hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

Python: Support %-style formatting for MarkupSafe

Browse Source
This commit is contained in:
Rasmus Wriedt Larsen
2021-06-30 14:15:41 +02:00
parent 0a4efd0e86
commit c2708176b1
2 changed files with 23 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
python/ql/src/semmle/python/frameworks/MarkupSafe.qll
View File

@@ -71,6 +71,16 @@ private module MarkupSafeModel {
StringFormat() { this.calls(instance(), "format") }
}
/** A %-style string format with `markupsafe.Markup` as the format string. */
class PercentStringFormat extends Markup::InstanceSource, DataFlow::CfgNode {
override BinaryExprNode node;
PercentStringFormat() {
node.getOp() instanceof Mod and
instance().asCfgNode() = node.getLeft()
}
}
/** Taint propagation for `markupsafe.Markup`. */
class AddtionalTaintSteps extends TaintTracking::AdditionalTaintStep {
override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
@@ -127,4 +137,15 @@ private module MarkupSafeModel {
override DataFlow::Node getOutput() { result = this }
}
/** A escape from %-style string format with `markupsafe.Markup` as the format string. */
private class MarkupEscapeFromPercentStringFormat extends MarkupSafeEscape,
Markup::PercentStringFormat {
override DataFlow::Node getAnInput() {
result.asCfgNode() = node.getRight() and
not result = Markup::instance()
}
override DataFlow::Node getOutput() { result = this }
}
}