Copy template injection to standard pack + add jinja sinks

2026-04-26 09:15:12 +02:00 · 2024-11-05 17:06:53 +00:00
parent 1266b244f5
commit 8647073433
6 changed files with 106 additions and 3 deletions
--- a/python/ql/src/experimental/Security/CWE-074/TemplateConstructionConcept.qll
+++ b/python/ql/src/experimental/Security/CWE-074/TemplateConstructionConcept.qll
@@ -134,7 +134,12 @@ class Jinja2TemplateConstruction extends TemplateConstruction::Range, API::CallN
 /** A call to `jinja2.from_string`. */
 class Jinja2FromStringConstruction extends TemplateConstruction::Range, API::CallNode {
  Jinja2FromStringConstruction() {
-    this = API::moduleImport("jinja2").getMember("from_string").getACall()
+    this =
+      API::moduleImport("jinja2")
+          .getMember("Environment")
+          .getReturn()
+          .getMember("from_string")
+          .getACall()
  }

  override DataFlow::Node getSourceArg() { result = this.getArg(0) }
--- a/python/ql/src/experimental/Security/CWE-074/TemplateInjectionCustomizations.qll
+++ b/python/ql/src/experimental/Security/CWE-074/TemplateInjectionCustomizations.qll
@@ -6,7 +6,7 @@

 private import python
 private import semmle.python.dataflow.new.DataFlow
-private import semmle.python.Concepts
+private import semmle.python.Concepts as C
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.BarrierGuards
 private import TemplateConstructionConcept
@@ -40,7 +40,7 @@ module TemplateInjection {
  /**
   * An active threat-model source, considered as a flow source.
   */
-  private class ActiveThreatModelSourceAsSource extends Source, ActiveThreatModelSource { }
+  private class ActiveThreatModelSourceAsSource extends Source, C::ActiveThreatModelSource { }

  /**
   * A SQL statement of a SQL construction, considered as a flow sink.