Python : Add Flask sinks for path injection query

2026-04-30 19:26:02 +02:00 · 2021-07-20 02:03:48 +05:30
parent 0d161bec7a
commit 4fd3f212f8
2 changed files with 42 additions and 1 deletions
--- a/python/ql/lib/semmle/python/frameworks/Flask.qll
+++ b/python/ql/lib/semmle/python/frameworks/Flask.qll
@@ -519,4 +519,34 @@ module Flask {

    override DataFlow::Node getValueArg() { none() }
  }
+
+  /**
+   * A `send_from_directory` call considered a sink for file system access vulnerabilities.
+   *
+   * See https://flask.palletsprojects.com/en/1.1.x/api/#flask.send_from_directory
+   */
+  class FlaskSendFromDirectory extends FileSystemAccess::Range, DataFlow::CallCfgNode {
+    FlaskSendFromDirectory() {
+      this = API::moduleImport("flask").getMember("send_from_directory").getACall()
+    }
+
+    override DataFlow::Node getAPathArgument() {
+      result in [this.getArg(_), this.getArgByName(["directory", "filename"])]
+    }
+  }
+
+  /**
+   * A `send_file` call considered a sink for file system access vulnerabilities.
+   *
+   * See https://flask.palletsprojects.com/en/1.1.x/api/#flask.send_file
+   */
+  class FlaskSendFile extends FileSystemAccess::Range, DataFlow::CallCfgNode {
+    FlaskSendFile() {
+      this = API::moduleImport("flask").getMember("send_file").getACall()
+    }
+
+    override DataFlow::Node getAPathArgument() {
+      result in [this.getArg(0), this.getArgByName("filename_or_fp")]
+    }
+  }
 }
--- a/python/ql/test/library-tests/frameworks/flask/save_uploaded_file.py
+++ b/python/ql/test/library-tests/frameworks/flask/save_uploaded_file.py
@@ -1,6 +1,17 @@
-from flask import Flask, request
+from flask import Flask, request, send_from_directory, send_file
 app = Flask(__name__)

@app.route("/save-uploaded-file")  # $routeSetup="/save-uploaded-file"
 def test_taint():  # $requestHandler
    request.files['key'].save("path") # $ getAPathArgument="path"
+
+
+@app.route("/path-injection")  # $routeSetup="/path-injection"
+def test_path():  # $requestHandler
+
+    flask.send_from_directory("filepath","file")  # $ getAPathArgument="filepath" getAPathArgument="file"
+    flask.send_file("file")  # $ getAPathArgument="file"
+    
+    flask.send_from_directory(directory="filepath","file") # $ getAPathArgument="filepath" getAPathArgument="file"
+    flask.send_from_directory(filename="filepath","file") # $ getAPathArgument="filepath" getAPathArgument="file"
+    flask.send_file(filename_or_fp="file")  # $ getAPathArgument="file"