hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-23 07:45:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Replace sanitizer by exclusion from sink definition

Browse Source
This commit is contained in:
Owen Mansel-Chan
2026-01-30 09:27:38 +00:00
parent b4cb2c3f13
commit a3885cd8b2
3 changed files with 19 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
python/ql/lib/semmle/python/frameworks/Flask.qll
View File

@@ -621,24 +621,14 @@ module Flask {
}
override DataFlow::Node getAPathArgument() {
result in [
this.getArg(0), this.getArgByName("directory"),
// as described in the docs, the `filename` argument is restrained to be within
// the provided directory, so is not exposed to path-injection. (but is still a
// path-argument).
this.getArg(1), this.getArgByName("filename")
]
result = this.getArg([0, 1]) or
result = this.getArgByName(["directory", "filename"])
}
}
/**
* To exclude `filename` argument to `flask.send_from_directory` as a path-injection sink.
*/
private class FlaskSendFromDirectoryCallFilenameSanitizer extends PathInjection::Sanitizer {
FlaskSendFromDirectoryCallFilenameSanitizer() {
this = any(FlaskSendFromDirectoryCall c).getArg(1)
or
this = any(FlaskSendFromDirectoryCall c).getArgByName("filename")
override DataFlow::Node getASafePathArgument() {
// as described in the docs, the `filename` argument is restrained to be within
// the provided directory, so is not exposed to path-injection.
result in [this.getArg(1), this.getArgByName("filename")]
}
}