Merge pull request #5255 from RasmusWL/port-flask-debug

Python: port py/flask-debug query

python/ql/test/query-tests/Security/CWE-215/FlaskDebug.expected

@@ -2,3 +2,4 @@
 | test.py:25:1:25:20 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |
 | test.py:29:1:29:20 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |
 | test.py:37:1:37:18 | ControlFlowNode for runapp() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |
+| test.py:42:1:42:35 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |

python/ql/test/query-tests/Security/CWE-215/settings.py

@@ -0,0 +1 @@
+ALWAYS_TRUE = True

python/ql/test/query-tests/Security/CWE-215/test.py

@@ -22,11 +22,11 @@ app.notrun(debug=True)
 
 DEBUG = True
 
-app.run(debug=DEBUG)
+app.run(debug=DEBUG) # NOT OK
 
 DEBUG = 1
 
-app.run(debug=DEBUG)
+app.run(debug=DEBUG) # NOT OK
 
 if False:
     app.run(debug=True)
@@ -34,4 +34,17 @@ if False:
 
 
 runapp = app.run
-runapp(debug=True)
+runapp(debug=True) # NOT OK
+
+
+# imports from other module
+import settings
+app.run(debug=settings.ALWAYS_TRUE) # NOT OK
+
+
+# depending on environment values
+import os
+
+DEPENDS_ON_ENV = os.environ["ENV"] == "dev"
+
+app.run(debug=DEPENDS_ON_ENV) # OK