Restrain the source and add two steps.

2025-12-18 01:33:15 +01:00 · 2023-01-26 17:07:59 +01:00
parent 51b11de44a
commit 1a211485a4
1 changed files with 8 additions and 10 deletions
--- a/python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpackQuery.qll
+++ b/python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpackQuery.qll
@@ -50,17 +50,9 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
      )
    )
    or
-    // catch the uploaded files as a source
-    exists(Subscript s, Attribute at |
-      at = s.getObject() and at.getAttr() = "FILES" and source.asExpr() = s
-    )
-    or
-    // Retrieve Django uploaded files
+    // catch the Django uploaded files as a source
    // see HttpRequest.FILES: https://docs.djangoproject.com/en/4.1/ref/request-response/#django.http.HttpRequest.FILES
-    exists(Node obj, AttrRead ar |
-      ar.getAMethodCall(["getlist", "get"]).flowsTo(source) and
-      ar.accesses(obj, "FILES")
-    )
+    source.(AttrRead).getAttributeName() = "FILES"
  }

  override predicate isSink(DataFlow::Node sink) {
@@ -107,6 +99,12 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
      nodeFrom = cn.getArg(0)
    )
    or
+    // Retrieve Django uploaded files
+    // see HttpRequest.FILES.getlist(): https://docs.djangoproject.com/en/4.1/ref/request-response/#django.http.QueryDict.getlist
+    exists(MethodCallNode mc |
+      nodeFrom = mc.getObject() and mc.getMethodName() = ["getlist", "get"] and nodeTo = mc
+    )
+    or
    // Accessing the name or raw content
    exists(AttrRead ar | ar.accesses(nodeFrom, ["name", "raw"]) and ar.flowsTo(nodeTo))
    or