Merge pull request #978 from markshannon/python-turbogears

Python: Add support for turbogears; requests and responses.
2026-04-30 19:26:02 +02:00 · 2019-02-26 21:46:01 +01:00
parent 84c7f195d6 a480da6ed5
commit dcaf0f8ba8
21 changed files with 273 additions and 5 deletions
--- a/python/ql/src/semmle/python/Function.qll
+++ b/python/ql/src/semmle/python/Function.qll
@@ -174,6 +174,14 @@ class Function extends Function_, Scope, AstNode {
        Scope.super.contains(inner)
    }

+    /** Gets a control flow node for a return value of this function */
+    ControlFlowNode getAReturnValueFlowNode() {
+        exists(Return ret |
+            ret.getScope() = this and
+            ret.getValue() = result.getNode()
+        )
+    }
+
 }

 /** A def statement. Note that FunctionDef extends Assign as a function definition binds the newly created function */
--- a/python/ql/src/semmle/python/security/strings/Basic.qll
+++ b/python/ql/src/semmle/python/security/strings/Basic.qll
@@ -115,3 +115,14 @@ private predicate os_path_join(ControlFlowNode fromnode, CallNode tonode) {
        tonode = path_join.getACall() and tonode.getAnArg() = fromnode 
    )
 }
+
+/** A kind of "taint", representing a dictionary mapping str->"taint" */
+class StringDictKind extends DictKind {
+
+    StringDictKind() {
+        this.getValue() instanceof StringKind
+    }
+
+}
+
+
--- a/python/ql/src/semmle/python/types/FunctionObject.qll
+++ b/python/ql/src/semmle/python/types/FunctionObject.qll
@@ -160,10 +160,7 @@ class PyFunctionObject extends FunctionObject {

    /** Gets a control flow node corresponding to the value of a return statement */
    ControlFlowNode getAReturnedNode() {
-        exists(Return ret |
-            ret.getScope() = this.getFunction() and
-            result.getNode() = ret.getValue()
-        )
+        result = this.getFunction().getAReturnValueFlowNode()
    }

