Python: Update web libraries to use HttpSources and HttpSinks

2026-04-30 03:05:15 +02:00 · 2020-01-07 14:26:48 +01:00
parent 2cdbae08b6
commit 9b2ca0c9c7
36 changed files with 92 additions and 127 deletions
--- a/python/ql/src/semmle/python/web/bottle/Request.qll
+++ b/python/ql/src/semmle/python/web/bottle/Request.qll
@@ -21,7 +21,7 @@ class BottleRequestKind extends TaintKind {
    }
 }

-private class RequestSource extends TaintSource {
+private class RequestSource extends HttpRequestTaintSource {
    RequestSource() { this.(ControlFlowNode).pointsTo(theBottleRequestObject()) }

    override predicate isSourceOf(TaintKind kind) { kind instanceof BottleRequestKind }
@@ -69,7 +69,7 @@ class UntrustedFile extends TaintKind {
 //  Move UntrustedFile to shared location
 //
 /** Parameter to a bottle request handler function */
-class BottleRequestParameter extends TaintSource {
+class BottleRequestParameter extends HttpRequestTaintSource {
    BottleRequestParameter() {
        exists(BottleRoute route | route.getNamedArgument() = this.(ControlFlowNode).getNode())
    }
--- a/python/ql/src/semmle/python/web/cherrypy/Request.qll
+++ b/python/ql/src/semmle/python/web/cherrypy/Request.qll
@@ -25,7 +25,7 @@ class CherryPyRequest extends TaintKind {
    }
 }

-class CherryPyExposedFunctionParameter extends TaintSource {
+class CherryPyExposedFunctionParameter extends HttpRequestTaintSource {
    CherryPyExposedFunctionParameter() {
        exists(Parameter p |
            p = any(CherryPyExposedFunction f).getAnArg() and
@@ -39,7 +39,7 @@ class CherryPyExposedFunctionParameter extends TaintSource {
    override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringKind }
 }

-class CherryPyRequestSource extends TaintSource {
+class CherryPyRequestSource extends HttpRequestTaintSource {
    CherryPyRequestSource() { this.(ControlFlowNode).pointsTo(Value::named("cherrypy.request")) }

    override predicate isSourceOf(TaintKind kind) { kind instanceof CherryPyRequest }
--- a/python/ql/src/semmle/python/web/django/Response.qll
+++ b/python/ql/src/semmle/python/web/django/Response.qll
@@ -18,8 +18,8 @@ private ClassValue theDjangoHttpResponseClass() {
    not result = theDjangoHttpRedirectClass()
 }

-/** Instantiation of a django response. */
-class DjangoResponseSource extends TaintSource {
+/** internal class used for trakcing a django response. */
+private class DjangoResponseSource extends TaintSource {
    DjangoResponseSource() {
        exists(ClassValue cls |
            cls.getASuperType() = theDjangoHttpResponseClass() and
--- a/python/ql/src/semmle/python/web/falcon/Request.qll
+++ b/python/ql/src/semmle/python/web/falcon/Request.qll
@@ -35,7 +35,7 @@ class FalconRequest extends TaintKind {
    }
 }

-class FalconRequestParameter extends TaintSource {
+class FalconRequestParameter extends HttpRequestTaintSource {
    FalconRequestParameter() {
        exists(FalconHandlerFunction f | f.getRequest() = this.(ControlFlowNode).getNode())
    }
--- a/python/ql/src/semmle/python/web/falcon/Response.qll
+++ b/python/ql/src/semmle/python/web/falcon/Response.qll
@@ -9,7 +9,8 @@ class FalconResponse extends TaintKind {
    FalconResponse() { this = "falcon.response" }
 }

-class FalconResponseParameter extends TaintSource {
+/** Only used internally to track the response parameter */
+private class FalconResponseParameter extends TaintSource {
    FalconResponseParameter() {
        exists(FalconHandlerFunction f | f.getResponse() = this.(ControlFlowNode).getNode())
    }
--- a/python/ql/src/semmle/python/web/flask/Request.qll
+++ b/python/ql/src/semmle/python/web/flask/Request.qll
@@ -47,7 +47,7 @@ class FlaskRequestArgs extends HttpRequestTaintSource {
 }

