Merge pull request #979 from markshannon/python-falcon

Python: Add support for falcon web API framework.
2026-05-04 13:15:21 +02:00 · 2019-02-28 15:47:35 +01:00
parent 5478e0da62 1444b3976c
commit b8b4216352
24 changed files with 375 additions and 16 deletions
--- a/python/ql/test/library-tests/web/falcon/Routing.expected
+++ b/python/ql/test/library-tests/web/falcon/Routing.expected
@@ -0,0 +1,3 @@
+| /hello | delete | test.py:22:5:22:35 | Function on_delete |
+| /hello | get | test.py:9:5:9:32 | Function on_get |
+| /hello | post | test.py:19:5:19:33 | Function on_post |
--- a/python/ql/test/library-tests/web/falcon/Routing.ql
+++ b/python/ql/test/library-tests/web/falcon/Routing.ql
@@ -0,0 +1,8 @@
+import python
+
+import semmle.python.web.falcon.General
+
+from FalconRoute route, string method
+
+select route.getUrl(), method, route.getHandlerFunction(method)
+
--- a/python/ql/test/library-tests/web/falcon/Sinks.expected
+++ b/python/ql/test/library-tests/web/falcon/Sinks.expected
@@ -0,0 +1 @@
+| test.py:17 | Attribute() | externally controlled string |
--- a/python/ql/test/library-tests/web/falcon/Sinks.ql
+++ b/python/ql/test/library-tests/web/falcon/Sinks.ql
@@ -0,0 +1,10 @@
+
+import python
+
+import semmle.python.web.HttpRequest
+import semmle.python.web.HttpResponse
+import semmle.python.security.strings.Untrusted
+
+from TaintSink sink, TaintKind kind
+where sink.sinks(kind)
+select sink.getLocation().toString(), sink.(ControlFlowNode).getNode().toString(), kind
--- a/python/ql/test/library-tests/web/falcon/Sources.expected
+++ b/python/ql/test/library-tests/web/falcon/Sources.expected
@@ -0,0 +1,3 @@
+| test.py:9 | req | falcon.request |
+| test.py:19 | req | falcon.request |
+| test.py:22 | req | falcon.request |
--- a/python/ql/test/library-tests/web/falcon/Sources.ql
+++ b/python/ql/test/library-tests/web/falcon/Sources.ql
@@ -0,0 +1,10 @@
+
+import python
+
+import semmle.python.web.HttpRequest
+import semmle.python.security.strings.Untrusted
+
+
+from TaintSource src, TaintKind kind
+where src.isSourceOf(kind) and not kind.matches("tornado%")
+select src.getLocation().toString(), src.(ControlFlowNode).getNode().toString(), kind
--- a/python/ql/test/library-tests/web/falcon/Taint.expected
+++ b/python/ql/test/library-tests/web/falcon/Taint.expected
@@ -0,0 +1,25 @@
+| test.py:9 | req | falcon.request |
+| test.py:9 | resp | falcon.response |
+| test.py:10 | Attribute | file[externally controlled string] |
+| test.py:10 | Attribute() | externally controlled string |
+| test.py:10 | req | falcon.request |
+| test.py:11 | Attribute() | externally controlled string |
+| test.py:11 | Attribute() | json[externally controlled string] |
+| test.py:11 | raw_json | externally controlled string |
+| test.py:12 | resp | falcon.response |
+| test.py:13 | Dict | {externally controlled string} |
+| test.py:13 | Dict | {json[externally controlled string]} |
+| test.py:15 | result | externally controlled string |
+| test.py:15 | result | json[externally controlled string] |
+| test.py:17 | resp | falcon.response |
+| test.py:17 | result | {externally controlled string} |
+| test.py:17 | result | {json[externally controlled string]} |
+| test.py:19 | req | falcon.request |
+| test.py:19 | resp | falcon.response |
+| test.py:22 | req | falcon.request |
+| test.py:22 | resp | falcon.response |
+| test.py:23 | Attribute | wsgi.environment |
+| test.py:23 | req | falcon.request |
+| test.py:24 | Subscript | externally controlled string |
+| test.py:24 | env | wsgi.environment |
+| test.py:25 | qs | externally controlled string |
--- a/python/ql/test/library-tests/web/falcon/Taint.ql
+++ b/python/ql/test/library-tests/web/falcon/Taint.ql
@@ -0,0 +1,13 @@
+
+import python
+
+
+import semmle.python.web.HttpRequest
+import semmle.python.web.HttpResponse
+import semmle.python.security.strings.Untrusted
+
+
+from TaintedNode node
+where node.getLocation().getFile().getName().matches("%falcon/test.py")
+select node.getLocation().toString(), node.getNode().getNode().toString(), node.getTaintKind()
+
--- a/python/ql/test/library-tests/web/falcon/options
+++ b/python/ql/test/library-tests/web/falcon/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: --max-import-depth=3 --lang=3 -p ../../../query-tests/Security/lib/
+optimize: true
--- a/python/ql/test/library-tests/web/falcon/test.py
+++ b/python/ql/test/library-tests/web/falcon/test.py
@@ -0,0 +1,28 @@
+import json
+
+from falcon import API
+
+app = API()
+
+class Handler(object):
+
+    def on_get(self, req, resp):
+        raw_json = req.stream.read()
+        result = json.loads(raw_json)
+        resp.status = 200
+        result = {
+            'status': 'success',
+            'data': result
+        }
+        resp.body = json.dumps(result)
+
+    def on_post(self, req, resp):
+        pass
+
+    def on_delete(self, req, resp):
+        env = req.env
+        qs = env["QUERY_STRING"]
+        return qs
+
+app.add_route('/hello', Handler())
+
--- a/python/ql/test/query-tests/Security/lib/falcon/init.py
+++ b/python/ql/test/query-tests/Security/lib/falcon/init.py
@@ -0,0 +1,4 @@
+
+from falcon.api import API
+from falcon.request import Request
+from falcon.response import Response
--- a/python/ql/test/query-tests/Security/lib/falcon/api.py
+++ b/python/ql/test/query-tests/Security/lib/falcon/api.py
@@ -0,0 +1,14 @@
+
+"""Falcon API class."""
+
+class API(object):
+
+    def add_route(self, uri_template, resource, **kwargs):
+        pass
+
+    def add_sink(self, sink, prefix=r'/'):
+        pass
+
+    def add_error_handler(self, exception, handler=None):
+        pass
+
--- a/python/ql/test/query-tests/Security/lib/falcon/request.py
+++ b/python/ql/test/query-tests/Security/lib/falcon/request.py
@@ -0,0 +1,3 @@
+
+class Request(object):
+    pass
--- a/python/ql/test/query-tests/Security/lib/falcon/response.py
+++ b/python/ql/test/query-tests/Security/lib/falcon/response.py
@@ -0,0 +1,4 @@
+
+
+class Response(object):
+    pass
				`@@ -0,0 +1 @@`
				`\| test.py:17 \| Attribute() \| externally controlled string \|`