github
diff --git a/‎python/ql/src/experimental/Security-new-dataflow/CWE-079/ReflectedXss.ql‎
Lines changed: 38 additions & 0 deletions b/‎python/ql/src/experimental/Security-new-dataflow/CWE-079/ReflectedXss.ql‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎python/ql/src/experimental/semmle/python/Concepts.qll‎
Lines changed: 57 additions & 2 deletions b/‎python/ql/src/experimental/semmle/python/Concepts.qll‎
Lines changed: 57 additions & 2 deletions
diff --git a/‎python/ql/src/experimental/semmle/python/frameworks/Flask.qll‎
Lines changed: 177 additions & 11 deletions b/‎python/ql/src/experimental/semmle/python/frameworks/Flask.qll‎
Lines changed: 177 additions & 11 deletions
diff --git a/‎python/ql/test/experimental/library-tests/frameworks/flask/ConceptsTest.ql‎
Lines changed: 10 additions & 0 deletions b/‎python/ql/test/experimental/library-tests/frameworks/flask/ConceptsTest.ql‎
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,38 @@
+/**
+ * @name Reflected server-side cross-site scripting
+ * @description Writing user input directly to a web page
+ *              allows for a cross-site scripting vulnerability.
+ * @kind path-problem
+ * @problem.severity error
+ * @sub-severity high
+ * @precision high
+ * @id py/reflective-xss
+ * @tags security
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ */
+
+import python
+import experimental.dataflow.DataFlow
+import experimental.dataflow.TaintTracking
+import experimental.semmle.python.Concepts
+import experimental.dataflow.RemoteFlowSources
+import DataFlow::PathGraph
+
+class ReflectedXssConfiguration extends TaintTracking::Configuration {
+  ReflectedXssConfiguration() { this = "ReflectedXssConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(HTTP::Server::HttpResponse response |
+      response.getMimetype().toLowerCase() = "text/html" and
+      sink = response.getBody()
+    )
+  }
+}
+
+from ReflectedXssConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
+  source.getNode(), "a user-provided value"
@@ -160,7 +160,7 @@ module HTTP {
   /** Provides classes for modeling HTTP servers. */
   module Server {
     /**
-     * An data-flow node that sets up a route on a server.
+     * A data-flow node that sets up a route on a server.
      *
      * Extend this class to refine existing API models. If you want to model new APIs,
      * extend `RouteSetup::Range` instead.
@@ -186,7 +186,7 @@ module HTTP {
     /** Provides a class for modeling new HTTP routing APIs. */
     module RouteSetup {
       /**
-       * An data-flow node that sets up a route on a server.
+       * A data-flow node that sets up a route on a server.
        *
        * Extend this class to model new APIs. If you want to refine existing API models,
        * extend `RouteSetup` instead.
@@ -219,5 +219,60 @@ module HTTP {
 
       override string getSourceType() { result = "RoutedParameter" }
     }
+
+    /**
+     * A data-flow node that creates a HTTP response on a server.
+     *
+     * Note: we don't require that this response must be sent to a client (a kind of
+     * "if a tree falls in a forest and nobody hears it" situation).
+     *
+     * Extend this class to refine existing API models. If you want to model new APIs,
+     * extend `HttpResponse::Range` instead.
+     */
+    class HttpResponse extends DataFlow::Node {
+      HttpResponse::Range range;
+
+      HttpResponse() { this = range }
+
+      /** Gets the data-flow node that specifies the body of this HTTP response. */
+      DataFlow::Node getBody() { result = range.getBody() }
+
+      /** Gets the mimetype of this HTTP response, if it can be statically determined. */
+      string getMimetype() { result = range.getMimetype() }
+    }
+
+    /** Provides a class for modeling new HTTP response APIs. */
+    module HttpResponse {
+      /**
+       * A data-flow node that creates a HTTP response on a server.
+       *
+       * Note: we don't require that this response must be sent to a client (a kind of
+       * "if a tree falls in a forest and nobody hears it" situation).
+       *
+       * Extend this class to model new APIs. If you want to refine existing API models,
+       * extend `HttpResponse` instead.
+       */
+      abstract class Range extends DataFlow::Node {
+        /** Gets the data-flow node that specifies the body of this HTTP response. */
+        abstract DataFlow::Node getBody();
+
+        /** Gets the data-flow node that specifies the content-type/mimetype of this HTTP response, if any. */
+        abstract DataFlow::Node getMimetypeOrContentTypeArg();
+
+        /** Gets the default mimetype that should be used if `getMimetypeOrContentTypeArg` has no results. */
+        abstract string getMimetypeDefault();
+
+        /** Gets the mimetype of this HTTP response, if it can be statically determined. */
+        string getMimetype() {
+          exists(StrConst str |
+            DataFlow::localFlow(DataFlow::exprNode(str), this.getMimetypeOrContentTypeArg()) and
+            result = str.getText().splitAt(";", 0)
+          )
+          or
+          not exists(this.getMimetypeOrContentTypeArg()) and
+          result = this.getMimetypeDefault()
+        }
+      }
+    }
   }
 }
@@ -15,6 +15,9 @@ private import experimental.semmle.python.frameworks.Werkzeug
  * See https://flask.palletsprojects.com/en/1.1.x/.
  */
 private module FlaskModel {
+  // ---------------------------------------------------------------------------
+  // flask
+  // ---------------------------------------------------------------------------
   /** Gets a reference to the `flask` module. */
   private DataFlow::Node flask(DataFlow::TypeTracker t) {
     t.start() and
@@ -26,21 +29,52 @@ private module FlaskModel {
   /** Gets a reference to the `flask` module. */
   DataFlow::Node flask() { result = flask(DataFlow::TypeTracker::end()) }
 
