Python: Consider routed parameter if URL pattern unknown

RasmusWL · RasmusWL · commit b82727d0b8b2 · 2020-10-06T11:03:25.000+02:00
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Flask.qll b/python/ql/src/experimental/semmle/python/frameworks/Flask.qll
@@ -117,6 +117,12 @@ private module Flask {
   /** A route setup made by flask (sharing handling of URL patterns). */
   abstract private class FlaskRouteSetup extends HTTP::Server::RouteSetup::Range {
     override Parameter getARoutedParameter() {
+      // If we don't know the URL pattern, we simply mark all parameters as a routed
+      // parameter. This should give us more RemoteFlowSources but could also lead to
+      // more FPs. If this turns out to be the wrong tradeoff, we can always change our mind.
+      not exists(this.getUrlPattern()) and
+      result = this.getARouteHandler().getArgByName(_)
+      or
       exists(string name |
         result = this.getARouteHandler().getArgByName(name) and
         exists(string match |
diff --git a/python/ql/test/experimental/library-tests/frameworks/flask/routing_test.py b/python/ql/test/experimental/library-tests/frameworks/flask/routing_test.py
@@ -24,7 +24,7 @@ def later_set():  # $f-:routeHandler
 
 
 @app.route(UNKNOWN_ROUTE) # $routeSetup
-def unkown_route(foo, bar):  # $routeHandler
+def unkown_route(foo, bar):  # $routeHandler $routedParameter=foo $routedParameter=bar
     return make_response("unkown_route")
 
 