 /** Source of dictionary whose values are externally controlled */
-class FlaskRequestJson extends TaintSource {
+class FlaskRequestJson extends HttpRequestTaintSource {
    FlaskRequestJson() { flask_request_attr(this, "json") }

    override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalJsonKind }
--- a/python/ql/src/semmle/python/web/pyramid/Request.qll
+++ b/python/ql/src/semmle/python/web/pyramid/Request.qll
@@ -11,7 +11,7 @@ class PyramidRequest extends BaseWebobRequest {
 }

 /** Source of pyramid request objects */
-class PyramidViewArgument extends TaintSource {
+class PyramidViewArgument extends HttpRequestTaintSource {
    PyramidViewArgument() {
        exists(Function view_func |
            is_pyramid_view_function(view_func) and
--- a/python/ql/src/semmle/python/web/tornado/Request.qll
+++ b/python/ql/src/semmle/python/web/tornado/Request.qll
@@ -30,7 +30,7 @@ class TornadoRequest extends TaintKind {
    }
 }

-class TornadoRequestSource extends TaintSource {
+class TornadoRequestSource extends HttpRequestTaintSource {
    TornadoRequestSource() { isTornadoRequestHandlerInstance(this.(AttrNode).getObject("request")) }

    override string toString() { result = "Tornado request source" }
@@ -38,7 +38,7 @@ class TornadoRequestSource extends TaintSource {
    override predicate isSourceOf(TaintKind kind) { kind instanceof TornadoRequest }
 }

-class TornadoExternalInputSource extends TaintSource {
+class TornadoExternalInputSource extends HttpRequestTaintSource {
    TornadoExternalInputSource() {
        exists(string name |
            name = "get_argument" or
@@ -55,7 +55,7 @@ class TornadoExternalInputSource extends TaintSource {
    override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringKind }
 }

-class TornadoExternalInputListSource extends TaintSource {
+class TornadoExternalInputListSource extends HttpRequestTaintSource {
    TornadoExternalInputListSource() {
        exists(string name |
            name = "get_arguments" or
--- a/python/ql/src/semmle/python/web/turbogears/Request.qll
+++ b/python/ql/src/semmle/python/web/turbogears/Request.qll
@@ -1,5 +1,6 @@
 import python
 import semmle.python.security.strings.Untrusted
+import semmle.python.web.Http
 import TurboGears

 private class ValidatedMethodParameter extends Parameter {
@@ -11,7 +12,7 @@ private class ValidatedMethodParameter extends Parameter {
    }
 }

-class UnvalidatedControllerMethodParameter extends TaintSource {
+class UnvalidatedControllerMethodParameter extends HttpRequestTaintSource {
    UnvalidatedControllerMethodParameter() {
        exists(Parameter p |
            any(TurboGearsControllerMethod m | not m.getName() = "onerror").getAnArg() = p and
--- a/python/ql/src/semmle/python/web/twisted/Request.qll
+++ b/python/ql/src/semmle/python/web/twisted/Request.qll
@@ -26,7 +26,7 @@ class TwistedRequest extends TaintKind {
    }
 }

-class TwistedRequestSource extends TaintSource {
+class TwistedRequestSource extends HttpRequestTaintSource {
    TwistedRequestSource() { isTwistedRequestInstance(this) }

    override string toString() { result = "Twisted request source" }
--- a/python/ql/src/semmle/python/web/twisted/Response.qll
+++ b/python/ql/src/semmle/python/web/twisted/Response.qll
@@ -5,7 +5,7 @@ import semmle.python.security.strings.Basic
 import Twisted
 import Request

-class TwistedResponse extends TaintSink {
+class TwistedResponse extends HttpResponseTaintSink {
    TwistedResponse() {
        exists(PythonFunctionValue func, string name |
            isKnownRequestHandlerMethodName(name) and