Python: Make any routed parameter a RemoteFlowSource

I'm not 100% sure whether this approach makes everything too magic, but I like the fact that you can't _forget_ to make routed params remove-flow sources.
2025-12-20 10:46:30 +01:00 · 2020-10-06 02:49:49 +02:00
parent b78c665f34
commit f03a8a838b
3 changed files with 10 additions and 2 deletions
--- a/python/ql/src/experimental/dataflow/RemoteFlowSources.qll
+++ b/python/ql/src/experimental/dataflow/RemoteFlowSources.qll
@@ -2,6 +2,7 @@ private import python
 private import experimental.dataflow.DataFlow
 // Need to import since frameworks can extend `RemoteFlowSource::Range`
 private import experimental.semmle.python.Frameworks
+private import experimental.semmle.python.Concepts

 /**
 * A data flow source of remote user input.
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -7,6 +7,7 @@
 import python
 private import experimental.dataflow.DataFlow
 private import experimental.semmle.python.Frameworks
+private import experimental.dataflow.RemoteFlowSources

 /**
 * A data-flow node that executes an operating system command,
@@ -89,5 +90,11 @@ module HTTP {
        abstract Parameter getARoutedParameter();
      }
    }
+
+    private class RoutedParameter extends RemoteFlowSource::Range, DataFlow::ParameterNode {
+      RoutedParameter() { this.getParameter() = any(RouteSetup setup).getARoutedParameter() }
+
+      override string getSourceType() { result = "RoutedParameter" }
+    }
  }
 }