Python: Use new taint-tracking query in reflected-xss query.

2025-12-18 01:33:15 +01:00 · 2019-03-06 15:26:56 +00:00
parent 7fc5d690cd
commit 64e8be6ed1
11 changed files with 40 additions and 18 deletions
--- a/python/ql/src/Security/CWE-079/ReflectedXss.ql
+++ b/python/ql/src/Security/CWE-079/ReflectedXss.ql
@@ -25,6 +25,17 @@ import semmle.python.web.HttpResponse
 /* Flow */
 import semmle.python.security.strings.Untrusted

-from TaintedPathSource src, TaintedPathSink sink
-where src.flowsTo(sink)
+
+class RefectedXssConfiguration extends TaintTracking::Configuration {
+
+    RefectedXssConfiguration() { this = "Reflected XSS configuration" }
+
+    override predicate isSource(TaintTracking::Source source) { source.isSourceOf(any(UntrustedStringKind u)) }
+
+    override predicate isSink(TaintTracking::Sink sink) { sink.sinks(any(UntrustedStringKind u)) }
+
+}
+
+from RefectedXssConfiguration config, TaintedPathSource src, TaintedPathSink sink
+where config.hasFlowPath(src, sink)
 select sink.getSink(), src, sink, "Cross-site scripting vulnerability due to $@.", src.getSource(), "user-provided value"
--- a/python/ql/src/semmle/python/web/Http.qll
+++ b/python/ql/src/semmle/python/web/Http.qll
@@ -89,3 +89,11 @@ class UntrustedCookie extends TaintKind {
 }


+/** Generic taint sink in a http response */
+abstract class SimpleHttpResponseTaintSink extends TaintSink {
+
+    override predicate sinks(TaintKind kind) { 
+        kind instanceof ExternalStringKind
+    }
+
+}
--- a/python/ql/src/semmle/python/web/bottle/Response.qll
+++ b/python/ql/src/semmle/python/web/bottle/Response.qll
@@ -22,7 +22,7 @@ private Object theBottleResponseObject() {
    result = theBottleModule().attr("response")
 }

-class BottleResponseBodyAssignment extends TaintSink {
+class BottleResponseBodyAssignment extends SimpleHttpResponseTaintSink {

    BottleResponseBodyAssignment() {
        exists(DefinitionNode lhs |
@@ -37,7 +37,7 @@ class BottleResponseBodyAssignment extends TaintSink {

 }

-class BottleHandlerFunctionResult extends TaintSink {
+class BottleHandlerFunctionResult extends SimpleHttpResponseTaintSink {

    BottleHandlerFunctionResult() {
        exists(BottleRoute route, Return ret |
--- a/python/ql/src/semmle/python/web/cherrypy/Response.qll
+++ b/python/ql/src/semmle/python/web/cherrypy/Response.qll
@@ -7,7 +7,7 @@ import semmle.python.web.cherrypy.General



-class CherryPyExposedFunctionResult extends TaintSink {
+class CherryPyExposedFunctionResult extends SimpleHttpResponseTaintSink {

    CherryPyExposedFunctionResult() {
        exists(Return ret |
--- a/python/ql/src/semmle/python/web/django/Response.qll
+++ b/python/ql/src/semmle/python/web/django/Response.qll
@@ -2,6 +2,7 @@ import python
 import semmle.python.security.TaintTracking
 import semmle.python.security.strings.Basic
 private import semmle.python.web.django.Shared
+private import semmle.python.web.Http


 /** A django.http.response.Response object
@@ -39,7 +40,7 @@ class DjangoResponseSource extends TaintSource {
 }

 /** A write to a django response, which is vulnerable to external data (xss) */
-class DjangoResponseWrite extends TaintSink {
+class DjangoResponseWrite extends SimpleHttpResponseTaintSink {

    DjangoResponseWrite() {
        exists(AttrNode meth, CallNode call |
@@ -60,7 +61,7 @@ class DjangoResponseWrite extends TaintSink {
 }

 /** An argument to initialization of a django response, which is vulnerable to external data (xss) */
-class DjangoResponseContent extends TaintSink {
+class DjangoResponseContent extends SimpleHttpResponseTaintSink {

    DjangoResponseContent() {
        exists(CallNode call, ClassObject cls |
--- a/python/ql/src/semmle/python/web/falcon/Response.qll
+++ b/python/ql/src/semmle/python/web/falcon/Response.qll
@@ -30,7 +30,7 @@ class FalconResponseParameter extends TaintSource {

