Merge pull request #5255 from RasmusWL/port-flask-debug

Python: port py/flask-debug query
2025-12-20 10:46:30 +01:00 · 2021-03-05 09:39:14 +01:00
parent d2ed216670 a6e5ec2e09
commit d17246ce2b
5 changed files with 38 additions and 8 deletions
--- a/python/ql/src/Security/CWE-215/FlaskDebug.ql
+++ b/python/ql/src/Security/CWE-215/FlaskDebug.ql
@@ -11,12 +11,25 @@
 */

 import python
-import semmle.python.web.flask.General
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.ApiGraphs
+import semmle.python.frameworks.Flask

-from CallNode call, Value isTrue
+/** Gets a reference to a truthy literal. */
+private DataFlow::LocalSourceNode truthyLiteral(DataFlow::TypeTracker t) {
+  t.start() and
+  result.asExpr().(ImmutableLiteral).booleanValue() = true
+  or
+  exists(DataFlow::TypeTracker t2 | result = truthyLiteral(t2).track(t2, t))
+}
+
+/** Gets a reference to a truthy literal. */
+DataFlow::Node truthyLiteral() { truthyLiteral(DataFlow::TypeTracker::end()).flowsTo(result) }
+
+from DataFlow::CallCfgNode call, DataFlow::Node debugArg
 where
-  call = theFlaskClass().declaredAttribute("run").(FunctionValue).getACall() and
-  call.getArgByName("debug").pointsTo(isTrue) and
-  isTrue.getDefiniteBooleanValue() = true
+  call.getFunction() = Flask::FlaskApp::instance().getMember("run").getAUse() and
+  debugArg in [call.getArg(2), call.getArgByName("debug")] and
+  debugArg = truthyLiteral()
 select call,
  "A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger."
--- a/python/ql/test/query-tests/Security/CWE-215/FlaskDebug.expected
+++ b/python/ql/test/query-tests/Security/CWE-215/FlaskDebug.expected
@@ -2,3 +2,4 @@
 | test.py:25:1:25:20 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |
 | test.py:29:1:29:20 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |
 | test.py:37:1:37:18 | ControlFlowNode for runapp() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |
+| test.py:42:1:42:35 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |
--- a/python/ql/test/query-tests/Security/CWE-215/settings.py
+++ b/python/ql/test/query-tests/Security/CWE-215/settings.py
@@ -0,0 +1 @@
+ALWAYS_TRUE = True
--- a/python/ql/test/query-tests/Security/CWE-215/test.py
+++ b/python/ql/test/query-tests/Security/CWE-215/test.py
@@ -22,11 +22,11 @@ app.notrun(debug=True)

 DEBUG = True

-app.run(debug=DEBUG)
+app.run(debug=DEBUG) # NOT OK

 DEBUG = 1

-app.run(debug=DEBUG)
+app.run(debug=DEBUG) # NOT OK

 if False:
    app.run(debug=True)
@@ -34,4 +34,17 @@ if False:


 runapp = app.run
-runapp(debug=True)
+runapp(debug=True) # NOT OK
+
+
+# imports from other module
+import settings
+app.run(debug=settings.ALWAYS_TRUE) # NOT OK
+
+
+# depending on environment values
+import os
+
+DEPENDS_ON_ENV = os.environ["ENV"] == "dev"
+
+app.run(debug=DEPENDS_ON_ENV) # OK