Python: Add taint-step for methods on aiohttp.web.Request

2026-04-29 18:55:14 +02:00 · 2021-05-27 10:28:07 +02:00
parent 63c7fa0c2c
commit dd131e6bf7
2 changed files with 23 additions and 12 deletions
--- a/python/ql/src/semmle/python/frameworks/Aiohttp.qll
+++ b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
@@ -211,12 +211,23 @@ module AiohttpWebModel {
  private class AiohttpRequestAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
    override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
      // Methods
-      exists(string method_name | method_name in ["TODO"] |
-        // Method access (obj -> obj.meth)
-        none()
+      //
+      // TODO: When we have tools that make it easy, model these properly to handle
+      // `meth = obj.meth; meth()`. Until then, we'll use this more syntactic approach
+      // (since it allows us to at least capture the most common cases).
+      nodeFrom = Request::instance() and
+      exists(DataFlow::AttrRead attr | attr.getObject() = nodeFrom |
+        // normal methods
+        attr.getAttributeName() in ["clone", "get_extra_info"] and
+        nodeTo.(DataFlow::CallCfgNode).getFunction() = attr
        or
-        // Method call (obj.meth -> obj.meth())
-        none()
+        // async methods
+        exists(Await await, DataFlow::CallCfgNode call |
+          attr.getAttributeName() in ["read", "text", "json", "multipart", "post"] and
+          call.getFunction() = attr and
+          await.getValue() = call.asExpr() and
+          nodeTo.asExpr() = await
+        )
      )
      or
      // Attributes
--- a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
@@ -81,25 +81,25 @@ async def test_taint(request: web.Request): # $ requestHandler
        request.if_unmodified_since, # $ tainted
        request.if_range, # $ tainted

-        request.clone(scheme="https"), # $ MISSING: tainted
+        request.clone(scheme="https"), # $ tainted

        # TODO: like request.transport.get_extra_info
-        request.get_extra_info("key"), # $ MISSING: tainted
+        request.get_extra_info("key"), # $ tainted

        # bytes
-        await request.read(), # $ MISSING: tainted
+        await request.read(), # $ tainted

        # str
-        await request.text(), # $ MISSING: tainted
+        await request.text(), # $ tainted

        # obj
-        await request.json(), # $ MISSING: tainted
+        await request.json(), # $ tainted

        # aiohttp.multipart.MultipartReader
-        await request.multipart(), # $ MISSING: tainted
+        await request.multipart(), # $ tainted

        # multidict.MultiDictProxy[str]
-        await request.post(), # $ MISSING: tainted
+        await request.post(), # $ tainted
        (await request.post()).getone("key"), # $ MISSING: tainted
    )