Python: jinja2-without-escaping query: Clean up query and account for Template class in tests.

python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql

@@ -12,29 +12,20 @@
 
 import python
 
-predicate jinja2Environment(Object callable, int autoescape) {
+ClassObject jinja2EnvironmentOrTemplate() {
-    exists(ModuleObject jinja2 |
+    exists(ModuleObject jinja2, string name |
-        jinja2.getName() = "jinja2" |
+        jinja2.getName() = "jinja2" and
-        jinja2.getAttribute("Environment") = callable and
+        jinja2.getAttribute(name) = result |
-        callable.(ClassObject).getPyClass().getInitMethod().getArg(autoescape+1).asName().getId() = "autoescape"
+        name = "Environment" or
-        or
+        name = "Template"
-        exists(ModuleObject environment |
-            environment.getAttribute("Template") = callable and
-            callable.(ClassObject).lookupAttribute("__new__").(FunctionObject).getFunction().getArg(autoescape+1).asName().getId() = "autoescape"
-        )
     )
 }
 
 ControlFlowNode getAutoEscapeParameter(CallNode call) {
     exists(Object callable |
         call.getFunction().refersTo(callable) |
-        jinja2Environment(callable, _) and
+        callable = jinja2EnvironmentOrTemplate() and
         result = call.getArgByName("autoescape")
-        or
-        exists(int arg |
-            jinja2Environment(callable, arg) and
-            result = call.getArg(arg)
-        )
     )
 }
 
@@ -46,11 +37,12 @@ not exists(call.getNode().getKwargs()) and
     not exists(getAutoEscapeParameter(call)) and
     exists(Object env |
         call.getFunction().refersTo(env) and
-        jinja2Environment(env, _)
+        env = jinja2EnvironmentOrTemplate()
     )
     or
     exists(Object isFalse |
-      getAutoEscapeParameter(call).refersTo(isFalse) and isFalse.booleanValue() = false
+        getAutoEscapeParameter(call).refersTo(isFalse) and isFalse.booleanValue() = false
     )
 )
+
 select call, "Using jinja2 templates with autoescape=False can potentially allow XSS attacks."

python/ql/test/query-tests/Security/CWE-079/Jinja2WithoutEscaping.expected

@@ -2,3 +2,4 @@
 | jinja2_escaping.py:41:5:41:29 | ControlFlowNode for Environment() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
 | jinja2_escaping.py:43:1:43:3 | ControlFlowNode for E() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
 | jinja2_escaping.py:44:1:44:15 | ControlFlowNode for E() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
+| jinja2_escaping.py:53:15:53:43 | ControlFlowNode for Template() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |

python/ql/test/query-tests/Security/CWE-079/jinja2_escaping.py

@@ -1,7 +1,7 @@
 
 Environment(loader=templateLoader, autoescape=fake_func())
 from flask import Flask, request, make_response, escape
-from jinja2 import Environment, select_autoescape, FileSystemLoader
+from jinja2 import Environment, select_autoescape, FileSystemLoader, Template
 
 app = Flask(__name__)
 loader = FileSystemLoader( searchpath="templates/" )
@@ -49,3 +49,7 @@ def checked(cond=False):
     if cond:
         e = Environment(autoescape=cond) # GOOD
 
+
+unsafe_tmpl = Template('Hello {{ name }}!')
+safe1_tmpl = Template('Hello {{ name }}!', autoescape=True)
+safe2_tmpl = Template('Hello {{ name }}!', autoescape=select_autoescape())

python/ql/test/query-tests/Security/lib/jinja2.py

@@ -4,6 +4,11 @@ class Environment(object):
     def __init__(self, loader, autoescape):
         pass
 
+class Template(object):
+
+    def __init__(self, source, autoescape):
+        pass
+
 def select_autoescape(files=[]):
     def autoescape(template_name):
         pass