Merge pull request #9351 from RasmusWL/django-file-read

Python: Support `read` on Django file

python/ql/lib/semmle/python/frameworks/Django.qll

@@ -464,7 +464,15 @@ module Django {
 
     /** A file-like object instance that originates from a `UploadedFile`. */
     class UploadedFileFileLikeInstances extends Stdlib::FileLikeObject::InstanceSource {
-      UploadedFileFileLikeInstances() { this.(DataFlow::AttrRead).accesses(instance(), "file") }
+      UploadedFileFileLikeInstances() {
+        // in the bottom of
+        // https://docs.djangoproject.com/en/4.0/ref/files/file/#django.core.files.File
+        // it's mentioned that the File object itself has proxy methods for
+        // `read`/`write`/... that forwards to the underlying file object.
+        this = instance()
+        or
+        this.(DataFlow::AttrRead).accesses(instance(), "file")
+      }
     }
   }
 

python/ql/test/library-tests/frameworks/django-v2-v3/taint_test.py

@@ -71,6 +71,7 @@ def test_taint(request: HttpRequest, foo, bar, baz=None):  # $requestHandler rou
         request.FILES["key"].name, # $ tainted
         request.FILES["key"].file, # $ tainted
         request.FILES["key"].file.read(), # $ tainted
+        request.FILES["key"].read(), # $ tainted
 
         request.FILES.get("key"), # $ tainted
         request.FILES.get("key").name, # $ tainted