diff --git a/python/ql/lib/semmle/python/frameworks/Aiohttp.qll b/python/ql/lib/semmle/python/frameworks/Aiohttp.qll index 78d269c31d3..517b309594a 100644 --- a/python/ql/lib/semmle/python/frameworks/Aiohttp.qll +++ b/python/ql/lib/semmle/python/frameworks/Aiohttp.qll @@ -706,6 +706,33 @@ module AiohttpWebModel { override DataFlow::Node getValueArg() { result = value } } + + /** + * A dict-like write to an item of the `headers` attribute on a HTTP response, such as + * `response.headers[name] = value`. + */ + class AiohttpResponseHeaderSubscriptWrite extends Http::Server::ResponseHeaderWrite::Range { + DataFlow::Node index; + DataFlow::Node value; + + AiohttpResponseHeaderSubscriptWrite() { + exists(API::Node i | + value = aiohttpResponseInstance().getMember("headers").getSubscriptAt(i).asSink() and + index = i.asSink() and + // To give `this` a value, we need to choose between either LHS or RHS, + // and just go with the RHS as it is readily available + this = value + ) + } + + override DataFlow::Node getNameArg() { result = index } + + override DataFlow::Node getValueArg() { result = value } + + override predicate nameAllowsNewline() { none() } + + override predicate valueAllowsNewline() { none() } + } } /** diff --git a/python/ql/lib/semmle/python/frameworks/Django.qll b/python/ql/lib/semmle/python/frameworks/Django.qll index 7c0befa6349..69b0e8710da 100644 --- a/python/ql/lib/semmle/python/frameworks/Django.qll +++ b/python/ql/lib/semmle/python/frameworks/Django.qll @@ -2240,6 +2240,10 @@ module PrivateDjango { override DataFlow::Node getValueArg() { result = value } } + /** + * A dict-like write to an item of the `headers` attribute on a HTTP response, such as + * `response.headers[name] = value`. + */ class DjangoResponseHeaderSubscriptWrite extends Http::Server::ResponseHeaderWrite::Range { DataFlow::Node index; DataFlow::Node value; 
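Review bot: In `AiohttpResponseHeaderSubscriptWrite` the constructor binds `this = value`, so the `ResponseHeaderWrite` node (and any alert location derived from it) is the right-hand side of `response.headers[name] = value`, whereas `TornadoHeaderSubscriptWrite` in the same commit binds `this.asCfgNode() = subscript`, so its location is the subscript assignment itself; queries that report the write will point at different places per framework. If the RHS choice is kept, the class doc should say so, e.g. `* The node itself is the assigned value (right-hand side), so locations point at the value expression rather than the assignment.` I cannot see the Django and FastAPI constructors in this diff (only their new doc comments), so I can't tell which convention they follow.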
diff --git a/python/ql/lib/semmle/python/frameworks/FastApi.qll b/python/ql/lib/semmle/python/frameworks/FastApi.qll index 028c5f26601..0793b4b7d6a 100644 --- a/python/ql/lib/semmle/python/frameworks/FastApi.qll +++ b/python/ql/lib/semmle/python/frameworks/FastApi.qll @@ -384,6 +384,10 @@ module FastApi { override predicate valueAllowsNewline() { none() } } + /** + * A dict-like write to an item of the `headers` attribute on a HTTP response, such as + * `response.headers[name] = value`. + */ class HeaderSubscriptWrite extends Http::Server::ResponseHeaderWrite::Range { DataFlow::Node index; DataFlow::Node value; diff --git a/python/ql/lib/semmle/python/frameworks/Tornado.qll b/python/ql/lib/semmle/python/frameworks/Tornado.qll index 1bd40603296..7bc4cf25794 100644 --- a/python/ql/lib/semmle/python/frameworks/Tornado.qll +++ b/python/ql/lib/semmle/python/frameworks/Tornado.qll 
@@ -63,6 +63,50 @@ module Tornado { override string getAsyncMethodName() { none() } } + + /** + * A dict-like write to an item of an `HTTPHeaders` object. + */ + private class TornadoHeaderSubscriptWrite extends Http::Server::ResponseHeaderWrite::Range { + DataFlow::Node index; + DataFlow::Node value; + + TornadoHeaderSubscriptWrite() { + exists(SubscriptNode subscript | + subscript.getObject() = instance().asCfgNode() and + value.asCfgNode() = subscript.(DefinitionNode).getValue() and + index.asCfgNode() = subscript.getIndex() and + this.asCfgNode() = subscript + ) + } + + override DataFlow::Node getNameArg() { result = index } + + override DataFlow::Node getValueArg() { result = value } + + override predicate nameAllowsNewline() { none() } + + override predicate valueAllowsNewline() { none() } + } + + /** + * A call to `HTTPHeaders.add`. + */ + private class TornadoHeadersAppendCall extends Http::Server::ResponseHeaderWrite::Range, + DataFlow::MethodCallNode + { + TornadoHeadersAppendCall() { this.calls(instance(), "append") } + + override DataFlow::Node getNameArg() { result = [this.getArg(0), this.getArgByName("name")] } + + override DataFlow::Node getValueArg() { + result in [this.getArg(1), this.getArgByName("value")] + } + + override predicate nameAllowsNewline() { none() } + + override predicate valueAllowsNewline() { none() } + } } // --------------------------------------------------------------------------- 
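Review bot: The doc comment on `TornadoHeadersAppendCall` says it matches `HTTPHeaders.add`, but the constructor matches `this.calls(instance(), "append")`, so the comment, the class name and the modelled method name disagree; Tornado's documented method on `HTTPHeaders` is `add`, and I don't believe an `append` method exists, so the constructor should probably read `TornadoHeadersAppendCall() { this.calls(instance(), "add") }` with the class renamed accordingly and the `response_test.py` fixture in this commit changed from `.append(...)` to `.add(...)`. If `"append"` really is intended, the comment should be corrected instead, since a doc/code mismatch here means the next reader cannot tell which one is the bug. The `instance()` predicate both classes rely on, and the module that encloses them, start outside this hunk.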
@@ -209,6 +253,25 @@ module Tornado { this.(DataFlow::AttrRead).getAttributeName() = "request" } } + + /** A call to `RequestHandler.set_header` or `RequestHandler.add_header` */ + private class TornadoSetHeaderCall extends Http::Server::ResponseHeaderWrite::Range, + DataFlow::MethodCallNode + { + TornadoSetHeaderCall() { this.calls(instance(), ["set_header", "add_header"]) } + + override DataFlow::Node getNameArg() { + result = [this.getArg(0), this.getArgByName("name")] + } + + override DataFlow::Node getValueArg() { + result in [this.getArg(1), this.getArgByName("value")] + } + + override predicate nameAllowsNewline() { none() } + + override predicate valueAllowsNewline() { none() } + } } /** diff --git a/python/ql/test/library-tests/frameworks/aiohttp/response_test.py b/python/ql/test/library-tests/frameworks/aiohttp/response_test.py index bc9bc8d3bda..a40bf0bbc65 100644 --- a/python/ql/test/library-tests/frameworks/aiohttp/response_test.py +++ b/python/ql/test/library-tests/frameworks/aiohttp/response_test.py @@ -96,7 +96,7 @@ async def streaming_response(request): # $ requestHandler async def setting_cookie(request): # $ requestHandler resp = web.Response(text="foo") # $ HttpResponse mimetype=text/plain responseBody="foo" resp.cookies["key"] = "value" # $ CookieWrite CookieName="key" CookieValue="value" - resp.headers["Set-Cookie"] = "key2=value2" # $ MISSING: CookieWrite CookieRawHeader="key2=value2" + resp.headers["Set-Cookie"] = "key2=value2" # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2" resp.set_cookie("key3", "value3") # $ CookieWrite CookieName="key3" CookieValue="value3" resp.set_cookie(name="key3", value="value3") # $ CookieWrite CookieName="key3" CookieValue="value3" resp.del_cookie("key4") # $ CookieWrite CookieName="key4" 
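Review bot: `getNameArg` expresses the alternative as `result = [this.getArg(0), this.getArgByName("name")]` while `getValueArg` directly below uses `result in [this.getArg(1), this.getArgByName("value")]`; the two are equivalent, but using one form throughout would read more consistently, and the same mix appears in `TornadoHeadersAppendCall` in the earlier Tornado hunk. The class doc could also state why both `nameAllowsNewline` and `valueAllowsNewline` are `none()`, e.g. `/** A call to `RequestHandler.set_header` or `RequestHandler.add_header`. Newlines are reported as not allowed because Tornado validates header names and values before they are sent — confirm against the `set_header` implementation. */`. The `instance()` predicate used in the constructor and the enclosing module start outside this hunk.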
diff --git a/python/ql/test/library-tests/frameworks/tornado/response_test.py b/python/ql/test/library-tests/frameworks/tornado/response_test.py index 1ca37ed773c..1685ac4d158 100644 --- a/python/ql/test/library-tests/frameworks/tornado/response_test.py +++ b/python/ql/test/library-tests/frameworks/tornado/response_test.py @@ -24,10 +24,10 @@ class ExplicitContentType(tornado.web.RequestHandler): # what matters. self.write("foo") # $ HttpResponse mimetype=text/html responseBody="foo" - self.set_header("Content-Type", "text/plain; charset=utf-8") + self.set_header("Content-Type", "text/plain; charset=utf-8") # $ headerWriteName="Content-Type" headerWriteValue="text/plain; charset=utf-8" def post(self): # $ requestHandler - self.set_header("Content-Type", "text/plain; charset=utf-8") + self.set_header("Content-Type", "text/plain; charset=utf-8") # $ headerWriteName="Content-Type" headerWriteValue="text/plain; charset=utf-8" self.write("foo") # $ HttpResponse responseBody="foo" MISSING: mimetype=text/plain SPURIOUS: mimetype=text/html 
@@ -67,7 +67,10 @@ class CookieWriting(tornado.web.RequestHandler): self.write("foo") # $ HttpResponse mimetype=text/html responseBody="foo" self.set_cookie("key", "value") # $ CookieWrite CookieName="key" CookieValue="value" self.set_cookie(name="key", value="value") # $ CookieWrite CookieName="key" CookieValue="value" - self.set_header("Set-Cookie", "key2=value2") # $ MISSING: CookieWrite CookieRawHeader="key2=value2" + self.set_header("Set-Cookie", "key2=value2") # $ headerWriteName="Set-Cookie" headerWriteValue="key2=value2" CookieWrite CookieRawHeader="key2=value2" + self.add_header("Set-Cookie", "key3=value3") # $ headerWriteName="Set-Cookie" headerWriteValue="key3=value3" CookieWrite CookieRawHeader="key3=value3" + self.request.headers.append("Set-Cookie", "key4=value4") # $ headerWriteName="Set-Cookie" headerWriteValue="key4=value4" CookieWrite CookieRawHeader="key4=value4" + self.request.headers["Set-Cookie"] = "key5=value5" # $ headerWriteName="Set-Cookie" headerWriteValue="key5=value5" CookieWrite CookieRawHeader="key5=value5" def make_app():
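Review bot: The two new cases write to `self.request.headers`, which is the incoming request's header object rather than the response headers, so their `headerWriteName`/`CookieWrite` expectations only document that the new `HTTPHeaders` models treat any `HTTPHeaders` instance as a response header write; at runtime these lines do not send anything to the client. If that over-approximation is deliberate, a comment beside them such as `# writes to request headers are modelled as response header writes too; see Tornado.qll` would stop a reader from taking them as real cookie-setting code. A fixture that writes to the handler's own response header object would be the more convincing test of the new classes.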