hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

Python: Use API-graph flow for boolean tracking

Browse Source 
Introduces a false positive, but arguably that false positive should
have been there with the local flow as well.
This commit is contained in:
Taus
2022-05-17 13:14:55 +00:00
committed by GitHub
parent ba8d73c2be
commit ea32299ab0
2 changed files with 7 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
View File

@@ -33,19 +33,18 @@ private API::Node jinja2EnvironmentOrTemplate() {
result = API::moduleImport("jinja2").getMember("Template")
}
DataFlow::Node getAutoEscapeParameter(DataFlow::CallCfgNode call) {
result = call.getArgByName("autoescape")
}
from API::CallNode call
where
call = jinja2EnvironmentOrTemplate().getACall() and
not exists(call.asCfgNode().(CallNode).getNode().getStarargs()) and
not exists(call.asCfgNode().(CallNode).getNode().getKwargs()) and
(
not exists(getAutoEscapeParameter(call))
not exists(call.getArgByName("autoescape"))
or
any(DataFlow::LocalSourceNode n | n.asExpr().(ImmutableLiteral).booleanValue() = false)
.flowsTo(getAutoEscapeParameter(call))
call.getKeywordParameter("autoescape")
.getAValueReachingRhs()
.asExpr()
.(ImmutableLiteral)
.booleanValue() = false
)
select call, "Using jinja2 templates with autoescape=False can potentially allow XSS attacks."

1
python/ql/test/query-tests/Security/CWE-079-Jinja2WithoutEscaping/Jinja2WithoutEscaping.expected
View File

@@ -2,4 +2,5 @@
| jinja2_escaping.py:41:5:41:29 | ControlFlowNode for Environment() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
| jinja2_escaping.py:43:1:43:3 | ControlFlowNode for E() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
| jinja2_escaping.py:44:1:44:15 | ControlFlowNode for E() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
| jinja2_escaping.py:50:13:50:40 | ControlFlowNode for Environment() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
| jinja2_escaping.py:53:15:53:43 | ControlFlowNode for Template() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |