Python: Fix Flask jsonify XSS regression

The reason the result was found before is that `jsonify(data)` was
modeled as TWO separate subclasses of `Http::Server::HttpResponse`, one
because of the implicit construction in return
(FlaskRouteHandlerReturn), and one from the `jsonify` call
(FlaskJsonifyCall). Due to the QL evaluation, we got a combination from
the two, meaning mime-type from FlaskRouteHandlerReturn and body from
FlaskJsonifyCall...
Rasmus Wriedt Larsen
2023-08-29 10:39:53 +02:00
parent b36fd9fdab
commit 26319bfc04
2 changed files with 2 additions and 8 deletions


@@ -453,7 +453,8 @@ module Flask {
FlaskRouteHandlerReturn() {
exists(Function routeHandler |
routeHandler = any(FlaskRouteSetup rs).getARequestHandler() and
node = routeHandler.getAReturnValueFlowNode()
node = routeHandler.getAReturnValueFlowNode() and
not this instanceof Flask::Response::InstanceSource
)
}
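Review bot: the added conjunct `not this instanceof Flask::Response::InstanceSource` does not use the `routeHandler` variable bound by the enclosing `exists`, so it belongs outside the `exists` body, e.g. `not this instanceof Flask::Response::InstanceSource and exists(Function routeHandler | ... )`; that also makes the intent (explicit response constructions are excluded from the implicit-return model) visible at a glance. The QLDoc for `FlaskRouteHandlerReturn` should say the same, since after this change the class no longer covers every route-handler return value. Note for readers of this rendering: the `+`/`-` markers were stripped, but the `@@ -453,7 +453,8 @@` header shows one line replaced by two, so the `node = routeHandler.getAReturnValueFlowNode()` line without the trailing `and` is the deleted one.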


@@ -3,7 +3,6 @@ edges
| reflected_xss.py:2:26:2:32 | GSSA Variable request | reflected_xss.py:9:18:9:24 | ControlFlowNode for request |
| reflected_xss.py:2:26:2:32 | GSSA Variable request | reflected_xss.py:21:23:21:29 | ControlFlowNode for request |
| reflected_xss.py:2:26:2:32 | GSSA Variable request | reflected_xss.py:27:23:27:29 | ControlFlowNode for request |
| reflected_xss.py:2:26:2:32 | GSSA Variable request | reflected_xss.py:33:12:33:18 | ControlFlowNode for request |
| reflected_xss.py:9:5:9:14 | SSA variable first_name | reflected_xss.py:10:26:10:53 | ControlFlowNode for BinaryExpr |
| reflected_xss.py:9:18:9:24 | ControlFlowNode for request | reflected_xss.py:9:18:9:29 | ControlFlowNode for Attribute |
| reflected_xss.py:9:18:9:29 | ControlFlowNode for Attribute | reflected_xss.py:9:18:9:45 | ControlFlowNode for Attribute() |
@@ -12,8 +11,6 @@ edges
| reflected_xss.py:21:23:21:29 | ControlFlowNode for request | reflected_xss.py:21:5:21:8 | SSA variable data |
| reflected_xss.py:27:5:27:8 | SSA variable data | reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() |
| reflected_xss.py:27:23:27:29 | ControlFlowNode for request | reflected_xss.py:27:5:27:8 | SSA variable data |
| reflected_xss.py:33:5:33:8 | SSA variable data | reflected_xss.py:34:20:34:23 | ControlFlowNode for data |
| reflected_xss.py:33:12:33:18 | ControlFlowNode for request | reflected_xss.py:33:5:33:8 | SSA variable data |
nodes
| reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
| reflected_xss.py:2:26:2:32 | GSSA Variable request | semmle.label | GSSA Variable request |
@@ -28,12 +25,8 @@ nodes
| reflected_xss.py:27:5:27:8 | SSA variable data | semmle.label | SSA variable data |
| reflected_xss.py:27:23:27:29 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| reflected_xss.py:33:5:33:8 | SSA variable data | semmle.label | SSA variable data |
| reflected_xss.py:33:12:33:18 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| reflected_xss.py:34:20:34:23 | ControlFlowNode for data | semmle.label | ControlFlowNode for data |
subpaths
#select
| reflected_xss.py:10:26:10:53 | ControlFlowNode for BinaryExpr | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:10:26:10:53 | ControlFlowNode for BinaryExpr | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
| reflected_xss.py:22:26:22:41 | ControlFlowNode for Attribute() | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:22:26:22:41 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
| reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
| reflected_xss.py:34:20:34:23 | ControlFlowNode for data | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:34:20:34:23 | ControlFlowNode for data | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
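Review bot: the dropped `#select` row at `reflected_xss.py:34:20:34:23`, together with its edges and nodes from lines 33 and 34, is the regression the commit message describes: `data` flowing into the return on line 34 is no longer reported, while the results at lines 10, 22 and 28 are unchanged. The `.expected` file alone does not record why that result went away; assuming line 34 is the `jsonify(...)` return referred to in the commit message, add a comment next to it in `reflected_xss.py` stating that a JSON response body is not an HTML XSS sink, so that a later model change which re-introduces this path is recognised as a false positive rather than an improvement.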