Merge pull request #528 from taus-semmle/python-flask-debug

Python: Implement check for flask debug mode.

python/ql/test/query-tests/Security/CWE-215/FlaskDebug.expected

@@ -0,0 +1,3 @@
+| test.py:10:1:10:19 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |
+| test.py:25:1:25:20 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |
+| test.py:29:1:29:20 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |

python/ql/test/query-tests/Security/CWE-215/FlaskDebug.qlref

@@ -0,0 +1 @@
+Security/CWE-215/FlaskDebug.ql

python/ql/test/query-tests/Security/CWE-215/options

@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=2 -p ../lib

python/ql/test/query-tests/Security/CWE-215/test.py

@@ -0,0 +1,37 @@
+from flask import Flask
+
+app = Flask(__name__)
+
+@app.route('/crash')
+def main():
+    raise Exception()
+
+# bad
+app.run(debug=True)
+
+# okay
+app.run()
+app.run(debug=False)
+
+# also okay
+run(debug=True)
+
+app.notrun(debug=True)
+
+# a slightly more involved example using flow and truthy values
+
+DEBUG = True
+
+app.run(debug=DEBUG)
+
+DEBUG = 1
+
+app.run(debug=DEBUG)
+
+if False:
+    app.run(debug=True)
+
+# false negative
+
+runapp = app.run
+runapp(debug=True)

python/ql/test/query-tests/Security/lib/flask/__init__.py

@@ -1,7 +1,7 @@
 
 
 class Flask(object): 
-    pass
+    def run(self, *args, **kwargs): pass
 
 from .globals import request