Python: Model cgi.FieldStorage

RasmusWL · RasmusWL · commit 34863721f09f · 2020-12-08T14:03:13.000+01:00
diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -1032,6 +1032,205 @@ private module Stdlib {
 
     override string getFormat() { result = "JSON" }
   }
+
+  // ---------------------------------------------------------------------------
+  // cgi
+  // ---------------------------------------------------------------------------
+  /** Gets a reference to the `cgi` module. */
+  private DataFlow::Node cgi(DataFlow::TypeTracker t) {
+    t.start() and
+    result = DataFlow::importNode("cgi")
+    or
+    exists(DataFlow::TypeTracker t2 | result = cgi(t2).track(t2, t))
+  }
+
+  /** Gets a reference to the `cgi` module. */
+  DataFlow::Node cgi() { result = cgi(DataFlow::TypeTracker::end()) }
+
+  /** Provides models for the `cgi` module. */
+  module cgi {
+    /**
+     * Provides models for the `cgi.FieldStorage` class
+     *
+     * See https://docs.python.org/3/library/cgi.html.
+     */
+    module FieldStorage {
+      /** Gets a reference to the `cgi.FieldStorage` class. */
+      private DataFlow::Node classRef(DataFlow::TypeTracker t) {
+        t.startInAttr("FieldStorage") and
+        result = cgi()
+        or
+        exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
+      }
+
+      /** Gets a reference to the `cgi.FieldStorage` class. */
+      DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
+
+      /**
+       * A source of an instance of `cgi.FieldStorage`.
+       *
+       * This can include instantiation of the class, return value from function
+       * calls, or a special parameter that will be set when functions are call by external
+       * library.
+       *
+       * Use `FieldStorage::instance()` predicate to get references to instances of `cgi.FieldStorage`.
+       */
+      abstract class InstanceSource extends DataFlow::Node { }
+
+      /**
+       * A direct instantiation of `cgi.FieldStorage`.
+       *
+       * We currently consider ALL instantiations to be `RemoteFlowSource`. This seems
+       * reasonable since it's used to parse form data for incoming POST requests, but
+       * if it turns out to be a problem, we'll have to refine.
+       */
+      private class ClassInstantiation extends InstanceSource, RemoteFlowSource::Range,
+        DataFlow::CfgNode {
+        override CallNode node;
+
+        ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
+
+        override string getSourceType() { result = "cgi.FieldStorage" }
+      }
+
+      /** Gets a reference to an instance of `cgi.FieldStorage`. */
+      private DataFlow::Node instance(DataFlow::TypeTracker t) {
+        t.start() and
+        result instanceof InstanceSource
+        or
+        exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))
+      }
+
+      /** Gets a reference to an instance of `cgi.FieldStorage`. */
+      DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+
+      /** Gets a reference to the `getvalue` method on a `cgi.FieldStorage` instance. */
+      private DataFlow::Node getvalueRef(DataFlow::TypeTracker t) {
+        t.startInAttr("getvalue") and
+        result = instance()
+        or
+        exists(DataFlow::TypeTracker t2 | result = getvalueRef(t2).track(t2, t))
+      }
+
+      /** Gets a reference to the `getvalue` method on a `cgi.FieldStorage` instance. */
+      DataFlow::Node getvalueRef() { result = getvalueRef(DataFlow::TypeTracker::end()) }
+
+      /** Gets a reference to the result of calling the `getvalue` method on a `cgi.FieldStorage` instance. */
+      private DataFlow::Node getvalueResult(DataFlow::TypeTracker t) {
+        t.start() and
+        result.asCfgNode().(CallNode).getFunction() = getvalueRef().asCfgNode()
+        or
+        exists(DataFlow::TypeTracker t2 | result = getvalueResult(t2).track(t2, t))
+      }
+
+      /** Gets a reference to the result of calling the `getvalue` method on a `cgi.FieldStorage` instance. */
