:6:25 | request | django.request.HttpRequest |
|
||||
| views.py:6:28:6:30 | foo | externally controlled string |
|
||||
| views.py:6:33:6:35 | bar | externally controlled string |
|
||||
| views.py:10:20:10:26 | request | django.request.HttpRequest |
|
||||
| views.py:14:21:14:27 | request | django.request.HttpRequest |
|
||||
| views.py:22:20:22:26 | request | django.request.HttpRequest |
|
||||
| views.py:28:19:28:25 | request | django.request.HttpRequest |
|
||||
| views.py:32:19:32:25 | request | django.request.HttpRequest |
|
||||
| views.py:32:28:32:38 | page_number | externally controlled string |
|
||||
| views.py:37:24:37:30 | request | django.request.HttpRequest |
|
||||
| views.py:37:33:37:36 | arg0 | externally controlled string |
|
||||
| views.py:37:39:37:42 | arg1 | externally controlled string |
|
||||
| views.py:57:15:57:21 | request | django.request.HttpRequest |
|
||||
| views.py:57:24:57:31 | username | externally controlled string |
|
||||
| views.py:66:30:66:36 | request | django.request.HttpRequest |
|
||||
7
python/ql/test/library-tests/web/django/HttpSources.ql
Normal file
7
python/ql/test/library-tests/web/django/HttpSources.ql
Normal file
@@ -0,0 +1,7 @@
|
||||
import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from HttpRequestTaintSource source, TaintKind kind
|
||||
where source.isSourceOf(kind)
|
||||
select source.(ControlFlowNode).getNode(), kind
|
||||
@@ -1,16 +0,0 @@
|
||||
| sql.py:13 | Str | externally controlled string |
|
||||
| sql.py:14 | Str | externally controlled string |
|
||||
| sql.py:17 | BinaryExpr | externally controlled string |
|
||||
| sql.py:20 | BinaryExpr | externally controlled string |
|
||||
| sql.py:21 | BinaryExpr | externally controlled string |
|
||||
| sql.py:22 | BinaryExpr | externally controlled string |
|
||||
| sql.py:36 | Str | externally controlled string |
|
||||
| sql.py:42 | BinaryExpr | externally controlled string |
|
||||
| sql.py:47 | BinaryExpr | externally controlled string |
|
||||
| views.py:7 | Attribute() | externally controlled string |
|
||||
| views.py:11 | Attribute() | externally controlled string |
|
||||
| views.py:15 | Attribute() | externally controlled string |
|
||||
| views.py:23 | Attribute() | externally controlled string |
|
||||
| views.py:29 | Attribute() | externally controlled string |
|
||||
| views.py:34 | Attribute() | externally controlled string |
|
||||
| views.py:38 | Attribute() | externally controlled string |
|
||||
@@ -1,13 +0,0 @@
|
||||
|
||||
import python
|
||||
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.web.django.Db
|
||||
import semmle.python.web.django.Model
|
||||
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from TaintSink sink, TaintKind kind
|
||||
where sink.sinks(kind)
|
||||
select sink.getLocation().toString(), sink.(ControlFlowNode).getNode().toString(), kind
|
||||
@@ -1,19 +0,0 @@
|
||||
| test.py:5 | path | externally controlled string |
|
||||
| test.py:5 | request | django.request.HttpRequest |
|
||||
| test.py:11 | path | externally controlled string |
|
||||
| test.py:11 | request | django.request.HttpRequest |
|
||||
| views.py:6 | bar | externally controlled string |
|
||||
| views.py:6 | foo | externally controlled string |
|
||||
| views.py:6 | request | django.request.HttpRequest |
|
||||
| views.py:10 | request | django.request.HttpRequest |
|
||||
| views.py:14 | request | django.request.HttpRequest |
|
||||
| views.py:22 | request | django.request.HttpRequest |
|
||||
| views.py:28 | request | django.request.HttpRequest |
|
||||
| views.py:32 | page_number | externally controlled string |
|
||||
| views.py:32 | request | django.request.HttpRequest |
|
||||
| views.py:37 | arg0 | externally controlled string |
|
||||
| views.py:37 | arg1 | externally controlled string |
|
||||
| views.py:37 | request | django.request.HttpRequest |
|
||||
| views.py:57 | request | django.request.HttpRequest |
|
||||
| views.py:57 | username | externally controlled string |
