-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathFlaskAdmin.qll
More file actions
79 lines (71 loc) · 2.7 KB
/
FlaskAdmin.qll
File metadata and controls
79 lines (71 loc) · 2.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
/**
* Provides classes modeling security-relevant aspects of the `Flask-Admin` PyPI package
* (imported as `flask_admin`).
*
* See
* - https://flask-admin.readthedocs.io/en/latest/
* - https://pypi.org/project/Flask-Admin/
*/
private import python
private import semmle.python.dataflow.new.DataFlow
private import semmle.python.dataflow.new.RemoteFlowSources
private import semmle.python.dataflow.new.TaintTracking
private import semmle.python.Concepts
private import semmle.python.frameworks.Flask
private import semmle.python.ApiGraphs
/**
* Provides models for the `Flask-Admin` PyPI package (imported as `flask_admin`).
*
* See
* - https://flask-admin.readthedocs.io/en/latest/
* - https://pypi.org/project/Flask-Admin/
*/
private module FlaskAdmin {
/**
* A call to `flask_admin.expose`, which is used as a decorator to make the
* function exposed in the admin interface (and make it a request handler)
*
* See https://flask-admin.readthedocs.io/en/latest/api/mod_base/#flask_admin.base.expose
*/
private class FlaskAdminExposeCall extends Flask::FlaskRouteSetup, DataFlow::CallCfgNode {
FlaskAdminExposeCall() {
this = API::moduleImport("flask_admin").getMember("expose").getACall()
}
override DataFlow::Node getUrlPatternArg() {
result in [this.getArg(0), this.getArgByName("url")]
}
override Function getARequestHandler() { result.getADecorator().getAFlowNode() = node }
}
/**
* A call to `flask_admin.expose_plugview`, which is used as a decorator to make the
* class (which we expect to be a flask View class) exposed in the admin interface.
*
* See https://flask-admin.readthedocs.io/en/latest/api/mod_base/#flask_admin.base.expose_plugview
*/
private class FlaskAdminExposePlugviewCall extends Flask::FlaskRouteSetup, DataFlow::CallCfgNode {
FlaskAdminExposePlugviewCall() {
this = API::moduleImport("flask_admin").getMember("expose_plugview").getACall()
}
override DataFlow::Node getUrlPatternArg() {
result in [this.getArg(0), this.getArgByName("url")]
}
override Parameter getARoutedParameter() {
result = super.getARoutedParameter() and
(
exists(this.getUrlPattern())
or
// the first argument is `self`, and the second argument `cls` will receive the
// containing flask_admin View class -- this is only relevant if the URL pattern
// is not known
not exists(this.getUrlPattern()) and
not result = this.getARequestHandler().getArg([0, 1])
)
}
override Function getARequestHandler() {
exists(Flask::FlaskViewClass cls |
cls.getADecorator().getAFlowNode() = node and
result = cls.getARequestHandler()
)
}
}
}