Manually specify subclasses for redirect models

2026-04-27 01:35:13 +02:00 · 2024-04-30 14:33:46 +01:00
parent 7df8b1ba51
commit ba054bd428
2 changed files with 27 additions and 14 deletions
--- a/python/ql/lib/semmle/python/frameworks/Pyramid.qll
+++ b/python/ql/lib/semmle/python/frameworks/Pyramid.qll
@@ -183,10 +183,9 @@ module Pyramid {
      override string getMimetypeDefault() { result = "text/html" }
    }

-    /** Gets a reference to the class `pyramid.response.Response` or a subclass. */
-    API::Node subclassRef() {
-      result = API::moduleImport("pyramid").getMember("response").getMember("Response") or
-      result = ModelOutput::getATypeNode("pyramid.response.Response~Subclass").getASubclass*()
+    /** Gets a reference to the class `pyramid.response.Response`. */
+    API::Node classRef() {
+      result = API::moduleImport("pyramid").getMember("response").getMember("Response")
    }

    /**
@@ -215,7 +214,7 @@ module Pyramid {

    /** An instantiation of the class `pyramid.response.Response` or a subclass. */
    private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
-      ClassInstantiation() { this = subclassRef().getACall() }
+      ClassInstantiation() { this = classRef().getACall() }

      override DataFlow::Node getBody() { result = [this.getArg(0), this.getArgByName("body")] }

@@ -277,20 +276,20 @@ module Pyramid {

  /** Provides models for pyramid http redirects. */
  module Redirect {
-    /** Gets a reference to a subclass of `pyramid.httpexceptions._HTTPMove`, which each each exception class representing an HTTP redirect response is a subclass of. */
-    API::Node subclassRef() {
+    /** Gets a reference to a class that represents an HTTP redirect response.. */
+    API::Node classRef() {
      result =
        API::moduleImport("pyramid")
            .getMember("httpexceptions")
-            .getMember("_HTTPMove")
-            .getASubclass*() or
-      result =
-        ModelOutput::getATypeNode("pyramid.httpexceptions._HTTPMove~Subclass").getASubclass*()
+            .getMember([
+                "HTTPMultipleChoices", "HTTPMovedPermanently", "HTTPFound", "HTTPSeeOther",
+                "HTTPUseProxy", "HTTPTemporaryRedirect", "HTTPPermanentRedirect"
+              ])
    }

    /** Gets a call to a pyramid HTTP exception class that represents an HTTP redirect response. */
    class PyramidRedirect extends Http::Server::HttpRedirectResponse::Range, DataFlow::CallCfgNode {
-      PyramidRedirect() { this = subclassRef().getACall() }
+      PyramidRedirect() { this = classRef().getACall() }

      override DataFlow::Node getRedirectLocation() {
        result = [this.getArg(0), this.getArgByName("location")]
--- a/python/ql/test/library-tests/frameworks/pyramid/pyramid_test.py
+++ b/python/ql/test/library-tests/frameworks/pyramid/pyramid_test.py
@@ -1,6 +1,7 @@
 from pyramid.view import view_config
 from pyramid.config import Configurator
 from pyramid.response import Response
+from pyramid.httpexceptions import HTTPMultipleChoices, HTTPMovedPermanently, HTTPFound, HTTPSeeOther, HTTPUseProxy, HTTPTemporaryRedirect, HTTPPermanentRedirect
 from wsgiref.simple_server import make_server

 def ignore(*args, **kwargs): pass
@@ -45,6 +46,8 @@ def test1(request): # $ requestHandler

        request.text,               # $ tainted

+        request.matchdict,          # $ tainted
+
        request.path,               # $ tainted
        request.path_info,          # $ tainted
        request.path_info_peek(),   # $ tainted
@@ -87,12 +90,23 @@ def test3(ctx, req): # $ requestHandler
    resp.set_cookie(value="there", name="hi") # $ CookieWrite CookieName="hi" CookieValue="there"
    return "Ok" # $ HttpResponse responseBody="Ok" mimetype=text/html

+@view_config(route_name="test4", renderer="string") # $ routeSetup
+def test4(request): # $ requestHandler
+    a = HTTPMultipleChoices("redirect") # $HttpResponse mimetype=text/html HttpRedirectResponse redirectLocation="redirect"
+    b = HTTPMovedPermanently(location="redirect") # $HttpResponse mimetype=text/html HttpRedirectResponse redirectLocation="redirect"
+    c = HTTPFound(location="redirect") # $HttpResponse mimetype=text/html HttpRedirectResponse redirectLocation="redirect"
+    d = HTTPSeeOther(location="redirect") # $HttpResponse mimetype=text/html HttpRedirectResponse redirectLocation="redirect"
+    e = HTTPUseProxy(location="redirect") # $HttpResponse mimetype=text/html HttpRedirectResponse redirectLocation="redirect"
+    f = HTTPTemporaryRedirect(location="redirect") # $HttpResponse mimetype=text/html HttpRedirectResponse redirectLocation="redirect"
+    g = HTTPPermanentRedirect(location="redirect") # $HttpResponse mimetype=text/html HttpRedirectResponse redirectLocation="redirect"
+    raise a
+
 if __name__ == "__main__":
    with Configurator() as config:
-        for i in range(1,4):
+        for i in range(1,5):
            config.add_route(f"test{i}", f"/test{i}")
        config.add_view(test2, route_name="test2") # $ routeSetup
        config.scan()
-        server = make_server('127.0.0.1', 8000, config.make_wsgi_app())
+        server = make_server('127.0.0.1', 8080, config.make_wsgi_app())
        print("serving")
        server.serve_forever()