ensure consistent casing of names

This commit is contained in:
erik-krogh
2022-09-09 10:28:57 +02:00
parent 9893650f7c
commit 26d8553f6e
230 changed files with 702 additions and 657 deletions


@@ -565,7 +565,7 @@ module XML {
}
/** Provides classes for modeling LDAP-related APIs. */
module LDAP {
module Ldap {
/**
* A data-flow node that executes an LDAP query.
*
@@ -598,6 +598,9 @@ module LDAP {
}
}
/** DEPRECATED: Alias for Ldap */
deprecated module LDAP = Ldap;
/**
* A data-flow node that escapes meta-characters, which could be used to prevent
* injection attacks.
@@ -706,7 +709,7 @@ class LdapFilterEscaping extends Escaping {
}
/** Provides classes for modeling HTTP-related APIs. */
module HTTP {
module Http {
/** Gets an HTTP verb, in upper case */
string httpVerb() { result in ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "HEAD"] }
@@ -917,7 +920,7 @@ module HTTP {
* Extend this class to model new APIs. If you want to refine existing API models,
* extend `HttpResponse` instead.
*/
abstract class Range extends HTTP::Server::HttpResponse::Range {
abstract class Range extends Http::Server::HttpResponse::Range {
/** Gets the data-flow node that specifies the location of this HTTP redirect response. */
abstract DataFlow::Node getRedirectLocation();
}
@@ -1051,6 +1054,9 @@ module HTTP {
// remote-flow-sources in general.
}
/** DEPRECATED: Alias for Http */
deprecated module HTTP = Http;
/**
* Provides models for cryptographic things.
*
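Review bot: The new deprecation aliases are documented inconsistently across this commit: `/** DEPRECATED: Alias for Ldap */` and `/** DEPRECATED: Alias for Http */` here, and the `MultiDict` and `Url` aliases in the multidict and Starlette sections, spell the replacement bare, while the Django section writes the replacement in backticks (`Alias for `DjangoHttp``). Doc comments elsewhere on this page put identifiers in backticks (`HttpResponse`, `set_cookie`), so the backticked form is the one to settle on for all four. The alias declarations themselves look correct; this is wording only.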


@@ -59,7 +59,7 @@ module AiohttpWebModel {
* Extend this class to refine existing API models. If you want to model new APIs,
* extend `AiohttpRouteSetup::Range` instead.
*/
class AiohttpRouteSetup extends HTTP::Server::RouteSetup::Range {
class AiohttpRouteSetup extends Http::Server::RouteSetup::Range {
AiohttpRouteSetup::Range range;
AiohttpRouteSetup() { this = range }
@@ -161,7 +161,7 @@ module AiohttpWebModel {
AiohttpAddRouteCall() {
exists(string funcName |
funcName = HTTP::httpVerbLower() and
funcName = Http::httpVerbLower() and
routeArgsStart = 0
or
funcName = "view" and
@@ -192,7 +192,7 @@ module AiohttpWebModel {
AiohttpDecoratorRouteSetup() {
exists(string decoratorName |
decoratorName = HTTP::httpVerbLower() and
decoratorName = Http::httpVerbLower() and
routeArgsStart = 0
or
decoratorName = "view" and
@@ -237,7 +237,7 @@ module AiohttpWebModel {
// TODO: This doesn't handle attribute assignment. Should be OK, but analysis is not as complete as with
// points-to and `.lookup`, which would handle `post = my_post_handler` inside class def
result = this.getAMethod() and
result.getName() = HTTP::httpVerbLower()
result.getName() = Http::httpVerbLower()
}
}
@@ -252,7 +252,7 @@ module AiohttpWebModel {
}
/** A request handler defined in an `aiohttp.web` view class, that has no known route. */
private class AiohttpViewClassRequestHandlerWithoutKnownRoute extends HTTP::Server::RequestHandler::Range {
private class AiohttpViewClassRequestHandlerWithoutKnownRoute extends Http::Server::RequestHandler::Range {
AiohttpViewClassRequestHandlerWithoutKnownRoute() {
exists(AiohttpViewClass vc | vc.getARequestHandler() = this) and
not exists(AiohttpRouteSetup setup | setup.getARequestHandler() = this)
@@ -319,7 +319,7 @@ module AiohttpWebModel {
}
/** An attribute read on an `aiohttp.web.Request` that is a `MultiDictProxy` instance. */
class AiohttpRequestMultiDictProxyInstances extends Multidict::MultiDictProxy::InstanceSource {
class AiohttpRequestMultiDictProxyInstances extends MultiDict::MultiDictProxy::InstanceSource {
AiohttpRequestMultiDictProxyInstances() {
this.(DataFlow::AttrRead).getObject() = Request::instance() and
this.(DataFlow::AttrRead).getAttributeName() in ["query", "headers"]
@@ -493,7 +493,7 @@ module AiohttpWebModel {
* - https://docs.aiohttp.org/en/stable/web_reference.html#aiohttp.web.Response
* - https://docs.aiohttp.org/en/stable/web_quickstart.html#aiohttp-web-exceptions
*/
class AiohttpWebResponseInstantiation extends HTTP::Server::HttpResponse::Range,
class AiohttpWebResponseInstantiation extends Http::Server::HttpResponse::Range,
Response::InstanceSource, DataFlow::CallCfgNode {
API::Node apiNode;
@@ -562,7 +562,7 @@ module AiohttpWebModel {
* See the part about redirects at https://docs.aiohttp.org/en/stable/web_quickstart.html#aiohttp-web-exceptions
*/
class AiohttpRedirectExceptionInstantiation extends AiohttpWebResponseInstantiation,
HTTP::Server::HttpRedirectResponse::Range {
Http::Server::HttpRedirectResponse::Range {
AiohttpRedirectExceptionInstantiation() {
exists(string httpRedirectExceptionClassName |
httpRedirectExceptionClassName in [
@@ -585,7 +585,7 @@ module AiohttpWebModel {
/**
* A call to `set_cookie` on a HTTP Response.
*/
class AiohttpResponseSetCookieCall extends HTTP::Server::CookieWrite::Range, DataFlow::CallCfgNode {
class AiohttpResponseSetCookieCall extends Http::Server::CookieWrite::Range, DataFlow::CallCfgNode {
AiohttpResponseSetCookieCall() {
this = aiohttpResponseInstance().getMember("set_cookie").getACall()
}
@@ -600,7 +600,7 @@ module AiohttpWebModel {
/**
* A call to `del_cookie` on a HTTP Response.
*/
class AiohttpResponseDelCookieCall extends HTTP::Server::CookieWrite::Range, DataFlow::CallCfgNode {
class AiohttpResponseDelCookieCall extends Http::Server::CookieWrite::Range, DataFlow::CallCfgNode {
AiohttpResponseDelCookieCall() {
this = aiohttpResponseInstance().getMember("del_cookie").getACall()
}
@@ -616,7 +616,7 @@ module AiohttpWebModel {
* A dict-like write to an item of the `cookies` attribute on a HTTP response, such as
* `response.cookies[name] = value`.
*/
class AiohttpResponseCookieSubscriptWrite extends HTTP::Server::CookieWrite::Range {
class AiohttpResponseCookieSubscriptWrite extends Http::Server::CookieWrite::Range {
DataFlow::Node index;
DataFlow::Node value;
@@ -661,11 +661,11 @@ private module AiohttpClientModel {
private API::Node instance() { result = classRef().getReturn() }
/** A method call on a ClientSession that sends off a request */
private class OutgoingRequestCall extends HTTP::Client::Request::Range, API::CallNode {
private class OutgoingRequestCall extends Http::Client::Request::Range, API::CallNode {
string methodName;
OutgoingRequestCall() {
methodName in [HTTP::httpVerbLower(), "request"] and
methodName in [Http::httpVerbLower(), "request"] and
this = instance().getMember(methodName).getACall()
}


@@ -1155,11 +1155,11 @@ module PrivateDjango {
/** Gets a reference to the `django.http` module. */
API::Node http() { result = django().getMember("http") }
/** DEPRECATED: Alias for `Http` */
deprecated module http = Http;
/** DEPRECATED: Alias for `DjangoHttp` */
deprecated module http = DjangoHttp;
/** Provides models for the `django.http` module */
module Http {
module DjangoHttp {
// ---------------------------------------------------------------------------
// django.http.request
// ---------------------------------------------------------------------------
@@ -1251,7 +1251,7 @@ module PrivateDjango {
// special handling of the `build_absolute_uri` method, see
// https://docs.djangoproject.com/en/3.0/ref/request-response/#django.http.HttpRequest.build_absolute_uri
exists(DataFlow::AttrRead attr, DataFlow::CallCfgNode call, DataFlow::Node instance |
instance = DjangoImpl::Http::Request::HttpRequest::instance() and
instance = DjangoImpl::DjangoHttp::Request::HttpRequest::instance() and
attr.getObject() = instance
|
attr.getAttributeName() = "build_absolute_uri" and
@@ -1359,7 +1359,7 @@ module PrivateDjango {
*
* Use the predicate `HttpResponse::instance()` to get references to instances of `django.http.response.HttpResponse`.
*/
abstract class InstanceSource extends HTTP::Server::HttpResponse::Range, DataFlow::Node {
abstract class InstanceSource extends Http::Server::HttpResponse::Range, DataFlow::Node {
}
/** A direct instantiation of `django.http.response.HttpResponse`. */
@@ -1421,7 +1421,7 @@ module PrivateDjango {
* Use the predicate `HttpResponseRedirect::instance()` to get references to instances of `django.http.response.HttpResponseRedirect`.
*/
abstract class InstanceSource extends HttpResponse::InstanceSource,
HTTP::Server::HttpRedirectResponse::Range, DataFlow::Node { }
Http::Server::HttpRedirectResponse::Range, DataFlow::Node { }
/** A direct instantiation of `django.http.response.HttpResponseRedirect`. */
private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
@@ -1483,7 +1483,7 @@ module PrivateDjango {
* Use the predicate `HttpResponsePermanentRedirect::instance()` to get references to instances of `django.http.response.HttpResponsePermanentRedirect`.
*/
abstract class InstanceSource extends HttpResponse::InstanceSource,
HTTP::Server::HttpRedirectResponse::Range, DataFlow::Node { }
Http::Server::HttpRedirectResponse::Range, DataFlow::Node { }
/** A direct instantiation of `django.http.response.HttpResponsePermanentRedirect`. */
private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
@@ -2066,17 +2066,17 @@ module PrivateDjango {
/** Gets a reference to the `django.http.response.HttpResponse.write` function. */
private DataFlow::TypeTrackingNode write(
DjangoImpl::Http::Response::HttpResponse::InstanceSource instance, DataFlow::TypeTracker t
DjangoImpl::DjangoHttp::Response::HttpResponse::InstanceSource instance, DataFlow::TypeTracker t
) {
t.startInAttr("write") and
instance = DjangoImpl::Http::Response::HttpResponse::instance() and
instance = DjangoImpl::DjangoHttp::Response::HttpResponse::instance() and
result = instance
or
exists(DataFlow::TypeTracker t2 | result = write(instance, t2).track(t2, t))
}
/** Gets a reference to the `django.http.response.HttpResponse.write` function. */
DataFlow::Node write(DjangoImpl::Http::Response::HttpResponse::InstanceSource instance) {
DataFlow::Node write(DjangoImpl::DjangoHttp::Response::HttpResponse::InstanceSource instance) {
write(instance, DataFlow::TypeTracker::end()).flowsTo(result)
}
@@ -2085,8 +2085,8 @@ module PrivateDjango {
*
* See https://docs.djangoproject.com/en/3.1/ref/request-response/#django.http.HttpResponse.write
*/
class HttpResponseWriteCall extends HTTP::Server::HttpResponse::Range, DataFlow::CallCfgNode {
DjangoImpl::Http::Response::HttpResponse::InstanceSource instance;
class HttpResponseWriteCall extends Http::Server::HttpResponse::Range, DataFlow::CallCfgNode {
DjangoImpl::DjangoHttp::Response::HttpResponse::InstanceSource instance;
HttpResponseWriteCall() { this.getFunction() = write(instance) }
@@ -2104,10 +2104,10 @@ module PrivateDjango {
/**
* A call to `set_cookie` on a HTTP Response.
*/
class DjangoResponseSetCookieCall extends HTTP::Server::CookieWrite::Range,
class DjangoResponseSetCookieCall extends Http::Server::CookieWrite::Range,
DataFlow::MethodCallNode {
DjangoResponseSetCookieCall() {
this.calls(DjangoImpl::Http::Response::HttpResponse::instance(), "set_cookie")
this.calls(DjangoImpl::DjangoHttp::Response::HttpResponse::instance(), "set_cookie")
}
override DataFlow::Node getHeaderArg() { none() }
@@ -2124,10 +2124,10 @@ module PrivateDjango {
/**
* A call to `delete_cookie` on a HTTP Response.
*/
class DjangoResponseDeleteCookieCall extends HTTP::Server::CookieWrite::Range,
class DjangoResponseDeleteCookieCall extends Http::Server::CookieWrite::Range,
DataFlow::MethodCallNode {
DjangoResponseDeleteCookieCall() {
this.calls(DjangoImpl::Http::Response::HttpResponse::instance(), "delete_cookie")
this.calls(DjangoImpl::DjangoHttp::Response::HttpResponse::instance(), "delete_cookie")
}
override DataFlow::Node getHeaderArg() { none() }
@@ -2143,7 +2143,7 @@ module PrivateDjango {
* A dict-like write to an item of the `cookies` attribute on a HTTP response, such as
* `response.cookies[name] = value`.
*/
class DjangoResponseCookieSubscriptWrite extends HTTP::Server::CookieWrite::Range {
class DjangoResponseCookieSubscriptWrite extends Http::Server::CookieWrite::Range {
DataFlow::Node index;
DataFlow::Node value;
@@ -2154,7 +2154,7 @@ module PrivateDjango {
this.asCfgNode() = subscript
|
cookieLookup.getAttributeName() = "cookies" and
cookieLookup.getObject() = DjangoImpl::Http::Response::HttpResponse::instance() and
cookieLookup.getObject() = DjangoImpl::DjangoHttp::Response::HttpResponse::instance() and
exists(DataFlow::Node subscriptObj |
subscriptObj.asCfgNode() = subscript.getObject()
|
@@ -2315,7 +2315,7 @@ module PrivateDjango {
// points-to and `.lookup`, which would handle `post = my_post_handler` inside class def
result = this.getAMethod() and
(
result.getName() = HTTP::httpVerbLower()
result.getName() = Http::httpVerbLower()
or
result.getName() = "get_redirect_url"
)
@@ -2410,7 +2410,7 @@ module PrivateDjango {
}
/** A data-flow node that sets up a route on a server, using the django framework. */
abstract class DjangoRouteSetup extends HTTP::Server::RouteSetup::Range, DataFlow::CfgNode {
abstract class DjangoRouteSetup extends Http::Server::RouteSetup::Range, DataFlow::CfgNode {
/** Gets the data-flow node that is used as the argument for the view handler. */
abstract DataFlow::Node getViewArg();
@@ -2427,7 +2427,7 @@ module PrivateDjango {
}
/** A request handler defined in a django view class, that has no known route. */
private class DjangoViewClassHandlerWithoutKnownRoute extends HTTP::Server::RequestHandler::Range,
private class DjangoViewClassHandlerWithoutKnownRoute extends Http::Server::RequestHandler::Range,
DjangoRouteHandler {
DjangoViewClassHandlerWithoutKnownRoute() {
exists(DjangoViewClass vc | vc.getARequestHandler() = this) and
@@ -2586,7 +2586,7 @@ module PrivateDjango {
// HttpRequest taint modeling
// ---------------------------------------------------------------------------
/** A parameter that will receive the django `HttpRequest` instance when a request handler is invoked. */
private class DjangoRequestHandlerRequestParam extends DjangoImpl::Http::Request::HttpRequest::InstanceSource,
private class DjangoRequestHandlerRequestParam extends DjangoImpl::DjangoHttp::Request::HttpRequest::InstanceSource,
RemoteFlowSource::Range, DataFlow::ParameterNode {
DjangoRequestHandlerRequestParam() {
this.getParameter() = any(DjangoRouteSetup setup).getARequestHandler().getRequestParam()
@@ -2603,7 +2603,7 @@ module PrivateDjango {
*
* See https://docs.djangoproject.com/en/3.1/topics/class-based-views/generic-display/#dynamic-filtering
*/
private class DjangoViewClassRequestAttributeRead extends DjangoImpl::Http::Request::HttpRequest::InstanceSource,
private class DjangoViewClassRequestAttributeRead extends DjangoImpl::DjangoHttp::Request::HttpRequest::InstanceSource,
RemoteFlowSource::Range, DataFlow::Node {
DjangoViewClassRequestAttributeRead() {
exists(DataFlow::AttrRead read | this = read |
@@ -2678,7 +2678,7 @@ module PrivateDjango {
*
* See https://docs.djangoproject.com/en/3.1/topics/http/shortcuts/#redirect
*/
private class DjangoShortcutsRedirectCall extends HTTP::Server::HttpRedirectResponse::Range,
private class DjangoShortcutsRedirectCall extends Http::Server::HttpRedirectResponse::Range,
DataFlow::CallCfgNode {
DjangoShortcutsRedirectCall() { this = DjangoImpl::Shortcuts::redirect().getACall() }
@@ -2712,7 +2712,7 @@ module PrivateDjango {
*
* See https://docs.djangoproject.com/en/3.1/ref/class-based-views/base/#redirectview
*/
private class DjangoRedirectViewGetRedirectUrlReturn extends HTTP::Server::HttpRedirectResponse::Range,
private class DjangoRedirectViewGetRedirectUrlReturn extends Http::Server::HttpRedirectResponse::Range,
DataFlow::CfgNode {
DjangoRedirectViewGetRedirectUrlReturn() {
node = any(GetRedirectUrlFunction f).getAReturnValueFlowNode()
@@ -2751,7 +2751,7 @@ module PrivateDjango {
/**
* A custom middleware stack
*/
private class DjangoSettingsMiddlewareStack extends HTTP::Server::CsrfProtectionSetting::Range {
private class DjangoSettingsMiddlewareStack extends Http::Server::CsrfProtectionSetting::Range {
List list;
DjangoSettingsMiddlewareStack() {
@@ -2787,7 +2787,7 @@ module PrivateDjango {
}
}
private class DjangoCsrfDecorator extends HTTP::Server::CsrfLocalProtectionSetting::Range {
private class DjangoCsrfDecorator extends Http::Server::CsrfLocalProtectionSetting::Range {
string decoratorName;
Function function;
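Review bot: The old module name `Http` gets no deprecated alias when it becomes `DjangoHttp`, although the old lowercase `http` keeps one (`deprecated module http = DjangoHttp;`), so an existing reference to `PrivateDjango::DjangoImpl::Http::...` breaks; the RestFramework section shows that path is reachable from other files. Presumably an alias named `Http` inside `PrivateDjango` would shadow the top-level `Http` module the same file now relies on (`Http::Server::HttpResponse::Range` in this section), which is why it is omitted; if so, a comment at the renamed module, `// Named DjangoHttp rather than Http to avoid shadowing the top-level Http module`, would stop a later reader from adding the alias back. The same situation arises in the StdlibPrivate section, where `Http` becomes `StdHttp` without an alias and would merit the same comment.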


@@ -48,10 +48,10 @@ private module FastApi {
*
* See https://fastapi.tiangolo.com/tutorial/first-steps/#define-a-path-operation-decorator
*/
private class FastApiRouteSetup extends HTTP::Server::RouteSetup::Range, DataFlow::CallCfgNode {
private class FastApiRouteSetup extends Http::Server::RouteSetup::Range, DataFlow::CallCfgNode {
FastApiRouteSetup() {
exists(string routeAddingMethod |
routeAddingMethod = HTTP::httpVerbLower()
routeAddingMethod = Http::httpVerbLower()
or
routeAddingMethod in ["api_route", "websocket"]
|
@@ -195,7 +195,7 @@ private module FastApi {
abstract class InstanceSource extends DataFlow::LocalSourceNode { }
/** A direct instantiation of a response class. */
private class ResponseInstantiation extends InstanceSource, HTTP::Server::HttpResponse::Range,
private class ResponseInstantiation extends InstanceSource, Http::Server::HttpResponse::Range,
DataFlow::CallCfgNode {
API::Node baseApiNode;
API::Node responseClass;
@@ -223,7 +223,7 @@ private module FastApi {
* A direct instantiation of a redirect response.
*/
private class RedirectResponseInstantiation extends ResponseInstantiation,
HTTP::Server::HttpRedirectResponse::Range {
Http::Server::HttpRedirectResponse::Range {
RedirectResponseInstantiation() { baseApiNode = getModeledResponseClass("RedirectResponse") }
override DataFlow::Node getRedirectLocation() {
@@ -245,7 +245,7 @@ private module FastApi {
/**
* An implicit response from a return of FastAPI request handler.
*/
private class FastApiRequestHandlerReturn extends HTTP::Server::HttpResponse::Range,
private class FastApiRequestHandlerReturn extends Http::Server::HttpResponse::Range,
DataFlow::CfgNode {
FastApiRouteSetup routeSetup;
@@ -291,7 +291,7 @@ private module FastApi {
* `response_class` set to a `RedirectResponse`.
*/
private class FastApiRequestHandlerRedirectReturn extends FastApiRequestHandlerReturn,
HTTP::Server::HttpRedirectResponse::Range {
Http::Server::HttpRedirectResponse::Range {
FastApiRequestHandlerRedirectReturn() {
exists(API::Node responseClass |
responseClass.getAValueReachableFromSource() = routeSetup.getResponseClassArg() and
@@ -332,7 +332,7 @@ private module FastApi {
/**
* A call to `set_cookie` on a FastAPI Response.
*/
private class SetCookieCall extends HTTP::Server::CookieWrite::Range, DataFlow::MethodCallNode {
private class SetCookieCall extends Http::Server::CookieWrite::Range, DataFlow::MethodCallNode {
SetCookieCall() { this.calls(instance(), "set_cookie") }
override DataFlow::Node getHeaderArg() { none() }
@@ -348,7 +348,7 @@ private module FastApi {
* A call to `append` on a `headers` of a FastAPI Response, with the `Set-Cookie`
* header-key.
*/
private class HeadersAppendCookie extends HTTP::Server::CookieWrite::Range,
private class HeadersAppendCookie extends Http::Server::CookieWrite::Range,
DataFlow::MethodCallNode {
HeadersAppendCookie() {
exists(DataFlow::AttrRead headers, DataFlow::Node keyArg |


@@ -116,7 +116,7 @@ module Flask {
*
* Use the predicate `Response::instance()` to get references to instances of `flask.Response`.
*/
abstract class InstanceSource extends HTTP::Server::HttpResponse::Range, DataFlow::Node { }
abstract class InstanceSource extends Http::Server::HttpResponse::Range, DataFlow::Node { }
/** A direct instantiation of `flask.Response`. */
private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
@@ -229,7 +229,7 @@ module Flask {
// TODO: This doesn't handle attribute assignment. Should be OK, but analysis is not as complete as with
// points-to and `.lookup`, which would handle `post = my_post_handler` inside class def
result = this.getAMethod() and
result.getName() = HTTP::httpVerbLower()
result.getName() = Http::httpVerbLower()
}
}
@@ -241,7 +241,7 @@ module Flask {
}
/** A route setup made by flask (sharing handling of URL patterns). */
abstract class FlaskRouteSetup extends HTTP::Server::RouteSetup::Range {
abstract class FlaskRouteSetup extends Http::Server::RouteSetup::Range {
override Parameter getARoutedParameter() {
// If we don't know the URL pattern, we simply mark all parameters as a routed
// parameter. This should give us more RemoteFlowSources but could also lead to
@@ -312,7 +312,7 @@ module Flask {
}
/** A request handler defined in a django view class, that has no known route. */
private class FlaskViewClassHandlerWithoutKnownRoute extends HTTP::Server::RequestHandler::Range {
private class FlaskViewClassHandlerWithoutKnownRoute extends Http::Server::RequestHandler::Range {
FlaskViewClassHandlerWithoutKnownRoute() {
exists(FlaskViewClass vc | vc.getARequestHandler() = this) and
not exists(FlaskRouteSetup setup | setup.getARequestHandler() = this)
@@ -439,7 +439,7 @@ module Flask {
// ---------------------------------------------------------------------------
// Implicit response from returns of flask request handlers
// ---------------------------------------------------------------------------
private class FlaskRouteHandlerReturn extends HTTP::Server::HttpResponse::Range, DataFlow::CfgNode {
private class FlaskRouteHandlerReturn extends Http::Server::HttpResponse::Range, DataFlow::CfgNode {
FlaskRouteHandlerReturn() {
exists(Function routeHandler |
routeHandler = any(FlaskRouteSetup rs).getARequestHandler() and
@@ -462,7 +462,7 @@ module Flask {
*
* See https://flask.palletsprojects.com/en/1.1.x/api/#flask.redirect
*/
private class FlaskRedirectCall extends HTTP::Server::HttpRedirectResponse::Range,
private class FlaskRedirectCall extends Http::Server::HttpRedirectResponse::Range,
DataFlow::CallCfgNode {
FlaskRedirectCall() { this = API::moduleImport("flask").getMember("redirect").getACall() }
@@ -490,7 +490,7 @@ module Flask {
*
* See https://flask.palletsprojects.com/en/2.0.x/api/#flask.Response.set_cookie
*/
class FlaskResponseSetCookieCall extends HTTP::Server::CookieWrite::Range,
class FlaskResponseSetCookieCall extends Http::Server::CookieWrite::Range,
DataFlow::MethodCallNode {
FlaskResponseSetCookieCall() { this.calls(Flask::Response::instance(), "set_cookie") }
@@ -506,7 +506,7 @@ module Flask {
*
* See https://flask.palletsprojects.com/en/2.0.x/api/#flask.Response.delete_cookie
*/
class FlaskResponseDeleteCookieCall extends HTTP::Server::CookieWrite::Range,
class FlaskResponseDeleteCookieCall extends Http::Server::CookieWrite::Range,
DataFlow::MethodCallNode {
FlaskResponseDeleteCookieCall() { this.calls(Flask::Response::instance(), "delete_cookie") }


@@ -23,11 +23,11 @@ private module HttpxModel {
*
* See https://www.python-httpx.org/api/
*/
private class RequestCall extends HTTP::Client::Request::Range, API::CallNode {
private class RequestCall extends Http::Client::Request::Range, API::CallNode {
string methodName;
RequestCall() {
methodName in [HTTP::httpVerbLower(), "request", "stream"] and
methodName in [Http::httpVerbLower(), "request", "stream"] and
this = API::moduleImport("httpx").getMember(methodName).getACall()
}
@@ -64,11 +64,11 @@ private module HttpxModel {
}
/** A method call on a Client that sends off a request */
private class OutgoingRequestCall extends HTTP::Client::Request::Range, DataFlow::CallCfgNode {
private class OutgoingRequestCall extends Http::Client::Request::Range, DataFlow::CallCfgNode {
string methodName;
OutgoingRequestCall() {
methodName in [HTTP::httpVerbLower(), "request", "stream"] and
methodName in [Http::httpVerbLower(), "request", "stream"] and
this = classRef().getReturn().getMember(methodName).getACall()
}


@@ -13,13 +13,13 @@ private import semmle.python.ApiGraphs
*
* See https://www.python-ldap.org/en/python-ldap-3.3.0/index.html
*/
private module Ldap {
private module PythonLdap {
/**
* The execution of an `ldap` query.
*
* See https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html#functions
*/
private class LdapQueryExecution extends DataFlow::CallCfgNode, LDAP::LdapExecution::Range {
private class LdapQueryExecution extends DataFlow::CallCfgNode, Ldap::LdapExecution::Range {
LdapQueryExecution() {
this =
API::moduleImport("ldap")


@@ -15,7 +15,7 @@ private import semmle.python.ApiGraphs
*/
private module Ldap3 {
/** The execution of an `ldap` query. */
private class LdapQueryExecution extends DataFlow::CallCfgNode, LDAP::LdapExecution::Range {
private class LdapQueryExecution extends DataFlow::CallCfgNode, Ldap::LdapExecution::Range {
LdapQueryExecution() {
this =
API::moduleImport("ldap3")


@@ -22,7 +22,7 @@ private module Libtaxii {
* A call to `libtaxii.common.parse`.
* When the `allow_url` parameter value is set to `True`, there is an SSRF vulnerability..
*/
private class ParseCall extends HTTP::Client::Request::Range, DataFlow::CallCfgNode {
private class ParseCall extends Http::Client::Request::Range, DataFlow::CallCfgNode {
ParseCall() {
this = API::moduleImport("libtaxii").getMember("common").getMember("parse").getACall() and
this.getArgByName("allow_url").getALocalSource().asExpr() = any(True t)


@@ -16,7 +16,7 @@ private import semmle.python.frameworks.internal.InstanceTaintStepsHelper
* Provides models for the `multidict` PyPI package.
* See https://multidict.readthedocs.io/en/stable/.
*/
module Multidict {
module MultiDict {
/**
* Provides models for a `MultiDictProxy` class:
* - `multidict.MultiDictProxy`
@@ -88,3 +88,6 @@ module Multidict {
}
}
}
/** DEPRECATED: Alias for MultiDict */
deprecated module Multidict = MultiDict;


@@ -36,7 +36,7 @@ private module Pycurl {
*
* See http://pycurl.io/docs/latest/curlobject.html#pycurl.Curl.setopt.
*/
private class OutgoingRequestCall extends HTTP::Client::Request::Range, DataFlow::CallCfgNode {
private class OutgoingRequestCall extends Http::Client::Request::Range, DataFlow::CallCfgNode {
OutgoingRequestCall() {
this = instance().getMember("setopt").getACall() and
this.getArg(0).asCfgNode().(AttrNode).getName() = "URL"


@@ -28,11 +28,11 @@ private module Requests {
*
* See https://requests.readthedocs.io/en/latest/api/#requests.request
*/
private class OutgoingRequestCall extends HTTP::Client::Request::Range, API::CallNode {
private class OutgoingRequestCall extends Http::Client::Request::Range, API::CallNode {
string methodName;
OutgoingRequestCall() {
methodName in [HTTP::httpVerbLower(), "request"] and
methodName in [Http::httpVerbLower(), "request"] and
(
this = API::moduleImport("requests").getMember(methodName).getACall()
or


@@ -158,7 +158,7 @@ private module RestFramework {
* `HTTP::Server::RequestHandler`. We only need this for the ones that doesn't have a
* known route setup.
*/
class RestFrameworkFunctionBasedViewWithoutKnownRoute extends HTTP::Server::RequestHandler::Range,
class RestFrameworkFunctionBasedViewWithoutKnownRoute extends Http::Server::RequestHandler::Range,
PrivateDjango::DjangoRouteHandler instanceof RestFrameworkFunctionBasedView {
RestFrameworkFunctionBasedViewWithoutKnownRoute() {
not exists(PrivateDjango::DjangoRouteSetup setup | setup.getARequestHandler() = this)
@@ -220,7 +220,7 @@ private module RestFramework {
*
* Use the predicate `Request::instance()` to get references to instances of `rest_framework.request.Request`.
*/
abstract class InstanceSource extends PrivateDjango::DjangoImpl::Http::Request::HttpRequest::InstanceSource {
abstract class InstanceSource extends PrivateDjango::DjangoImpl::DjangoHttp::Request::HttpRequest::InstanceSource {
}
/** A direct instantiation of `rest_framework.request.Request`. */
@@ -296,7 +296,7 @@ private module RestFramework {
}
/** A direct instantiation of `rest_framework.response.Response`. */
private class ClassInstantiation extends PrivateDjango::DjangoImpl::Http::Response::HttpResponse::InstanceSource,
private class ClassInstantiation extends PrivateDjango::DjangoImpl::DjangoHttp::Response::HttpResponse::InstanceSource,
DataFlow::CallCfgNode {
ClassInstantiation() { this = classRef().getACall() }
@@ -320,7 +320,7 @@ private module RestFramework {
*/
module ApiException {
/** A direct instantiation of `rest_framework.exceptions.ApiException` or subclass. */
private class ClassInstantiation extends HTTP::Server::HttpResponse::Range,
private class ClassInstantiation extends Http::Server::HttpResponse::Range,
DataFlow::CallCfgNode {
string className;
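Review bot: The doc comment on `RestFrameworkFunctionBasedViewWithoutKnownRoute` still refers to `HTTP::Server::RequestHandler`, while the class it documents now extends `Http::Server::RequestHandler::Range` and the old spelling survives only as a deprecated alias after this commit. Change the doc line to `` * `Http::Server::RequestHandler`. We only need this for the ones that don't have a `` (fixing `doesn't` → `don't` while touching it). The opening lines of that doc comment are outside the hunk.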


@@ -85,7 +85,7 @@ module Starlette {
}
/** An attribute read on a `starlette.websockets.WebSocket` instance that is a `starlette.requests.URL` instance. */
private class UrlInstances extends URL::InstanceSource {
private class UrlInstances extends Url::InstanceSource {
UrlInstances() {
this.(DataFlow::AttrRead).getObject() = instance() and
this.(DataFlow::AttrRead).getAttributeName() = "url"
@@ -98,7 +98,7 @@ module Starlette {
*
* See the URL part of https://www.starlette.io/websockets/.
*/
module URL {
module Url {
/** Gets a reference to the `starlette.requests.URL` class. */
private API::Node classRef() {
result = API::moduleImport("starlette").getMember("requests").getMember("URL")
@@ -159,4 +159,7 @@ module Starlette {
}
}
}
/** DEPRECATED: Alias for Url */
deprecated module URL = Url;
}


@@ -1877,7 +1877,7 @@ private module StdlibPrivate {
API::Node http() { result = API::moduleImport("http") }
/** Provides models for the `http` module. */
module Http {
module StdHttp {
// -------------------------------------------------------------------------
// http.server
// -------------------------------------------------------------------------
@@ -1944,9 +1944,9 @@ private module StdlibPrivate {
SimpleHttpServer::SimpleHttpRequestHandler::classRef(),
CgiHttpServer::CgiHttpRequestHandler::classRef(),
// Python 3
Http::Server::BaseHttpRequestHandler::classRef(),
Http::Server::SimpleHttpRequestHandler::classRef(),
Http::Server::CgiHttpRequestHandler::classRef()
StdHttp::Server::BaseHttpRequestHandler::classRef(),
StdHttp::Server::SimpleHttpRequestHandler::classRef(),
StdHttp::Server::CgiHttpRequestHandler::classRef()
].getASubclass*()
}
@@ -2026,10 +2026,10 @@ private module StdlibPrivate {
*
* Not essential for any functionality, but provides a consistent modeling.
*/
private class RequestHandlerFunc extends HTTP::Server::RequestHandler::Range {
private class RequestHandlerFunc extends Http::Server::RequestHandler::Range {
RequestHandlerFunc() {
this = any(HttpRequestHandlerClassDef cls).getAMethod() and
this.getName() = "do_" + HTTP::httpVerb()
this.getName() = "do_" + Http::httpVerb()
}
override Parameter getARoutedParameter() { none() }
@@ -2064,7 +2064,7 @@ private module StdlibPrivate {
* See https://github.com/python/cpython/blob/b567b9d74bd9e476a3027335873bb0508d6e450f/Lib/wsgiref/handlers.py#L137
* for how a request is processed and given to an application.
*/
class WsgirefSimpleServerApplication extends HTTP::Server::RequestHandler::Range {
class WsgirefSimpleServerApplication extends Http::Server::RequestHandler::Range {
WsgirefSimpleServerApplication() {
exists(DataFlow::Node appArg, DataFlow::CallCfgNode setAppCall |
(
@@ -2166,7 +2166,7 @@ private module StdlibPrivate {
*
* See https://github.com/python/cpython/blob/b567b9d74bd9e476a3027335873bb0508d6e450f/Lib/wsgiref/handlers.py#L276
*/
class WsgirefSimpleServerApplicationWriteCall extends HTTP::Server::HttpResponse::Range,
class WsgirefSimpleServerApplicationWriteCall extends Http::Server::HttpResponse::Range,
DataFlow::CallCfgNode {
WsgirefSimpleServerApplicationWriteCall() { this.getFunction() = writeFunction() }
@@ -2180,7 +2180,7 @@ private module StdlibPrivate {
/**
* A return from a `WsgirefSimpleServerApplication`, which is included in the response body.
*/
class WsgirefSimpleServerApplicationReturn extends HTTP::Server::HttpResponse::Range,
class WsgirefSimpleServerApplicationReturn extends Http::Server::HttpResponse::Range,
DataFlow::CfgNode {
WsgirefSimpleServerApplicationReturn() {
exists(WsgirefSimpleServerApplication requestHandler |
@@ -2267,7 +2267,7 @@ private module StdlibPrivate {
}
/** A method call on a HttpConnection that sends off a request */
private class RequestCall extends HTTP::Client::Request::Range, DataFlow::MethodCallNode {
private class RequestCall extends Http::Client::Request::Range, DataFlow::MethodCallNode {
RequestCall() { this.calls(instance(_), ["request", "_send_request", "putrequest"]) }
DataFlow::Node getUrlArg() { result in [this.getArg(1), this.getArgByName("url")] }


@@ -30,7 +30,7 @@ private module Urllib {
* See
* - https://docs.python.org/3.9/library/urllib.request.html#urllib.request.Request
*/
private class RequestCall extends HTTP::Client::Request::Range, DataFlow::CallCfgNode {
private class RequestCall extends Http::Client::Request::Range, DataFlow::CallCfgNode {
RequestCall() {
this = API::moduleImport("urllib").getMember("request").getMember("Request").getACall()
}
@@ -52,7 +52,7 @@ private module Urllib {
* See
* - https://docs.python.org/3.9/library/urllib.request.html#urllib.request.urlopen
*/
private class UrlOpenCall extends HTTP::Client::Request::Range, DataFlow::CallCfgNode {
private class UrlOpenCall extends Http::Client::Request::Range, DataFlow::CallCfgNode {
UrlOpenCall() {
this = API::moduleImport("urllib").getMember("request").getMember("urlopen").getACall()
}


@@ -20,7 +20,7 @@ private module Urllib2 {
* See
* - https://docs.python.org/2/library/urllib2.html#urllib2.Request
*/
private class RequestCall extends HTTP::Client::Request::Range, DataFlow::CallCfgNode {
private class RequestCall extends Http::Client::Request::Range, DataFlow::CallCfgNode {
RequestCall() { this = API::moduleImport("urllib2").getMember("Request").getACall() }
override DataFlow::Node getAUrlPart() { result in [this.getArg(0), this.getArgByName("url")] }
@@ -40,7 +40,7 @@ private module Urllib2 {
* See
* - https://docs.python.org/2/library/urllib2.html#urllib2.urlopen
*/
private class UrlOpenCall extends HTTP::Client::Request::Range, DataFlow::CallCfgNode {
private class UrlOpenCall extends Http::Client::Request::Range, DataFlow::CallCfgNode {
UrlOpenCall() { this = API::moduleImport("urllib2").getMember("urlopen").getACall() }
override DataFlow::Node getAUrlPart() { result in [this.getArg(0), this.getArgByName("url")] }


@@ -99,7 +99,7 @@ private module Tornado {
// TODO: This doesn't handle attribute assignment. Should be OK, but analysis is not as complete as with
// points-to and `.lookup`, which would handle `post = my_post_handler` inside class def
result = this.getAMethod() and
result.getName() = HTTP::httpVerbLower()
result.getName() = Http::httpVerbLower()
}
/** Gets a reference to this class. */
@@ -375,7 +375,7 @@ private module Tornado {
}
/** A tornado route setup. */
abstract class TornadoRouteSetup extends HTTP::Server::RouteSetup::Range {
abstract class TornadoRouteSetup extends Http::Server::RouteSetup::Range {
override string getFramework() { result = "Tornado" }
}
@@ -437,7 +437,7 @@ private module Tornado {
}
/** A request handler defined in a tornado RequestHandler class, that has no known route. */
private class TornadoRequestHandlerWithoutKnownRoute extends HTTP::Server::RequestHandler::Range {
private class TornadoRequestHandlerWithoutKnownRoute extends Http::Server::RequestHandler::Range {
TornadoRequestHandlerWithoutKnownRoute() {
exists(TornadoModule::Web::RequestHandler::RequestHandlerClass cls |
cls.getARequestHandler() = this
@@ -464,7 +464,7 @@ private module Tornado {
*
* See https://www.tornadoweb.org/en/stable/web.html#tornado.web.RequestHandler.redirect
*/
private class TornadoRequestHandlerRedirectCall extends HTTP::Server::HttpRedirectResponse::Range,
private class TornadoRequestHandlerRedirectCall extends Http::Server::HttpRedirectResponse::Range,
DataFlow::CallCfgNode {
TornadoRequestHandlerRedirectCall() {
this.getFunction() = TornadoModule::Web::RequestHandler::redirectMethod()
@@ -486,7 +486,7 @@ private module Tornado {
*
* See https://www.tornadoweb.org/en/stable/web.html#tornado.web.RequestHandler.write
*/
private class TornadoRequestHandlerWriteCall extends HTTP::Server::HttpResponse::Range,
private class TornadoRequestHandlerWriteCall extends Http::Server::HttpResponse::Range,
DataFlow::CallCfgNode {
TornadoRequestHandlerWriteCall() {
this.getFunction() = TornadoModule::Web::RequestHandler::writeMethod()
@@ -504,7 +504,7 @@ private module Tornado {
*
* See https://www.tornadoweb.org/en/stable/web.html#tornado.web.RequestHandler.set_cookie
*/
class TornadoRequestHandlerSetCookieCall extends HTTP::Server::CookieWrite::Range,
class TornadoRequestHandlerSetCookieCall extends Http::Server::CookieWrite::Range,
DataFlow::MethodCallNode {
TornadoRequestHandlerSetCookieCall() {
this.calls(TornadoModule::Web::RequestHandler::instance(), "set_cookie")


@@ -60,7 +60,7 @@ private module Twisted {
}
/** A method that handles incoming requests, on a `twisted.web.resource.Resource` subclass. */
class TwistedResourceRequestHandler extends HTTP::Server::RequestHandler::Range {
class TwistedResourceRequestHandler extends Http::Server::RequestHandler::Range {
TwistedResourceRequestHandler() { this = any(TwistedResourceSubclass cls).getARequestHandler() }
Parameter getRequestParameter() { result = this.getArg(getRequestParamIndex(this.getName())) }
@@ -176,7 +176,7 @@ private module Twisted {
/**
* Implicit response from returns of render methods.
*/
private class TwistedResourceRenderMethodReturn extends HTTP::Server::HttpResponse::Range,
private class TwistedResourceRenderMethodReturn extends Http::Server::HttpResponse::Range,
DataFlow::CfgNode {
TwistedResourceRenderMethodReturn() {
this.asCfgNode() = any(TwistedResourceRenderMethod meth).getAReturnValueFlowNode()
@@ -194,7 +194,7 @@ private module Twisted {
*
* See https://twistedmatrix.com/documents/21.2.0/api/twisted.web.server.Request.html#write
*/
class TwistedRequestWriteCall extends HTTP::Server::HttpResponse::Range, DataFlow::MethodCallNode {
class TwistedRequestWriteCall extends Http::Server::HttpResponse::Range, DataFlow::MethodCallNode {
TwistedRequestWriteCall() { this.calls(Request::instance(), "write") }
override DataFlow::Node getBody() {
@@ -211,7 +211,7 @@ private module Twisted {
*
* See https://twistedmatrix.com/documents/21.2.0/api/twisted.web.http.Request.html#redirect
*/
class TwistedRequestRedirectCall extends HTTP::Server::HttpRedirectResponse::Range,
class TwistedRequestRedirectCall extends Http::Server::HttpRedirectResponse::Range,
DataFlow::MethodCallNode {
TwistedRequestRedirectCall() { this.calls(Request::instance(), "redirect") }
@@ -231,7 +231,7 @@ private module Twisted {
*
* See https://twistedmatrix.com/documents/21.2.0/api/twisted.web.http.Request.html#addCookie
*/
class TwistedRequestAddCookieCall extends HTTP::Server::CookieWrite::Range,
class TwistedRequestAddCookieCall extends Http::Server::CookieWrite::Range,
DataFlow::MethodCallNode {
TwistedRequestAddCookieCall() { this.calls(Twisted::Request::instance(), "addCookie") }
@@ -247,7 +247,7 @@ private module Twisted {
*
* See https://twistedmatrix.com/documents/21.2.0/api/twisted.web.http.Request.html#cookies
*/
class TwistedRequestCookiesAppendCall extends HTTP::Server::CookieWrite::Range,
class TwistedRequestCookiesAppendCall extends Http::Server::CookieWrite::Range,
DataFlow::MethodCallNode {
TwistedRequestCookiesAppendCall() {
exists(DataFlow::AttrRead cookiesLookup |


@@ -49,7 +49,7 @@ private module Urllib3 {
* - https://urllib3.readthedocs.io/en/stable/reference/urllib3.request.html#urllib3.request.RequestMethods
* - https://urllib3.readthedocs.io/en/stable/reference/urllib3.connectionpool.html#urllib3.HTTPConnectionPool.urlopen
*/
private class RequestCall extends HTTP::Client::Request::Range, API::CallNode {
private class RequestCall extends Http::Client::Request::Range, API::CallNode {
RequestCall() {
this =
classRef()


@@ -102,7 +102,7 @@ module Yarl {
}
/** An attribute read on a `yarl.URL` that is a `MultiDictProxy` instance. */
class YarlUrlMultiDictProxyInstance extends Multidict::MultiDictProxy::InstanceSource {
class YarlUrlMultiDictProxyInstance extends MultiDict::MultiDictProxy::InstanceSource {
YarlUrlMultiDictProxyInstance() {
this.(DataFlow::AttrRead).getObject() = Yarl::Url::instance() and
this.(DataFlow::AttrRead).getAttributeName() = "query"


@@ -56,7 +56,7 @@ module CleartextStorage {
/** The data written to a cookie on a HTTP response, considered as a flow sink. */
class CookieWriteAsSink extends Sink {
CookieWriteAsSink() {
exists(HTTP::Server::CookieWrite write |
exists(Http::Server::CookieWrite write |
this = write.getValueArg()
or
this = write.getHeaderArg()


@@ -64,14 +64,14 @@ module LdapInjection {
* A logging operation, considered as a flow sink.
*/
class LdapExecutionAsDnSink extends DnSink {
LdapExecutionAsDnSink() { this = any(LDAP::LdapExecution ldap).getBaseDn() }
LdapExecutionAsDnSink() { this = any(Ldap::LdapExecution ldap).getBaseDn() }
}
/**
* A logging operation, considered as a flow sink.
*/
class LdapExecutionAsFilterSink extends FilterSink {
LdapExecutionAsFilterSink() { this = any(LDAP::LdapExecution ldap).getFilter() }
LdapExecutionAsFilterSink() { this = any(Ldap::LdapExecution ldap).getFilter() }
}
/**
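Review bot: The doc comments above both `LdapExecutionAsDnSink` and `LdapExecutionAsFilterSink` read `A logging operation, considered as a flow sink.`, which looks copy-pasted from a different sink class; these two classes model the base DN and the filter argument of an `Ldap::LdapExecution`, not a logging call. Suggest `/** The base DN of an LDAP query execution, considered as a flow sink. */` for the first and `/** The filter of an LDAP query execution, considered as a flow sink. */` for the second. Since the rename to `Ldap::` touches exactly these lines, this is a cheap fix to fold into the same change. The enclosing `LdapInjection` module starts before the hunk and continues after it.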


@@ -48,7 +48,7 @@ module ReflectedXss {
*/
class ServerHttpResponseBodyAsSink extends Sink {
ServerHttpResponseBodyAsSink() {
exists(HTTP::Server::HttpResponse response |
exists(Http::Server::HttpResponse response |
response.getMimetype().toLowerCase() = "text/html" and
this = response.getBody()
)


@@ -28,7 +28,7 @@ module ServerSideRequestForgery {
/**
* Gets the request this sink belongs to.
*/
abstract HTTP::Client::Request getRequest();
abstract Http::Client::Request getRequest();
}
/**
@@ -57,7 +57,7 @@ module ServerSideRequestForgery {
/** The URL of an HTTP request, considered as a sink. */
class HttpRequestUrlAsSink extends Sink {
HTTP::Client::Request req;
Http::Client::Request req;
HttpRequestUrlAsSink() {
req.getAUrlPart() = this and
@@ -74,7 +74,7 @@ module ServerSideRequestForgery {
not req.getScope().getEnclosingModule().getName() in ["http.client", "httplib"]
}
override HTTP::Client::Request getRequest() { result = req }
override Http::Client::Request getRequest() { result = req }
}
/**


@@ -42,7 +42,7 @@ class FullServerSideRequestForgeryConfiguration extends TaintTracking::Configura
/**
* Holds if all URL parts of `request` is fully user controlled.
*/
predicate fullyControlledRequest(HTTP::Client::Request request) {
predicate fullyControlledRequest(Http::Client::Request request) {
exists(FullServerSideRequestForgeryConfiguration fullConfig |
forall(DataFlow::Node urlPart | urlPart = request.getAUrlPart() |
fullConfig.hasFlow(_, urlPart)


@@ -49,6 +49,6 @@ module StackTraceExposure {
* The body of a HTTP response that will be returned from a server, considered as a flow sink.
*/
class ServerHttpResponseBodyAsSink extends Sink {
ServerHttpResponseBodyAsSink() { this = any(HTTP::Server::HttpResponse response).getBody() }
ServerHttpResponseBodyAsSink() { this = any(Http::Server::HttpResponse response).getBody() }
}
}


@@ -48,7 +48,7 @@ module UrlRedirect {
*/
class RedirectLocationAsSink extends Sink {
RedirectLocationAsSink() {
this = any(HTTP::Server::HttpRedirectResponse e).getRedirectLocation()
this = any(Http::Server::HttpRedirectResponse e).getRedirectLocation()
}
}


@@ -15,7 +15,7 @@ private import semmle.python.dataflow.new.DataFlow
private import semmle.python.Concepts
from
HTTP::Client::Request request, DataFlow::Node disablingNode, DataFlow::Node origin, string ending
Http::Client::Request request, DataFlow::Node disablingNode, DataFlow::Node origin, string ending
where
request.disablesCertificateValidation(disablingNode, origin) and
// Showing the origin is only useful when it's a different node than the one disabling


@@ -14,24 +14,24 @@
import python
import semmle.python.Concepts
predicate relevantSetting(HTTP::Server::CsrfProtectionSetting s) {
predicate relevantSetting(Http::Server::CsrfProtectionSetting s) {
// rule out test code as this is a common place to turn off CSRF protection.
// We don't use normal `TestScope` to find test files, since we also want to match
// a settings file such as `.../integration-tests/settings.py`
not s.getLocation().getFile().getAbsolutePath().matches("%test%")
}
predicate vulnerableSetting(HTTP::Server::CsrfProtectionSetting s) {
predicate vulnerableSetting(Http::Server::CsrfProtectionSetting s) {
s.getVerificationSetting() = false and
not exists(HTTP::Server::CsrfLocalProtectionSetting p | p.csrfEnabled()) and
not exists(Http::Server::CsrfLocalProtectionSetting p | p.csrfEnabled()) and
relevantSetting(s)
}
from HTTP::Server::CsrfProtectionSetting setting
from Http::Server::CsrfProtectionSetting setting
where
vulnerableSetting(setting) and
// We have seen examples of dummy projects with vulnerable settings alongside a main
// project with a protecting settings file. We want to rule out this scenario, so we
// require all non-test settings to be vulnerable.
forall(HTTP::Server::CsrfProtectionSetting s | relevantSetting(s) | vulnerableSetting(s))
forall(Http::Server::CsrfProtectionSetting s | relevantSetting(s) | vulnerableSetting(s))
select setting, "Potential CSRF vulnerability due to forgery protection being disabled or weakened."
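Review bot: `relevantSetting` excludes any settings file whose absolute path matches `%test%`, and because the match runs over the whole absolute path rather than a path segment, a checkout under a directory such as `latest/` or `contest/` (or a user name containing `test`) silently drops every settings file and the query reports nothing. The comment above the check explains why `TestScope` is not used, but not this blind spot. A narrower check, for example matching on `getRelativePath()` or anchoring the pattern on a path separator, would keep the intended exclusion while shrinking the gap; at minimum the comment should state that any `test` substring in the full path suppresses the query. This is a pre-existing coverage limitation of the query rather than something the rename introduces.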


@@ -16,7 +16,7 @@ import DataFlow::PathGraph
from
FullServerSideRequestForgeryConfiguration fullConfig, DataFlow::PathNode source,
DataFlow::PathNode sink, HTTP::Client::Request request
DataFlow::PathNode sink, Http::Client::Request request
where
request = sink.getNode().(Sink).getRequest() and
fullConfig.hasFlowPath(source, sink) and


@@ -16,7 +16,7 @@ import DataFlow::PathGraph
from
PartialServerSideRequestForgeryConfiguration partialConfig, DataFlow::PathNode source,
DataFlow::PathNode sink, HTTP::Client::Request request
DataFlow::PathNode sink, Http::Client::Request request
where
request = sink.getNode().(Sink).getRequest() and
partialConfig.hasFlowPath(source, sink) and


@@ -416,7 +416,7 @@ class CsvWriter extends DataFlow::Node {
* Extend this class to refine existing API models. If you want to model new APIs,
* extend `Cookie::Range` instead.
*/
class Cookie extends HTTP::Server::CookieWrite instanceof Cookie::Range {
class Cookie extends Http::Server::CookieWrite instanceof Cookie::Range {
/**
* Holds if this cookie is secure.
*/
@@ -441,7 +441,7 @@ module Cookie {
* Extend this class to model new APIs. If you want to refine existing API models,
* extend `Cookie` instead.
*/
abstract class Range extends HTTP::Server::CookieWrite::Range {
abstract class Range extends Http::Server::CookieWrite::Range {
/**
* Holds if this cookie is secure.
*/


@@ -15,7 +15,7 @@ private module ExperimentalPrivateDjango {
private module DjangoMod {
API::Node http() { result = API::moduleImport("django").getMember("http") }
module Http {
module DjangoHttp {
API::Node response() { result = http().getMember("response") }
API::Node request() { result = http().getMember("request") }
@@ -54,7 +54,7 @@ private module ExperimentalPrivateDjango {
*
* Use the predicate `HttpResponse::instance()` to get references to instances of `django.http.response.HttpResponse`.
*/
abstract class InstanceSource extends HTTP::Server::HttpResponse::Range, DataFlow::Node {
abstract class InstanceSource extends Http::Server::HttpResponse::Range, DataFlow::Node {
}
/** A direct instantiation of `django.http.response.HttpResponse`. */
@@ -156,7 +156,7 @@ private module ExperimentalPrivateDjango {
*/
class DjangoResponseSetCookieCall extends DataFlow::MethodCallNode, Cookie::Range {
DjangoResponseSetCookieCall() {
this.calls(PrivateDjango::DjangoImpl::Http::Response::HttpResponse::instance(),
this.calls(PrivateDjango::DjangoImpl::DjangoHttp::Response::HttpResponse::instance(),
"set_cookie")
}


@@ -13,7 +13,7 @@ private import semmle.python.dataflow.new.DataFlow
private import semmle.python.Concepts
private import meta.MetaMetrics
from HTTP::Server::RequestHandler requestHandler, string title
from Http::Server::RequestHandler requestHandler, string title
where
not requestHandler.getLocation().getFile() instanceof IgnoredFile and
if requestHandler.isMethod()


@@ -239,7 +239,7 @@ class HttpServerRouteSetupTest extends InlineExpectationsTest {
override predicate hasActualResult(Location location, string element, string tag, string value) {
exists(location.getFile().getRelativePath()) and
exists(HTTP::Server::RouteSetup setup |
exists(Http::Server::RouteSetup setup |
location = setup.getLocation() and
element = setup.toString() and
(
@@ -261,14 +261,14 @@ class HttpServerRequestHandlerTest extends InlineExpectationsTest {
override predicate hasActualResult(Location location, string element, string tag, string value) {
exists(location.getFile().getRelativePath()) and
(
exists(HTTP::Server::RequestHandler handler |
exists(Http::Server::RequestHandler handler |
location = handler.getLocation() and
element = handler.toString() and
value = "" and
tag = "requestHandler"
)
or
exists(HTTP::Server::RequestHandler handler, Parameter param |
exists(Http::Server::RequestHandler handler, Parameter param |
param = handler.getARoutedParameter() and
location = param.getLocation() and
element = param.toString() and
@@ -299,21 +299,21 @@ class HttpServerHttpResponseTest extends InlineExpectationsTest {
// we need to do this step since we expect subclasses could override getARelevantTag
tag = getARelevantTag() and
(
exists(HTTP::Server::HttpResponse response |
exists(Http::Server::HttpResponse response |
location = response.getLocation() and
element = response.toString() and
value = "" and
tag = "HttpResponse"
)
or
exists(HTTP::Server::HttpResponse response |
exists(Http::Server::HttpResponse response |
location = response.getLocation() and
element = response.toString() and
value = prettyNodeForInlineTest(response.getBody()) and
tag = "responseBody"
)
or
exists(HTTP::Server::HttpResponse response |
exists(Http::Server::HttpResponse response |
location = response.getLocation() and
element = response.toString() and
// Ensure that an expectation value such as "mimetype=text/html; charset=utf-8" is parsed as a
@@ -338,14 +338,14 @@ class HttpServerHttpRedirectResponseTest extends InlineExpectationsTest {
override predicate hasActualResult(Location location, string element, string tag, string value) {
exists(location.getFile().getRelativePath()) and
(
exists(HTTP::Server::HttpRedirectResponse redirect |
exists(Http::Server::HttpRedirectResponse redirect |
location = redirect.getLocation() and
element = redirect.toString() and
value = "" and
tag = "HttpRedirectResponse"
)
or
exists(HTTP::Server::HttpRedirectResponse redirect |
exists(Http::Server::HttpRedirectResponse redirect |
location = redirect.getLocation() and
element = redirect.toString() and
value = prettyNodeForInlineTest(redirect.getRedirectLocation()) and
@@ -364,7 +364,7 @@ class HttpServerCookieWriteTest extends InlineExpectationsTest {
override predicate hasActualResult(Location location, string element, string tag, string value) {
exists(location.getFile().getRelativePath()) and
exists(HTTP::Server::CookieWrite cookieWrite |
exists(Http::Server::CookieWrite cookieWrite |
location = cookieWrite.getLocation() and
(
element = cookieWrite.toString() and
@@ -519,7 +519,7 @@ class HttpClientRequestTest extends InlineExpectationsTest {
override predicate hasActualResult(Location location, string element, string tag, string value) {
exists(location.getFile().getRelativePath()) and
exists(HTTP::Client::Request req, DataFlow::Node url |
exists(Http::Client::Request req, DataFlow::Node url |
url = req.getAUrlPart() and
location = url.getLocation() and
element = url.toString() and
@@ -528,7 +528,7 @@ class HttpClientRequestTest extends InlineExpectationsTest {
)
or
exists(location.getFile().getRelativePath()) and
exists(HTTP::Client::Request req |
exists(Http::Client::Request req |
req.disablesCertificateValidation(_, _) and
location = req.getLocation() and
element = req.toString() and
@@ -545,7 +545,7 @@ class CsrfProtectionSettingTest extends InlineExpectationsTest {
override predicate hasActualResult(Location location, string element, string tag, string value) {
exists(location.getFile().getRelativePath()) and
exists(HTTP::Server::CsrfProtectionSetting setting |
exists(Http::Server::CsrfProtectionSetting setting |
location = setting.getLocation() and
element = setting.toString() and
value = setting.getVerificationSetting().toString() and
@@ -561,7 +561,7 @@ class CsrfLocalProtectionSettingTest extends InlineExpectationsTest {
override predicate hasActualResult(Location location, string element, string tag, string value) {
exists(location.getFile().getRelativePath()) and
exists(HTTP::Server::CsrfLocalProtectionSetting p |
exists(Http::Server::CsrfLocalProtectionSetting p |
location = p.getLocation() and
element = p.toString() and
value = p.getRequestHandler().getName().toString() and