Extend ReflectedXSS query

python/ql/src/experimental/Security/CWE-079/ReflectedXSS.ql

@@ -0,0 +1,23 @@
+/**
+ * @name Reflected server-side cross-site scripting
+ * @description Writing user input directly to a web page
+ *              allows for a cross-site scripting vulnerability.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 2.9
+ * @sub-severity high
+ * @id py/reflective-xss
+ * @tags security
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ */
+
+// determine precision above
+import python
+import experimental.semmle.python.security.dataflow.ReflectedXSS
+import DataFlow::PathGraph
+
+from ReflectedXssConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
+  source.getNode(), "a user-provided value"

python/ql/src/experimental/Security/CWE-079/test.ql

@@ -1,3 +0,0 @@
-select "1"
-// void query to run and generate unit_tests.testproj database to test
-// until we decide the objective of the query

python/ql/src/experimental/Security/CWE-079/unit_tests/ReflectedXSS.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE-079/ReflectedXSS.ql

python/ql/src/experimental/Security/CWE-079/unit_tests/flask_mail.py

@@ -1,7 +1,6 @@
 # https://pythonhosted.org/Flask-Mail/
 # https://github.com/mattupstate/flask-mail/blob/1709c70d839a7cc7b1f7eeb97333b71cd420fe32/flask_mail.py#L239
 
-# tmp: this test cover RFS to any part of the message, but can be shortened to a specific part (body&html) once we decide the objective of the query.
 from flask_mail import Mail, Message
 
 app = Flask(__name__)
@@ -9,15 +8,15 @@ mail = Mail(app)
 
 @app.route("/send")
 def send():
-  msg = Message(subject=request.args["subject"],
-                sender=request.args["sender"],
-                recipients=list(request.args["recipient"]),
-                body=request.args["body"],
+  msg = Message(subject="Subject",
+                sender="from@example.com",
+                recipients=["to@example.com"],
+                body="body",
                 html=request.args["html"])
 
   # The message can contain a body and/or HTML:
-  msg.body = "test"
-  msg.html = "<b>test</b>"
+  msg.body = "body"
+  msg.html = request.args["html"]
 
   mail.send(msg)
 
@@ -27,8 +26,8 @@ def connect():
   Minimal example to test mail.connect() usage
   """
   with mail.connect() as conn:
-    msg = Message(subject=request.args["subject"],
-                  sender=request.args["sender"],
-                  recipients=list(request.args["recipient"]),
-                  body=request.args["html"])
+    msg = Message(subject="Subject",
+                  sender="from@example.com",
+                  recipients=["to@example.com"],
+                  html=request.args["html"])
     conn.send(msg)

python/ql/src/experimental/Security/CWE-079/unit_tests/test.actual

@@ -1 +0,0 @@
-| 1 |

python/ql/src/experimental/Security/CWE-079/unit_tests/test.qlref

@@ -1 +0,0 @@
-experimental/Security/CWE-079/test.ql

python/ql/src/experimental/semmle/python/security/dataflow/ReflectedXSS.qll

@@ -0,0 +1,29 @@
+/**
+ * Provides a taint-tracking configuration for detecting reflected server-side
+ * cross-site scripting vulnerabilities.
+ */
+
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import semmle.python.dataflow.new.RemoteFlowSources
+import semmle.python.dataflow.new.BarrierGuards
+import experimental.semmle.python.Concepts
+
+/**
+ * A taint-tracking configuration for detecting reflected server-side cross-site
+ * scripting vulnerabilities.
+ */
+class ReflectedXssConfiguration extends TaintTracking::Configuration {
+  ReflectedXssConfiguration() { this = "ReflectedXssConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink = any(EmailSender email).getHtmlBody()
+  }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof StringConstCompare
+  }
+}