Merge pull request #4541 from RasmusWL/python-port-reflected-xss

Python: Port reflected XSS query

Author: tausbn

python/ql/src/experimental/Security-new-dataflow/CWE-079/ReflectedXss.ql

@@ -0,0 +1,38 @@
+/**
+ * @name Reflected server-side cross-site scripting
+ * @description Writing user input directly to a web page
+ *              allows for a cross-site scripting vulnerability.
+ * @kind path-problem
+ * @problem.severity error
+ * @sub-severity high
+ * @precision high
+ * @id py/reflective-xss
+ * @tags security
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ */
+
+import python
+import experimental.dataflow.DataFlow
+import experimental.dataflow.TaintTracking
+import experimental.semmle.python.Concepts
+import experimental.dataflow.RemoteFlowSources
+import DataFlow::PathGraph
+
+class ReflectedXssConfiguration extends TaintTracking::Configuration {
+  ReflectedXssConfiguration() { this = "ReflectedXssConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(HTTP::Server::HttpResponse response |
+      response.getMimetype().toLowerCase() = "text/html" and
+      sink = response.getBody()
+    )
+  }
+}
+
+from ReflectedXssConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
+  source.getNode(), "a user-provided value"

python/ql/src/experimental/semmle/python/Concepts.qll

@@ -228,7 +228,7 @@ module HTTP {
   /** Provides classes for modeling HTTP servers. */
   module Server {
     /**
-     * An data-flow node that sets up a route on a server.
+     * A data-flow node that sets up a route on a server.
      *
      * Extend this class to refine existing API models. If you want to model new APIs,
      * extend `RouteSetup::Range` instead.
@@ -254,7 +254,7 @@ module HTTP {
     /** Provides a class for modeling new HTTP routing APIs. */
     module RouteSetup {
       /**
-       * An data-flow node that sets up a route on a server.
+       * A data-flow node that sets up a route on a server.
        *
        * Extend this class to model new APIs. If you want to refine existing API models,
        * extend `RouteSetup` instead.
@@ -287,5 +287,60 @@ module HTTP {
 
       override string getSourceType() { result = "RoutedParameter" }
     }
+
+    /**
+     * A data-flow node that creates a HTTP response on a server.
+     *
+     * Note: we don't require that this response must be sent to a client (a kind of
+     * "if a tree falls in a forest and nobody hears it" situation).
+     *
+     * Extend this class to refine existing API models. If you want to model new APIs,
+     * extend `HttpResponse::Range` instead.
+     */
+    class HttpResponse extends DataFlow::Node {
+      HttpResponse::Range range;
+
+      HttpResponse() { this = range }
+
+      /** Gets the data-flow node that specifies the body of this HTTP response. */
+      DataFlow::Node getBody() { result = range.getBody() }
+
+      /** Gets the mimetype of this HTTP response, if it can be statically determined. */
+      string getMimetype() { result = range.getMimetype() }
+    }
+
+    /** Provides a class for modeling new HTTP response APIs. */
+    module HttpResponse {
+      /**
+       * A data-flow node that creates a HTTP response on a server.
+       *
+       * Note: we don't require that this response must be sent to a client (a kind of
+       * "if a tree falls in a forest and nobody hears it" situation).
+       *
+       * Extend this class to model new APIs. If you want to refine existing API models,
+       * extend `HttpResponse` instead.
+       */
+      abstract class Range extends DataFlow::Node {
+        /** Gets the data-flow node that specifies the body of this HTTP response. */
+        abstract DataFlow::Node getBody();
+
+        /** Gets the data-flow node that specifies the content-type/mimetype of this HTTP response, if any. */
+        abstract DataFlow::Node getMimetypeOrContentTypeArg();
+
+        /** Gets the default mimetype that should be used if `getMimetypeOrContentTypeArg` has no results. */
+        abstract string getMimetypeDefault();
+
+        /** Gets the mimetype of this HTTP response, if it can be statically determined. */
+        string getMimetype() {
+          exists(StrConst str |
+            DataFlow::localFlow(DataFlow::exprNode(str), this.getMimetypeOrContentTypeArg()) and
+            result = str.getText().splitAt(";", 0)
+          )
+          or
+          not exists(this.getMimetypeOrContentTypeArg()) and
+          result = this.getMimetypeDefault()
+        }
+      }
+    }
   }
 }