Python: Use HTTP::Client::Request request for py/request-without-cert-validation

This is very much like the Ruby query, except we also have the origin that does the disabling. 976daddd36/ruby/ql/src/queries/security/cwe-295/RequestWithoutValidation.ql (L18-L20)
2025-12-22 11:46:32 +01:00 · 2022-06-08 15:39:10 +02:00
parent 9cb249fc2f
commit c21e05aa44
3 changed files with 17 additions and 13 deletions
--- a/python/ql/lib/semmle/python/frameworks/Requests.qll
+++ b/python/ql/lib/semmle/python/frameworks/Requests.qll
@@ -58,6 +58,7 @@ private module Requests {
    ) {
      disablingNode = this.getKeywordParameter("verify").getARhs() and
      argumentOrigin = this.getKeywordParameter("verify").getAValueReachingRhs() and
+      // requests treats `None` as the default and all other "falsey" values as `False`.
      argumentOrigin.asExpr().(ImmutableLiteral).booleanValue() = false and
      not argumentOrigin.asExpr() instanceof None
    }
--- a/python/ql/src/Security/CWE-295/RequestWithoutValidation.ql
+++ b/python/ql/src/Security/CWE-295/RequestWithoutValidation.ql
@@ -15,12 +15,14 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs

-from API::CallNode call, DataFlow::Node falseyOrigin, string verb
+from
+  HTTP::Client::Request request, DataFlow::Node disablingNode, DataFlow::Node origin, string ending
 where
-  verb = HTTP::httpVerbLower() and
-  call = API::moduleImport("requests").getMember(verb).getACall() and
-  falseyOrigin = call.getKeywordParameter("verify").getAValueReachingRhs() and
-  // requests treats `None` as the default and all other "falsey" values as `False`.
-  falseyOrigin.asExpr().(ImmutableLiteral).booleanValue() = false and
-  not falseyOrigin.asExpr() instanceof None
-select call, "Call to requests." + verb + " with verify=$@", falseyOrigin, "False"
+  request.disablesCertificateValidation(disablingNode, origin) and
+  // Showing the origin is only useful when it's a different node than the one disabling
+  // certificate validation, for example in `requests.get(..., verify=arg)`, `arg` would
+  // be the `disablingNode`, and the `origin` would be the place were `arg` got its
+  // value from.
+  if disablingNode = origin then ending = "." else ending = " by the value from $@."
+select request, "This request may run without certificate validation because it is $@" + ending,
+  disablingNode, "disabled here", origin, "here"
--- a/python/ql/test/query-tests/Security/CWE-295-RequestWithoutValidation/RequestWithoutValidation.expected
+++ b/python/ql/test/query-tests/Security/CWE-295-RequestWithoutValidation/RequestWithoutValidation.expected
@@ -1,5 +1,6 @@
-| make_request.py:5:1:5:48 | ControlFlowNode for Attribute() | Call to requests.get with verify=$@ | make_request.py:5:43:5:47 | ControlFlowNode for False | False |
-| make_request.py:7:1:7:49 | ControlFlowNode for Attribute() | Call to requests.post with verify=$@ | make_request.py:7:44:7:48 | ControlFlowNode for False | False |
-| make_request.py:12:1:12:39 | ControlFlowNode for put() | Call to requests.put with verify=$@ | make_request.py:12:34:12:38 | ControlFlowNode for False | False |
-| make_request.py:28:5:28:46 | ControlFlowNode for patch() | Call to requests.patch with verify=$@ | make_request.py:30:6:30:10 | ControlFlowNode for False | False |
-| make_request.py:34:1:34:45 | ControlFlowNode for Attribute() | Call to requests.post with verify=$@ | make_request.py:34:44:34:44 | ControlFlowNode for IntegerLiteral | False |
+| make_request.py:5:1:5:48 | ControlFlowNode for Attribute() | This request may run without certificate validation because it is $@. | make_request.py:5:43:5:47 | ControlFlowNode for False | disabled here | make_request.py:5:43:5:47 | ControlFlowNode for False | here |
+| make_request.py:7:1:7:49 | ControlFlowNode for Attribute() | This request may run without certificate validation because it is $@. | make_request.py:7:44:7:48 | ControlFlowNode for False | disabled here | make_request.py:7:44:7:48 | ControlFlowNode for False | here |
+| make_request.py:12:1:12:39 | ControlFlowNode for put() | This request may run without certificate validation because it is $@. | make_request.py:12:34:12:38 | ControlFlowNode for False | disabled here | make_request.py:12:34:12:38 | ControlFlowNode for False | here |
+| make_request.py:28:5:28:46 | ControlFlowNode for patch() | This request may run without certificate validation because it is $@ by the value from $@. | make_request.py:28:40:28:45 | ControlFlowNode for verify | disabled here | make_request.py:30:6:30:10 | ControlFlowNode for False | here |
+| make_request.py:34:1:34:45 | ControlFlowNode for Attribute() | This request may run without certificate validation because it is $@. | make_request.py:34:44:34:44 | ControlFlowNode for IntegerLiteral | disabled here | make_request.py:34:44:34:44 | ControlFlowNode for IntegerLiteral | here |
+| make_request.py:41:1:41:26 | ControlFlowNode for Attribute() | This request may run without certificate validation because it is $@. | make_request.py:41:21:41:25 | ControlFlowNode for False | disabled here | make_request.py:41:21:41:25 | ControlFlowNode for False | here |