Python: Use mimetype instead of content-type in django modeling

This enables the XSS query to actually find results from django responses.

Author: RasmusWL

python/ql/src/semmle/python/frameworks/Django.qll

@@ -670,7 +670,7 @@ private module Django {
               result.asCfgNode() in [node.getArg(1), node.getArgByName("content_type")]
             }
 
-            override string getMimetypeDefault() { result = "text/html; charset=utf-8" }
+            override string getMimetypeDefault() { result = "text/html" }
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponse`. */
@@ -738,7 +738,7 @@ private module Django {
             // How to support the `headers` argument here?
             override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
 
-            override string getMimetypeDefault() { result = "text/html; charset=utf-8" }
+            override string getMimetypeDefault() { result = "text/html" }
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponseRedirect`. */
@@ -802,7 +802,7 @@ private module Django {
             // How to support the `headers` argument here?
             override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
 
-            override string getMimetypeDefault() { result = "text/html; charset=utf-8" }
+            override string getMimetypeDefault() { result = "text/html" }
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponsePermanentRedirect`. */
@@ -928,7 +928,7 @@ private module Django {
             // How to support the `headers` argument here?
             override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
 
-            override string getMimetypeDefault() { result = "text/html; charset=utf-8" }
+            override string getMimetypeDefault() { result = "text/html" }
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponseBadRequest`. */
@@ -992,7 +992,7 @@ private module Django {
             // How to support the `headers` argument here?
             override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
 
-            override string getMimetypeDefault() { result = "text/html; charset=utf-8" }
+            override string getMimetypeDefault() { result = "text/html" }
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponseNotFound`. */
@@ -1056,7 +1056,7 @@ private module Django {
             // How to support the `headers` argument here?
             override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
 
-            override string getMimetypeDefault() { result = "text/html; charset=utf-8" }
+            override string getMimetypeDefault() { result = "text/html" }
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponseForbidden`. */
@@ -1121,7 +1121,7 @@ private module Django {
             // How to support the `headers` argument here?
             override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
 
-            override string getMimetypeDefault() { result = "text/html; charset=utf-8" }
+            override string getMimetypeDefault() { result = "text/html" }
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponseNotAllowed`. */
@@ -1185,7 +1185,7 @@ private module Django {
             // How to support the `headers` argument here?
             override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
 
-            override string getMimetypeDefault() { result = "text/html; charset=utf-8" }
+            override string getMimetypeDefault() { result = "text/html" }
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponseGone`. */
@@ -1249,7 +1249,7 @@ private module Django {
             // How to support the `headers` argument here?
             override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
 
-            override string getMimetypeDefault() { result = "text/html; charset=utf-8" }
+            override string getMimetypeDefault() { result = "text/html" }
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponseServerError`. */
@@ -1380,7 +1380,7 @@ private module Django {
             // How to support the `headers` argument here?
             override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
 
-            override string getMimetypeDefault() { result = "text/html; charset=utf-8" }
+            override string getMimetypeDefault() { result = "text/html" }
           }
 
           /** Gets a reference to an instance of `django.http.response.StreamingHttpResponse`. */
@@ -1444,7 +1444,7 @@ private module Django {
             // How to support the `headers` argument here?
             override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
 
-            override string getMimetypeDefault() { result = "text/html; charset=utf-8" }
+            override string getMimetypeDefault() { result = "text/html" }
           }
 
           /** Gets a reference to an instance of `django.http.response.FileResponse`. */

python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py

@@ -18,19 +18,19 @@ def safe__manual_content_type(request):
 # XSS FP reported in https://github.com/github/codeql/issues/3466
 # Note: This should be an open-redirect sink, but not an XSS sink.
 def or__redirect(request):
-    return HttpResponseRedirect(request.GET.get("next"))  # $HttpResponse mimetype="text/html; charset=utf-8" responseBody=Attribute()
+    return HttpResponseRedirect(request.GET.get("next"))  # $HttpResponse mimetype=text/html responseBody=Attribute()
 
 # Ensure that simple subclasses are still vuln to XSS
 def xss__not_found(request):
-    return HttpResponseNotFound(request.GET.get("name"))  # $HttpResponse mimetype="text/html; charset=utf-8" responseBody=Attribute()
+    return HttpResponseNotFound(request.GET.get("name"))  # $HttpResponse mimetype=text/html responseBody=Attribute()
 
 # Ensure we still have an XSS sink when manually setting the content_type to HTML
 def xss__manual_response_type(request):
     return HttpResponse(request.GET.get("name"), content_type="text/html; charset=utf-8")  # $HttpResponse mimetype=text/html responseBody=Attribute()
 
 def xss__write(request):
-    response = HttpResponse()  # $HttpResponse mimetype="text/html; charset=utf-8"
-    response.write(request.GET.get("name"))  # $HttpResponse mimetype="text/html; charset=utf-8" responseBody=Attribute()
+    response = HttpResponse()  # $HttpResponse mimetype=text/html
+    response.write(request.GET.get("name"))  # $HttpResponse mimetype=text/html responseBody=Attribute()
 
 # This is safe but probably a bug if the argument to `write` is not a result of `json.dumps` or similar.
 def safe__write_json(request):
@@ -50,4 +50,4 @@ def __init__(self, banner, content, *args, **kwargs):
         super().__init__(content, *args, content_type="text/html", **kwargs)
 
 def safe__custom_json_response(request):
-    return CustomJsonResponse("ACME Responses", {"foo": request.GET.get("foo")})  # $HttpResponse mimetype=application/json MISSING: responseBody=Dict SPURIOUS: responseBody="ACME Responses"
+    return CustomJsonResponse("ACME Responses", {"foo": request.GET.get("foo")})  # $HttpResponse mimetype=application/json MISSING: responseBody=Dict SPURIOUS: responseBody="ACME Responses"