Apply suggestions from code review

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
This commit is contained in:
porcupineyhairs
2020-07-23 19:37:40 +05:30
committed by GitHub
parent a97f942a17
commit 8e85dc755a
8 changed files with 16 additions and 21 deletions


@@ -17,7 +17,7 @@ ClassValue theCheetahTemplateClass() { result = Value::named("Cheetah.Template.T
* contents = 'Hello World!'
* t3 = Template3("sink")
*
* This should also detect cases of the following type :
* This will also detect cases of the following type :
*
* from Cheetah.Template import Template
* t3 = Template("sink")


@@ -17,7 +17,7 @@ Value theJinja2FromStringValue() { result = Value::named("jinja2.from_string") }
* template = Template(`sink`)
*/
class Jinja2TemplateSink extends SSTISink {
override string toString() { result = "argument to Jinja2.template()" }
override string toString() { result = "argument to jinja2.Template()" }
Jinja2TemplateSink() {
exists(CallNode call |
@@ -30,13 +30,13 @@ class Jinja2TemplateSink extends SSTISink {
}
/**
* Sink representing the `jinja2.Template` class instantiation argument.
* Sink representing the `jinja2.from_string` function call argument.
*
* from jinja2 import Template
* template = Template(`sink`)
* from jinja2 import from_string
* template = from_string(`sink`)
*/
class Jinja2FromStringSink extends SSTISink {
override string toString() { result = "argument to Jinja2.from_string()" }
override string toString() { result = "argument to jinja2.from_string()" }
Jinja2FromStringSink() {
exists(CallNode call |
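Review bot: The rewritten doc example `from jinja2 import from_string` / `template = from_string(...)` describes a name that, as far as I know, jinja2 does not export at module level; the function lives on an environment as `Environment.from_string()`, which is also what the `Value::named("jinja2.from_string")` lookup in the hunk header context would then never match, so a view doing `Environment().from_string(user_input)` would go unflagged. Worth confirming against the jinja2 API; if it holds, the example lines should read `env = Environment()` and `template = env.from_string(<sink>)` (keeping the backticked sink marker used elsewhere in this file), and the sink would need to match the method on an `Environment` value rather than a module attribute. The `Jinja2FromStringSink` constructor body continues past the end of the hunk, so whether it already handles the instance form cannot be seen here.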


@@ -2,6 +2,6 @@ import semmle.python.dataflow.TaintTracking
/**
* A generic taint sink that is vulnerable to template inclusions.
* The `temp` in `Jinja2.Template(temp)` and similar.
* The `temp` in `jinja2.Template(temp)` and similar.
*/
abstract class SSTISink extends TaintSink { }


@@ -1,5 +1,4 @@
import python
import semmle.python.dataflow.TaintTracking
abstract class Template extends Module { }


@@ -5,9 +5,6 @@ from flask import Flask, request
app = Flask(__name__)
@app.route("/")
@route('/other')
def a():
template = request.args.get('template')


@@ -12,7 +12,7 @@ def home():
@app.route("/a")
def home():
def a():
import flask
return flask.render_template_string(request.args.get('template'))
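Review bot: The view renamed from `home` to `a` now has a name that says nothing about what this fixture case exercises; the same applies to `a` in the preceding Flask section and to `a`/`b` in the Django jinja2 section below. From the visible lines the distinguishing feature here appears to be the module-attribute form `import flask` / `flask.render_template_string(...)` as opposed to a `from flask import` form, so a name such as `render_via_module_import` would make a failing expected-output line self-explaining. The decorator `@app.route("/a")` above the definition is part of the same unit, and the old `def home():` in the hunk header suggests the rename also resolves a duplicate view name, which is fine to keep.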


@@ -4,7 +4,7 @@ from jinja2 import Template as Jinja2_Template
from jinja2 import Environment, DictLoader, escape
def j(request):
def a(request):
# Load the template
template = request.GET['template']
t = Jinja2_Template(template)
@@ -13,7 +13,7 @@ def j(request):
html = t.render(name=escape(name))
return HttpResponse(html)
def j2(request):
def b(request):
import jinja2
# Load the template
template = request.GET['template']
@@ -25,6 +25,6 @@ def j2(request):
urlpatterns = [
path('', jinja),
path('', jinja2)
path('a', a),
path('b', b)
]


@@ -2,12 +2,11 @@ from django.urls import path
from django.http import HttpResponse
from trender import TRender
urlpatterns = [
path('', trender)
]
def trender(request):
template = request.GET['template']
compiled = TRender(template)
return HttpResponse(compiled)
urlpatterns = [
path('', trender)
]
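Review bot: `return HttpResponse(compiled)` passes the object returned by `TRender(template)` straight into the response rather than rendered output; if TRender follows the compile-then-render API its name suggests, the view would need something like `return HttpResponse(compiled.render({}))` to produce a body, so the fixture as written may not mirror real usage. This does not change what the query should flag, since the tainted `request.GET['template']` still flows into `TRender(template)`, but a fixture that is also a working view is easier to trust and to reuse as documentation. Worth confirming against the trender package before changing it.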