Merge branch 'main' into redsun82/pkg

2025-12-16 16:53:25 +01:00 · 2024-05-28 11:21:19 +02:00
parent f7bfe435c8 4c97b0c785
commit afadc1f1eb
3 changed files with 22 additions and 0 deletions
--- a/python/ql/lib/change-notes/2024-05-20-flask-session-interface.md
+++ b/python/ql/lib/change-notes/2024-05-20-flask-session-interface.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `request` parameter of Flask `SessionInterface.open_session` method is now modeled as a remote flow source.
--- a/python/ql/lib/semmle/python/frameworks/Flask.qll
+++ b/python/ql/lib/semmle/python/frameworks/Flask.qll
@@ -101,6 +101,19 @@ module Flask {
  /** Gets a reference to the `flask.request` object. */
  API::Node request() {
    result = API::moduleImport(["flask", "flask_restful"]).getMember("request")
+    or
+    result = sessionInterfaceRequestParam()
+  }
+
+  /** Gets a `request` parameter of an implementation of `open_session` in a subclass of `flask.sessions.SessionInterface` */
+  private API::Node sessionInterfaceRequestParam() {
+    result =
+      API::moduleImport("flask")
+          .getMember("sessions")
+          .getMember("SessionInterface")
+          .getASubclass+()
+          .getMember("open_session")
+          .getParameter(1)
  }

  /**
--- a/python/ql/test/library-tests/frameworks/flask/session_interface.py
+++ b/python/ql/test/library-tests/frameworks/flask/session_interface.py
@@ -0,0 +1,5 @@
+import flask 
+
+class MySessionInterface(flask.sessions.SessionInterface):
+    def open_session(self, app, request):
+        ensure_tainted(request) # $tainted