Python: Improve full/partial SSRF split

Now full-ssrf will only alert if **all** URL parts are fully user-controlled.
2026-04-26 01:05:15 +02:00 · 2021-12-16 22:19:41 +01:00
parent cb934e17b1
commit 4b5599fe17
5 changed files with 23 additions and 8 deletions
--- a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgery.qll
@@ -9,12 +9,16 @@
 private import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
+import semmle.python.Concepts

 /**
 * Provides a taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
 *
 * This configuration has a sanitizer to limit results to cases where attacker has full control of URL.
 * See `PartialServerSideRequestForgery` for a variant without this requirement.
+ *
+ * You should use the `partOfFullyControlledRequest` to only select results where all
+ * URL parts are fully controlled.
 */
 module FullServerSideRequestForgery {
  import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery
@@ -41,6 +45,17 @@ module FullServerSideRequestForgery {
  }
 }

+/**
+ * Holds if all URL parts of `request` is fully user controlled.
+ */
+predicate fullyControlledRequest(HTTP::Client::Request request) {
+  exists(FullServerSideRequestForgery::Configuration fullConfig |
+    forall(DataFlow::Node urlPart | urlPart = request.getAUrlPart() |
+      fullConfig.hasFlow(_, urlPart)
+    )
+  )
+}
+
 /**
 * Provides a taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
 *