Python: make sure all django and flask request sources conform to interface.

2026-05-01 03:35:13 +02:00 · 2019-03-06 17:27:37 +00:00
parent 61e6ae7c4a
commit f8c43ca40b
4 changed files with 11 additions and 11 deletions
--- a/python/ql/src/Security/CWE-079/ReflectedXss.ql
+++ b/python/ql/src/Security/CWE-079/ReflectedXss.ql
@@ -30,9 +30,9 @@ class RefectedXssConfiguration extends TaintTracking::Configuration {

    RefectedXssConfiguration() { this = "Reflected XSS configuration" }

-    override predicate isSource(TaintTracking::Source source) { source.isSourceOf(any(UntrustedStringKind u)) }
+    override predicate isSource(TaintTracking::Source source) { source instanceof HttpRequestTaintSource }

-    override predicate isSink(TaintTracking::Sink sink) { sink.sinks(any(UntrustedStringKind u)) }
+    override predicate isSink(TaintTracking::Sink sink) { sink instanceof SimpleHttpResponseTaintSink }

 }

--- a/python/ql/src/semmle/python/web/Http.qll
+++ b/python/ql/src/semmle/python/web/Http.qll
@@ -3,11 +3,7 @@ import semmle.python.security.TaintTracking
 import semmle.python.security.strings.External

 /** Generic taint source from a http request */
-abstract class SimpleHttpRequestTaintSource extends TaintSource {
-
-    override predicate isSourceOf(TaintKind kind) { 
-        kind instanceof ExternalStringKind
-    }
+abstract class HttpRequestTaintSource extends TaintSource {

 }

--- a/python/ql/src/semmle/python/web/django/Request.qll
+++ b/python/ql/src/semmle/python/web/django/Request.qll
@@ -49,7 +49,7 @@ class DjangoQueryDict extends TaintKind {

 }

-abstract class DjangoRequestSource extends TaintSource {
+abstract class DjangoRequestSource extends HttpRequestTaintSource {

    override string toString() {
        result = "Django request source"
@@ -144,7 +144,7 @@ class UrlRouting extends CallNode {
 }

 /** An argument specified in a url routing table */
-class HttpRequestParameter extends TaintSource {
+class HttpRequestParameter extends HttpRequestTaintSource {

    HttpRequestParameter() {
        exists(UrlRouting url |
--- a/python/ql/src/semmle/python/web/flask/Request.qll
+++ b/python/ql/src/semmle/python/web/flask/Request.qll
@@ -16,7 +16,7 @@ private predicate flask_request_attr(AttrNode attr, string name) {
 }

 /** Source of external data from a flask request */
-class FlaskRequestData extends SimpleHttpRequestTaintSource {
+class FlaskRequestData extends HttpRequestTaintSource {

    FlaskRequestData() {
        not this instanceof FlaskRequestArgs and
@@ -27,6 +27,10 @@ class FlaskRequestData extends SimpleHttpRequestTaintSource {
        )
    }

+    override predicate isSourceOf(TaintKind kind) { 
+        kind instanceof ExternalStringKind
+    }
+
    override string toString() {
        result = "flask.request"
    }
@@ -34,7 +38,7 @@ class FlaskRequestData extends SimpleHttpRequestTaintSource {
 }

 /** Source of dictionary whose values are externally controlled */
-class FlaskRequestArgs extends TaintSource {
+class FlaskRequestArgs extends HttpRequestTaintSource {

    FlaskRequestArgs() {
        exists(string attr |