|
||||
| views.py:66 | request | django.request.HttpRequest |
|
||||
@@ -1,10 +0,0 @@
|
||||
|
||||
import python
|
||||
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
|
||||
from TaintSource src, TaintKind kind
|
||||
where src.isSourceOf(kind)
|
||||
select src.getLocation().toString(), src.(ControlFlowNode).getNode().toString(), kind
|
||||
@@ -0,0 +1,9 @@
|
||||
| sql.py:13:24:13:64 | db.connection.execute | externally controlled string |
|
||||
| sql.py:14:26:14:66 | django.models.QuerySet.raw(sink,...) | externally controlled string |
|
||||
| sql.py:17:24:17:77 | db.connection.execute | externally controlled string |
|
||||
| sql.py:20:38:20:95 | django.db.models.expressions.RawSQL(sink,...) | externally controlled string |
|
||||
| sql.py:21:26:21:83 | django.models.QuerySet.raw(sink,...) | externally controlled string |
|
||||
| sql.py:22:28:22:85 | django.models.QuerySet.extra(sink,...) | externally controlled string |
|
||||
| sql.py:36:26:36:68 | django.models.QuerySet.raw(sink,...) | externally controlled string |
|
||||
| sql.py:42:11:42:52 | django.models.QuerySet.raw(sink,...) | externally controlled string |
|
||||
| sql.py:47:13:47:54 | django.models.QuerySet.extra(sink,...) | externally controlled string |
|
||||
@@ -0,0 +1,9 @@
|
||||
import python
|
||||
import semmle.python.security.injection.Sql
|
||||
import semmle.python.web.django.Db
|
||||
import semmle.python.web.django.Model
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from SqlInjectionSink sink, TaintKind kind
|
||||
where sink.sinks(kind)
|
||||
select sink, kind
|
||||
@@ -0,0 +1 @@
|
||||
| FIXME: temporarily disabled since it's not working |
|
||||
@@ -0,0 +1,8 @@
|
||||
import python
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
// from HttpResponseTaintSink sink, TaintKind kind
|
||||
// where sink.sinks(kind)
|
||||
// select sink, kind
|
||||
select "FIXME: temporarily disabled since it's not working"
|
||||
@@ -0,0 +1,3 @@
|
||||
| test.py:9:22:9:24 | req | falcon.request |
|
||||
| test.py:19:23:19:25 | req | falcon.request |
|
||||
| test.py:22:25:22:27 | req | falcon.request |
|
||||
7
python/ql/test/library-tests/web/falcon/HttpSources.ql
Normal file
7
python/ql/test/library-tests/web/falcon/HttpSources.ql
Normal file
@@ -0,0 +1,7 @@
|
||||
import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from HttpRequestTaintSource source, TaintKind kind
|
||||
where source.isSourceOf(kind)
|
||||
select source.(ControlFlowNode).getNode(), kind
|
||||
@@ -1,8 +1,5 @@
|
||||
import python
|
||||
|
||||
import semmle.python.web.falcon.General
|
||||
|
||||
from FalconRoute route, string method
|
||||
|
||||
select route.getUrl(), method, route.getHandlerFunction(method)
|
||||
|
||||
|
||||
@@ -1,6 +1,4 @@
|
||||
|
||||
import python
|
||||
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
| test.py:9 | req | falcon.request |
|
||||
| test.py:19 | req | falcon.request |
|
||||
| test.py:22 | req | falcon.request |
|
||||
@@ -1,10 +0,0 @@
|
||||
|
||||
import python
|
||||
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
|
||||
from TaintSource src, TaintKind kind
|
||||
where src.isSourceOf(kind) and not kind.matches("tornado%")
|
||||
select src.getLocation().toString(), src.(ControlFlowNode).getNode().toString(), kind
|
||||
@@ -1,12 +1,8 @@
|
||||
|
||||
import python
|
||||
|
||||
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
|
||||
from TaintedNode node
|
||||
where node.getLocation().getFile().getShortName() = "test.py"
|
||||
select node.getLocation().toString(), node.getAstNode().toString(), node.getTaintKind()
|
||||
|
||||
@@ -0,0 +1,8 @@
|
||||
| test.py:8:12:8:25 | flask.routed.response | externally controlled string |
|
||||
| test.py:29:12:29:38 | flask.routed.response | externally controlled string |
|
||||
| test.py:35:16:35:37 | flask.routed.response | externally controlled string |
|
||||
| test.py:36:12:36:15 | flask.routed.response | externally controlled string |
