Merge branch 'jty/python/emailInjection' of https://github.com/jty-team/codeql into jty/python/emailInjection

python/ql/src/experimental/semmle/python/frameworks/Sendgrid.qll

@@ -122,7 +122,6 @@ private module Sendgrid {
       )
       or
       exists(KeyValuePair content, Dict generalDict, KeyValuePair typePair, KeyValuePair valuePair |
-        // find L33
         content.getKey().(Str_).getS() = "content" and
         content.getValue().(List).getAnElt() = generalDict and
         // declare KeyValuePairs keys and values

python/ql/test/experimental/query-tests/Security/CWE-079/django_mail.py

@@ -1,6 +1,3 @@
-# https://data-flair.training/blogs/django-send-email/
-# Using flask for RFS and django.core.mail as email library
-
 from flask import request, Flask
 from django.core.mail import send_mail, mail_admins, mail_managers
 
@@ -9,15 +6,18 @@ app = Flask(__name__)
 @app.route("/send")
 def send():
   """
+  The Django.core.mail#send_mail function source code can be found in the link below:
   https://github.com/django/django/blob/ca9872905559026af82000e46cde6f7dedc897b6/django/core/mail/__init__.py#L38
 
-  Apparently there's no html_message in send_mass_mail: https://github.com/django/django/blob/ca9872905559026af82000e46cde6f7dedc897b6/django/core/mail/__init__.py#L64
+  send_mass_mail does not provide html_message as an argument to it's function. See the link below for more info: 
+  https://github.com/django/django/blob/ca9872905559026af82000e46cde6f7dedc897b6/django/core/mail/__init__.py#L64
   """
   send_mail("Subject", "plain-text body", "from@example.com", ["to@example.com"], html_message=request.args("html"))
 
 @app.route("/internal")
 def internal():
   """
+  The Django.core.mail#mail_admins and Django.core.mail#mail_managers functions source code can be found in the link below:
   https://github.com/django/django/blob/ca9872905559026af82000e46cde6f7dedc897b6/django/core/mail/__init__.py#L90-L121
   """
   mail_admins("Subject", "plain-text body", html_message=request.args("html"))

python/ql/test/experimental/query-tests/Security/CWE-079/flask_mail.py

@@ -1,6 +1,3 @@
-# https://pythonhosted.org/Flask-Mail/
-# https://github.com/mattupstate/flask-mail/blob/1709c70d839a7cc7b1f7eeb97333b71cd420fe32/flask_mail.py#L239
-
 from flask import request, Flask
 from flask_mail import Mail, Message
 
@@ -17,6 +14,7 @@ def send():
 
   # The message can contain a body and/or HTML:
   msg.body = "plain-text body"
+  # The email's HTML can be set via msg.html or as an initialize argument when creating a Message object.
   msg.html = request.args["html"]
 
   mail.send(msg)

python/ql/test/experimental/query-tests/Security/CWE-079/sendgrid_mail.py

@@ -1,5 +1,3 @@
-# https://www.twilio.com/blog/how-to-send-emails-in-python-with-sendgrid
-
 from flask import request, Flask
 from sendgrid import SendGridAPIClient
 from sendgrid.helpers.mail import Mail, Email, To, Content, MimeType
@@ -24,7 +22,6 @@ def send_post():
   subject = "Sending with SendGrid is Fun"
   content = Content("text/html", request.args["html_content"]) 
 
-  # https://github.com/sendgrid/sendgrid-python/blob/cf0924c35c37bbec8e5ca39e963a55f54f0eec11/sendgrid/helpers/mail/mime_type.py#L1
   content = Content(MimeType.html, request.args["html_content"]) 
 
   mail = Mail(from_email, to_email, subject, content)

python/ql/test/experimental/query-tests/Security/CWE-079/sendgrid_via_mail_send_post_request_body_bad.py

@@ -1,5 +1,4 @@
 # This tests that the developer doesn't pass tainted user data into the mail.send.post() method in the SendGrid library.
-# source :https://github.com/sendgrid/sendgrid-python
 import sendgrid
 import os
 
@@ -7,135 +6,32 @@ import os
 sg = sendgrid.SendGridAPIClient(os.environ.get('SENDGRID_API_KEY'))
 
