Python: Autoformat (4 spaces) tornado library

Rasmus Wriedt Larsen
2019-10-01 16:06:33 +02:00
parent 2bb933fef0
commit e7eaf2b7d9
4 changed files with 36 additions and 99 deletions


@@ -1,23 +1,20 @@
/** Provides class representing the `tornado.redirect` function.
/**
* Provides class representing the `tornado.redirect` function.
* This module is intended to be imported into a taint-tracking query
* to extend `TaintSink`.
*/
import python
import python
import semmle.python.security.TaintTracking
import semmle.python.security.strings.Basic
import semmle.python.web.Http
import Tornado
/**
* Represents an argument to the `tornado.redirect` function.
*/
class TornadoRedirect extends HttpRedirectTaintSink {
override string toString() {
result = "tornado.redirect"
}
override string toString() { result = "tornado.redirect" }
TornadoRedirect() {
exists(CallNode call, ControlFlowNode node |
@@ -26,5 +23,4 @@ class TornadoRedirect extends HttpRedirectTaintSink {
this = call.getAnArg()
)
}
}


@@ -1,15 +1,11 @@
import python
import semmle.python.security.TaintTracking
import semmle.python.web.Http
import Tornado
/** A tornado.request.HttpRequest object */
class TornadoRequest extends TaintKind {
TornadoRequest() {
this = "tornado.request.HttpRequest"
}
TornadoRequest() { this = "tornado.request.HttpRequest" }
override TaintKind getTaintOfAttribute(string name) {
result instanceof ExternalStringDictKind and
@@ -32,68 +28,45 @@ class TornadoRequest extends TaintKind {
name = "body_arguments"
)
}
}
class TornadoRequestSource extends TaintSource {
TornadoRequestSource() { isTornadoRequestHandlerInstance(this.(AttrNode).getObject("request")) }
TornadoRequestSource() {
isTornadoRequestHandlerInstance(this.(AttrNode).getObject("request"))
}
override string toString() {
result = "Tornado request source"
}
override predicate isSourceOf(TaintKind kind) {
kind instanceof TornadoRequest
}
override string toString() { result = "Tornado request source" }
override predicate isSourceOf(TaintKind kind) { kind instanceof TornadoRequest }
}
class TornadoExternalInputSource extends TaintSource {
TornadoExternalInputSource() {
exists(string name |
name = "get_argument" or
name = "get_query_argument" or
name = "get_body_argument" or
name = "decode_argument"
|
|
this = callToNamedTornadoRequestHandlerMethod(name)
)
}
override string toString() {
result = "Tornado request method"
}
override predicate isSourceOf(TaintKind kind) {
kind instanceof ExternalStringKind
}
override string toString() { result = "Tornado request method" }
override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringKind }
}
class TornadoExternalInputListSource extends TaintSource {
TornadoExternalInputListSource() {
exists(string name |
name = "get_arguments" or
name = "get_query_arguments" or
name = "get_body_arguments"
|
|
this = callToNamedTornadoRequestHandlerMethod(name)
)
}
override string toString() {
result = "Tornado request method"
}
override predicate isSourceOf(TaintKind kind) {
kind instanceof ExternalStringSequenceKind
}
override string toString() { result = "Tornado request method" }
override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringSequenceKind }
}


