
Commit 2879944

committed
Python: Fix false positive in 'Incomplete URL substring sanitization' query.
1 parent c674f54 commit 2879944


2 files changed

+13
-2
lines changed


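--- a/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
+++ b/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
@@ -35,16 +35,18 @@ predicate incomplete_sanitization(Expr sanitizer, StrConst url) {
 (
 sanitizer.(Compare).compares(url, any(In i), _)
 or
-call_to_startswith(sanitizer, url)
+unsafe_call_to_startswith(sanitizer, url)
 or
 unsafe_call_to_endswith(sanitizer, url)
 )
 }
 
-predicate call_to_startswith(Call sanitizer, StrConst url) {
+predicate unsafe_call_to_startswith(Call sanitizer, StrConst url) {
 sanitizer.getFunc().(Attribute).getName() = "startswith"
 and
 sanitizer.getArg(0) = url
+and
+not url.getText().regexpMatch("(?i)https?://[\\.a-z0-9-]+/.*")
 }
 
 predicate unsafe_call_to_endswith(Call sanitizer, StrConst url) {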
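Review bot: The new `unsafe_call_to_startswith` predicate carries no QLDoc, and its regex encodes a non-obvious safety argument that the next maintainer will have to reverse-engineer: a `startswith` prefix that fixes the scheme, the complete host and the path separator `/` cannot be extended into a different host, whereas `"https://example.com"` (no trailing slash) still matches `https://example.com.evil.test`. I would put that reasoning above the predicate, e.g. `/** Holds if `sanitizer` is a `startswith` check on `url` whose prefix does not pin scheme, full host and a trailing `/`, so a longer host can still satisfy it. */`. It is also worth a line noting that the host class `[\\.a-z0-9-]+` deliberately excludes ports, userinfo (`@`) and bracketed IPv6 literals, so prefixes containing those remain reported (conservative, not a bug). The enclosing `incomplete_sanitization` predicate starts before this hunk.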

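--- a/python/ql/test/query-tests/Security/CWE-020/urltest.py
+++ b/python/ql/test/query-tests/Security/CWE-020/urltest.py
@@ -39,3 +39,12 @@ def safe2(request):
 if host and host.endswith(".example.com"):
 return redirect(target)
 
+
+@app.route('/some/path/good3')
+def safe3(request):
+target = request.args.get('target', '')
+target = urlparse(target)
+#Start url with https:// and ends with a / so must match the correct domain.
+if target and target.startswith("https://example.com/"):
+return redirect(target)
+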
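Review bot: In `safe3`, `target = urlparse(target)` rebinds `target` to the parse result before `target.startswith(...)` is called; if `urlparse` is `urllib.parse.urlparse` (its import is outside this hunk), that result is a tuple-like `ParseResult` with no `startswith` method, so the test case would not run as written even though the query only analyses it statically. Either drop the `urlparse` line, since the point of the case is a prefix check on the raw string, or keep the string form with `target = urlparse(target).geturl()`. The comment would also read better as `# Prefix fixes scheme, full host and trailing "/", so no other host can match.` which states the property the query's regex now relies on.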