Python: Port ReflectedXss query (and tests)

2026-04-30 11:15:13 +02:00 · 2020-10-20 18:09:38 +02:00
parent df6fd53a7e
commit 8aaa36bd99
4 changed files with 55 additions and 0 deletions
--- a/python/ql/src/experimental/Security-new-dataflow/CWE-079/ReflectedXss.ql
+++ b/python/ql/src/experimental/Security-new-dataflow/CWE-079/ReflectedXss.ql
@@ -0,0 +1,38 @@
+/**
+ * @name Reflected server-side cross-site scripting
+ * @description Writing user input directly to a web page
+ *              allows for a cross-site scripting vulnerability.
+ * @kind path-problem
+ * @problem.severity error
+ * @sub-severity high
+ * @precision high
+ * @id py/reflective-xss
+ * @tags security
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ */
+
+import python
+import experimental.dataflow.DataFlow
+import experimental.dataflow.TaintTracking
+import experimental.semmle.python.Concepts
+import experimental.dataflow.RemoteFlowSources
+import DataFlow::PathGraph
+
+class ReflectedXssConfiguration extends TaintTracking::Configuration {
+  ReflectedXssConfiguration() { this = "ReflectedXssConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(HTTP::Server::HttpResponse response |
+      response.getContentType().toLowerCase().matches("text/html%") and
+      sink = response.getBody()
+    )
+  }
+}
+
+from ReflectedXssConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
+  source.getNode(), "a user-provided value"
--- a/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-079/ReflectedXss.expected
+++ b/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-079/ReflectedXss.expected
@@ -0,0 +1,3 @@
+edges
+nodes
+#select
--- a/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-079/ReflectedXss.qlref
+++ b/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-079/ReflectedXss.qlref
@@ -0,0 +1 @@
+experimental/Security-new-dataflow/CWE-079/ReflectedXss.ql
--- a/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-079/reflected_xss.py
+++ b/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-079/reflected_xss.py
@@ -0,0 +1,13 @@
+from flask import Flask, request, make_response, escape
+
+app = Flask(__name__)
+
+@app.route('/unsafe')
+def unsafe():
+    first_name = request.args.get('name', '')
+    return make_response("Your name is " + first_name)
+
+@app.route('/safe')
+def safe():
+    first_name = request.args.get('name', '')
+    return make_response("Your name is " + escape(first_name))
				`@@ -0,0 +1 @@`
				`experimental/Security-new-dataflow/CWE-079/ReflectedXss.ql`