hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9001 from RasmusWL/files-refactoring

Browse Source 
Python: Flask: Improve `request.files` modeing
This commit is contained in:
yoff
2022-05-03 12:19:55 +02:00
committed by GitHub
parent 249f771fad 7e1be3172e
commit 56ed68b3eb
3 changed files with 13 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
python/ql/lib/change-notes/2022-05-02-flask-request-files-modeling.md Normal file
View File

@@ -0,0 +1,5 @@
---
category: minorAnalysis
---
The modeling of `request.files` in Flask has been fixed, so we now properly handle
assignments to local variables (such as `files = request.files; files['key'].filename`).

15
python/ql/lib/semmle/python/frameworks/Flask.qll
View File

@@ -411,21 +411,16 @@ module Flask {
/** An `FileStorage` instance that originates from a flask request. */ /** An `FileStorage` instance that originates from a flask request. */
private class FlaskRequestFileStorageInstances extends Werkzeug::FileStorage::InstanceSource { private class FlaskRequestFileStorageInstances extends Werkzeug::FileStorage::InstanceSource {
FlaskRequestFileStorageInstances() { FlaskRequestFileStorageInstances() {
// TODO: this currently only works in local-scope, since writing type-trackers for
// this is a little too much effort. Once API-graphs are available for more
// things, we can rewrite this.
//
// TODO: This approach for identifying member-access is very adhoc, and we should // TODO: This approach for identifying member-access is very adhoc, and we should
// be able to do something more structured for providing modeling of the members // be able to do something more structured for providing modeling of the members
// of a container-object. // of a container-object.
exists(DataFlow::AttrRead files | files = request().getMember("files").getAnImmediateUse() | exists(API::Node files | files = request().getMember("files") |
this.asCfgNode().(SubscriptNode).getObject() = files.asCfgNode() this.asCfgNode().(SubscriptNode).getObject() = files.getAUse().asCfgNode()
or or
this.(DataFlow::MethodCallNode).calls(files, "get") this = files.getMember("get").getACall()
or or
exists(DataFlow::MethodCallNode getlistCall | getlistCall.calls(files, "getlist") | this.asCfgNode().(SubscriptNode).getObject() =
this.asCfgNode().(SubscriptNode).getObject() = getlistCall.asCfgNode() files.getMember("getlist").getReturn().getAUse().asCfgNode()
)
) )
} }
} }

3
python/ql/test/library-tests/frameworks/flask/taint_test.py
View File

@@ -189,6 +189,7 @@ def test_taint(name = "World!", number="0", foo="foo"): # $requestHandler route
a = request.args a = request.args
b = a b = a
gl = b.getlist gl = b.getlist
files = request.files
ensure_tainted( ensure_tainted(
request.args, # $ tainted request.args, # $ tainted
a, # $ tainted a, # $ tainted
@@ -202,6 +203,8 @@ def test_taint(name = "World!", number="0", foo="foo"): # $requestHandler route
a.getlist('key'), # $ tainted a.getlist('key'), # $ tainted
b.getlist('key'), # $ tainted b.getlist('key'), # $ tainted
gl('key'), # $ tainted gl('key'), # $ tainted
files.get('key').filename, # $ tainted
) )
# aliasing tests # aliasing tests