+      DataFlow::Node getvalueResult() { result = getvalueResult(DataFlow::TypeTracker::end()) }
+
+      /** Gets a reference to the `getfirst` method on a `cgi.FieldStorage` instance. */
+      private DataFlow::Node getfirstRef(DataFlow::TypeTracker t) {
+        t.startInAttr("getfirst") and
+        result = instance()
+        or
+        exists(DataFlow::TypeTracker t2 | result = getfirstRef(t2).track(t2, t))
+      }
+
+      /** Gets a reference to the `getfirst` method on a `cgi.FieldStorage` instance. */
+      DataFlow::Node getfirstRef() { result = getfirstRef(DataFlow::TypeTracker::end()) }
+
+      /** Gets a reference to the result of calling the `getfirst` method on a `cgi.FieldStorage` instance. */
+      private DataFlow::Node getfirstResult(DataFlow::TypeTracker t) {
+        t.start() and
+        result.asCfgNode().(CallNode).getFunction() = getfirstRef().asCfgNode()
+        or
+        exists(DataFlow::TypeTracker t2 | result = getfirstResult(t2).track(t2, t))
+      }
+
+      /** Gets a reference to the result of calling the `getfirst` method on a `cgi.FieldStorage` instance. */
+      DataFlow::Node getfirstResult() { result = getfirstResult(DataFlow::TypeTracker::end()) }
+
+      /** Gets a reference to the `getlist` method on a `cgi.FieldStorage` instance. */
+      private DataFlow::Node getlistRef(DataFlow::TypeTracker t) {
+        t.startInAttr("getlist") and
+        result = instance()
+        or
+        exists(DataFlow::TypeTracker t2 | result = getlistRef(t2).track(t2, t))
+      }
+
+      /** Gets a reference to the `getlist` method on a `cgi.FieldStorage` instance. */
+      DataFlow::Node getlistRef() { result = getlistRef(DataFlow::TypeTracker::end()) }
+
+      /** Gets a reference to the result of calling the `getlist` method on a `cgi.FieldStorage` instance. */
+      private DataFlow::Node getlistResult(DataFlow::TypeTracker t) {
+        t.start() and
+        result.asCfgNode().(CallNode).getFunction() = getlistRef().asCfgNode()
+        or
+        exists(DataFlow::TypeTracker t2 | result = getlistResult(t2).track(t2, t))
+      }
+
+      /** Gets a reference to the result of calling the `getlist` method on a `cgi.FieldStorage` instance. */
+      DataFlow::Node getlistResult() { result = getlistResult(DataFlow::TypeTracker::end()) }
+
+      /** Gets a reference to a list of fields. */
+      private DataFlow::Node fieldList(DataFlow::TypeTracker t) {
+        t.start() and
+        (
+          result = getlistResult()
+          or
+          result = getvalueResult()
+          or
+          // TODO: Should have better handling of subscripting
+          result.asCfgNode().(SubscriptNode).getObject() = instance().asCfgNode()
+        )
+        or
+        exists(DataFlow::TypeTracker t2 | result = fieldList(t2).track(t2, t))
+      }
+
+      /** Gets a reference to a list of fields. */
+      DataFlow::Node fieldList() { result = fieldList(DataFlow::TypeTracker::end()) }
+
+      /** Gets a reference to a field. */
+      private DataFlow::Node field(DataFlow::TypeTracker t) {
+        t.start() and
+        (
+          result = getfirstResult()
+          or
+          result = getvalueResult()
+          or
+          // TODO: Should have better handling of subscripting
+          result.asCfgNode().(SubscriptNode).getObject() = [instance(), fieldList()].asCfgNode()
+        )
+        or
+        exists(DataFlow::TypeTracker t2 | result = field(t2).track(t2, t))
+      }
+
+      /** Gets a reference to a field. */
+      DataFlow::Node field() { result = field(DataFlow::TypeTracker::end()) }
+
+      private class AdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
+        override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+          // Methods
+          nodeFrom = instance() and
+          nodeTo in [getvalueRef(), getfirstRef(), getlistRef()]
+          or
