Implement sinks for wsgiref + allow lists in bulk header updates + local flow

2026-04-17 21:14:02 +02:00 · 2024-04-08 17:46:44 +01:00
parent 9d56f3eb68
commit eeef062f7c
3 changed files with 142 additions and 2 deletions
--- a/python/ql/lib/semmle/python/security/dataflow/HttpHeaderInjectionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/HttpHeaderInjectionCustomizations.qll
@@ -57,7 +57,11 @@ module HttpHeaderInjection {
  {
    KeyValuePair item;

-    HeaderBulkWriteDictLiteral() { item = super.geBulkArg().asExpr().(Dict).getAnItem() }
+    HeaderBulkWriteDictLiteral() {
+      exists(Dict dict | DataFlow::localFlow(DataFlow::exprNode(dict), super.geBulkArg()) |
+        item = dict.getAnItem()
+      )
+    }

    override DataFlow::Node getNameArg() { result.asExpr() = item.getKey() }

@@ -72,6 +76,31 @@ module HttpHeaderInjection {
    }
  }

+  /** A tuple in a list for a bulk header update, considered as a single header update. */
+  // TODO: We could instead consider bulk writes as sinks with implicit read steps as needed.
+  private class HeaderBulkWriteListLiteral extends Http::Server::ResponseHeaderWrite::Range instanceof Http::Server::ResponseHeaderBulkWrite
+  {
+    Tuple item;
+
+    HeaderBulkWriteListLiteral() {
+      exists(List list | DataFlow::localFlow(DataFlow::exprNode(list), super.geBulkArg()) |
+        item = list.getAnElt()
+      )
+    }
+
+    override DataFlow::Node getNameArg() { result.asExpr() = item.getElt(0) }
+
+    override DataFlow::Node getValueArg() { result.asExpr() = item.getElt(1) }
+
+    override predicate nameAllowsNewline() {
+      Http::Server::ResponseHeaderBulkWrite.super.nameAllowsNewline()
+    }
+
+    override predicate valueAllowsNewline() {
+      Http::Server::ResponseHeaderBulkWrite.super.valueAllowsNewline()
+    }
+  }
+
  /**
   * A call to replace line breaks, considered as a sanitizer.
   */