    override string descriptiveString() {
--- a/python/ql/src/semmle/python/web/HttpRequest.qll
+++ b/python/ql/src/semmle/python/web/HttpRequest.qll
@@ -4,3 +4,4 @@ import semmle.python.web.tornado.Request
 import semmle.python.web.pyramid.Request
 import semmle.python.web.twisted.Request
 import semmle.python.web.bottle.Request
+import semmle.python.web.turbogears.Request
--- a/python/ql/src/semmle/python/web/HttpResponse.qll
+++ b/python/ql/src/semmle/python/web/HttpResponse.qll
@@ -4,3 +4,4 @@ import semmle.python.web.pyramid.Response
 import semmle.python.web.tornado.Response
 import semmle.python.web.twisted.Response
 import semmle.python.web.bottle.Response
+import semmle.python.web.turbogears.Response
--- a/python/ql/src/semmle/python/web/turbogears/Request.qll
+++ b/python/ql/src/semmle/python/web/turbogears/Request.qll
@@ -0,0 +1,33 @@
+import python
+import semmle.python.security.strings.Untrusted
+
+import TurboGears
+
+private class ValidatedMethodParameter extends Parameter {
+
+    ValidatedMethodParameter() {
+        exists(string name, TurboGearsControllerMethod method |
+            method.getArgByName(name) = this and
+            method.getValidationDict().getItem(_).(KeyValuePair).getKey().(StrConst).getText() = name
+        )
+    }
+
+}
+
+class UnvalidatedControllerMethodParameter extends TaintSource {
+
+    UnvalidatedControllerMethodParameter() {
+        exists(Parameter p |
+            any(TurboGearsControllerMethod m | not m.getName() = "onerror").getAnArg() = p and
+            not p instanceof ValidatedMethodParameter and
+            not p.isSelf() and
+            p.(Name).getAFlowNode() = this
+        )
+    }
+
+    override predicate isSourceOf(TaintKind kind) {
+        kind instanceof UntrustedStringKind
+    }
+
+}
+
--- a/python/ql/src/semmle/python/web/turbogears/Response.qll
+++ b/python/ql/src/semmle/python/web/turbogears/Response.qll
@@ -0,0 +1,38 @@
+import python
+
+import semmle.python.security.TaintTracking
+import semmle.python.security.strings.Basic
+
+import TurboGears
+
+
+
+class ControllerMethodReturnValue extends TaintSink {
+
+    ControllerMethodReturnValue() {
+        exists(TurboGearsControllerMethod m |
+            m.getAReturnValueFlowNode() = this and
+            not m.isTemplated()
+        )
+    }
+
+    override predicate sinks(TaintKind kind) {
+        kind instanceof StringKind
+    }
+
+}
+
+class ControllerMethodTemplatedReturnValue extends TaintSink {
+
+    ControllerMethodTemplatedReturnValue() {
+        exists(TurboGearsControllerMethod m |
+            m.getAReturnValueFlowNode() = this and
+            m.isTemplated()
+        )
+    }
+
+    override predicate sinks(TaintKind kind) {
+        kind instanceof StringDictKind
+    }
+
+}
--- a/python/ql/src/semmle/python/web/turbogears/TurboGears.qll
+++ b/python/ql/src/semmle/python/web/turbogears/TurboGears.qll
@@ -0,0 +1,55 @@
+import python
+
+import semmle.python.security.TaintTracking
+
+private ClassObject theTurboGearsControllerClass() {
+    result = ModuleObject::named("tg").getAttribute("TGController")
+}
+
+
+ClassObject aTurboGearsControllerClass() {
+    result.getASuperType() = theTurboGearsControllerClass()
+}
+
+
+class TurboGearsControllerMethod extends Function {
+
+    ControlFlowNode decorator;
+
+    TurboGearsControllerMethod() {
+        aTurboGearsControllerClass().getPyClass() = this.getScope() and
+        decorator = this.getADecorator().getAFlowNode() and
+        /* Is decorated with @expose() or @expose(path) */
+        (
+            decorator.(CallNode).getFunction().(NameNode).getId() = "expose"
+            or
+            decorator.refersTo(_, ModuleObject::named("tg").getAttribute("expose"), _)
+        )
+    }
+
+    private ControlFlowNode templateName() {
+        result = decorator.(CallNode).getArg(0)
+    }
+
+    predicate isTemplated() {
+        exists(templateName())
+    }
+
+    string getTemplateName() {
+        exists(StringObject str |
+            templateName().refersTo(str) and
+            result = str.getText()
+        )
+    }
+
+    Dict getValidationDict() {
+        exists(Call call, Object dict |
+            call = this.getADecorator() and
+            call.getFunc().(Name).getId() = "validate" and
+            call.getArg(0).refersTo(dict) and
+            result = dict.getOrigin()
+        )
+    }
+
+}
+
--- a/python/ql/test/library-tests/web/turbogears/Controller.expected
+++ b/python/ql/test/library-tests/web/turbogears/Controller.expected
@@ -0,0 +1,4 @@
+| test.py:7:5:7:32 | Function onerror |
+| test.py:13:5:13:50 | Function ok_validated |
+| test.py:18:5:18:57 | Function partially_validated |
+| test.py:22:5:22:51 | Function not_validated |
--- a/python/ql/test/library-tests/web/turbogears/Controller.ql
+++ b/python/ql/test/library-tests/web/turbogears/Controller.ql
@@ -0,0 +1,9 @@
+
+
+import python
+
+import semmle.python.web.turbogears.TurboGears
+
+from TurboGearsControllerMethod m
+select m
+
--- a/python/ql/test/library-tests/web/turbogears/Sinks.expected
+++ b/python/ql/test/library-tests/web/turbogears/Sinks.expected
@@ -0,0 +1,4 @@
+| test.py:8 | BinaryExpr | externally controlled string |
+| test.py:14 | BinaryExpr | externally controlled string |
+| test.py:19 | BinaryExpr | externally controlled string |
+| test.py:23 | BinaryExpr | externally controlled string |
--- a/python/ql/test/library-tests/web/turbogears/Sinks.ql
+++ b/python/ql/test/library-tests/web/turbogears/Sinks.ql
@@ -0,0 +1,10 @@
+
+import python
+
+import semmle.python.web.HttpRequest
+import semmle.python.web.HttpResponse
+import semmle.python.security.strings.Untrusted
+
+from TaintSink sink, TaintKind kind
+where sink.sinks(kind)
+select sink.getLocation().toString(), sink.(ControlFlowNode).getNode().toString(), kind
--- a/python/ql/test/library-tests/web/turbogears/Sources.expected
+++ b/python/ql/test/library-tests/web/turbogears/Sources.expected
@@ -0,0 +1,3 @@
+| test.py:18 | b | externally controlled string |
+| test.py:22 | a | externally controlled string |
+| test.py:22 | b | externally controlled string |
--- a/python/ql/test/library-tests/web/turbogears/Sources.ql
+++ b/python/ql/test/library-tests/web/turbogears/Sources.ql
@@ -0,0 +1,10 @@
+
+import python
+
+import semmle.python.web.HttpRequest
+import semmle.python.security.strings.Untrusted
+
+
+from TaintSource src, TaintKind kind
+where src.isSourceOf(kind)
+select src.getLocation().toString(), src.(ControlFlowNode).getNode().toString(), kind
--- a/python/ql/test/library-tests/web/turbogears/Taint.expected
+++ b/python/ql/test/library-tests/web/turbogears/Taint.expected
@@ -0,0 +1,12 @@
+| test.py:18 | b | externally controlled string |
+| test.py:19 | BinaryExpr | [externally controlled string] |
+| test.py:19 | BinaryExpr | externally controlled string |
+| test.py:19 | Tuple | [externally controlled string] |
+| test.py:19 | b | externally controlled string |
+| test.py:22 | a | externally controlled string |
+| test.py:22 | b | externally controlled string |
+| test.py:23 | BinaryExpr | [externally controlled string] |
+| test.py:23 | BinaryExpr | externally controlled string |
+| test.py:23 | Tuple | [externally controlled string] |
+| test.py:23 | a | externally controlled string |
+| test.py:23 | b | externally controlled string |
--- a/python/ql/test/library-tests/web/turbogears/Taint.ql
+++ b/python/ql/test/library-tests/web/turbogears/Taint.ql
@@ -0,0 +1,13 @@
+
+import python
+
+
+import semmle.python.web.HttpRequest
+import semmle.python.web.HttpResponse
+import semmle.python.security.strings.Untrusted
+
+
+from TaintedNode node
+
+select node.getLocation().toString(), node.getNode().getNode().toString(), node.getTaintKind()
+
--- a/python/ql/test/library-tests/web/turbogears/options
+++ b/python/ql/test/library-tests/web/turbogears/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: --max-import-depth=3 --lang=3 -p ../../../query-tests/Security/lib/
+optimize: true
--- a/python/ql/test/library-tests/web/turbogears/test.py
+++ b/python/ql/test/library-tests/web/turbogears/test.py
@@ -0,0 +1,23 @@
+
+from tg import request, validate, expose, TGController
+from formencode import validators
+
+class RootController(TGController):
+    @expose()
+    def onerror(self, **kwargs):
+        return 'An error occurred: %s' % request.validation['errors']
+
+    @expose()
+    @validate({"a": validators.Int(not_empty=True), "b": validators.Email},
+              error_handler=onerror)
+    def ok_validated(self, a=None, b=None, *args):
+        return 'Values: %s, %s, %s' % (a, b, args)
+
+    @expose()
+    @validate({"a": validators.Int(not_empty=True)})
+    def partially_validated(self, a=None, b=None, *args):
+        return 'Values: %s, %s, %s' % (a, b, args)
+
+    @expose()
+    def not_validated(self, a=None, b=None, *args):
+        return 'Values: %s, %s, %s' % (a, b, args)
--- a/python/ql/test/query-tests/Security/lib/tg.py
+++ b/python/ql/test/query-tests/Security/lib/tg.py
@@ -0,0 +1,30 @@
+
+def validate(validators):
+    def validator(func):
+        return func
+
+def expose(*args):
+    if cond:
+        return args[0]
+    def with_template(func):
+        func
+    return with_template
+
+class TGController(object):
+    pass
+
+class TurboGearsContextMember(object):
+    """Member of the TurboGears request context.
+    Provides access to turbogears context members
+    like request, response, template context and so on
+    """
+
+    def __init__(self, name):
+        self.__dict__['name'] = name
+
+    def _current_obj(self):
+        return getattr(context, self.name)
+
+
+request = TurboGearsContextMember(name="request")
+response = TurboGearsContextMember(name="response")