+          nodeFrom = getvalueRef() and nodeTo = getvalueResult()
+          or
+          nodeFrom = getfirstRef() and nodeTo = getfirstResult()
+          or
+          nodeFrom = getlistRef() and nodeTo = getlistResult()
+          or
+          // Indexing
+          nodeFrom in [instance(), fieldList()] and
+          nodeTo.asCfgNode().(SubscriptNode).getObject() = nodeFrom.asCfgNode()
+          or
+          // Attributes on Field
+          nodeFrom = field() and
+          exists(DataFlow::AttrRead read | nodeTo = read and read.getObject() = nodeFrom |
+            read.getAttributeName() in ["value", "file", "filename"]
+          )
+        }
+      }
+    }
+  }
 }
 
 // ---------------------------------------------------------------------------
diff --git a/python/ql/test/experimental/library-tests/frameworks/stdlib/TestTaint.expected b/python/ql/test/experimental/library-tests/frameworks/stdlib/TestTaint.expected
@@ -2,21 +2,21 @@
 | CodeExecution.py:36 | ok   | test_additional_taint | cmd1 |
 | CodeExecution.py:37 | ok   | test_additional_taint | cmd2 |
 | CodeExecution.py:38 | ok   | test_additional_taint | cmd3 |
-| http_server.py:22 | fail | test_cgi_FieldStorage_taint | form |
-| http_server.py:24 | fail | test_cgi_FieldStorage_taint | form['key'] |
-| http_server.py:25 | fail | test_cgi_FieldStorage_taint | form['key'].value |
-| http_server.py:26 | fail | test_cgi_FieldStorage_taint | form['key'].file |
-| http_server.py:27 | fail | test_cgi_FieldStorage_taint | form['key'].filename |
-| http_server.py:28 | fail | test_cgi_FieldStorage_taint | form['key'][0] |
-| http_server.py:29 | fail | test_cgi_FieldStorage_taint | form['key'][0].value |
-| http_server.py:30 | fail | test_cgi_FieldStorage_taint | form['key'][0].file |
-| http_server.py:31 | fail | test_cgi_FieldStorage_taint | form['key'][0].filename |
+| http_server.py:22 | ok   | test_cgi_FieldStorage_taint | form |
+| http_server.py:24 | ok   | test_cgi_FieldStorage_taint | form['key'] |
+| http_server.py:25 | ok   | test_cgi_FieldStorage_taint | form['key'].value |
+| http_server.py:26 | ok   | test_cgi_FieldStorage_taint | form['key'].file |
+| http_server.py:27 | ok   | test_cgi_FieldStorage_taint | form['key'].filename |
+| http_server.py:28 | ok   | test_cgi_FieldStorage_taint | form['key'][0] |
+| http_server.py:29 | ok   | test_cgi_FieldStorage_taint | form['key'][0].value |
+| http_server.py:30 | ok   | test_cgi_FieldStorage_taint | form['key'][0].file |
+| http_server.py:31 | ok   | test_cgi_FieldStorage_taint | form['key'][0].filename |
 | http_server.py:32 | fail | test_cgi_FieldStorage_taint | ListComp |
-| http_server.py:34 | fail | test_cgi_FieldStorage_taint | form.getvalue(..) |
-| http_server.py:35 | fail | test_cgi_FieldStorage_taint | form.getvalue(..)[0] |
-| http_server.py:37 | fail | test_cgi_FieldStorage_taint | form.getfirst(..) |
-| http_server.py:39 | fail | test_cgi_FieldStorage_taint | form.getlist(..) |
-| http_server.py:40 | fail | test_cgi_FieldStorage_taint | form.getlist(..)[0] |
+| http_server.py:34 | ok   | test_cgi_FieldStorage_taint | form.getvalue(..) |
+| http_server.py:35 | ok   | test_cgi_FieldStorage_taint | form.getvalue(..)[0] |
+| http_server.py:37 | ok   | test_cgi_FieldStorage_taint | form.getfirst(..) |
+| http_server.py:39 | ok   | test_cgi_FieldStorage_taint | form.getlist(..) |
+| http_server.py:40 | ok   | test_cgi_FieldStorage_taint | form.getlist(..)[0] |
 | http_server.py:41 | fail | test_cgi_FieldStorage_taint | ListComp |
 | http_server.py:50 | fail | taint_sources | self |
 | http_server.py:52 | fail | taint_sources | self.requestline |
@@ -34,4 +34,4 @@
 | http_server.py:66 | fail | taint_sources | bytes(..) |
 | http_server.py:68 | fail | taint_sources | self.rfile |
 | http_server.py:69 | fail | taint_sources | self.rfile.read() |
-| http_server.py:78 | fail | taint_sources | form |
+| http_server.py:78 | ok   | taint_sources | form |
