diff --git a/python/ql/lib/semmle/python/Concepts.qll b/python/ql/lib/semmle/python/Concepts.qll index 74e06b54b0b..20578e26960 100644 --- a/python/ql/lib/semmle/python/Concepts.qll +++ b/python/ql/lib/semmle/python/Concepts.qll @@ -1239,7 +1239,7 @@ module Http { { CookieHeaderWrite() { exists(StringLiteral str | - str.getText() = "Set-Cookie" and + str.getText().toLowerCase() = "set-cookie" and DataFlow::exprNode(str) .(DataFlow::LocalSourceNode) .flowsTo(this.(Http::Server::ResponseHeaderWrite).getNameArg()) diff --git a/python/ql/lib/semmle/python/frameworks/FastApi.qll b/python/ql/lib/semmle/python/frameworks/FastApi.qll index 8c958e9343d..423f8580a5b 100644 --- a/python/ql/lib/semmle/python/frameworks/FastApi.qll +++ b/python/ql/lib/semmle/python/frameworks/FastApi.qll @@ -361,28 +361,27 @@ module FastApi { } /** - * A call to `append` on a `headers` of a FastAPI Response, with the `Set-Cookie` - * header-key. + * A call to `append` on a `headers` of a FastAPI Response. */ - private class HeadersAppendCookie extends Http::Server::CookieWrite::Range, + private class HeadersAppend extends Http::Server::ResponseHeaderWrite::Range, DataFlow::MethodCallNode { - HeadersAppendCookie() { - exists(DataFlow::AttrRead headers, DataFlow::Node keyArg | + HeadersAppend() { + exists(DataFlow::AttrRead headers | headers.accesses(instance(), "headers") and - this.calls(headers, "append") and - keyArg in [this.getArg(0), this.getArgByName("key")] and - keyArg.getALocalSource().asExpr().(StringLiteral).getText().toLowerCase() = "set-cookie" + this.calls(headers, "append") ) } - override DataFlow::Node getHeaderArg() { + override DataFlow::Node getNameArg() { result = [this.getArg(0), this.getArgByName("key")] } + + override DataFlow::Node getValueArg() { result in [this.getArg(1), this.getArgByName("value")] } - override DataFlow::Node getNameArg() { none() } + override predicate nameAllowsNewline() { none() } - override DataFlow::Node getValueArg() { none() } + override predicate valueAllowsNewline() { none() } } } } diff --git a/python/ql/test/library-tests/frameworks/fastapi/response_test.py b/python/ql/test/library-tests/frameworks/fastapi/response_test.py index 9f276338c8c..44582d6cd6e 100644 --- a/python/ql/test/library-tests/frameworks/fastapi/response_test.py +++ b/python/ql/test/library-tests/frameworks/fastapi/response_test.py @@ -11,9 +11,9 @@ app = FastAPI() async def response_parameter(response: Response): # $ requestHandler response.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value" response.set_cookie(key="key", value="value") # $ CookieWrite CookieName="key" CookieValue="value" - response.headers.append("Set-Cookie", "key2=value2") # $ CookieWrite CookieRawHeader="key2=value2" - response.headers.append(key="Set-Cookie", value="key2=value2") # $ CookieWrite CookieRawHeader="key2=value2" - response.headers["X-MyHeader"] = "header-value" + response.headers.append("Set-Cookie", "key2=value2") # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2" + response.headers.append(key="Set-Cookie", value="key2=value2") # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2" + response.headers["X-MyHeader"] = "header-value" # $ MISSING: headerWriteName="X-MyHeader" headerWriteValue="header-value" response.status_code = 418 return {"message": "response as parameter"} # $ HttpResponse mimetype=application/json responseBody=Dict @@ -45,7 +45,7 @@ async def response_parameter_custom_type(response: MyXmlResponse): # $ requestHa print(type(response)) assert type(response) == fastapi.responses.Response response.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value" - response.headers["Custom-Response-Type"] = "yes, but only after function has run" + response.headers["Custom-Response-Type"] = "yes, but only after function has run" # $ MISSING: headerWriteName="Custom-Response-Typer" headerWriteValue="yes, but only after function has run" xml_data = "FOO" return xml_data # $ HttpResponse responseBody=xml_data mimetype=application/xml