Python: Require quote escaping for html.escape

2025-12-18 01:33:15 +01:00 · 2024-01-30 12:17:01 +01:00
parent 00dc55d825
commit c70b32f7eb
2 changed files with 16 additions and 3 deletions
--- a/python/ql/lib/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/lib/semmle/python/frameworks/Stdlib.qll
@@ -4851,7 +4851,19 @@ module StdlibPrivate {
   * See https://docs.python.org/3/library/html.html#html.escape
   */
  private class HtmlEscapeCall extends Escaping::Range, API::CallNode {
-    HtmlEscapeCall() { this = API::moduleImport("html").getMember("escape").getACall() }
+    HtmlEscapeCall() {
+      this = API::moduleImport("html").getMember("escape").getACall() and
+      // if quote escaping is disabled, that might lead to XSS if the result is inserted
+      // in the attribute value of a tag, such as `<foo bar="escape_result">`. Since we
+      // don't know how values are being inserted, and we don't want to lose these
+      // results (FNs), we require quote escaping to be enabled. This might lead to some
+      // FPs, so we might need to revisit this in the future.
+      not this.getParameter(1, "quote")
+          .getAValueReachingSink()
+          .asExpr()
+          .(ImmutableLiteral)
+          .booleanValue() = false
+    }

    override DataFlow::Node getAnInput() { result = this.getParameter(0, "s").asSink() }