Python: Add responses to bottle framework support.

2026-05-01 03:35:13 +02:00 · 2019-02-04 14:35:30 +00:00
parent 8d525e5295
commit d514fc543d
7 changed files with 103 additions and 3 deletions
--- a/python/ql/src/semmle/python/web/HttpResponse.qll
+++ b/python/ql/src/semmle/python/web/HttpResponse.qll
@@ -3,3 +3,4 @@ import semmle.python.web.flask.Response
 import semmle.python.web.pyramid.Response
 import semmle.python.web.tornado.Response
 import semmle.python.web.twisted.Response
+import semmle.python.web.bottle.Response
--- a/python/ql/src/semmle/python/web/bottle/Request.qll
+++ b/python/ql/src/semmle/python/web/bottle/Request.qll
@@ -49,9 +49,9 @@ class BottleFormsDict extends TaintKind {
    }

    override TaintKind getTaintForFlowStep(ControlFlowNode fromnode, ControlFlowNode tonode) {
-        /* Cannot use `getTaintOfAttribute()` as it doesn't bind name */
+        /* Cannot use `getTaintOfAttribute(name)` as it wouldn't bind `name` */
        exists(string name |
-            tonode = fromnode.(AttrNode).getObject(name) and 
+            fromnode = tonode.(AttrNode).getObject(name) and 
            result instanceof UntrustedStringKind
            |
            name != "get" and name != "getunicode" and name != "getall"
@@ -108,7 +108,7 @@ class BottleRequestParameter extends TaintSource {
    }

    override string toString() {
-        result = "flask.request.args"
+        result = "bottle handler function argument"
    }

 }
--- a/python/ql/src/semmle/python/web/bottle/Response.qll
+++ b/python/ql/src/semmle/python/web/bottle/Response.qll
@@ -0,0 +1,58 @@
+import python
+
+import semmle.python.security.TaintTracking
+import semmle.python.security.strings.Untrusted
+import semmle.python.web.Http
+import semmle.python.web.bottle.General
+
+
+/** A django.http.response.Response object
+ * This isn't really a "taint", but we use the value tracking machinery to
+ * track the flow of response objects.
+ */
+class BottleResponse extends TaintKind {
+
+    BottleResponse() {
+        this = "bottle.response"
+    }
+
+}
+
+private Object theBottleResponseObject() {
+    result = theBottleModule().getAttribute("request")
+}
+
+class BottleResponseBodyAssignment extends TaintSink {
+
+    BottleResponseBodyAssignment() {
+        exists(DefinitionNode lhs |
+            lhs.getValue() = this and
+            lhs.(AttrNode).getObject("body").refersTo(theBottleResponseObject())
+        )
+    }
+
+    override predicate sinks(TaintKind kind) {
+        kind instanceof StringKind
+    }
+
+}
+
+class BottleHandlerFunctionResult extends TaintSink {
+
+    BottleHandlerFunctionResult() {
+        exists(BottleRoute route, Return ret |
+            ret.getScope() = route.getFunction() and
+            ret.getValue().getAFlowNode() = this
+        )
+    }
+
+    override predicate sinks(TaintKind kind) {
+        kind instanceof UntrustedStringKind
+    }
+
+    override string toString() {
+        result = "bottle handler function result"
+    }
+
+}
+
--- a/python/ql/test/library-tests/web/bottle/Sinks.expected
+++ b/python/ql/test/library-tests/web/bottle/Sinks.expected
@@ -0,0 +1,3 @@
+| test.py:9 | BinaryExpr | externally controlled string |
+| test.py:13 | BinaryExpr | externally controlled string |
+| test.py:19 | BinaryExpr | externally controlled string |
--- a/python/ql/test/library-tests/web/bottle/Sinks.ql
+++ b/python/ql/test/library-tests/web/bottle/Sinks.ql
@@ -0,0 +1,10 @@
+
+import python
+
+import semmle.python.web.HttpRequest
+import semmle.python.web.HttpResponse
+import semmle.python.security.strings.Untrusted
+
+from TaintSink sink, TaintKind kind
+where sink.sinks(kind)
+select sink.getLocation().toString(), sink.(ControlFlowNode).getNode().toString(), kind
--- a/python/ql/test/library-tests/web/bottle/Taint.expected
+++ b/python/ql/test/library-tests/web/bottle/Taint.expected
@@ -0,0 +1,15 @@
+| ../../../query-tests/Security/lib/bottle.py:64 | LocalRequest() | bottle.request |
+| ../../../query-tests/Security/lib/bottle.py:64 | request | bottle.request |
+| test.py:3 | ImportMember | bottle.request |
+| test.py:3 | request | bottle.request |
+| test.py:8 | name | externally controlled string |
+| test.py:9 | BinaryExpr | externally controlled string |
+| test.py:9 | name | externally controlled string |
+| test.py:12 | name | externally controlled string |
+| test.py:13 | BinaryExpr | externally controlled string |
+| test.py:13 | name | externally controlled string |
+| test.py:18 | Attribute | bottle.FormsDict |
+| test.py:18 | Attribute | externally controlled string |
+| test.py:18 | request | bottle.request |
+| test.py:19 | BinaryExpr | externally controlled string |
+| test.py:19 | name | externally controlled string |
--- a/python/ql/test/library-tests/web/bottle/Taint.ql
+++ b/python/ql/test/library-tests/web/bottle/Taint.ql
@@ -0,0 +1,13 @@
+
+import python
+
+
+import semmle.python.web.HttpRequest
+import semmle.python.web.HttpResponse
+import semmle.python.security.strings.Untrusted
+
+
+from TaintedNode node
+
+select node.getLocation().toString(), node.getNode().getNode().toString(), node.getTaintKind()
+