|
||||
| test.py:41:12:41:54 | flask.routed.response | externally controlled string |
|
||||
| test.py:41:26:41:53 | flask.response.argument | externally controlled string |
|
||||
| test.py:46:12:46:62 | flask.routed.response | externally controlled string |
|
||||
| test.py:46:26:46:61 | flask.response.argument | externally controlled string |
|
||||
@@ -0,0 +1,7 @@
|
||||
import python
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from HttpResponseTaintSink sink, TaintKind kind
|
||||
where sink.sinks(kind)
|
||||
select sink, kind
|
||||
@@ -0,0 +1,5 @@
|
||||
| test.py:29:12:29:23 | Attribute | {externally controlled string} |
|
||||
| test.py:33:9:33:20 | Attribute | {externally controlled string} |
|
||||
| test.py:35:16:35:27 | Attribute | {externally controlled string} |
|
||||
| test.py:40:18:40:29 | Attribute | {externally controlled string} |
|
||||
| test.py:45:18:45:29 | Attribute | {externally controlled string} |
|
||||
7
python/ql/test/library-tests/web/flask/HttpSources.ql
Normal file
7
python/ql/test/library-tests/web/flask/HttpSources.ql
Normal file
@@ -0,0 +1,7 @@
|
||||
import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from HttpRequestTaintSource source, TaintKind kind
|
||||
where source.isSourceOf(kind)
|
||||
select source.(ControlFlowNode).getNode(), kind
|
||||
@@ -1,9 +1,6 @@
|
||||
import python
|
||||
|
||||
import semmle.python.web.flask.General
|
||||
|
||||
from ControlFlowNode regex, Function func
|
||||
|
||||
where flask_routing(regex, func)
|
||||
|
||||
select regex.getNode().(StrConst).getText(), func.toString()
|
||||
|
||||
@@ -1,8 +0,0 @@
|
||||
| test.py:8 | Str | externally controlled string |
|
||||
| test.py:29 | Attribute() | externally controlled string |
|
||||
| test.py:35 | Subscript | externally controlled string |
|
||||
| test.py:36 | None | externally controlled string |
|
||||
| test.py:41 | BinaryExpr | externally controlled string |
|
||||
| test.py:41 | make_response() | externally controlled string |
|
||||
| test.py:46 | BinaryExpr | externally controlled string |
|
||||
| test.py:46 | make_response() | externally controlled string |
|
||||
@@ -1,10 +0,0 @@
|
||||
|
||||
import python
|
||||
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from TaintSink sink, TaintKind kind
|
||||
where sink.sinks(kind)
|
||||
select sink.getLocation().toString(), sink.(ControlFlowNode).getNode().toString(), kind
|
||||
@@ -1,6 +0,0 @@
|
||||
| test.py:22 | Attribute() | flask/MyView.as.view |
|
||||
| test.py:29 | Attribute | {externally controlled string} |
|
||||
| test.py:33 | Attribute | {externally controlled string} |
|
||||
| test.py:35 | Attribute | {externally controlled string} |
|
||||
| test.py:40 | Attribute | {externally controlled string} |
|
||||
| test.py:45 | Attribute | {externally controlled string} |
|
||||
@@ -1,11 +0,0 @@
|
||||
|
||||
import python
|
||||
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
|
||||
from TaintSource src, TaintKind kind
|
||||
where src.isSourceOf(kind)
|
||||
select src.getLocation().toString(), src.(ControlFlowNode).getNode().toString(), kind
|
||||
@@ -1,12 +1,8 @@
|
||||
|
||||
import python
|
||||
|
||||
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
|
||||
from TaintedNode node
|
||||
where node.getLocation().getFile().getShortName() = "test.py"
|
||||
select node.getLocation().toString(), node.getAstNode().toString(), node.getTaintKind()
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
| test.py:8:12:8:31 | pyramid.routed.response | externally controlled string |
|
||||
| test.py:17:12:17:41 | pyramid.routed.response | externally controlled string |
|
||||
| test.py:25:12:25:43 | pyramid.routed.response | externally controlled string |
|
||||
@@ -0,0 +1,7 @@
|
||||
import python
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from HttpResponseTaintSink sink, TaintKind kind
|
||||
where sink.sinks(kind)
|
||||
select sink, kind
|
||||
@@ -0,0 +1,3 @@
|
||||
