Python: Handle content of Django redirects correctly

RasmusWL · RasmusWL · commit 353505ec6cf9 · 2020-11-04T12:10:58.000+01:00
diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -732,7 +732,10 @@ private module Django {
             ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
 
             override DataFlow::Node getBody() {
-              result.asCfgNode() in [node.getArg(0), node.getArgByName("redirect_to")]
+              // note that even though browsers like Chrome usually doesn't fetch the
+              // content of a redirect, it is possible to observe the body (for example,
+              // with cURL).
+              result.asCfgNode() in [node.getArg(1), node.getArgByName("content")]
             }
 
             // How to support the `headers` argument here?
@@ -796,7 +799,10 @@ private module Django {
             ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
 
             override DataFlow::Node getBody() {
-              result.asCfgNode() in [node.getArg(0), node.getArgByName("redirect_to")]
+              // note that even though browsers like Chrome usually doesn't fetch the
+              // content of a redirect, it is possible to observe the body (for example,
+              // with cURL).
+              result.asCfgNode() in [node.getArg(1), node.getArgByName("content")]
             }
 
             // How to support the `headers` argument here?
diff --git a/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py b/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py
@@ -18,7 +18,15 @@ def safe__manual_content_type(request):
 # XSS FP reported in https://github.com/github/codeql/issues/3466
 # Note: This should be an open-redirect sink, but not an XSS sink.
 def or__redirect(request):
-    return HttpResponseRedirect(request.GET.get("next"))  # $HttpResponse mimetype=text/html responseBody=Attribute()
+    return HttpResponseRedirect(request.GET.get("next"))  # $HttpResponse mimetype=text/html
+
+def information_exposure_through_redirect(request, as_kw=False):
+    # This is a contrived example, but possible
+    private = "private"
+    if as_kw:
+        return HttpResponseRedirect(request.GET.get("next"), content=private)  # $HttpResponse mimetype=text/html responseBody=private
+    else:
+        return HttpResponseRedirect(request.GET.get("next"), private)  # $HttpResponse mimetype=text/html responseBody=private
 
 # Ensure that simple subclasses are still vuln to XSS
 def xss__not_found(request):
