Python: Add support for more URL redirect sanitisers.

Since some sanitisers don't handle backslashes correctly, I updated the data-flow configuration to incorporate a flow state tracking whether or not backslashes have been eliminated or converted to forward slashes.
2026-04-25 08:45:14 +02:00 · 2023-12-19 16:26:47 +00:00
parent 6533269387
commit 98178458d0
7 changed files with 297 additions and 11 deletions
--- a/python/ql/test/query-tests/Security/CWE-601-UrlRedirect/UrlRedirect.expected
+++ b/python/ql/test/query-tests/Security/CWE-601-UrlRedirect/UrlRedirect.expected
@@ -9,6 +9,9 @@ edges
 | test.py:1:26:1:32 | ControlFlowNode for request | test.py:74:17:74:23 | ControlFlowNode for request |
 | test.py:1:26:1:32 | ControlFlowNode for request | test.py:81:17:81:23 | ControlFlowNode for request |
 | test.py:1:26:1:32 | ControlFlowNode for request | test.py:90:17:90:23 | ControlFlowNode for request |
+| test.py:1:26:1:32 | ControlFlowNode for request | test.py:111:17:111:23 | ControlFlowNode for request |
+| test.py:1:26:1:32 | ControlFlowNode for request | test.py:137:17:137:23 | ControlFlowNode for request |
+| test.py:1:26:1:32 | ControlFlowNode for request | test.py:145:17:145:23 | ControlFlowNode for request |
 | test.py:7:5:7:10 | ControlFlowNode for target | test.py:8:21:8:26 | ControlFlowNode for target |
 | test.py:7:14:7:20 | ControlFlowNode for request | test.py:7:14:7:25 | ControlFlowNode for Attribute |
 | test.py:7:14:7:25 | ControlFlowNode for Attribute | test.py:7:14:7:43 | ControlFlowNode for Attribute() |
@@ -52,6 +55,18 @@ edges
 | test.py:90:17:90:23 | ControlFlowNode for request | test.py:90:17:90:28 | ControlFlowNode for Attribute |
 | test.py:90:17:90:28 | ControlFlowNode for Attribute | test.py:90:17:90:46 | ControlFlowNode for Attribute() |
 | test.py:90:17:90:46 | ControlFlowNode for Attribute() | test.py:90:5:90:13 | ControlFlowNode for untrusted |
+| test.py:111:5:111:13 | ControlFlowNode for untrusted | test.py:114:25:114:33 | ControlFlowNode for untrusted |
+| test.py:111:17:111:23 | ControlFlowNode for request | test.py:111:17:111:28 | ControlFlowNode for Attribute |
+| test.py:111:17:111:28 | ControlFlowNode for Attribute | test.py:111:17:111:46 | ControlFlowNode for Attribute() |
+| test.py:111:17:111:46 | ControlFlowNode for Attribute() | test.py:111:5:111:13 | ControlFlowNode for untrusted |
+| test.py:137:5:137:13 | ControlFlowNode for untrusted | test.py:140:25:140:33 | ControlFlowNode for untrusted |
+| test.py:137:17:137:23 | ControlFlowNode for request | test.py:137:17:137:28 | ControlFlowNode for Attribute |
+| test.py:137:17:137:28 | ControlFlowNode for Attribute | test.py:137:17:137:46 | ControlFlowNode for Attribute() |
+| test.py:137:17:137:46 | ControlFlowNode for Attribute() | test.py:137:5:137:13 | ControlFlowNode for untrusted |
+| test.py:145:5:145:13 | ControlFlowNode for untrusted | test.py:148:25:148:33 | ControlFlowNode for untrusted |
+| test.py:145:17:145:23 | ControlFlowNode for request | test.py:145:17:145:28 | ControlFlowNode for Attribute |
+| test.py:145:17:145:28 | ControlFlowNode for Attribute | test.py:145:17:145:46 | ControlFlowNode for Attribute() |
+| test.py:145:17:145:46 | ControlFlowNode for Attribute() | test.py:145:5:145:13 | ControlFlowNode for untrusted |
 nodes
 | test.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
 | test.py:1:26:1:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
@@ -107,6 +122,21 @@ nodes
 | test.py:90:17:90:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | test.py:90:17:90:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | test.py:93:18:93:26 | ControlFlowNode for untrusted | semmle.label | ControlFlowNode for untrusted |
+| test.py:111:5:111:13 | ControlFlowNode for untrusted | semmle.label | ControlFlowNode for untrusted |
+| test.py:111:17:111:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| test.py:111:17:111:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| test.py:111:17:111:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| test.py:114:25:114:33 | ControlFlowNode for untrusted | semmle.label | ControlFlowNode for untrusted |
+| test.py:137:5:137:13 | ControlFlowNode for untrusted | semmle.label | ControlFlowNode for untrusted |
+| test.py:137:17:137:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| test.py:137:17:137:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| test.py:137:17:137:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| test.py:140:25:140:33 | ControlFlowNode for untrusted | semmle.label | ControlFlowNode for untrusted |
