Python: Add prefix sanitizer on URL redirect query

RasmusWL · RasmusWL · commit 37aa9b9d060d · 2021-01-20T11:35:47.000+01:00
This doesn't cover 100% of what we want to, but matches what we used to.
diff --git a/python/ql/src/semmle/python/security/dataflow/UrlRedirect.qll b/python/ql/src/semmle/python/security/dataflow/UrlRedirect.qll
@@ -22,6 +22,15 @@ class UrlRedirectConfiguration extends TaintTracking::Configuration {
     sink = any(HTTP::Server::HttpRedirectResponse e).getRedirectLocation()
   }
 
+  override predicate isSanitizer(DataFlow::Node node) {
+    // Url redirection is a problem only if the user controls the prefix of the URL.
+    // This is a copy of the taint-sanitizer from the old points-to query, which doesn't
+    // cover formatting.
+    exists(BinaryExprNode string_concat | string_concat.getOp() instanceof Add |
+      string_concat.getRight() = node.asCfgNode()
+    )
+  }
+
   override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
     guard instanceof StringConstCompare
   }
diff --git a/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected b/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected
@@ -1,7 +1,5 @@
 edges
 | test.py:7:14:7:25 | ControlFlowNode for Attribute | test.py:8:21:8:26 | ControlFlowNode for target |
-| test.py:15:17:15:28 | ControlFlowNode for Attribute | test.py:18:21:18:24 | ControlFlowNode for safe |
-| test.py:23:17:23:28 | ControlFlowNode for Attribute | test.py:25:21:25:24 | ControlFlowNode for safe |
 | test.py:30:17:30:28 | ControlFlowNode for Attribute | test.py:32:21:32:24 | ControlFlowNode for safe |
 | test.py:37:17:37:28 | ControlFlowNode for Attribute | test.py:39:21:39:24 | ControlFlowNode for safe |
 | test.py:44:17:44:28 | ControlFlowNode for Attribute | test.py:46:21:46:24 | ControlFlowNode for safe |
@@ -12,10 +10,6 @@ edges
 nodes
 | test.py:7:14:7:25 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | test.py:8:21:8:26 | ControlFlowNode for target | semmle.label | ControlFlowNode for target |
-| test.py:15:17:15:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| test.py:18:21:18:24 | ControlFlowNode for safe | semmle.label | ControlFlowNode for safe |
-| test.py:23:17:23:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| test.py:25:21:25:24 | ControlFlowNode for safe | semmle.label | ControlFlowNode for safe |
 | test.py:30:17:30:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | test.py:32:21:32:24 | ControlFlowNode for safe | semmle.label | ControlFlowNode for safe |
 | test.py:37:17:37:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
@@ -32,8 +26,6 @@ nodes
 | test.py:76:21:76:26 | ControlFlowNode for unsafe | semmle.label | ControlFlowNode for unsafe |
 #select
 | test.py:8:21:8:26 | ControlFlowNode for target | test.py:7:14:7:25 | ControlFlowNode for Attribute | test.py:8:21:8:26 | ControlFlowNode for target | Untrusted URL redirection due to $@. | test.py:7:14:7:25 | ControlFlowNode for Attribute | A user-provided value |
-| test.py:18:21:18:24 | ControlFlowNode for safe | test.py:15:17:15:28 | ControlFlowNode for Attribute | test.py:18:21:18:24 | ControlFlowNode for safe | Untrusted URL redirection due to $@. | test.py:15:17:15:28 | ControlFlowNode for Attribute | A user-provided value |
-| test.py:25:21:25:24 | ControlFlowNode for safe | test.py:23:17:23:28 | ControlFlowNode for Attribute | test.py:25:21:25:24 | ControlFlowNode for safe | Untrusted URL redirection due to $@. | test.py:23:17:23:28 | ControlFlowNode for Attribute | A user-provided value |
 | test.py:32:21:32:24 | ControlFlowNode for safe | test.py:30:17:30:28 | ControlFlowNode for Attribute | test.py:32:21:32:24 | ControlFlowNode for safe | Untrusted URL redirection due to $@. | test.py:30:17:30:28 | ControlFlowNode for Attribute | A user-provided value |
 | test.py:39:21:39:24 | ControlFlowNode for safe | test.py:37:17:37:28 | ControlFlowNode for Attribute | test.py:39:21:39:24 | ControlFlowNode for safe | Untrusted URL redirection due to $@. | test.py:37:17:37:28 | ControlFlowNode for Attribute | A user-provided value |
 | test.py:46:21:46:24 | ControlFlowNode for safe | test.py:44:17:44:28 | ControlFlowNode for Attribute | test.py:46:21:46:24 | ControlFlowNode for safe | Untrusted URL redirection due to $@. | test.py:44:17:44:28 | ControlFlowNode for Attribute | A user-provided value |
diff --git a/python/ql/test/query-tests/Security/CWE-601/test.py b/python/ql/test/query-tests/Security/CWE-601/test.py
@@ -15,14 +15,14 @@ def ok():
     untrusted = request.args.get('target', '')
     safe = "https://safe.com/"
     safe += untrusted
-    return redirect(safe, code=302) # FP
+    return redirect(safe, code=302)
 
 
 @app.route('/ok2')
 def ok2():
     untrusted = request.args.get('target', '')
     safe = "https://safe.com/" + untrusted
-    return redirect(safe, code=302) # FP
+    return redirect(safe, code=302)
 
 
 @app.route('/ok3')
