Python: In flask, taint routed prameters for variable rules

Fixes https://github.com/github/codeql-python-team/issues/79

python/ql/src/semmle/python/web/flask/Request.qll

@@ -54,3 +54,35 @@ class FlaskRequestJson extends HttpRequestTaintSource {
 
     override string toString() { result = "flask.request.json" }
 }
+
+/**
+ * A parameter to a flask request handler, that can capture a part of the URL (as specified in
+ * the url-pattern of a route).
+ *
+ * For example, the `name` parameter in:
+ * ```
+ * @app.route('/hello/<name>')
+ * def hello(name):
+ * ```
+ */
+class FlaskRoutedParameter extends HttpRequestTaintSource {
+    FlaskRoutedParameter() {
+        exists(string name, Function func, StrConst url_pattern |
+            this.(ControlFlowNode).getNode() = func.getArgByName(name) and
+            flask_routing(url_pattern.getAFlowNode(), func) and
+            exists(string match |
+                match = url_pattern.getS().regexpFind(werkzeug_rule_re(), _, _) and
+                name = match.regexpCapture(werkzeug_rule_re(), 4)
+            )
+        )
+    }
+
+    override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringKind }
+}
+
+private string werkzeug_rule_re() {
+    // since flask uses werkzeug internally, we are using it's routing rules from
+    // https://github.com/pallets/werkzeug/blob/4dc8d6ab840d4b78cbd5789cef91b01e3bde01d5/src/werkzeug/routing.py#L138-L151
+    result =
+        "(?<static>[^<]*)<(?:(?<converter>[a-zA-Z_][a-zA-Z0-9_]*)(?:\\((?<args>.*?)\\))?\\:)?(?<variable>[a-zA-Z_][a-zA-Z0-9_]*)>"
+}