Python: Add redirect modeling for Tornado

After making https://github.com/github/codeql/pull/4995, I realized how easy
this would be :D

Will need to do some manual merge-conflict handling, but it should be all good
:)
This commit is contained in:
Rasmus Wriedt Larsen
2021-01-21 14:04:11 +01:00
parent 2f86937e5a
commit 7a76a5134e
2 changed files with 39 additions and 1 deletions


@@ -216,6 +216,17 @@ private module Tornado {
/** Gets a reference to one of the methods `get_arguments`, `get_body_arguments`, `get_query_arguments`. */
DataFlow::Node argumentsMethod() { result = argumentsMethod(DataFlow::TypeTracker::end()) }
/** Gets a reference the `redirect` method. */
private DataFlow::Node redirectMethod(DataFlow::TypeTracker t) {
t.startInAttr("redirect") and
result = instance()
or
exists(DataFlow::TypeTracker t2 | result = redirectMethod(t2).track(t2, t))
}
/** Gets a reference the `redirect` method. */
DataFlow::Node redirectMethod() { result = redirectMethod(DataFlow::TypeTracker::end()) }
private class AdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
// Method access
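Review bot: The QLDoc on both new `redirectMethod` predicates is missing a word ("Gets a reference the `redirect` method"); it should read `/** Gets a reference to the `redirect` method. */` on each, matching the wording of the `argumentsMethod` doc just above. The tracking predicate itself mirrors the existing pattern (`startInAttr` on `instance()` plus a `track` step), so nothing else stands out in this hunk. Note that the `AdditionalTaintStep` class whose header is the last context lines here continues outside the hunk.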
@@ -540,4 +551,31 @@ private module Tornado {
not result = this.getArg(0)
}
}
// ---------------------------------------------------------------------------
// Response modeling
// ---------------------------------------------------------------------------
/**
* A call to `tornado.web.RequestHandler.write` method.
*
* See https://www.tornadoweb.org/en/stable/web.html?highlight=write#tornado.web.RequestHandler.write
*/
private class TornadoRequestHandlerRedirectCall extends HTTP::Server::HttpRedirectResponse::Range,
DataFlow::CfgNode {
override CallNode node;
TornadoRequestHandlerRedirectCall() {
node.getFunction() = tornado::web::RequestHandler::redirectMethod().asCfgNode()
}
override DataFlow::Node getRedirectLocation() {
result.asCfgNode() in [node.getArg(0), node.getArgByName("url")]
}
override DataFlow::Node getBody() { none() }
override string getMimetypeDefault() { none() }
override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
}
}
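Review bot: The QLDoc on `TornadoRequestHandlerRedirectCall` describes the wrong method: it says "A call to `tornado.web.RequestHandler.write` method" and links to the `write` anchor, which presumably was copied from an existing write-call class, while the class matches calls to `redirectMethod()` and is the `HttpRedirectResponse::Range` sink. It should read `* A call to the `tornado.web.RequestHandler.redirect` method.` with the "See" link pointing at the same page using the `#tornado.web.RequestHandler.redirect` anchor instead of the `write` one. Since `getRedirectLocation` is what URL-redirect queries treat as the sink, getting this doc right matters for anyone auditing why a Tornado `redirect(url)` call is flagged; the `getArg(0)` / `getArgByName("url")` pair does match Tornado's `redirect(url, ...)` signature.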