hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 03:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Python: aiohttp match_info should be tainted

Browse Source 
Whoops
This commit is contained in:
Rasmus Wriedt Larsen
2021-05-26 16:05:36 +02:00
parent 597a9dfc80
commit 63c7fa0c2c
2 changed files with 6 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
python/ql/src/semmle/python/frameworks/Aiohttp.qll
View File

@@ -225,7 +225,7 @@ module AiohttpWebModel {
nodeTo.(DataFlow::AttrRead).getAttributeName() in [
"url", "rel_url", "forwarded", "host", "remote", "path", "path_qs", "raw_path", "query",
"headers", "transport", "cookies", "content", "_payload", "content_type", "charset",
"http_range", "if_modified_since", "if_unmodified_since", "if_range"
"http_range", "if_modified_since", "if_unmodified_since", "if_range", "match_info"
]
}
}

6
python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
View File

@@ -19,6 +19,11 @@ async def test_taint(request: web.Request): # $ requestHandler
request.path_qs, # $ tainted
request.raw_path, # $ tainted
# dict-like for captured parts of the URL
request.match_info, # $ tainted
request.match_info["key"], # $ tainted
request.match_info.get("key"), # $ tainted
# multidict.MultiDictProxy[str]
# see https://multidict.readthedocs.io/en/stable/multidict.html#multidict.MultiDictProxy
# TODO: Should have a better way to capture that we in fact _do_ model this as a
@@ -121,7 +126,6 @@ async def test_taint(request: web.Request): # $ requestHandler
ensure_not_tainted(
request.loop,
request.match_info,
request.app,
request.config_dict,
)