Python: Fix tornado lib: a redirect is not a http response

2026-04-30 19:26:02 +02:00 · 2020-01-28 12:51:50 +01:00
parent ee382bb2ea
commit 46f4b74134
6 changed files with 14 additions and 19 deletions
--- a/python/ql/src/semmle/python/web/tornado/Redirect.qll
+++ b/python/ql/src/semmle/python/web/tornado/Redirect.qll
@@ -13,14 +13,16 @@ import Tornado
 /**
 * Represents an argument to the `tornado.redirect` function.
 */
-class TornadoRedirect extends HttpRedirectTaintSink {
-    override string toString() { result = "tornado.redirect" }
+class TornadoHttpRequestHandlerRedirect extends HttpRedirectTaintSink {
+    override string toString() { result = "tornado.HttpRequestHandler.redirect" }

-    TornadoRedirect() {
+    TornadoHttpRequestHandlerRedirect() {
        exists(CallNode call, ControlFlowNode node |
            node = call.getFunction().(AttrNode).getObject("redirect") and
            isTornadoRequestHandlerInstance(node) and
-            this = call.getAnArg()
+            this = call.getArg(0)
        )
    }
+
+    override predicate sinks(TaintKind kind) { kind instanceof StringKind }
 }
--- a/python/ql/src/semmle/python/web/tornado/Response.qll
+++ b/python/ql/src/semmle/python/web/tornado/Response.qll
@@ -45,17 +45,3 @@ class TornadoHttpRequestHandlerWrite extends HttpResponseTaintSink {

    override predicate sinks(TaintKind kind) { kind instanceof StringKind }
 }
-
-class TornadoHttpRequestHandlerRedirect extends HttpResponseTaintSink {
-    override string toString() { result = "tornado.HttpRequestHandler.redirect" }
-
-    TornadoHttpRequestHandlerRedirect() {
-        exists(CallNode call, ControlFlowNode node |
-            node = call.getFunction().(AttrNode).getObject("redirect") and
-            isTornadoRequestHandlerInstance(node) and
-            this = call.getArg(0)
-        )
-    }
-
-    override predicate sinks(TaintKind kind) { kind instanceof StringKind }
-}