Python: Support Django FileField.upload_to

RasmusWL · RasmusWL · commit 4338c06b0d90 · 2022-01-27T17:20:16.000+01:00
diff --git a/python/ql/lib/semmle/python/frameworks/Django.qll b/python/ql/lib/semmle/python/frameworks/Django.qll
@@ -576,6 +576,38 @@ module PrivateDjango {
           }
         }
 
+        /**
+         * Provides models for the `django.db.models.FileField` class and `ImageField` subclasses.
+         *
+         * See
+         * - https://docs.djangoproject.com/en/3.1/ref/models/fields/#django.db.models.FileField
+         * - https://docs.djangoproject.com/en/3.1/ref/models/fields/#django.db.models.ImageField
+         */
+        module FileField {
+          /** Gets a reference to the `flask.views.View` class or any subclass. */
+          API::Node subclassRef() {
+            exists(string className | className in ["FileField", "ImageField"] |
+              // commonly used alias
+              result =
+                API::moduleImport("django")
+                    .getMember("db")
+                    .getMember("models")
+                    .getMember(className)
+                    .getASubclass*()
+              or
+              // actual class definition
+              result =
+                API::moduleImport("django")
+                    .getMember("db")
+                    .getMember("models")
+                    .getMember("fields")
+                    .getMember("files")
+                    .getMember(className)
+                    .getASubclass*()
+            )
+          }
+        }
+
         /**
          * Gets a reference to the Manager (django.db.models.Manager) for a django Model,
          * accessed by `<ModelName>.objects`.
@@ -2236,6 +2268,34 @@ module PrivateDjango {
     }
   }
 
+  /**
+   * A parameter that accepts the filename used to upload a file. This is the second
+   * parameter in functions used for the `upload_to` argument to a `FileField`.
+   *
+   * See
+   *  - https://docs.djangoproject.com/en/3.1/ref/models/fields/#django.db.models.FileField.upload_to
+   *  - https://docs.djangoproject.com/en/3.1/topics/http/file-uploads/#handling-uploaded-files-with-a-model
+   */
+  private class DjangoFileFieldUploadToFunctionFilenameParam extends RemoteFlowSource::Range,
+    DataFlow::ParameterNode {
+    DjangoFileFieldUploadToFunctionFilenameParam() {
+      exists(DataFlow::CallCfgNode call, DataFlow::Node uploadToArg, Function func |
+        this.getParameter() = func.getArg(1) and
+        call = django::db::models::FileField::subclassRef().getACall() and
+        (
+          uploadToArg = call.getArg(2)
+          or
+          uploadToArg = call.getArgByName("upload_to")
+        ) and
+        uploadToArg = poorMansFunctionTracker(func)
+      )
+    }
+
+    override string getSourceType() {
+      result = "django filename parameter to function used in FileField.upload_to"
+    }
+  }
+
   // ---------------------------------------------------------------------------
   // django.shortcuts.redirect
   // ---------------------------------------------------------------------------
diff --git a/python/ql/test/library-tests/web/django/FileField_test.py b/python/ql/test/library-tests/web/django/FileField_test.py
@@ -0,0 +1,27 @@
+from django.db import models
+import django.db.models.fields.files
+
+def custom_path_function_1(instance, filename):
+    ensure_tainted(filename) # $ tainted
+
+def custom_path_function_2(instance, filename):
+    ensure_tainted(filename) # $ tainted
+
+def custom_path_function_3(instance, filename):
+    ensure_tainted(filename) # $ tainted
+
+def custom_path_function_4(instance, filename):
+    ensure_tainted(filename) # $ tainted
+
+
+class CustomFileFieldSubclass(models.FileField):
+    pass
+
+
+class MyModel(models.Model):
+    upload_1 = models.FileField(None, None, custom_path_function_1)
+    upload_2 = django.db.models.fields.files.FileField(upload_to=custom_path_function_2)
+
+    upload_3 = models.ImageField(upload_to=custom_path_function_3)
+
+    upload_4 = CustomFileFieldSubclass(upload_to=custom_path_function_4)
