Merge branch 'main' into post-release-prep/codeql-cli-2.14.2

2026-04-30 03:05:15 +02:00 · 2023-08-11 13:54:55 +01:00
parent 432c21d4fb 5161cd1a3c
commit 1213eba630
264 changed files with 8332 additions and 5797 deletions
--- a/python/ql/lib/change-notes/2023-07-12-aiohttp-improvements.md
+++ b/python/ql/lib/change-notes/2023-07-12-aiohttp-improvements.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improvements of the `aiohttp` models including remote-flow-sources from type annotations, new path manipulation, and SSRF sinks.
--- a/python/ql/lib/semmle/python/frameworks/Aiohttp.qll
+++ b/python/ql/lib/semmle/python/frameworks/Aiohttp.qll
@@ -468,6 +468,27 @@ module AiohttpWebModel {
    override string getSourceType() { result = "aiohttp.web.Request" }
  }

+  /**
+   * A parameter that has a type annotation of `aiohttp.web.Request`, so with all
+   * likelihood will receive an `aiohttp.web.Request` instance at some point when a
+   * request handler is invoked.
+   */
+  class AiohttpRequestParamFromTypeAnnotation extends Request::InstanceSource,
+    DataFlow::ParameterNode, RemoteFlowSource::Range
+  {
+    AiohttpRequestParamFromTypeAnnotation() {
+      not this instanceof AiohttpRequestHandlerRequestParam and
+      this.getParameter().getAnnotation() =
+        API::moduleImport("aiohttp")
+            .getMember("web")
+            .getMember("Request")
+            .getAValueReachableFromSource()
+            .asExpr()
+    }
+
+    override string getSourceType() { result = "aiohttp.web.Request from type-annotation" }
+  }
+
  /**
   * A read of the `request` attribute on an instance of an aiohttp.web View class,
   * which is the request being processed currently.
@@ -498,14 +519,17 @@ module AiohttpWebModel {
   * - https://docs.aiohttp.org/en/stable/web_quickstart.html#aiohttp-web-exceptions
   */
  class AiohttpWebResponseInstantiation extends Http::Server::HttpResponse::Range,
-    Response::InstanceSource, DataFlow::CallCfgNode
+    Response::InstanceSource, API::CallNode
  {
    API::Node apiNode;

    AiohttpWebResponseInstantiation() {
      this = apiNode.getACall() and
      (
-        apiNode = API::moduleImport("aiohttp").getMember("web").getMember("Response")
+        apiNode =
+          API::moduleImport("aiohttp")
+              .getMember("web")
+              .getMember(["FileResponse", "Response", "StreamResponse"])
        or
        exists(string httpExceptionClassName |
          httpExceptionClassName in [
@@ -545,6 +569,10 @@ module AiohttpWebModel {

    override DataFlow::Node getMimetypeOrContentTypeArg() {
      result = this.getArgByName("content_type")
+      or
+      exists(string key | key.toLowerCase() = "content-type" |
+        result = this.getKeywordParameter("headers").getSubscript(key).getAValueReachingSink()
+      )
    }

    override string getMimetypeDefault() {
@@ -556,6 +584,37 @@ module AiohttpWebModel {
    }
  }

+  /**
+   * A call to the `aiohttp.web.FileResponse` constructor as a sink for Filesystem access.
+   */
+  class FileResponseCall extends FileSystemAccess::Range, API::CallNode {
+    FileResponseCall() {
+      this = API::moduleImport("aiohttp").getMember("web").getMember("FileResponse").getACall()
+    }
+
+    override DataFlow::Node getAPathArgument() { result = this.getParameter(0, "path").asSink() }
+  }
+
+  /**
+   * An instantiation of `aiohttp.web.StreamResponse`.
+   *
+   * See https://docs.aiohttp.org/en/stable/web_reference.html#aiohttp.web.StreamResponse
+   */
+  class StreamResponse extends AiohttpWebResponseInstantiation {
+    StreamResponse() {
+      this = API::moduleImport("aiohttp").getMember("web").getMember("StreamResponse").getACall()
+    }
+
+    override DataFlow::Node getBody() {
+      result =
+        this.getReturn()
+            .getMember(["write", "write_eof"])
+            .getACall()
+            .getParameter(0, "data")
+            .asSink()
+    }
+  }
+
  /** Gets an HTTP response instance. */
  private API::Node aiohttpResponseInstance() {
    result = any(AiohttpWebResponseInstantiation call).getApiNode().getReturn()
@@ -670,14 +729,14 @@ private module AiohttpClientModel {
      string methodName;

      OutgoingRequestCall() {
-        methodName in [Http::httpVerbLower(), "request"] and
+        methodName in [Http::httpVerbLower(), "request", "ws_connect"] and
        this = instance().getMember(methodName).getACall()
      }

      override DataFlow::Node getAUrlPart() {
        result = this.getArgByName("url")
        or
-        not methodName = "request" and
+        methodName in [Http::httpVerbLower(), "ws_connect"] and
        result = this.getArg(0)
        or
        methodName = "request" and