Python: Rewrite py/flask-debug

Rasmus Wriedt Larsen
2022-10-04 20:41:18 +02:00
parent 05bca0249c
commit 2541af6587


@@ -16,21 +16,10 @@ import semmle.python.dataflow.new.DataFlow
import semmle.python.ApiGraphs import semmle.python.ApiGraphs
import semmle.python.frameworks.Flask import semmle.python.frameworks.Flask
/** Gets a reference to a truthy literal. */ from API::CallNode call
private DataFlow::TypeTrackingNode truthyLiteral(DataFlow::TypeTracker t) {
t.start() and
result.asExpr().(ImmutableLiteral).booleanValue() = true
or
exists(DataFlow::TypeTracker t2 | result = truthyLiteral(t2).track(t2, t))
}
/** Gets a reference to a truthy literal. */
DataFlow::Node truthyLiteral() { truthyLiteral(DataFlow::TypeTracker::end()).flowsTo(result) }
from API::CallNode call, DataFlow::Node debugArg
where where
call = Flask::FlaskApp::instance().getMember("run").getACall() and call = Flask::FlaskApp::instance().getMember("run").getACall() and
debugArg in [call.getArg(2), call.getArgByName("debug")] and call.getParameter(2, "debug").getAValueReachingSink().asExpr().(ImmutableLiteral).booleanValue() =
debugArg = truthyLiteral() true
select call, select call,
"A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger." "A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger."
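Review bot: The rewritten `where` clause still reports only a truthy immutable literal reaching the `debug` parameter of `run`, so an app that enables the debugger another way (for example `app.debug = True` before a bare `app.run()`, or a value read from configuration or the environment) produces no alert. As far as the removed lines show, the old query had the same limit, but with the `truthyLiteral` helpers and their QLDoc gone nothing in the visible query body states that scope. I would add a comment above the `where`, such as `// Flags only literal truthy values reaching run()'s debug parameter (positional index 2 or keyword); other ways of enabling debug mode are not modelled.` Separately, `import semmle.python.dataflow.new.DataFlow` appears in the hunk header context and may no longer be needed, since the new clause never names `DataFlow::`; the rest of the file is not visible here, so this should be checked.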