 }

-class FalconResponseBodySink extends TaintSink {
+class FalconResponseBodySink extends SimpleHttpResponseTaintSink {

    FalconResponseBodySink() {
        exists(AttrNode attr |
--- a/python/ql/src/semmle/python/web/flask/Response.qll
+++ b/python/ql/src/semmle/python/web/flask/Response.qll
@@ -8,7 +8,7 @@ import semmle.python.web.flask.General

 /** A flask response, which is vulnerable to any sort of 
 * http response malice. */
-class FlaskRoutedResponse extends TaintSink {
+class FlaskRoutedResponse extends SimpleHttpResponseTaintSink {

    FlaskRoutedResponse() {
        exists(PyFunctionObject response |
@@ -28,7 +28,7 @@ class FlaskRoutedResponse extends TaintSink {
 }


-class FlaskResponseArgument extends TaintSink {
+class FlaskResponseArgument extends SimpleHttpResponseTaintSink {

    FlaskResponseArgument() {
        exists(CallNode call |
--- a/python/ql/src/semmle/python/web/pyramid/Response.qll
+++ b/python/ql/src/semmle/python/web/pyramid/Response.qll
@@ -5,10 +5,11 @@ import semmle.python.security.TaintTracking
 import semmle.python.security.strings.Basic

 private import semmle.python.web.pyramid.View
+private import semmle.python.web.Http

 /** A pyramid response, which is vulnerable to any sort of 
 * http response malice. */
-class PyramidRoutedResponse extends TaintSink {
+class PyramidRoutedResponse extends SimpleHttpResponseTaintSink {

    PyramidRoutedResponse() {
        exists(PyFunctionObject view |
--- a/python/ql/src/semmle/python/web/tornado/Response.qll
+++ b/python/ql/src/semmle/python/web/tornado/Response.qll
@@ -3,6 +3,7 @@ import python

 import semmle.python.security.TaintTracking
 import semmle.python.security.strings.Basic
+private import semmle.python.web.Http

 import Tornado

@@ -30,7 +31,7 @@ class TornadoConnectionSource extends TaintSource {

 }

-class TornadoConnectionWrite extends TaintSink {
+class TornadoConnectionWrite extends SimpleHttpResponseTaintSink {

    override string toString() {
        result = "tornado.connection.write"
@@ -52,7 +53,7 @@ class TornadoConnectionWrite extends TaintSink {

 }

-class TornadoHttpRequestHandlerWrite extends TaintSink {
+class TornadoHttpRequestHandlerWrite extends SimpleHttpResponseTaintSink {

    override string toString() {
        result = "tornado.HttpRequesHandler.write"
@@ -72,7 +73,7 @@ class TornadoHttpRequestHandlerWrite extends TaintSink {

 }

-class TornadoHttpRequestHandlerRedirect extends TaintSink {
+class TornadoHttpRequestHandlerRedirect extends SimpleHttpResponseTaintSink {

    override string toString() {
        result = "tornado.HttpRequesHandler.redirect"
--- a/python/ql/src/semmle/python/web/turbogears/Response.qll
+++ b/python/ql/src/semmle/python/web/turbogears/Response.qll
@@ -2,12 +2,12 @@ import python

 import semmle.python.security.TaintTracking
 import semmle.python.security.strings.Basic
-
+import semmle.python.web.Http
 import TurboGears



-class ControllerMethodReturnValue extends TaintSink {
+class ControllerMethodReturnValue extends SimpleHttpResponseTaintSink {

    ControllerMethodReturnValue() {
        exists(TurboGearsControllerMethod m |
@@ -22,7 +22,7 @@ class ControllerMethodReturnValue extends TaintSink {

 }

-class ControllerMethodTemplatedReturnValue extends TaintSink {
+class ControllerMethodTemplatedReturnValue extends SimpleHttpResponseTaintSink {

    ControllerMethodTemplatedReturnValue() {
        exists(TurboGearsControllerMethod m |
--- a/python/ql/src/semmle/python/web/twisted/Response.qll
+++ b/python/ql/src/semmle/python/web/twisted/Response.qll
@@ -30,7 +30,7 @@ class TwistedResponse extends TaintSink {
 * object, which affects the properties of the subsequent response sent to this
 * request.
 */
- class TwistedRequestSetter extends TaintSink {
+ class TwistedRequestSetter extends SimpleHttpResponseTaintSink {
    TwistedRequestSetter() {
        exists(CallNode call, ControlFlowNode node, string name |
            (