Merge pull request #14084 from RasmusWL/flask-jsonify

Python: Remove XSS FP from use of `flask.jsonify`
2026-04-26 01:05:15 +02:00 · 2023-08-30 13:07:54 +02:00
parent 6a21fa04cd 49d510018d
commit 62c2316124
4 changed files with 28 additions and 3 deletions
--- a/python/ql/lib/semmle/python/frameworks/Flask.qll
+++ b/python/ql/lib/semmle/python/frameworks/Flask.qll
@@ -179,7 +179,13 @@ module Flask {
     * - https://flask.palletsprojects.com/en/2.2.x/api/#flask.json.jsonify
     */
    private class FlaskJsonifyCall extends InstanceSource, DataFlow::CallCfgNode {
-      FlaskJsonifyCall() { this = API::moduleImport("flask").getMember("jsonify").getACall() }
+      FlaskJsonifyCall() {
+        this = API::moduleImport("flask").getMember("jsonify").getACall()
+        or
+        this = API::moduleImport("flask").getMember("json").getMember("jsonify").getACall()
+        or
+        this = FlaskApp::instance().getMember("json").getMember("response").getACall()
+      }

      override DataFlow::Node getBody() { result in [this.getArg(_), this.getArgByName(_)] }

@@ -453,7 +459,8 @@ module Flask {
    FlaskRouteHandlerReturn() {
      exists(Function routeHandler |
        routeHandler = any(FlaskRouteSetup rs).getARequestHandler() and
-        node = routeHandler.getAReturnValueFlowNode()
+        node = routeHandler.getAReturnValueFlowNode() and
+        not this instanceof Flask::Response::InstanceSource
      )
    }

--- a/python/ql/src/change-notes/2023-08-29-fixed-jsonify-xss-fp.md
+++ b/python/ql/src/change-notes/2023-08-29-fixed-jsonify-xss-fp.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improved _Reflected server-side cross-site scripting_ (`py/reflective-xss`) query to not alert on data passed to `flask.jsonify`. Since these HTTP responses are returned with mime-type `application/json`, they do not pose a security risk for XSS.
--- a/python/ql/test/library-tests/frameworks/flask/response_test.py
+++ b/python/ql/test/library-tests/frameworks/flask/response_test.py
@@ -67,6 +67,14 @@ def html8():  # $requestHandler
@app.route("/jsonify")  # $routeSetup="/jsonify"
 def jsonify_route():  # $requestHandler
    x = "x"; y = "y"; z = "z"
+    if True:
+        import flask.json
+        resp = flask.json.jsonify(x, y, z=z)  # $HttpResponse mimetype=application/json responseBody=x responseBody=y responseBody=z
+        assert resp.mimetype == "application/json"
+
+        resp = app.json.response(x, y, z=z)  # $HttpResponse mimetype=application/json responseBody=x responseBody=y responseBody=z
+        assert resp.mimetype == "application/json"
+
    resp = jsonify(x, y, z=z)  # $ HttpResponse mimetype=application/json responseBody=x responseBody=y responseBody=z
    return resp  # $ SPURIOUS: HttpResponse mimetype=text/html responseBody=resp

--- a/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/reflected_xss.py
+++ b/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/reflected_xss.py
@@ -1,5 +1,5 @@
 import json
-from flask import Flask, request, make_response, escape
+from flask import Flask, request, make_response, escape, jsonify

 app = Flask(__name__)

@@ -26,3 +26,9 @@ def unsafe_json():
 def safe_json():
    data = json.loads(request.data)
    return make_response(json.dumps(data), 200, {'Content-Type': 'application/json'})  # OK, FP
+
+
+@app.route("/jsonify")
+def jsonify():
+    data = request.data
+    return jsonify(data)  # OK, FP