Added a sanitizer for replacing newlines.

2026-04-27 01:35:13 +02:00 · 2024-04-03 16:34:50 +01:00
parent dbbc944f32
commit fa28d94363
2 changed files with 20 additions and 1 deletions
--- a/python/ql/lib/semmle/python/security/dataflow/HttpHeaderInjectionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/HttpHeaderInjectionCustomizations.qll
@@ -71,4 +71,14 @@ module HttpHeaderInjection {
      Http::Server::ResponseHeaderBulkWrite.super.valueAllowsNewline()
    }
  }
+
+  /**
+   * A call to replace line breaks, considered as a sanitizer.
+   */
+  class ReplaceLineBreaksSanitizer extends Sanitizer, DataFlow::CallCfgNode {
+    ReplaceLineBreaksSanitizer() {
+      this.getFunction().(DataFlow::AttrRead).getAttributeName() = "replace" and
+      this.getArg(0).asExpr().(StrConst).getText() = "\n"
+    }
+  }
 }
--- a/python/ql/test/query-tests/Security/CWE-113-HeaderInjection/flask_tests.py
+++ b/python/ql/test/query-tests/Security/CWE-113-HeaderInjection/flask_tests.py
@@ -58,4 +58,13 @@ def flask_make_response_header_arg3():
 def flask_make_response_header_arg2():
    rfs_header = request.args["rfs_header"]
    resp = make_response("hello", {request.args["rfs_header"]: "HeaderValue"}) # BAD
-    return resp
+    return resp
+
+@app.route("/flask_escaped")
+def flask_escaped():
+    rfs_header = request.args["rfs_header"]
+    resp = make_response("hello", {rfs_header.replace("\n", ""): "HeaderValue"}) # GOOD - Newlines are removed from the input.
+    return resp
+
+# if __name__ == "__main__":
+#     app.run(debug=True)