hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 18:55:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Python: Handle content of Django redirects correctly

Browse Source
This commit is contained in:
Rasmus Wriedt Larsen
2020-11-04 12:10:58 +01:00
parent 92dc7dc2f3
commit 353505ec6c
2 changed files with 17 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
python/ql/src/semmle/python/frameworks/Django.qll
View File

@@ -732,7 +732,10 @@ private module Django {
ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
override DataFlow::Node getBody() {
result.asCfgNode() in [node.getArg(0), node.getArgByName("redirect_to")]
// note that even though browsers like Chrome usually doesn't fetch the
// content of a redirect, it is possible to observe the body (for example,
// with cURL).
result.asCfgNode() in [node.getArg(1), node.getArgByName("content")]
}
// How to support the `headers` argument here?
@@ -796,7 +799,10 @@ private module Django {
ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
override DataFlow::Node getBody() {
result.asCfgNode() in [node.getArg(0), node.getArgByName("redirect_to")]
// note that even though browsers like Chrome usually doesn't fetch the
// content of a redirect, it is possible to observe the body (for example,
// with cURL).
result.asCfgNode() in [node.getArg(1), node.getArgByName("content")]
}
// How to support the `headers` argument here?

10
python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py
View File

@@ -18,7 +18,15 @@ def safe__manual_content_type(request):
# XSS FP reported in https://github.com/github/codeql/issues/3466
# Note: This should be an open-redirect sink, but not an XSS sink.
def or__redirect(request):
return HttpResponseRedirect(request.GET.get("next")) # $HttpResponse mimetype=text/html responseBody=Attribute()
return HttpResponseRedirect(request.GET.get("next")) # $HttpResponse mimetype=text/html
def information_exposure_through_redirect(request, as_kw=False):
# This is a contrived example, but possible
private = "private"
if as_kw:
return HttpResponseRedirect(request.GET.get("next"), content=private) # $HttpResponse mimetype=text/html responseBody=private
else:
return HttpResponseRedirect(request.GET.get("next"), private) # $HttpResponse mimetype=text/html responseBody=private
# Ensure that simple subclasses are still vuln to XSS
def xss__not_found(request):