| test.py:7:10:7:16 | request | pyramid.request |
|
||||
| test.py:15:11:15:17 | request | pyramid.request |
|
||||
| test.py:24:11:24:17 | request | pyramid.request |
|
||||
7
python/ql/test/library-tests/web/pyramid/HttpSources.ql
Normal file
7
python/ql/test/library-tests/web/pyramid/HttpSources.ql
Normal file
@@ -0,0 +1,7 @@
|
||||
import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from HttpRequestTaintSource source, TaintKind kind
|
||||
where source.isSourceOf(kind)
|
||||
select source.(ControlFlowNode).getNode(), kind
|
||||
@@ -1,9 +1,6 @@
|
||||
import python
|
||||
|
||||
import semmle.python.web.pyramid.View
|
||||
|
||||
from Function func
|
||||
|
||||
where is_pyramid_view_function(func)
|
||||
|
||||
select func.getLocation().toString(), func.toString()
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
| test.py:8 | Response() | externally controlled string |
|
||||
| test.py:17 | Response() | externally controlled string |
|
||||
| test.py:25 | Dict | externally controlled string |
|
||||
@@ -1,11 +0,0 @@
|
||||
|
||||
import python
|
||||
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
|
||||
from TaintSink sink, TaintKind kind
|
||||
where sink.sinks(kind) and sink.getLocation().getFile().getShortName() = "test.py"
|
||||
select sink.getLocation().toString(), sink.(ControlFlowNode).getNode().toString(), kind
|
||||
@@ -1,3 +0,0 @@
|
||||
| test.py:7 | request | pyramid.request |
|
||||
| test.py:15 | request | pyramid.request |
|
||||
| test.py:24 | request | pyramid.request |
|
||||
@@ -1,11 +0,0 @@
|
||||
|
||||
import python
|
||||
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
|
||||
from TaintSource src, TaintKind kind
|
||||
where src.isSourceOf(kind)
|
||||
select src.getLocation().toString(), src.(ControlFlowNode).getNode().toString(), kind
|
||||
@@ -1,11 +1,8 @@
|
||||
|
||||
import python
|
||||
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from TaintedNode node
|
||||
where node.getLocation().getFile().getShortName() = "test.py"
|
||||
|
||||
select node.getLocation().toString(), node.getAstNode().toString(), node.getTaintKind()
|
||||
|
||||
@@ -1,9 +1,7 @@
|
||||
|
||||
import python
|
||||
|
||||
import semmle.python.TestUtils
|
||||
|
||||
import semmle.python.web.tornado.Tornado
|
||||
|
||||
from ClassValue cls
|
||||
where cls = aTornadoRequestHandlerClass()
|
||||
select remove_library_prefix(cls.getScope().getLocation()), cls.toString()
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
| test.py:20:23:20:25 | tornado.HttpRequestHandler.redirect | externally controlled string |
|
||||
@@ -0,0 +1,7 @@
|
||||
import python
|
||||
import semmle.python.web.HttpRedirect
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from HttpRedirectTaintSink sink, TaintKind kind
|
||||
where sink.sinks(kind)
|
||||
select sink, kind
|
||||
@@ -0,0 +1,3 @@
|
||||
| test.py:6:20:6:43 | tornado.HttpRequestHandler.write | externally controlled string |
|
||||
| test.py:12:20:12:23 | tornado.HttpRequestHandler.write | externally controlled string |
|
||||
| test.py:26:20:26:48 | tornado.HttpRequestHandler.write | externally controlled string |
|
||||
@@ -0,0 +1,7 @@
|
||||
import python
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from HttpResponseTaintSink sink, TaintKind kind
|
||||
where sink.sinks(kind)
|
||||
select sink, kind
|
||||
@@ -0,0 +1,4 @@
|
||||
| test.py:6:20:6:43 | Attribute() | externally controlled string |
|
||||
| test.py:10:16:10:40 | Attribute() | [externally controlled string] |
|
||||
| test.py:17:15:17:26 | Attribute | tornado.request.HttpRequest |
|
||||
| test.py:26:20:26:48 | Attribute() | externally controlled string |
|
||||
7
python/ql/test/library-tests/web/tornado/HttpSources.ql
Normal file
7
python/ql/test/library-tests/web/tornado/HttpSources.ql
Normal file
@@ -0,0 +1,7 @@
|
||||
import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from HttpRequestTaintSource source, TaintKind kind
|
||||
where source.isSourceOf(kind)
