Merge pull request #16893 from joefarebrother/python-cookie-injectio-promote

Python: Promote cookie injection query from experimental
2026-01-05 18:50:23 +01:00 · 2024-07-29 10:17:01 +01:00
parent 0a7772d8a7 ebeb187fd9
commit 58689c90fb
14 changed files with 179 additions and 153 deletions
--- a/python/ql/lib/semmle/python/security/dataflow/CookieInjectionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/CookieInjectionCustomizations.qll
@@ -0,0 +1,48 @@
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "cookie injection"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.RemoteFlowSources
+
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "cookie injection"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+module CookieInjection {
+  /**
+   * A data flow source for "cookie injection" vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for "cookie injection" vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for "cookie injection" vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A source of remote user input, considered as a flow source.
+   */
+  class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
+
+  /**
+   * A write to a cookie, considered as a sink.
+   */
+  class CookieWriteSink extends Sink {
+    CookieWriteSink() {
+      exists(Http::Server::CookieWrite cw |
+        this = [cw.getNameArg(), cw.getValueArg(), cw.getHeaderArg()]
+      )
+    }
+  }
+}
--- a/python/ql/lib/semmle/python/security/dataflow/CookieInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/CookieInjectionQuery.qll
@@ -0,0 +1,26 @@
+/**
+ * Provides a taint-tracking configuration for detecting "cookie injection" vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `CookieInjectionFlow` is needed, otherwise
+ * `CookieInjectionCustomizations` should be imported instead.
+ */
+
+private import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import CookieInjectionCustomizations::CookieInjection
+
+/**
+ * A taint-tracking configuration for detecting "cookie injection" vulnerabilities.
+ */
+module CookieInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "cookie injection" vulnerabilities. */
+module CookieInjectionFlow = TaintTracking::Global<CookieInjectionConfig>;