Python: Implement check for flask debug mode.

2026-05-02 04:05:14 +02:00 · 2018-11-22 15:01:02 +01:00
parent a85dfb1c4e
commit a4da245809
9 changed files with 121 additions and 7 deletions
--- a/python/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected
+++ b/python/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected
@@ -1,15 +1,15 @@
 edges
-| ../lib/flask/__init__.py:14:19:14:20 | externally controlled string | ../lib/flask/__init__.py:15:19:15:20 | externally controlled string |
-| ../lib/flask/__init__.py:14:19:14:20 | externally controlled string | ../lib/flask/__init__.py:16:25:16:26 | externally controlled string |
+| ../lib/flask/__init__.py:15:19:15:20 | externally controlled string | ../lib/flask/__init__.py:16:19:16:20 | externally controlled string |
+| ../lib/flask/__init__.py:15:19:15:20 | externally controlled string | ../lib/flask/__init__.py:17:25:17:26 | externally controlled string |
 | reflected_xss.py:7:18:7:29 | dict of externally controlled string | reflected_xss.py:7:18:7:45 | externally controlled string |
 | reflected_xss.py:7:18:7:45 | externally controlled string | reflected_xss.py:8:44:8:53 | externally controlled string |
-| reflected_xss.py:8:26:8:53 | externally controlled string | ../lib/flask/__init__.py:14:19:14:20 | externally controlled string |
+| reflected_xss.py:8:26:8:53 | externally controlled string | ../lib/flask/__init__.py:15:19:15:20 | externally controlled string |
 | reflected_xss.py:8:44:8:53 | externally controlled string | reflected_xss.py:8:26:8:53 | externally controlled string |
 | reflected_xss.py:12:18:12:29 | dict of externally controlled string | reflected_xss.py:12:18:12:45 | externally controlled string |
 | reflected_xss.py:12:18:12:45 | externally controlled string | reflected_xss.py:13:51:13:60 | externally controlled string |
 parents
-| ../lib/flask/__init__.py:14:19:14:20 | externally controlled string | reflected_xss.py:8:26:8:53 | externally controlled string |
 | ../lib/flask/__init__.py:15:19:15:20 | externally controlled string | reflected_xss.py:8:26:8:53 | externally controlled string |
-| ../lib/flask/__init__.py:16:25:16:26 | externally controlled string | reflected_xss.py:8:26:8:53 | externally controlled string |
+| ../lib/flask/__init__.py:16:19:16:20 | externally controlled string | reflected_xss.py:8:26:8:53 | externally controlled string |
+| ../lib/flask/__init__.py:17:25:17:26 | externally controlled string | reflected_xss.py:8:26:8:53 | externally controlled string |
 #select
-| ../lib/flask/__init__.py:16:25:16:26 | flask.response.argument | reflected_xss.py:7:18:7:29 | dict of externally controlled string | ../lib/flask/__init__.py:16:25:16:26 | externally controlled string | Cross-site scripting vulnerability due to $@. | reflected_xss.py:7:18:7:29 | flask.request.args | user-provided value |
+| ../lib/flask/__init__.py:17:25:17:26 | flask.response.argument | reflected_xss.py:7:18:7:29 | dict of externally controlled string | ../lib/flask/__init__.py:17:25:17:26 | externally controlled string | Cross-site scripting vulnerability due to $@. | reflected_xss.py:7:18:7:29 | flask.request.args | user-provided value |
--- a/python/ql/test/query-tests/Security/CWE-215/FlaskDebug.expected
+++ b/python/ql/test/query-tests/Security/CWE-215/FlaskDebug.expected
@@ -0,0 +1,3 @@
+| test.py:10:1:10:19 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |
+| test.py:25:1:25:20 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |
+| test.py:29:1:29:20 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |
--- a/python/ql/test/query-tests/Security/CWE-215/FlaskDebug.qlref
+++ b/python/ql/test/query-tests/Security/CWE-215/FlaskDebug.qlref
@@ -0,0 +1 @@
+Security/CWE-215/FlaskDebug.ql
--- a/python/ql/test/query-tests/Security/CWE-215/options
+++ b/python/ql/test/query-tests/Security/CWE-215/options
@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=2 -p ../lib
--- a/python/ql/test/query-tests/Security/CWE-215/test.py
+++ b/python/ql/test/query-tests/Security/CWE-215/test.py
@@ -0,0 +1,37 @@
+from flask import Flask
+
+app = Flask(__name__)
+
+@app.route('/crash')
+def main():
+    raise Exception()
+
+# bad
+app.run(debug=True)
+
+# okay
+app.run()
+app.run(debug=False)
+
+# also okay
+run(debug=True)
+
+app.notrun(debug=True)
+
+# a slightly more involved example using flow and truthy values
+
+DEBUG = True
+
+app.run(debug=DEBUG)
+
+DEBUG = 1
+
+app.run(debug=DEBUG)
+
+if False:
+    app.run(debug=True)
+
+# false negative
+
+runapp = app.run
+runapp(debug=True)
--- a/python/ql/test/query-tests/Security/lib/flask/init.py
+++ b/python/ql/test/query-tests/Security/lib/flask/init.py
@@ -1,7 +1,8 @@


 class Flask(object): 
-    pass
+    def run(self, *args, **kwargs):
+        pass

 from .globals import request
				`@@ -0,0 +1 @@`
				`semmle-extractor-options: --max-import-depth=2 -p ../lib`