|
||||
select source.(ControlFlowNode).getNode(), kind
|
||||
@@ -1,4 +0,0 @@
|
||||
| test.py:6 | Attribute() | externally controlled string |
|
||||
| test.py:12 | name | externally controlled string |
|
||||
| test.py:20 | url | externally controlled string |
|
||||
| test.py:26 | Attribute() | externally controlled string |
|
||||
@@ -1,11 +0,0 @@
|
||||
|
||||
import python
|
||||
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
import semmle.python.TestUtils
|
||||
|
||||
from TaintSink sink, TaintKind kind
|
||||
where sink.sinks(kind)
|
||||
select remove_library_prefix(sink.getLocation()), sink.(ControlFlowNode).getNode().toString(), kind
|
||||
@@ -1,4 +0,0 @@
|
||||
| test.py:6 | Attribute() | externally controlled string |
|
||||
| test.py:10 | Attribute() | [externally controlled string] |
|
||||
| test.py:17 | Attribute | tornado.request.HttpRequest |
|
||||
| test.py:26 | Attribute() | externally controlled string |
|
||||
@@ -1,13 +0,0 @@
|
||||
|
||||
import python
|
||||
|
||||
import semmle.python.TestUtils
|
||||
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
|
||||
from TaintSource src, TaintKind kind
|
||||
where src.isSourceOf(kind)
|
||||
select remove_library_prefix(src.getLocation()), src.(ControlFlowNode).getNode().toString(), kind
|
||||
@@ -1,8 +1,5 @@
|
||||
|
||||
import python
|
||||
|
||||
import semmle.python.TestUtils
|
||||
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
@@ -11,4 +8,3 @@ from TaintedNode node
|
||||
// Add this restriction to keep Python2 and 3 results the same.
|
||||
where not exists(node.getContext().getCaller())
|
||||
select remove_library_prefix(node.getLocation()), node.getAstNode().toString(), node.getTaintKind()
|
||||
|
||||
|
||||
@@ -1,9 +1,5 @@
|
||||
|
||||
|
||||
import python
|
||||
|
||||
import semmle.python.web.turbogears.TurboGears
|
||||
|
||||
from TurboGearsControllerMethod m
|
||||
select m
|
||||
|
||||
|
||||
@@ -0,0 +1,5 @@
|
||||
| test.py:8:16:8:69 | TurboGears ControllerMethodReturnValue | externally controlled string |
|
||||
| test.py:14:16:14:50 | TurboGears ControllerMethodReturnValue | externally controlled string |
|
||||
| test.py:19:16:19:50 | TurboGears ControllerMethodReturnValue | externally controlled string |
|
||||
| test.py:23:16:23:50 | TurboGears ControllerMethodReturnValue | externally controlled string |
|
||||
| test.py:27:16:27:38 | TurboGears ControllerMethodTemplatedReturnValue | {externally controlled string} |
|
||||
@@ -0,0 +1,7 @@
|
||||
import python
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from HttpResponseTaintSink sink, TaintKind kind
|
||||
where sink.sinks(kind)
|
||||
select sink, kind
|
||||
@@ -0,0 +1,3 @@
|
||||
| test.py:18:43:18:43 | b | externally controlled string |
|
||||
| test.py:22:29:22:29 | a | externally controlled string |
|
||||
| test.py:22:37:22:37 | b | externally controlled string |
|
||||
@@ -0,0 +1,7 @@
|
||||
import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from HttpRequestTaintSource source, TaintKind kind
|
||||
where source.isSourceOf(kind)
|
||||
select source.(ControlFlowNode).getNode(), kind
|
||||
@@ -1,5 +0,0 @@
|
||||
| test.py:8 | BinaryExpr | externally controlled string |
|
||||
| test.py:14 | BinaryExpr | externally controlled string |
|
||||
| test.py:19 | BinaryExpr | externally controlled string |
|
||||
| test.py:23 | BinaryExpr | externally controlled string |
|
||||
| test.py:27 | Dict | {externally controlled string} |
|
||||
@@ -1,10 +0,0 @@
|
||||
|
||||
import python
|
||||
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from TaintSink sink, TaintKind kind
|
||||
where sink.sinks(kind)
|
||||
select sink.getLocation().toString(), sink.(ControlFlowNode).getNode().toString(), kind
|
||||
@@ -1,3 +0,0 @@
|
||||
| test.py:18 | b | externally controlled string |
|
||||
| test.py:22 | a | externally controlled string |
|
||||
| test.py:22 | b | externally controlled string |
|
||||
@@ -1,10 +0,0 @@
|
||||
