Merge pull request #2858 from RasmusWL/python-support-django2

Approved by tausbn
2026-04-30 11:15:13 +02:00 · 2020-03-23 09:35:46 +00:00
parent 888c504f55 6d72e77cdf
commit 2c7af72f14
21 changed files with 423 additions and 102 deletions
--- a/python/ql/src/semmle/python/web/bottle/General.qll
+++ b/python/ql/src/semmle/python/web/bottle/General.qll
@@ -36,7 +36,7 @@ class BottleRoute extends ControlFlowNode {

    Function getFunction() { bottle_route(this, _, result) }

-    Parameter getNamedArgument() {
+    Parameter getANamedArgument() {
        exists(string name, Function func |
            func = this.getFunction() and
            func.getArgByName(name) = result and
--- a/python/ql/src/semmle/python/web/bottle/Request.qll
+++ b/python/ql/src/semmle/python/web/bottle/Request.qll
@@ -71,7 +71,7 @@ class UntrustedFile extends TaintKind {
 /** Parameter to a bottle request handler function */
 class BottleRequestParameter extends HttpRequestTaintSource {
    BottleRequestParameter() {
-        exists(BottleRoute route | route.getNamedArgument() = this.(ControlFlowNode).getNode())
+        exists(BottleRoute route | route.getANamedArgument() = this.(ControlFlowNode).getNode())
    }

    override predicate isSourceOf(TaintKind kind) { kind instanceof UntrustedStringKind }
--- a/python/ql/src/semmle/python/web/django/General.qll
+++ b/python/ql/src/semmle/python/web/django/General.qll
@@ -2,39 +2,142 @@ import python
 import semmle.python.regex
 import semmle.python.web.Http

-predicate django_route(CallNode call, ControlFlowNode regex, FunctionValue view) {
-    exists(FunctionValue url |
-        Value::named("django.conf.urls.url") = url and
-        url.getArgumentForCall(call, 0) = regex and
-        url.getArgumentForCall(call, 1).pointsTo(view)
-    )
+// TODO: Since django uses `path = partial(...)`, our analysis doesn't understand this is
+// a FunctionValue, so we can't use `FunctionValue.getArgumentForCall`
+// https://github.com/django/django/blob/master/django/urls/conf.py#L76
+abstract class DjangoRoute extends CallNode {
+    DjangoViewHandler getViewHandler() {
+        result = view_handler_from_view_arg(this.getArg(1))
+        or
+        result = view_handler_from_view_arg(this.getArgByName("view"))
+    }
+
+    abstract string getANamedArgument();
+
+    /**
+     * Get the number of positional arguments that will be passed to the view.
+     * Will only return a result if there are no named arguments.
+     */
+    abstract int getNumPositionalArguments();
 }

-class DjangoRouteRegex extends RegexString {
-    DjangoRouteRegex() { django_route(_, this.getAFlowNode(), _) }
+/**
+ * For function based views -- also see `DjangoClassBasedViewHandler`
+ * https://docs.djangoproject.com/en/1.11/topics/http/views/
+ * https://docs.djangoproject.com/en/3.0/topics/http/views/
+ */
+class DjangoViewHandler extends PythonFunctionValue {
+
+    /** Gets the index of the 'request' argument */
+    int getRequestArgIndex() {
+        result = 0
+    }
 }

-class DjangoRoute extends CallNode {
-    DjangoRoute() { django_route(this, _, _) }
+/**
+ * Class based views
+ * https://docs.djangoproject.com/en/1.11/topics/class-based-views/
+ * https://docs.djangoproject.com/en/3.0/topics/class-based-views/
+ */
+private class DjangoViewClass extends ClassValue {
+    DjangoViewClass() {
+        Value::named("django.views.generic.View") = this.getASuperType()
+        or
+        Value::named("django.views.View") = this.getASuperType()
+    }
+}

-    FunctionValue getViewFunction() { django_route(this, _, result) }
-
-    string getNamedArgument() {
-        exists(DjangoRouteRegex regex |
-            django_route(this, regex.getAFlowNode(), _) and
-            regex.getGroupName(_, _) = result
+class DjangoClassBasedViewHandler extends DjangoViewHandler {
+    DjangoClassBasedViewHandler() {
+        exists(DjangoViewClass cls |
+            cls.lookup(httpVerbLower()) = this
        )
    }

