Python: Add wsgi.environment as a kind of taint, and add suuport for env attribute of falcon request objects.

markshannon · markshannon · commit 1444b3976ce9 · 2019-02-28T13:06:11.000Z
diff --git a/python/ql/src/semmle/python/security/TaintTracking.qll b/python/ql/src/semmle/python/security/TaintTracking.qll
@@ -167,6 +167,7 @@ abstract class CollectionKind extends TaintKind {
         /* Prevent any collection kinds more than 2 deep */
         not this.charAt(2) = "[" and not this.charAt(2) = "{"
     }
+
 }
 
 /** A taint kind representing a flat collections of kinds.
@@ -193,7 +194,7 @@ class SequenceKind extends CollectionKind {
             tonode.(BinaryExprNode).getAnOperand() = fromnode
         )
         or
-        result = this and copy_call(fromnode, tonode)
+        result = this and TaintFlowImplementation::copyCall(fromnode, tonode)
         or
         exists(BinaryExprNode mod |
             mod = tonode and
@@ -236,20 +237,6 @@ private predicate slice(ControlFlowNode fromnode, SubscriptNode tonode) {
     )
 }
 
-/* A call that returns a copy (or similar) of the argument */
-private predicate copy_call(ControlFlowNode fromnode, CallNode tonode) {
-    tonode.getFunction().(AttrNode).getObject("copy") = fromnode
-    or
-    exists(ModuleObject copy, string name |
-        name = "copy" or name = "deepcopy" |
-        copy.attr(name).(FunctionObject).getACall() = tonode and
-        tonode.getArg(0) = fromnode
-    )
-    or
-    tonode.getFunction().refersTo(Object::builtin("reversed")) and
-    tonode.getArg(0) = fromnode
-}
-
 /** A taint kind representing a mapping of objects to kinds.
  * Typically a dict, but can include other mappings.
  */
@@ -272,7 +259,7 @@ class DictKind extends CollectionKind {
         result = valueKind and
         tonode.(CallNode).getFunction().(AttrNode).getObject("get") = fromnode
         or
-        result = this and copy_call(fromnode, tonode)
+        result = this and TaintFlowImplementation::copyCall(fromnode, tonode)
         or
         result = this and
         tonode.(CallNode).getFunction().refersTo(theDictType()) and
@@ -1263,6 +1250,20 @@ library module TaintFlowImplementation {
         context = fromnode.getContext()
     }
 
+    /* A call that returns a copy (or similar) of the argument */
+    predicate copyCall(ControlFlowNode fromnode, CallNode tonode) {
+        tonode.getFunction().(AttrNode).getObject("copy") = fromnode
+        or
+        exists(ModuleObject copy, string name |
+            name = "copy" or name = "deepcopy" |
+            copy.attr(name).(FunctionObject).getACall() = tonode and
+            tonode.getArg(0) = fromnode
+        )
+        or
+        tonode.getFunction().refersTo(Object::builtin("reversed")) and
+        tonode.getArg(0) = fromnode
+    }
+
 }
 
 /* Helper predicate for tainted_with */
diff --git a/python/ql/src/semmle/python/security/strings/External.qll b/python/ql/src/semmle/python/security/strings/External.qll
@@ -96,15 +96,15 @@ private predicate json_load(ControlFlowNode fromnode, CallNode tonode) {
     )
 }
 
-/** A kind of "taint", representing am open file-like object from an external source. */
+/** A kind of "taint", representing an open file-like object from an external source. */
 class ExternalFileObject extends TaintKind {
 
     ExternalFileObject() {
         this = "file[" + any(ExternalStringKind key) + "]"
     }
 
 
-    /** Gets the taint kind for item in this sequence */
+    /** Gets the taint kind for the contents of this file */
     TaintKind getValue() {
         this = "file[" + result + "]"
     }
diff --git a/python/ql/src/semmle/python/web/Http.qll b/python/ql/src/semmle/python/web/Http.qll
@@ -23,3 +23,37 @@ string httpVerb() {
 string httpVerbLower() {
     result = httpVerb().toLowerCase()
 }
+
+/** Taint kind representing the WSGI environment.
+ * As specified in PEP 3333. https://www.python.org/dev/peps/pep-3333/#environ-variables
+ */
+class WsgiEnvironment extends TaintKind {
+
+    WsgiEnvironment() { this = "wsgi.environment" }
+
+    override TaintKind getTaintForFlowStep(ControlFlowNode fromnode, ControlFlowNode tonode) {
+        result = this and TaintFlowImplementation::copyCall(fromnode, tonode)
+        or
+        result = this and
+        tonode.(CallNode).getFunction().refersTo(theDictType()) and
+        tonode.(CallNode).getArg(0) = fromnode
+        or
+        exists(StringObject key, string text |
+            tonode.(CallNode).getFunction().(AttrNode).getObject("get") = fromnode and
+            tonode.(CallNode).getArg(0).refersTo(key)
+            or
+            tonode.(SubscriptNode).getValue() = fromnode and tonode.isLoad() and
+            tonode.(SubscriptNode).getIndex().refersTo(key)
+            |
+            text = key.getText() and result instanceof ExternalStringKind and
+            (
+                text = "QUERY_STRING" or
+                text = "PATH_INFO" or
+                text.prefix(5) = "HTTP_"
+            )
+        )
+    }
+
+}
+
+
diff --git a/python/ql/src/semmle/python/web/falcon/Request.qll b/python/ql/src/semmle/python/web/falcon/Request.qll
@@ -13,7 +13,8 @@ class FalconRequest extends TaintKind {
     }
 
