hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 18:55:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Python: Basic handling of tainted attributes in aiohttp

Browse Source
This commit is contained in:
Rasmus Wriedt Larsen
2021-05-26 15:53:33 +02:00
parent 88158e7414
commit d953ea47d4
2 changed files with 65 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
python/ql/src/semmle/python/frameworks/Aiohttp.qll
View File

@@ -197,10 +197,37 @@ module AiohttpWebModel {
// ```
this.getParameter() =
max(Parameter param, int i | param = requestHandler.getArg(i) | param order by i)
)
}
override string getSourceType() { result = "aiohttp.web.Request" }
}
/**
* Taint propagation for `aiohttp.web.Request`.
*
* See https://docs.aiohttp.org/en/stable/web_reference.html#request-and-base-request
*/
private class AiohttpRequestAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
// Methods
exists(string method_name | method_name in ["TODO"] |
// Method access (obj -> obj.meth)
none()
or
// Method call (obj.meth -> obj.meth())
none()
)
or
// Attributes
nodeFrom = Request::instance() and
nodeTo.(DataFlow::AttrRead).getObject() = nodeFrom and
nodeTo.(DataFlow::AttrRead).getAttributeName() in [
"url", "rel_url", "forwarded", "host", "remote", "path", "path_qs", "raw_path", "query",
"headers", "transport", "cookies", "content", "_payload", "body_exists", "has_body",
"content_type", "charset", "http_range", "if_modified_since", "if_unmodified_since",
"if_range"
]
}
}
}

74
python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
View File

@@ -8,76 +8,76 @@ async def test_taint(request: web.Request): # $ requestHandler
# yarl.URL instances
# https://yarl.readthedocs.io/en/stable/api.html#yarl.URL
# see below
request.url, # $ MISSING: tainted
request.rel_url, # $ MISSING: tainted
request.url, # $ tainted
request.rel_url, # $ tainted
request.forwarded, # $ MISSING: tainted
request.forwarded, # $ tainted
request.host, # $ MISSING: tainted
request.remote, # $ MISSING: tainted
request.path, # $ MISSING: tainted
request.path_qs, # $ MISSING: tainted
request.raw_path, # $ MISSING: tainted
request.host, # $ tainted
request.remote, # $ tainted
request.path, # $ tainted
request.path_qs, # $ tainted
request.raw_path, # $ tainted
# multidict.MultiDictProxy[str]
# see https://multidict.readthedocs.io/en/stable/multidict.html#multidict.MultiDictProxy
# TODO: Should have a better way to capture that we in fact _do_ model this as a
# an instance of the right class, and have the actual taint_test for that in a
# different file!
request.query, # $ MISSING: tainted
request.query["key"], # $ MISSING: tainted
request.query.get("key"), # $ MISSING: tainted
request.query, # $ tainted
request.query["key"], # $ tainted
request.query.get("key"), # $ tainted
request.query.getone("key"), # $ MISSING: tainted
request.query.getall("key"), # $ MISSING: tainted
request.query.keys(), # $ MISSING: tainted
request.query.values(), # $ MISSING: tainted
request.query.items(), # $ MISSING: tainted
request.query.copy(), # $ MISSING: tainted
list(request.query), # $ MISSING: tainted
iter(request.query), # $ MISSING: tainted
request.query.values(), # $ tainted
request.query.items(), # $ tainted
request.query.copy(), # $ tainted
list(request.query), # $ tainted
iter(request.query), # $ tainted
# multidict.CIMultiDictProxy[str]
# see https://multidict.readthedocs.io/en/stable/multidict.html#multidict.CIMultiDictProxy
# TODO: Should have a better way to capture that we in fact _do_ model this as a
# an instance of the right class, and have the actual taint_test for that in a
# different file!
request.headers, # $ MISSING: tainted
request.query.getone("key"), # $ MISSING: tainted
request.headers, # $ tainted
request.headers.getone("key"), # $ MISSING: tainted
# https://docs.python.org/3/library/asyncio-protocol.html#asyncio-transport
# TODO
request.transport, # $ MISSING: tainted
request.transport, # $ tainted
request.transport.get_extra_info("key"), # $ MISSING: tainted
# dict-like (readonly)
request.cookies, # $ MISSING: tainted
request.cookies["key"], # $ MISSING: tainted
request.cookies.get("key"), # $ MISSING: tainted
request.cookies, # $ tainted
request.cookies["key"], # $ tainted
request.cookies.get("key"), # $ tainted
request.cookies.keys(), # $ MISSING: tainted
request.cookies.values(), # $ MISSING: tainted
request.cookies.items(), # $ MISSING: tainted
list(request.cookies), # $ MISSING: tainted
iter(request.cookies), # $ MISSING: tainted
request.cookies.values(), # $ tainted
request.cookies.items(), # $ tainted
list(request.cookies), # $ tainted
iter(request.cookies), # $ tainted
# aiohttp.StreamReader
# see https://docs.aiohttp.org/en/stable/streams.html#aiohttp.StreamReader
# TODO
request.content, # $ MISSING: tainted
request._payload, # $ MISSING: tainted
request.content, # $ tainted
request._payload, # $ tainted
request.body_exists, # $ MISSING: tainted
request.has_body, # $ MISSING: tainted
request.body_exists, # $ tainted
request.has_body, # $ tainted
request.content_type, # $ MISSING: tainted
request.charset, # $ MISSING: tainted
request.content_type, # $ tainted
request.charset, # $ tainted
request.http_range, # $ MISSING: tainted
request.http_range, # $ tainted
# Optional[datetime]
request.if_modified_since, # $ MISSING: tainted
request.if_unmodified_since, # $ MISSING: tainted
request.if_range, # $ MISSING: tainted
request.if_modified_since, # $ tainted
request.if_unmodified_since, # $ tainted
request.if_range, # $ tainted
request.clone(scheme="https"), # $ MISSING: tainted
@@ -182,7 +182,7 @@ async def test_taint(request: web.Request): # $ requestHandler
request.url.with_fragment("foo"), # $ MISSING: tainted
request.url.with_name("foo"), # $ MISSING: tainted
request.url.join(yarl.URL("wat.html")), # $ MISSING: tainted
request.url.join(yarl.URL("wat.html")), # $ tainted
request.url.human_repr(), # $ MISSING: tainted
)