hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

Python: Use mimetype instead of content-type in django modeling

Browse Source 
This enables the XSS query to actually find results from django responses.
This commit is contained in:
Rasmus Wriedt Larsen
2020-11-04 11:32:52 +01:00
parent 22b4df0f3c
commit 92dc7dc2f3
2 changed files with 16 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
python/ql/src/semmle/python/frameworks/Django.qll
View File

@@ -670,7 +670,7 @@ private module Django {
result.asCfgNode() in [node.getArg(1), node.getArgByName("content_type")]
}
override string getMimetypeDefault() { result = "text/html; charset=utf-8" }
override string getMimetypeDefault() { result = "text/html" }
}
/** Gets a reference to an instance of `django.http.response.HttpResponse`. */
@@ -738,7 +738,7 @@ private module Django {
// How to support the `headers` argument here?
override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
override string getMimetypeDefault() { result = "text/html; charset=utf-8" }
override string getMimetypeDefault() { result = "text/html" }
}
/** Gets a reference to an instance of `django.http.response.HttpResponseRedirect`. */
@@ -802,7 +802,7 @@ private module Django {
// How to support the `headers` argument here?
override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
override string getMimetypeDefault() { result = "text/html; charset=utf-8" }
override string getMimetypeDefault() { result = "text/html" }
}
/** Gets a reference to an instance of `django.http.response.HttpResponsePermanentRedirect`. */
@@ -928,7 +928,7 @@ private module Django {
// How to support the `headers` argument here?
override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
override string getMimetypeDefault() { result = "text/html; charset=utf-8" }
override string getMimetypeDefault() { result = "text/html" }
}
/** Gets a reference to an instance of `django.http.response.HttpResponseBadRequest`. */
@@ -992,7 +992,7 @@ private module Django {
// How to support the `headers` argument here?
override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
override string getMimetypeDefault() { result = "text/html; charset=utf-8" }
override string getMimetypeDefault() { result = "text/html" }
}
/** Gets a reference to an instance of `django.http.response.HttpResponseNotFound`. */
@@ -1056,7 +1056,7 @@ private module Django {
// How to support the `headers` argument here?
override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
override string getMimetypeDefault() { result = "text/html; charset=utf-8" }
override string getMimetypeDefault() { result = "text/html" }
}
/** Gets a reference to an instance of `django.http.response.HttpResponseForbidden`. */
@@ -1121,7 +1121,7 @@ private module Django {
// How to support the `headers` argument here?
override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
override string getMimetypeDefault() { result = "text/html; charset=utf-8" }
override string getMimetypeDefault() { result = "text/html" }
}
/** Gets a reference to an instance of `django.http.response.HttpResponseNotAllowed`. */
@@ -1185,7 +1185,7 @@ private module Django {
// How to support the `headers` argument here?
override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
override string getMimetypeDefault() { result = "text/html; charset=utf-8" }
override string getMimetypeDefault() { result = "text/html" }
}
/** Gets a reference to an instance of `django.http.response.HttpResponseGone`. */
@@ -1249,7 +1249,7 @@ private module Django {
// How to support the `headers` argument here?
override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
override string getMimetypeDefault() { result = "text/html; charset=utf-8" }
override string getMimetypeDefault() { result = "text/html" }
}
/** Gets a reference to an instance of `django.http.response.HttpResponseServerError`. */
@@ -1380,7 +1380,7 @@ private module Django {
// How to support the `headers` argument here?
override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
override string getMimetypeDefault() { result = "text/html; charset=utf-8" }
override string getMimetypeDefault() { result = "text/html" }
}
/** Gets a reference to an instance of `django.http.response.StreamingHttpResponse`. */
@@ -1444,7 +1444,7 @@ private module Django {
// How to support the `headers` argument here?
override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
override string getMimetypeDefault() { result = "text/html; charset=utf-8" }
override string getMimetypeDefault() { result = "text/html" }
}
/** Gets a reference to an instance of `django.http.response.FileResponse`. */

10
python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py
View File

@@ -18,19 +18,19 @@ def safe__manual_content_type(request):
# XSS FP reported in https://github.com/github/codeql/issues/3466
# Note: This should be an open-redirect sink, but not an XSS sink.
def or__redirect(request):
return HttpResponseRedirect(request.GET.get("next")) # $HttpResponse mimetype="text/html; charset=utf-8" responseBody=Attribute()
return HttpResponseRedirect(request.GET.get("next")) # $HttpResponse mimetype=text/html responseBody=Attribute()
# Ensure that simple subclasses are still vuln to XSS
def xss__not_found(request):
return HttpResponseNotFound(request.GET.get("name")) # $HttpResponse mimetype="text/html; charset=utf-8" responseBody=Attribute()
return HttpResponseNotFound(request.GET.get("name")) # $HttpResponse mimetype=text/html responseBody=Attribute()
# Ensure we still have an XSS sink when manually setting the content_type to HTML
def xss__manual_response_type(request):
return HttpResponse(request.GET.get("name"), content_type="text/html; charset=utf-8") # $HttpResponse mimetype=text/html responseBody=Attribute()
def xss__write(request):
response = HttpResponse() # $HttpResponse mimetype="text/html; charset=utf-8"
response.write(request.GET.get("name")) # $HttpResponse mimetype="text/html; charset=utf-8" responseBody=Attribute()
response = HttpResponse() # $HttpResponse mimetype=text/html
response.write(request.GET.get("name")) # $HttpResponse mimetype=text/html responseBody=Attribute()
# This is safe but probably a bug if the argument to `write` is not a result of `json.dumps` or similar.
def safe__write_json(request):
@@ -50,4 +50,4 @@ class CustomJsonResponse(JsonResponse):
super().__init__(content, *args, content_type="text/html", **kwargs)
def safe__custom_json_response(request):
return CustomJsonResponse("ACME Responses", {"foo": request.GET.get("foo")}) # $HttpResponse mimetype=application/json MISSING: responseBody=Dict SPURIOUS: responseBody="ACME Responses"
return CustomJsonResponse("ACME Responses", {"foo": request.GET.get("foo")}) # $HttpResponse mimetype=application/json MISSING: responseBody=Dict SPURIOUS: responseBody="ACME Responses"