 data = {
-    "asm": {
-        "group_id": 1,
-        "groups_to_display": [
-            1,
-            2,
-            3
-        ]
-    },
-    "attachments": [
-        {
-            "content": "[BASE64 encoded content block here]",
-            "content_id": "ii_139db99fdb5c3704",
-            "disposition": "inline",
-            "filename": "file1.jpg",
-            "name": "file1",
-            "type": "jpg"
-        }
-    ],
-    "batch_id": "[YOUR BATCH ID GOES HERE]",
-    "categories": [
-        "category1",
-        "category2"
-    ],
     "content": [
         {
             "type": "text/html",
             "value": "<html><p>Hello, world!</p><img src=[CID GOES HERE]></img></html>"
         }
     ],
-    "custom_args": {
-        "New Argument 1": "New Value 1",
-        "activationAttempt": "1",
-        "customerAccountNumber": "[CUSTOMER ACCOUNT NUMBER GOES HERE]"
-    },
     "from": {
         "email": "sam.smith@example.com",
         "name": "Sam Smith"
     },
     "headers": {},
-    "ip_pool_name": "[YOUR POOL NAME GOES HERE]",
     "mail_settings": {
-        "bcc": {
-            "email": "ben.doe@example.com",
-            "enable": True
-        },
-        "bypass_list_management": {
-            "enable": True
-        },
         "footer": {
             "enable": True,
             "html": "<p>Thanks</br>The SendGrid Team</p>",
             "text": "Thanks,/n The SendGrid Team"
         },
-        "sandbox_mode": {
-            "enable": False
     },
-        "spam_check": {
-            "enable": True,
-            "post_to_url": "http://example.com/compliance",
-            "threshold": 3
-        }
-    },
-    "personalizations": [
-        {
-            "bcc": [
-                {
-                    "email": "sam.doe@example.com",
-                    "name": "Sam Doe"
-                }
-            ],
-            "cc": [
-                {
-                    "email": "jane.doe@example.com",
-                    "name": "Jane Doe"
-                }
-            ],
-            "custom_args": {
-                "New Argument 1": "New Value 1",
-                "activationAttempt": "1",
-                "customerAccountNumber": "[CUSTOMER ACCOUNT NUMBER GOES HERE]"
-            },
-            "headers": {
-                "X-Accept-Language": "en",
-                "X-Mailer": "MyApp"
-            },
-            "send_at": 1409348513,
-            "subject": "Hello, World!",
-            "substitutions": {
-                "id": "substitutions",
-                "type": "object"
-            },
-            "to": [
-                {
-                    "email": "john.doe@example.com",
-                    "name": "John Doe"
-                }
-            ]
-        }
-    ],
     "reply_to": {
         "email": "sam.smith@example.com",
         "name": "Sam Smith"
     },
-    "sections": {
-        "section": {
-            ":sectionName1": "section 1 text",
-            ":sectionName2": "section 2 text"
-        }
-    },
     "send_at": 1409348513,
     "subject": "Hello, World!",
     "template_id": "[YOUR TEMPLATE ID GOES HERE]",
     "tracking_settings": {
-        "click_tracking": {
-            "enable": True,
-            "enable_text": True
-        },
-        "ganalytics": {
-            "enable": True,
-            "utm_campaign": "[NAME OF YOUR REFERRER SOURCE]",
-            "utm_content": "[USE THIS SPACE TO DIFFERENTIATE YOUR EMAIL FROM ADS]",
-            "utm_medium": "[NAME OF YOUR MARKETING MEDIUM e.g. email]",
-            "utm_name": "[NAME OF YOUR CAMPAIGN]",
-            "utm_term": "[IDENTIFY PAID KEYWORDS HERE]"
-        },
-        "open_tracking": {
-            "enable": True,
-            "substitution_tag": "%opentrack"
-        },
         "subscription_tracking": {
             "enable": True,
             "html": "If you would like to unsubscribe and stop receiving these emails <% clickhere %>.",

python/ql/test/experimental/query-tests/Security/CWE-079/smtplib_bad_subparts.py

@@ -1,6 +1,4 @@
 # This test checks that the developer doesn't pass a MIMEText instance to a MIMEMultipart initializer via the subparts parameter.
-
-# source꞉  https꞉//www.programcreek.com/python/example/53141/email.MIMEMultipart.MIMEMultipart
 from flask import Flask, request
 import json
 import smtplib, ssl
@@ -11,9 +9,8 @@ app = Flask(__name__)
 
 @app.route("/")
 def email_person():
-    sender_email = "my@gmail.com"
+    sender_email = "sender@gmail.com"
-    receiver_email = "your@gmail.com"
+    receiver_email = "receiver@example.com"
-    password = input("Type your password and press enter:")
 
     name = request.args['search']
     # Create the plain-text and HTML version of your message
@@ -33,7 +30,7 @@ def email_person():
     context = ssl.create_default_context()
     server = smtplib.SMTP_SSL("smtp.gmail.com", 465, context=context);
     
-    server.login(sender_email, password)
+    server.login(sender_email, "SERVER_PASSWORD")
     server.sendmail(
         sender_email, receiver_email, message.as_string()
     )

python/ql/test/experimental/query-tests/Security/CWE-079/smtplib_bad_via_attach.py

@@ -1,5 +1,4 @@
 # This test checks that the developer doesn't pass a MIMEText instance to a MIMEMultipart message.
-# source꞉ https꞉//realpython.com/python-send-email/
 from flask import Flask, request
 import json
 import smtplib, ssl
@@ -10,9 +9,8 @@ app = Flask(__name__)
 
 @app.route("/")
 def email_person():
-    sender_email = "my@gmail.com"
+    sender_email = "sender@gmail.com"
-    receiver_email = "your@gmail.com"
+    receiver_email = "receiver@example.com"
-    password = input("Type your password and press enter:")
 
     message = MIMEMultipart("alternative")
     message["Subject"] = "multipart test"
@@ -22,7 +20,7 @@ def email_person():
     name = request.args['name']
     # Create the plain-text and HTML version of your message
     text = "hello there"
-    html = f"hello {name}" # here is the exploit. passing vulnerable data into the html portion of the email
+    html = f"hello {name}"  
 
     # Turn these into plain/html MIMEText objects
     part1 = MIMEText(text, "plain")
@@ -37,7 +35,7 @@ def email_person():
     context = ssl.create_default_context()
     server = smtplib.SMTP_SSL("smtp.gmail.com", 465, context=context)
 
-    server.login(sender_email, password)
+    server.login(sender_email, "SERVER_PASSWORD")
     server.sendmail(
         sender_email, receiver_email, message.as_string()
     )