hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 11:15:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Python: Fix false positive in 'Incomplete URL substring sanitization' query.

Browse Source
This commit is contained in:
Mark Shannon
2019-04-18 12:42:27 +01:00
parent c674f54129
commit 28799441af
2 changed files with 13 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
View File

@@ -35,16 +35,18 @@ predicate incomplete_sanitization(Expr sanitizer, StrConst url) {
(
sanitizer.(Compare).compares(url, any(In i), _)
or
call_to_startswith(sanitizer, url)
unsafe_call_to_startswith(sanitizer, url)
or
unsafe_call_to_endswith(sanitizer, url)
)
}
predicate call_to_startswith(Call sanitizer, StrConst url) {
predicate unsafe_call_to_startswith(Call sanitizer, StrConst url) {
sanitizer.getFunc().(Attribute).getName() = "startswith"
and
sanitizer.getArg(0) = url
and
not url.getText().regexpMatch("(?i)https?://[\\.a-z0-9-]+/.*")
}
predicate unsafe_call_to_endswith(Call sanitizer, StrConst url) {

9
python/ql/test/query-tests/Security/CWE-020/urltest.py
View File

@@ -39,3 +39,12 @@ def safe2(request):
if host and host.endswith(".example.com"):
return redirect(target)
@app.route('/some/path/good3')
def safe3(request):
target = request.args.get('target', '')
target = urlparse(target)
#Start url with https:// and ends with a / so must match the correct domain.
if target and target.startswith("https://example.com/"):
return redirect(target)