Python: Add cherrypy handler function return values as taint sinks.

python/ql/src/semmle/python/web/HttpResponse.qll

@@ -6,3 +6,4 @@ import semmle.python.web.twisted.Response
 import semmle.python.web.bottle.Response
 import semmle.python.web.turbogears.Response
 import semmle.python.web.falcon.Response
+import semmle.python.web.cherrypy.Response

python/ql/src/semmle/python/web/cherrypy/General.qll

@@ -13,6 +13,8 @@ class CherryPyExposedFunction extends Function {
 
     CherryPyExposedFunction() {
         this.getADecorator().refersTo(CherryPy::expose())
+        or
+        this.getADecorator().(Call).getFunc().refersTo(CherryPy::expose())
     }
 
 }

python/ql/src/semmle/python/web/cherrypy/Response.qll

@@ -0,0 +1,28 @@
+import python
+
+import semmle.python.security.TaintTracking
+import semmle.python.security.strings.Untrusted
+import semmle.python.web.Http
+import semmle.python.web.cherrypy.General
+
+
+
+class CherryPyExposedFunctionResult extends TaintSink {
+
+    CherryPyExposedFunctionResult() {
+        exists(Return ret |
+            ret.getScope() instanceof CherryPyExposedFunction and
+            ret.getValue().getAFlowNode() = this
+        )
+    }
+
+    override predicate sinks(TaintKind kind) {
+        kind instanceof StringKind
+    }
+
+    override string toString() {
+        result = "cherrypy handler function result"
+    }
+
+}
+

python/ql/test/library-tests/web/cherrypy/Sinks.expected

@@ -0,0 +1,3 @@
+| red.py:8 | Str | externally controlled string |
+| test.py:11 | BinaryExpr | externally controlled string |
+| test.py:17 | BinaryExpr | externally controlled string |

python/ql/test/library-tests/web/cherrypy/Sinks.ql

@@ -0,0 +1,10 @@
+
+import python
+
+import semmle.python.web.HttpRequest
+import semmle.python.web.HttpResponse
+import semmle.python.security.strings.Untrusted
+
+from TaintSink sink, TaintKind kind
+where sink.sinks(kind)
+select sink.getLocation().toString(), sink.(ControlFlowNode).getNode().toString(), kind