+| test.py:145:5:145:13 | ControlFlowNode for untrusted | semmle.label | ControlFlowNode for untrusted |
+| test.py:145:17:145:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| test.py:145:17:145:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| test.py:145:17:145:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| test.py:148:25:148:33 | ControlFlowNode for untrusted | semmle.label | ControlFlowNode for untrusted |
 subpaths
 #select
 | test.py:8:21:8:26 | ControlFlowNode for target | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:8:21:8:26 | ControlFlowNode for target | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
@@ -118,3 +148,6 @@ subpaths
 | test.py:76:21:76:26 | ControlFlowNode for unsafe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:76:21:76:26 | ControlFlowNode for unsafe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
 | test.py:83:21:83:26 | ControlFlowNode for unsafe | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:83:21:83:26 | ControlFlowNode for unsafe | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
 | test.py:93:18:93:26 | ControlFlowNode for untrusted | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:93:18:93:26 | ControlFlowNode for untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
+| test.py:114:25:114:33 | ControlFlowNode for untrusted | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:114:25:114:33 | ControlFlowNode for untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
+| test.py:140:25:140:33 | ControlFlowNode for untrusted | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:140:25:140:33 | ControlFlowNode for untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
+| test.py:148:25:148:33 | ControlFlowNode for untrusted | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:148:25:148:33 | ControlFlowNode for untrusted | Untrusted URL redirection depends on a $@. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
--- a/python/ql/test/query-tests/Security/CWE-601-UrlRedirect/test.py
+++ b/python/ql/test/query-tests/Security/CWE-601-UrlRedirect/test.py
@@ -94,4 +94,72 @@ def ok6():
    if url_has_allowed_host_and_scheme(untrusted, allowed_hosts=None):
        return redirect(untrusted, code=302) # OK
    
-    return redirect("https://example.com", code=302) # OK
+    return redirect("https://example.com", code=302) # OK
+
+import yarl
+
+@app.route('/ok7')
+def ok7():
+    untrusted = request.args.get('target', '')
+    untrusted = untrusted.replace("\\", "/")
+    if not yarl.URL(untrusted).is_absolute():
+        return redirect(untrusted, code=302) # OK
+    return redirect("/", code=302)
+
+@app.route('/not_ok5')
+def not_ok5():
+    untrusted = request.args.get('target', '')
+    # no backslash replace
+    if not yarl.URL(untrusted).is_absolute():
+        return redirect(untrusted, code=302) # NOT OK
+    return redirect("/", code=302)
+
+from urllib.parse import urlparse
+
+@app.route('/ok8')
+def ok8():
+    untrusted = request.args.get('target', '')
+    untrusted = untrusted.replace("\\", "/")
+    if not urlparse(untrusted).netloc:
+        return redirect(untrusted, code=302) # OK
+    return redirect("/", code=302)
+
+@app.route('/ok9')
+def ok9():
+    untrusted = request.args.get('target', '')
+    untrusted = untrusted.replace("\\", "/")
+    if urlparse(untrusted).netloc == "":
+        return redirect(untrusted, code=302) # OK
+    return redirect("/", code=302)
+
+@app.route('/not_ok6')
+def not_ok6():
+    untrusted = request.args.get('target', '')
+    # no backslash replace
+    if not urlparse(untrusted).netloc:
+        return redirect(untrusted, code=302) # NOT OK
+    return redirect("/", code=302)
+
+@app.route('/not_ok7')
+def not_ok7():
+    untrusted = request.args.get('target', '')
+    # wrong check
+    if urlparse(untrusted).netloc != "":
+        return redirect(untrusted, code=302) # NOT OK
+    return redirect("/", code=302)
+
+@app.route('/ok10')
+def ok10():
+    untrusted = request.args.get('target', '')
+    untrusted = untrusted.replace("\\", "/")
+    if urlparse(untrusted).netloc in ["", request.host]:
+        return redirect(untrusted, code=302) # OK
+    return redirect("/", code=302)
+
+@app.route('/ok11')
+def ok11():
+    untrusted = request.args.get('target', '')
+    untrusted = untrusted.replace("\\", "/")
+    if urlparse(untrusted).netloc not in ["", request.host]:
+        return redirect("/", code=302) # OK
+    return redirect(untrusted, code=302)