|
||||
import python
|
||||
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
|
||||
from TaintSource src, TaintKind kind
|
||||
where src.isSourceOf(kind)
|
||||
select src.getLocation().toString(), src.(ControlFlowNode).getNode().toString(), kind
|
||||
@@ -1,13 +1,7 @@
|
||||
|
||||
import python
|
||||
|
||||
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
|
||||
from TaintedNode node
|
||||
|
||||
select node.getLocation().toString(), node.getAstNode().toString(), node.getTaintKind()
|
||||
|
||||
|
||||
@@ -0,0 +1,10 @@
|
||||
| test.py:7:16:7:23 | Twisted response | externally controlled string |
|
||||
| test.py:14:16:14:23 | Twisted response | externally controlled string |
|
||||
| test.py:21:16:21:23 | Twisted response | externally controlled string |
|
||||
| test.py:36:16:36:37 | Twisted response | externally controlled string |
|
||||
| test.py:40:23:40:30 | Twisted request setter | externally controlled string |
|
||||
| test.py:44:27:44:31 | Twisted request setter | externally controlled string |
|
||||
| test.py:44:34:44:38 | Twisted request setter | externally controlled string |
|
||||
| test.py:45:27:45:31 | Twisted request setter | externally controlled string |
|
||||
| test.py:45:34:45:40 | Twisted request setter | externally controlled string |
|
||||
| test.py:46:16:46:37 | Twisted response | externally controlled string |
|
||||
@@ -0,0 +1,7 @@
|
||||
import python
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from HttpResponseTaintSink sink, TaintKind kind
|
||||
where sink.sinks(kind)
|
||||
select sink, kind
|
||||
@@ -0,0 +1,8 @@
|
||||
| test.py:4:22:4:28 | request | twisted.request.http.Request |
|
||||
| test.py:9:26:9:32 | request | twisted.request.http.Request |
|
||||
| test.py:16:27:16:33 | request | twisted.request.http.Request |
|
||||
| test.py:24:24:24:30 | request | twisted.request.http.Request |
|
||||
| test.py:28:22:28:30 | myrequest | twisted.request.http.Request |
|
||||
| test.py:31:27:31:37 | postrequest | twisted.request.http.Request |
|
||||
| test.py:39:22:39:28 | request | twisted.request.http.Request |
|
||||
| test.py:43:22:43:28 | request | twisted.request.http.Request |
|
||||
7
python/ql/test/library-tests/web/twisted/HttpSources.ql
Normal file
7
python/ql/test/library-tests/web/twisted/HttpSources.ql
Normal file
@@ -0,0 +1,7 @@
|
||||
import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from HttpRequestTaintSource source, TaintKind kind
|
||||
where source.isSourceOf(kind)
|
||||
select source.(ControlFlowNode).getNode(), kind
|
||||
@@ -1,8 +0,0 @@
|
||||
| test.py:7 | response | externally controlled string |
|
||||
| test.py:14 | response | externally controlled string |
|
||||
| test.py:21 | response | externally controlled string |
|
||||
| test.py:36 | do_stuff_with() | externally controlled string |
|
||||
| test.py:40 | Str | externally controlled string |
|
||||
| test.py:44 | Str | externally controlled string |
|
||||
| test.py:45 | Str | externally controlled string |
|
||||
| test.py:46 | Str | externally controlled string |
|
||||
@@ -1,10 +0,0 @@
|
||||
import python
|
||||
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
import semmle.python.TestUtils
|
||||
|
||||
from TaintSink sink, TaintKind kind
|
||||
where sink.sinks(kind)
|
||||
select remove_library_prefix(sink.getLocation()), sink.(ControlFlowNode).getNode().toString(), kind
|
||||
@@ -1,8 +0,0 @@
|
||||
| test.py:4 | request | twisted.request.http.Request |
|
||||
| test.py:9 | request | twisted.request.http.Request |
|
||||
| test.py:16 | request | twisted.request.http.Request |
|
||||
| test.py:24 | request | twisted.request.http.Request |
|
||||
| test.py:28 | myrequest | twisted.request.http.Request |
|
||||
| test.py:31 | postrequest | twisted.request.http.Request |
|
||||
| test.py:39 | request | twisted.request.http.Request |
|
||||
| test.py:43 | request | twisted.request.http.Request |
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user