-    /**
-      * Get the number of positional arguments that will be passed to the view.
-      * Will only return a result if there are no named arguments.
-      */
-    int getNumPositionalArguments() {
-        exists(DjangoRouteRegex regex |
-            django_route(this, regex.getAFlowNode(), _) and
-            not exists(string s | s = regex.getGroupName(_, _)) and
+    override int getRequestArgIndex() {
+        // due to `self` being the first parameter
+        result = 1
+    }
+}
+
+/**
+ * Gets the function that will handle requests when `view_arg` is used as the view argument to a
+ * django route. That is, this methods handles Class-based Views and its `as_view()` function.
+ */
+private DjangoViewHandler view_handler_from_view_arg(ControlFlowNode view_arg) {
+    // Function-based view
+    result = view_arg.pointsTo()
+    or
+    // Class-based view
+    exists(ClassValue cls |
+        cls = view_arg.(CallNode).getFunction().(AttrNode).getObject("as_view").pointsTo() and
+        result = cls.lookup(httpVerbLower())
+    )
+}
+
+// We need this "dummy" class, since otherwise the regex argument would not be considered
+// a regex (RegexString is abstract)
+class DjangoRouteRegex extends RegexString {
+    DjangoRouteRegex() { exists(DjangoRegexRoute route | route.getRouteArg() = this.getAFlowNode()) }
+}
+
+class DjangoRegexRoute extends DjangoRoute {
+    ControlFlowNode route;
+
+    DjangoRegexRoute() {
+        exists(FunctionValue route_maker |
+            // Django 1.x: https://docs.djangoproject.com/en/1.11/ref/urls/#django.conf.urls.url
+            Value::named("django.conf.urls.url") = route_maker and
+            route_maker.getArgumentForCall(this, 0) = route
+        )
+        or
+        // Django 2.x and 3.x: https://docs.djangoproject.com/en/3.0/ref/urls/#re-path
+        this = Value::named("django.urls.re_path").getACall() and
+        (
+            route = this.getArg(0)
+            or
+            route = this.getArgByName("route")
+        )
+    }
+
+    ControlFlowNode getRouteArg() { result = route }
+
+    override string getANamedArgument() {
+        exists(DjangoRouteRegex regex | regex.getAFlowNode() = route |
+            result = regex.getGroupName(_, _)
+        )
+    }
+
+    override int getNumPositionalArguments() {
+        not exists(this.getANamedArgument()) and
+        exists(DjangoRouteRegex regex | regex.getAFlowNode() = route |
            result = count(regex.getGroupNumber(_, _))
        )
    }
 }
+
+class DjangoPathRoute extends DjangoRoute {
+    ControlFlowNode route;
+
+    DjangoPathRoute() {
+        // Django 2.x and 3.x: https://docs.djangoproject.com/en/3.0/ref/urls/#path
+        this = Value::named("django.urls.path").getACall() and
+        (
+            route = this.getArg(0)
+            or
+            route = this.getArgByName("route")
+        )
+    }
+
+    override string getANamedArgument() {
+        // regexp taken from django:
+        // https://github.com/django/django/blob/7d1bf29977bb368d7c28e7c6eb146db3b3009ae7/django/urls/resolvers.py#L199
+        exists(StrConst route_str, string match |
+            route_str = route.getNode() and
+            match = route_str.getText().regexpFind("<(?:(?<converter>[^>:]+):)?(?<parameter>\\w+)>", _, _) and
+            result = match.regexpCapture("<(?:(?<converter>[^>:]+):)?(?<parameter>\\w+)>", 2)
+        )
+    }
+
+    override int getNumPositionalArguments() { none() }
+}
--- a/python/ql/src/semmle/python/web/django/Redirect.qll
+++ b/python/ql/src/semmle/python/web/django/Redirect.qll
@@ -17,9 +17,6 @@ class DjangoRedirect extends HttpRedirectTaintSink {
    override string toString() { result = "django.redirect" }