     override TaintKind getTaintOfAttribute(string name) {
-        // name = "env" and result instanceof WsgiEnvironment
+        name = "env" and result instanceof WsgiEnvironment
+        or
         result instanceof ExternalStringKind and
         (
             name = "uri" or name = "url" or
diff --git a/python/ql/test/library-tests/web/falcon/Routing.expected b/python/ql/test/library-tests/web/falcon/Routing.expected
@@ -1,2 +1,3 @@
+| /hello | delete | test.py:22:5:22:35 | Function on_delete |
 | /hello | get | test.py:9:5:9:32 | Function on_get |
 | /hello | post | test.py:19:5:19:33 | Function on_post |
diff --git a/python/ql/test/library-tests/web/falcon/Sources.expected b/python/ql/test/library-tests/web/falcon/Sources.expected
@@ -1,2 +1,3 @@
 | test.py:9 | req | falcon.request |
 | test.py:19 | req | falcon.request |
+| test.py:22 | req | falcon.request |
diff --git a/python/ql/test/library-tests/web/falcon/Taint.expected b/python/ql/test/library-tests/web/falcon/Taint.expected
@@ -16,3 +16,10 @@
 | test.py:17 | result | {json[externally controlled string]} |
 | test.py:19 | req | falcon.request |
 | test.py:19 | resp | falcon.response |
+| test.py:22 | req | falcon.request |
+| test.py:22 | resp | falcon.response |
+| test.py:23 | Attribute | wsgi.environment |
+| test.py:23 | req | falcon.request |
+| test.py:24 | Subscript | externally controlled string |
+| test.py:24 | env | wsgi.environment |
+| test.py:25 | qs | externally controlled string |
diff --git a/python/ql/test/library-tests/web/falcon/test.py b/python/ql/test/library-tests/web/falcon/test.py
@@ -19,5 +19,10 @@ def on_get(self, req, resp):
     def on_post(self, req, resp):
         pass
 
+    def on_delete(self, req, resp):
+        env = req.env
+        qs = env["QUERY_STRING"]
+        return qs
+
 app.add_route('/hello', Handler())
 

Original file line number	Diff line number	Diff line change
`@@ -96,15 +96,15 @@ private predicate json_load(ControlFlowNode fromnode, CallNode tonode) {`
`96`	`96`	`)`
`97`	`97`	`}`
`98`	`98`
`99`		`-/** A kind of "taint", representing am open file-like object from an external source. */`
	`99`	`+/** A kind of "taint", representing an open file-like object from an external source. */`
`100`	`100`	`class ExternalFileObject extends TaintKind {`
`101`	`101`
`102`	`102`	`ExternalFileObject() {`
`103`	`103`	`this = "file[" + any(ExternalStringKind key) + "]"`
`104`	`104`	`}`
`105`	`105`
`106`	`106`
`107`		`- /** Gets the taint kind for item in this sequence */`
	`107`	`+ /** Gets the taint kind for the contents of this file */`
`108`	`108`	`TaintKind getValue() {`
`109`	`109`	`this = "file[" + result + "]"`
`110`	`110`	`}`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,8 @@ class FalconRequest extends TaintKind {`
`13`	`13`	`}`
`14`	`14`
`15`	`15`	`override TaintKind getTaintOfAttribute(string name) {`
`16`		`- // name = "env" and result instanceof WsgiEnvironment`
	`16`	`+ name = "env" and result instanceof WsgiEnvironment`
	`17`	`+ or`
`17`	`18`	`result instanceof ExternalStringKind and`
`18`	`19`	`(`
`19`	`20`	`name = "uri" or name = "url" or`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
	`1`	`+\| /hello \| delete \| test.py:22:5:22:35 \| Function on_delete \|`
`1`	`2`	`\| /hello \| get \| test.py:9:5:9:32 \| Function on_get \|`
`2`	`3`	`\| /hello \| post \| test.py:19:5:19:33 \| Function on_post \|`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`\| test.py:9 \| req \| falcon.request \|`
`2`	`2`	`\| test.py:19 \| req \| falcon.request \|`
	`3`	`+\| test.py:22 \| req \| falcon.request \|`