Python: make sure all django and flask request sources conform to interface.

markshannon · markshannon · commit f8c43ca40b97 · 2019-04-04T10:56:45.000+01:00
diff --git a/python/ql/src/Security/CWE-079/ReflectedXss.ql b/python/ql/src/Security/CWE-079/ReflectedXss.ql
@@ -30,9 +30,9 @@ class RefectedXssConfiguration extends TaintTracking::Configuration {
 
     RefectedXssConfiguration() { this = "Reflected XSS configuration" }
 
-    override predicate isSource(TaintTracking::Source source) { source.isSourceOf(any(UntrustedStringKind u)) }
+    override predicate isSource(TaintTracking::Source source) { source instanceof HttpRequestTaintSource }
 
-    override predicate isSink(TaintTracking::Sink sink) { sink.sinks(any(UntrustedStringKind u)) }
+    override predicate isSink(TaintTracking::Sink sink) { sink instanceof SimpleHttpResponseTaintSink }
 
 }
 
diff --git a/python/ql/src/semmle/python/web/Http.qll b/python/ql/src/semmle/python/web/Http.qll
@@ -3,11 +3,7 @@ import semmle.python.security.TaintTracking
 import semmle.python.security.strings.External
 
 /** Generic taint source from a http request */
-abstract class SimpleHttpRequestTaintSource extends TaintSource {
-
-    override predicate isSourceOf(TaintKind kind) { 
-        kind instanceof ExternalStringKind
-    }
+abstract class HttpRequestTaintSource extends TaintSource {
 
 }
 
diff --git a/python/ql/src/semmle/python/web/django/Request.qll b/python/ql/src/semmle/python/web/django/Request.qll
@@ -49,7 +49,7 @@ class DjangoQueryDict extends TaintKind {
 
 }
 
-abstract class DjangoRequestSource extends TaintSource {
+abstract class DjangoRequestSource extends HttpRequestTaintSource {
 
     override string toString() {
         result = "Django request source"
@@ -144,7 +144,7 @@ class UrlRouting extends CallNode {
 }
 
 /** An argument specified in a url routing table */
-class HttpRequestParameter extends TaintSource {
+class HttpRequestParameter extends HttpRequestTaintSource {
 
     HttpRequestParameter() {
         exists(UrlRouting url |
diff --git a/python/ql/src/semmle/python/web/flask/Request.qll b/python/ql/src/semmle/python/web/flask/Request.qll
@@ -16,7 +16,7 @@ private predicate flask_request_attr(AttrNode attr, string name) {
 }
 
 /** Source of external data from a flask request */
-class FlaskRequestData extends SimpleHttpRequestTaintSource {
+class FlaskRequestData extends HttpRequestTaintSource {
 
     FlaskRequestData() {
         not this instanceof FlaskRequestArgs and
@@ -27,14 +27,18 @@ class FlaskRequestData extends SimpleHttpRequestTaintSource {
         )
     }
 
+    override predicate isSourceOf(TaintKind kind) { 
+        kind instanceof ExternalStringKind
+    }
+
     override string toString() {
         result = "flask.request"
     }
 
 }
 
 /** Source of dictionary whose values are externally controlled */
-class FlaskRequestArgs extends TaintSource {
+class FlaskRequestArgs extends HttpRequestTaintSource {
 
     FlaskRequestArgs() {
         exists(string attr |

Original file line number	Diff line number	Diff line change
`@@ -30,9 +30,9 @@ class RefectedXssConfiguration extends TaintTracking::Configuration {`
`30`	`30`
`31`	`31`	`RefectedXssConfiguration() { this = "Reflected XSS configuration" }`
`32`	`32`
`33`		`- override predicate isSource(TaintTracking::Source source) { source.isSourceOf(any(UntrustedStringKind u)) }`
	`33`	`+ override predicate isSource(TaintTracking::Source source) { source instanceof HttpRequestTaintSource }`
`34`	`34`
`35`		`- override predicate isSink(TaintTracking::Sink sink) { sink.sinks(any(UntrustedStringKind u)) }`
	`35`	`+ override predicate isSink(TaintTracking::Sink sink) { sink instanceof SimpleHttpResponseTaintSink }`
`36`	`36`
`37`	`37`	`}`
`38`	`38`
Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,7 @@ class DjangoQueryDict extends TaintKind {`
`49`	`49`
`50`	`50`	`}`
`51`	`51`
`52`		`-abstract class DjangoRequestSource extends TaintSource {`
	`52`	`+abstract class DjangoRequestSource extends HttpRequestTaintSource {`
`53`	`53`
`54`	`54`	`override string toString() {`
`55`	`55`	`result = "Django request source"`
`@@ -144,7 +144,7 @@ class UrlRouting extends CallNode {`
`144`	`144`	`}`
`145`	`145`
`146`	`146`	`/** An argument specified in a url routing table */`
`147`		`-class HttpRequestParameter extends TaintSource {`
	`147`	`+class HttpRequestParameter extends HttpRequestTaintSource {`
`148`	`148`
`149`	`149`	`HttpRequestParameter() {`
`150`	`150`	`exists(UrlRouting url \|`
Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ private predicate flask_request_attr(AttrNode attr, string name) {`
`16`	`16`	`}`
`17`	`17`
`18`	`18`	`/** Source of external data from a flask request */`
`19`		`-class FlaskRequestData extends SimpleHttpRequestTaintSource {`
	`19`	`+class FlaskRequestData extends HttpRequestTaintSource {`
`20`	`20`
`21`	`21`	`FlaskRequestData() {`
`22`	`22`	`not this instanceof FlaskRequestArgs and`
`@@ -27,14 +27,18 @@ class FlaskRequestData extends SimpleHttpRequestTaintSource {`
`27`	`27`	`)`
`28`	`28`	`}`
`29`	`29`
	`30`	`+ override predicate isSourceOf(TaintKind kind) {`
	`31`	`+ kind instanceof ExternalStringKind`
	`32`	`+ }`
	`33`	`+`
`30`	`34`	`override string toString() {`
`31`	`35`	`result = "flask.request"`
`32`	`36`	`}`
`33`	`37`
`34`	`38`	`}`
`35`	`39`
`36`	`40`	`/** Source of dictionary whose values are externally controlled */`
`37`		`-class FlaskRequestArgs extends TaintSource {`
	`41`	`+class FlaskRequestArgs extends HttpRequestTaintSource {`
`38`	`42`
`39`	`43`	`FlaskRequestArgs() {`
`40`	`44`	`exists(string attr \|`