    DjangoRedirect() {
-        exists(CallNode call |
-            redirect().getACall() = call and
-            this = call.getAnArg()
-        )
+        this = redirect().getACall().getAnArg()
    }
 }
--- a/python/ql/src/semmle/python/web/django/Request.qll
+++ b/python/ql/src/semmle/python/web/django/Request.qll
@@ -39,54 +39,35 @@ class DjangoQueryDict extends TaintKind {
    }
 }

-abstract class DjangoRequestSource extends HttpRequestTaintSource {
+/** A Django request parameter */
+class DjangoRequestSource extends HttpRequestTaintSource {
+    DjangoRequestSource() {
+        exists(DjangoRoute route, DjangoViewHandler view, int request_arg_index |
+            route.getViewHandler() = view and
+            request_arg_index = view.getRequestArgIndex() and
+            this = view.getScope().getArg(request_arg_index).asName().getAFlowNode()
+        )
+    }
+
    override string toString() { result = "Django request source" }

    override predicate isSourceOf(TaintKind kind) { kind instanceof DjangoRequest }
 }

-/**
- * Function based views
- * https://docs.djangoproject.com/en/1.11/topics/http/views/
- */
-private class DjangoFunctionBasedViewRequestArgument extends DjangoRequestSource {
-    DjangoFunctionBasedViewRequestArgument() {
-        exists(FunctionValue view |
-            django_route(_, _, view) and
-            this = view.getScope().getArg(0).asName().getAFlowNode()
-        )
-    }
-}
-
-/**
- * Class based views
- * https://docs.djangoproject.com/en/1.11/topics/class-based-views/
- */
-private class DjangoView extends ClassValue {
-    DjangoView() { Value::named("django.views.generic.View") = this.getASuperType() }
-}
-
-private FunctionValue djangoViewHttpMethod() {
-    exists(DjangoView view | view.lookup(httpVerbLower()) = result)
-}
-
-class DjangoClassBasedViewRequestArgument extends DjangoRequestSource {
-    DjangoClassBasedViewRequestArgument() {
-        this = djangoViewHttpMethod().getScope().getArg(1).asName().getAFlowNode()
-    }
-}
-
 /** An argument specified in a url routing table */
 class DjangoRequestParameter extends HttpRequestTaintSource {
    DjangoRequestParameter() {
-        exists(DjangoRoute route, Function f |
-            f = route.getViewFunction().getScope() |
-            this.(ControlFlowNode).getNode() = f.getArgByName(route.getNamedArgument())
+        exists(DjangoRoute route, Function f, DjangoViewHandler view, int request_arg_index |
+            route.getViewHandler() = view and
+            request_arg_index = view.getRequestArgIndex() and
+            f = view.getScope()
+        |
+            this.(ControlFlowNode).getNode() = f.getArgByName(route.getANamedArgument())
            or
            exists(int i | i >= 0 |
                i < route.getNumPositionalArguments() and
                // +1 because first argument is always the request
-                this.(ControlFlowNode).getNode() = f.getArg(i+1)
+                this.(ControlFlowNode).getNode() = f.getArg(request_arg_index + 1 + i)
            )
        )
    }
--- a/python/ql/src/semmle/python/web/django/Response.qll
+++ b/python/ql/src/semmle/python/web/django/Response.qll
@@ -14,7 +14,15 @@ class DjangoResponse extends TaintKind {
 }

 private ClassValue theDjangoHttpResponseClass() {
-    result = Value::named("django.http.response.HttpResponse") and
+    (
+        // version 1.x
+        result = Value::named("django.http.response.HttpResponse")
+        or
+        // version 2.x
+        // https://docs.djangoproject.com/en/2.2/ref/request-response/#httpresponse-objects
+        result = Value::named("django.http.HttpResponse")
+    ) and
+    // TODO: does this do anything? when could they be the same???
    not result = theDjangoHttpRedirectClass()
 }

--- a/python/ql/src/semmle/python/web/django/Shared.qll
+++ b/python/ql/src/semmle/python/web/django/Shared.qll
@@ -4,5 +4,9 @@ import python
 FunctionValue redirect() { result = Value::named("django.shortcuts.redirect") }

 ClassValue theDjangoHttpRedirectClass() {
+    // version 1.x
    result = Value::named("django.http.response.HttpResponseRedirectBase")
+    or
+    // version 2.x
+    result = Value::named("django.http.HttpResponseRedirectBase")
 }