Add additional type tracking for request attributes

2025-12-21 03:06:31 +01:00 · 2024-04-25 13:58:36 +01:00
parent f85ee38e04
commit 86d1e5b646
2 changed files with 19 additions and 7 deletions
--- a/python/ql/lib/semmle/python/frameworks/Pyramid.qll
+++ b/python/ql/lib/semmle/python/frameworks/Pyramid.qll
@@ -13,6 +13,7 @@ private import semmle.python.dataflow.new.FlowSummary
 private import semmle.python.frameworks.internal.PoorMansFunctionResolution
 private import semmle.python.frameworks.internal.InstanceTaintStepsHelper
 private import semmle.python.frameworks.data.ModelsAsData
+private import semmle.python.frameworks.Stdlib

 /**
 * Provides models for the `pyramid` PyPI package.
@@ -122,10 +123,22 @@ module Pyramid {
      }

      override string getMethodName() {
-        result in ["as_bytes", "copy", "copy_body", "copy_get", "path_info_peek", "path_info_pop"]
+        result in ["as_bytes", "copy", "copy_get", "path_info_peek", "path_info_pop"]
      }

      override string getAsyncMethodName() { none() }
    }
+
+    private class RequestCopyCall extends InstanceSource, DataFlow::MethodCallNode {
+      RequestCopyCall() { this.calls(instance(), ["copy", "copy_get"]) }
+    }
+
+    private class RequestBodyFileLike extends Stdlib::FileLikeObject::InstanceSource instanceof DataFlow::AttrRead
+    {
+      RequestBodyFileLike() {
+        this.getObject() = instance() and
+        this.getAttributeName() = ["body_file", "body_file_raw", "body_file_seekable"]
+      }
+    }
  }
 }
--- a/python/ql/test/library-tests/frameworks/pyramid/pyramid_test.py
+++ b/python/ql/test/library-tests/frameworks/pyramid/pyramid_test.py
@@ -30,10 +30,9 @@ def test1(request):
        request.as_bytes,          # $ tainted

        request.body,              # $ tainted
-        request.body_file,         # $ tainted
-        request.body_file_raw,     # $ tainted
-        request.body_file_seekable,# $ tainted
-        request.body_file.read(),  # $ MISSING:tainted
+        request.body_file.read(),         # $ tainted
+        request.body_file_raw.read(),     # $ tainted
+        request.body_file_seekable.read(),# $ tainted

        request.json,              # $ tainted
        request.json_body,         # $ tainted
@@ -61,9 +60,9 @@ def test1(request):
        request.GET.values(),       # $ tainted

        request.copy(),             # $ tainted
-        request.copy_body(),        # $ tainted
        request.copy_get(),         # $ tainted
-        request.copy().GET['a']     # $ MISSING:tainted
+        request.copy().GET['a'],    # $ tainted
+        request.copy_get().body     # $ tainted
        ) 

 def test2(request):