Python: Fix tornado lib: a redirect is not a http response

2026-04-30 19:26:02 +02:00 · 2020-01-28 12:51:50 +01:00
parent ee382bb2ea
commit 46f4b74134
6 changed files with 14 additions and 19 deletions
--- a/python/ql/src/semmle/python/web/tornado/Redirect.qll
+++ b/python/ql/src/semmle/python/web/tornado/Redirect.qll
@@ -13,14 +13,16 @@ import Tornado
 /**
 * Represents an argument to the `tornado.redirect` function.
 */
-class TornadoRedirect extends HttpRedirectTaintSink {
-    override string toString() { result = "tornado.redirect" }
+class TornadoHttpRequestHandlerRedirect extends HttpRedirectTaintSink {
+    override string toString() { result = "tornado.HttpRequestHandler.redirect" }

-    TornadoRedirect() {
+    TornadoHttpRequestHandlerRedirect() {
        exists(CallNode call, ControlFlowNode node |
            node = call.getFunction().(AttrNode).getObject("redirect") and
            isTornadoRequestHandlerInstance(node) and
-            this = call.getAnArg()
+            this = call.getArg(0)
        )
    }
+
+    override predicate sinks(TaintKind kind) { kind instanceof StringKind }
 }
--- a/python/ql/src/semmle/python/web/tornado/Response.qll
+++ b/python/ql/src/semmle/python/web/tornado/Response.qll
@@ -45,17 +45,3 @@ class TornadoHttpRequestHandlerWrite extends HttpResponseTaintSink {

    override predicate sinks(TaintKind kind) { kind instanceof StringKind }
 }
-
-class TornadoHttpRequestHandlerRedirect extends HttpResponseTaintSink {
-    override string toString() { result = "tornado.HttpRequestHandler.redirect" }
-
-    TornadoHttpRequestHandlerRedirect() {
-        exists(CallNode call, ControlFlowNode node |
-            node = call.getFunction().(AttrNode).getObject("redirect") and
-            isTornadoRequestHandlerInstance(node) and
-            this = call.getArg(0)
-        )
-    }
-
-    override predicate sinks(TaintKind kind) { kind instanceof StringKind }
-}
--- a/python/ql/test/library-tests/web/tornado/HttpRedirectSinks.expected
+++ b/python/ql/test/library-tests/web/tornado/HttpRedirectSinks.expected
@@ -0,0 +1 @@
+| test.py:20:23:20:25 | tornado.HttpRequestHandler.redirect | externally controlled string |
--- a/python/ql/test/library-tests/web/tornado/HttpRedirectSinks.ql
+++ b/python/ql/test/library-tests/web/tornado/HttpRedirectSinks.ql
@@ -0,0 +1,7 @@
+import python
+import semmle.python.web.HttpRedirect
+import semmle.python.security.strings.Untrusted
+
+from HttpRedirectTaintSink sink, TaintKind kind
+where sink.sinks(kind)
+select sink, kind
--- a/python/ql/test/library-tests/web/tornado/HttpResponseSinks.expected
+++ b/python/ql/test/library-tests/web/tornado/HttpResponseSinks.expected
@@ -1,4 +1,3 @@
 | test.py:6:20:6:43 | tornado.HttpRequestHandler.write | externally controlled string |
 | test.py:12:20:12:23 | tornado.HttpRequestHandler.write | externally controlled string |
-| test.py:20:23:20:25 | tornado.HttpRequestHandler.redirect | externally controlled string |
 | test.py:26:20:26:48 | tornado.HttpRequestHandler.write | externally controlled string |
--- a/python/ql/test/library-tests/web/tornado/HttpResponseSinks.ql
+++ b/python/ql/test/library-tests/web/tornado/HttpResponseSinks.ql
				`@@ -0,0 +1 @@`
				`\| test.py:20:23:20:25 \| tornado.HttpRequestHandler.redirect \| externally controlled string \|`