Merge branch 'main' into threat-models

python/ql/test/experimental/meta/ConceptsTest.qll

@@ -649,13 +649,27 @@ module ThreatModelSourceTest implements TestSig {
   }
 }
 
+module CorsMiddlewareTest implements TestSig {
+  string getARelevantTag() { result = "CorsMiddleware" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(location.getFile().getRelativePath()) and
+    exists(Http::Server::CorsMiddleware cm |
+      location = cm.getLocation() and
+      element = cm.toString() and
+      value = cm.getMiddlewareName().toString() and
+      tag = "CorsMiddleware"
+    )
+  }
+}
+
 import MakeTest<MergeTests5<MergeTests5<SystemCommandExecutionTest, DecodingTest, EncodingTest, LoggingTest,
     CodeExecutionTest>,
   MergeTests5<SqlConstructionTest, SqlExecutionTest, XPathConstructionTest, XPathExecutionTest,
     EscapingTest>,
   MergeTests5<HttpServerRouteSetupTest, HttpServerRequestHandlerTest, HttpServerHttpResponseTest,
     HttpServerHttpRedirectResponseTest,
-    MergeTests<HttpServerCookieWriteTest, HttpResponseHeaderWriteTest>>,
+    MergeTests3<HttpServerCookieWriteTest, HttpResponseHeaderWriteTest, CorsMiddlewareTest>>,
   MergeTests5<FileSystemAccessTest, FileSystemWriteAccessTest, PathNormalizationTest,
     SafeAccessCheckTest, PublicKeyGenerationTest>,
   MergeTests5<CryptographicOperationTest, HttpClientRequestTest, CsrfProtectionSettingTest,

python/ql/test/library-tests/dataflow/tainttracking/commonSanitizer/InlineTaintTest.ql

@@ -6,7 +6,7 @@ module CustomSanitizerOverridesConfig implements DataFlow::ConfigSig {
 
   predicate isSink = TestTaintTrackingConfig::isSink/1;
 
-  predicate isBarrier(DataFlow::Node node) { node instanceof StringConstCompareBarrier }
+  predicate isBarrier(DataFlow::Node node) { node instanceof ConstCompareBarrier }
 }
 
 import MakeInlineTaintTest<CustomSanitizerOverridesConfig>

python/ql/test/library-tests/dataflow/tainttracking/commonSanitizer/test_const_compare.py

@@ -85,6 +85,32 @@ def test_in_local_variable():
     else:
         ensure_tainted(ts) # $ tainted
 
+def test_is_none():
+    ts = TAINTED_STRING
+    if ts is None:
+        ensure_not_tainted(ts)
+    else:
+        ensure_tainted(ts) # $ tainted
+
+def test_is_not_none():
+    ts = TAINTED_STRING
+    if ts is not None:
+        ensure_tainted(ts)  # $ tainted
+    else:
+        ensure_not_tainted(ts)
+
+def test_in_list_with_constants():
+    ts = TAINTED_STRING
+    if ts in ["safe", None, 3, False]:
+        ensure_not_tainted(ts) 
+    else:
+        ensure_tainted(ts) # $ tainted
+
+    if ts in ["safe", not_constant(), None]:
+        ensure_tainted(ts)  # $ tainted
+
+def not_constant():
+    return "x"
 
 SAFE = ["safe", "also_safe"]
 
@@ -184,6 +210,9 @@ test_in_tuple()
 test_in_set()
 test_in_local_variable()
 test_in_global_variable()
+test_is_none()
+test_is_not_none()
+test_in_list_with_constants()
 make_modification("unsafe")
 test_in_modified_global_variable()
 test_in_unsafe1(["unsafe", "foo"])

python/ql/test/library-tests/frameworks/fastapi/middleware.py

@@ -0,0 +1,10 @@
+from fastapi import FastAPI
+from fastapi.middleware.cors import CORSMiddleware
+
+app = FastAPI()
+
+origins = [
+    "*"
+]
+
+app.add_middleware(CORSMiddleware, allow_origins=origins, allow_credentials=True, allow_methods=["*"], allow_headers=["*"]) # $ CorsMiddleware=CORSMiddleware               

python/ql/test/library-tests/frameworks/starlette/Middleware.py

@@ -0,0 +1,11 @@
+from starlette.applications import Starlette
+from starlette.middleware import Middleware
+from starlette.middleware.cors import CORSMiddleware
+
+routes = ...
+
+middleware = [
+    Middleware(CORSMiddleware, allow_origins=['*'], allow_credentials=True)  # $ CorsMiddleware=CORSMiddleware
+]
+
+app = Starlette(routes=routes, middleware=middleware)

python/ql/test/query-tests/Security/CWE-942-CorsMisconfigurationMiddleware/CorsMisconfigurationMiddleware.expected

@@ -0,0 +1,2 @@
+| fastapi.py:10:1:16:1 | ControlFlowNode for Attribute() | This CORS middleware uses a vulnerable configuration that allows arbitrary websites to make authenticated cross-site requests |
+| starlette.py:8:5:8:75 | ControlFlowNode for Middleware() | This CORS middleware uses a vulnerable configuration that allows arbitrary websites to make authenticated cross-site requests |

python/ql/test/query-tests/Security/CWE-942-CorsMisconfigurationMiddleware/CorsMisconfigurationMiddleware.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE-942/CorsMisconfigurationMiddleware.ql

python/ql/test/query-tests/Security/CWE-942-CorsMisconfigurationMiddleware/fastapi.py

@@ -0,0 +1,21 @@
+from fastapi import FastAPI
+from fastapi.middleware.cors import CORSMiddleware
+
+app = FastAPI()
+
+origins = [
+    "*"
+]
+
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=origins,
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
+
+@app.get("/")
+async def main():
+    return {"message": "Hello World"}

python/ql/test/query-tests/Security/CWE-942-CorsMisconfigurationMiddleware/starlette.py

@@ -0,0 +1,11 @@
+from starlette.applications import Starlette
+from starlette.middleware import Middleware
+from starlette.middleware.cors import CORSMiddleware
+
+routes = ...
+
+middleware = [
+    Middleware(CORSMiddleware, allow_origins=['*'], allow_credentials=True)
+]
+
+app = Starlette(routes=routes, middleware=middleware)