Python: Add responses to bottle framework support.

2025-12-18 01:33:15 +01:00 · 2019-02-04 14:35:30 +00:00
parent 8d525e5295
commit d514fc543d
7 changed files with 103 additions and 3 deletions
--- a/python/ql/src/semmle/python/web/HttpResponse.qll
+++ b/python/ql/src/semmle/python/web/HttpResponse.qll
@@ -3,3 +3,4 @@ import semmle.python.web.flask.Response
 import semmle.python.web.pyramid.Response
 import semmle.python.web.tornado.Response
 import semmle.python.web.twisted.Response
+import semmle.python.web.bottle.Response
--- a/python/ql/src/semmle/python/web/bottle/Request.qll
+++ b/python/ql/src/semmle/python/web/bottle/Request.qll
@@ -49,9 +49,9 @@ class BottleFormsDict extends TaintKind {
    }

    override TaintKind getTaintForFlowStep(ControlFlowNode fromnode, ControlFlowNode tonode) {
-        /* Cannot use `getTaintOfAttribute()` as it doesn't bind name */
+        /* Cannot use `getTaintOfAttribute(name)` as it wouldn't bind `name` */
        exists(string name |
-            tonode = fromnode.(AttrNode).getObject(name) and 
+            fromnode = tonode.(AttrNode).getObject(name) and 
            result instanceof UntrustedStringKind
            |
            name != "get" and name != "getunicode" and name != "getall"
@@ -108,7 +108,7 @@ class BottleRequestParameter extends TaintSource {
    }

    override string toString() {
-        result = "flask.request.args"
+        result = "bottle handler function argument"
    }

 }
--- a/python/ql/src/semmle/python/web/bottle/Response.qll
+++ b/python/ql/src/semmle/python/web/bottle/Response.qll
@@ -0,0 +1,58 @@
+import python
+
+import semmle.python.security.TaintTracking
+import semmle.python.security.strings.Untrusted
+import semmle.python.web.Http
+import semmle.python.web.bottle.General
+
+
+/** A django.http.response.Response object
+ * This isn't really a "taint", but we use the value tracking machinery to
+ * track the flow of response objects.
+ */
+class BottleResponse extends TaintKind {
+
+    BottleResponse() {
+        this = "bottle.response"
+    }
+
+}
+
+private Object theBottleResponseObject() {
+    result = theBottleModule().getAttribute("request")
+}
+
+class BottleResponseBodyAssignment extends TaintSink {
+
+    BottleResponseBodyAssignment() {
+        exists(DefinitionNode lhs |
+            lhs.getValue() = this and
+            lhs.(AttrNode).getObject("body").refersTo(theBottleResponseObject())
+        )
+    }
+
+    override predicate sinks(TaintKind kind) {
+        kind instanceof StringKind
+    }
+
+}
+
+class BottleHandlerFunctionResult extends TaintSink {
+
+    BottleHandlerFunctionResult() {
+        exists(BottleRoute route, Return ret |
+            ret.getScope() = route.getFunction() and
+            ret.getValue().getAFlowNode() = this
+        )
+    }
+
+    override predicate sinks(TaintKind kind) {
+        kind instanceof UntrustedStringKind
+    }
+
+    override string toString() {
+        result = "bottle handler function result"
+    }
+
+}
+