Python: Model FastAPI FileResponse as FileSystemAccess

This was an oversight from our initial FastAPI modeling work.
2026-04-26 17:25:19 +02:00 · 2021-11-24 11:31:59 +01:00
parent 8c9e817c0d
commit d493cfdf3a
3 changed files with 19 additions and 3 deletions
--- a/python/change-notes/2021-11-24-FastAPI-FileResponse-FileSystemAccess
+++ b/python/change-notes/2021-11-24-FastAPI-FileResponse-FileSystemAccess
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Extended the modeling of FastAPI such that `fastapi.responses.FileResponse` are considered `FileSystemAccess`, making them sinks for the _Uncontrolled data used in path expression_ (`py/path-injection`) query.
--- a/python/ql/lib/semmle/python/frameworks/FastApi.qll
+++ b/python/ql/lib/semmle/python/frameworks/FastApi.qll
@@ -226,6 +226,17 @@ private module FastApi {
      }
    }

+    /**
+     * A direct instantiation of a FileResponse.
+     */
+    private class FileResponseInstantiation extends ResponseInstantiation, FileSystemAccess::Range {
+      FileResponseInstantiation() { baseApiNode = getModeledResponseClass("FileResponse") }
+
+      override DataFlow::Node getAPathArgument() {
+        result in [this.getArg(0), this.getArgByName("path")]
+      }
+    }
+
    /**
     * An implicit response from a return of FastAPI request handler.
     */
@@ -256,7 +267,8 @@ private module FastApi {
     * An implicit response from a return of FastAPI request handler, that has
     * `response_class` set to a `FileResponse`.
     */
-    private class FastApiRequestHandlerFileResponseReturn extends FastApiRequestHandlerReturn {
+    private class FastApiRequestHandlerFileResponseReturn extends FastApiRequestHandlerReturn,
+      FileSystemAccess::Range {
      FastApiRequestHandlerFileResponseReturn() {
        exists(API::Node responseClass |
          responseClass.getAUse() = routeSetup.getResponseClassArg() and
@@ -265,6 +277,8 @@ private module FastApi {
      }

      override DataFlow::Node getBody() { none() }
+
+      override DataFlow::Node getAPathArgument() { result = this }
    }

    /**
--- a/python/ql/test/library-tests/frameworks/fastapi/response_test.py
+++ b/python/ql/test/library-tests/frameworks/fastapi/response_test.py
@@ -136,10 +136,10 @@ async def file_response(): # $ requestHandler

    # We don't really have any good QL modeling of passing a file-path, whose content
    # will be returned as part of the response... so will leave this as a TODO for now.
-    resp = fastapi.responses.FileResponse(__file__) # $ HttpResponse
+    resp = fastapi.responses.FileResponse(__file__) # $ HttpResponse getAPathArgument=__file__
    return resp # $ SPURIOUS: HttpResponse mimetype=application/json responseBody=resp


@app.get("/file_response2", response_class=fastapi.responses.FileResponse) # $ routeSetup="/file_response2"
 async def file_response2(): # $ requestHandler
-    return __file__ # $ HttpResponse
+    return __file__ # $ HttpResponse getAPathArgument=__file__