@@ -1,63 +1,42 @@
import python
import semmle.python.security.TaintTracking
import semmle.python.security.strings.Basic
private import semmle.python.web.Http
import Tornado
class TornadoConnection extends TaintKind {
TornadoConnection() {
this = "tornado.http.connection"
}
TornadoConnection() { this = "tornado.http.connection" }
}
class TornadoConnectionSource extends TaintSource {
TornadoConnectionSource() {
isTornadoRequestHandlerInstance(this.(AttrNode).getObject("connection"))
}
override string toString() {
result = "Tornado http connection source"
}
override predicate isSourceOf(TaintKind kind) {
kind instanceof TornadoConnection
}
override string toString() { result = "Tornado http connection source" }
override predicate isSourceOf(TaintKind kind) { kind instanceof TornadoConnection }
}
class TornadoConnectionWrite extends HttpResponseTaintSink {
override string toString() {
result = "tornado.connection.write"
}
override string toString() { result = "tornado.connection.write" }
TornadoConnectionWrite() {
exists(CallNode call, ControlFlowNode conn |
conn = call.getFunction().(AttrNode).getObject("write") and
this = call.getAnArg() |
this = call.getAnArg()
|
exists(TornadoConnection tc | tc.taints(conn))
or
isTornadoRequestHandlerInstance(conn)
)
}
override predicate sinks(TaintKind kind) {
kind instanceof StringKind
}
override predicate sinks(TaintKind kind) { kind instanceof StringKind }
}
class TornadoHttpRequestHandlerWrite extends HttpResponseTaintSink {
override string toString() {
result = "tornado.HttpRequesHandler.write"
}
override string toString() { result = "tornado.HttpRequesHandler.write" }
TornadoHttpRequestHandlerWrite() {
exists(CallNode call, ControlFlowNode node |
@@ -67,17 +46,11 @@ class TornadoHttpRequestHandlerWrite extends HttpResponseTaintSink {
)
}
override predicate sinks(TaintKind kind) {
kind instanceof StringKind
}
override predicate sinks(TaintKind kind) { kind instanceof StringKind }
}
class TornadoHttpRequestHandlerRedirect extends HttpResponseTaintSink {
override string toString() {
result = "tornado.HttpRequesHandler.redirect"
}
override string toString() { result = "tornado.HttpRequesHandler.redirect" }
TornadoHttpRequestHandlerRedirect() {
exists(CallNode call, ControlFlowNode node |
@@ -87,11 +60,5 @@ class TornadoHttpRequestHandlerRedirect extends HttpResponseTaintSink {
)
}
override predicate sinks(TaintKind kind) {
kind instanceof StringKind
}
override predicate sinks(TaintKind kind) { kind instanceof StringKind }
}


@@ -1,5 +1,4 @@
import python
import semmle.python.security.TaintTracking
import semmle.python.web.Http
@@ -11,28 +10,31 @@ ClassValue aTornadoRequestHandlerClass() {
result.getABaseType+() = theTornadoRequestHandlerClass()
}
/** Holds if `node` is likely to refer to an instance of a tornado
/**
* Holds if `node` is likely to refer to an instance of a tornado
* `RequestHandler` class.
*/
predicate isTornadoRequestHandlerInstance(ControlFlowNode node) {
node.pointsTo().getClass() = aTornadoRequestHandlerClass()
or
/* In some cases, the points-to analysis won't capture all instances we care
* about. For these, we use the following syntactic check. First, that
* `node` appears inside a method of a subclass of
* `tornado.web.RequestHandler`:*/
/*
* In some cases, the points-to analysis won't capture all instances we care
* about. For these, we use the following syntactic check. First, that
* `node` appears inside a method of a subclass of
* `tornado.web.RequestHandler`:
*/
node.getScope().getEnclosingScope() = aTornadoRequestHandlerClass().getScope() and
/* Secondly, that `node` refers to the `self` argument: */
node.isLoad() and node.(NameNode).isSelf()
node.isLoad() and
node.(NameNode).isSelf()
}
CallNode callToNamedTornadoRequestHandlerMethod(string name) {
isTornadoRequestHandlerInstance(result.getFunction().(AttrNode).getObject(name))
}
class TornadoCookieSet extends CookieSet, CallNode {
TornadoCookieSet() {
exists(ControlFlowNode f |
f = this.getFunction().(AttrNode).getObject("set_cookie") and
@@ -45,5 +47,4 @@ class TornadoCookieSet extends CookieSet, CallNode {
override ControlFlowNode getKey() { result = this.getArg(0) }
override ControlFlowNode getValue() { result = this.getArg(1) }
}