-  /** Provides models for the `flask` module. */
-  module flask {
-    /** Gets a reference to the `flask.request` object. */
-    private DataFlow::Node request(DataFlow::TypeTracker t) {
+  /**
+   * Gets a reference to the attribute `attr_name` of the `flask` module.
+   * WARNING: Only holds for a few predefined attributes.
+   */
+  private DataFlow::Node flask_attr(DataFlow::TypeTracker t, string attr_name) {
+    attr_name in ["request", "make_response", "Response"] and
+    (
       t.start() and
-      result = DataFlow::importNode("flask.request")
+      result = DataFlow::importNode("flask" + "." + attr_name)
       or
-      t.startInAttr("request") and
+      t.startInAttr(attr_name) and
       result = flask()
-      or
-      exists(DataFlow::TypeTracker t2 | result = request(t2).track(t2, t))
-    }
+    )
+    or
+    // Due to bad performance when using normal setup with `flask_attr(t2, attr_name).track(t2, t)`
+    // we have inlined that code and forced a join
+    exists(DataFlow::TypeTracker t2 |
+      exists(DataFlow::StepSummary summary |
+        flask_attr_first_join(t2, attr_name, result, summary) and
+        t = t2.append(summary)
+      )
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flask_attr_first_join(
+    DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
+  ) {
+    DataFlow::StepSummary::step(flask_attr(t2, attr_name), res, summary)
+  }
+
+  /**
+   * Gets a reference to the attribute `attr_name` of the `flask` module.
+   * WARNING: Only holds for a few predefined attributes.
+   */
+  private DataFlow::Node flask_attr(string attr_name) {
+    result = flask_attr(DataFlow::TypeTracker::end(), attr_name)
+  }
 
+  /** Provides models for the `flask` module. */
+  module flask {
     /** Gets a reference to the `flask.request` object. */
-    DataFlow::Node request() { result = request(DataFlow::TypeTracker::end()) }
+    DataFlow::Node request() { result = flask_attr("request") }
+
+    /** Gets a reference to the `flask.make_response` function. */
+    DataFlow::Node make_response() { result = flask_attr("make_response") }
 
     /**
      * Provides models for the `flask.Flask` class
@@ -96,7 +130,7 @@ private module FlaskModel {
        * WARNING: Only holds for a few predefined attributes.
        */
       private DataFlow::Node instance_attr(DataFlow::TypeTracker t, string attr_name) {
-        attr_name in ["route", "add_url_rule"] and
+        attr_name in ["route", "add_url_rule", "make_response"] and
         t.startInAttr(attr_name) and
         result = flask::Flask::instance()
         or
@@ -131,9 +165,99 @@ private module FlaskModel {
 
       /** Gets a reference to the `add_url_rule` method on an instance of `flask.Flask`. */
       DataFlow::Node add_url_rule() { result = instance_attr("add_url_rule") }
+
+      /** Gets a reference to the `make_response` method on an instance of `flask.Flask`. */
+      // HACK: We can't call this predicate `make_response` since shadowing is
+      // completely disallowed in QL. I added an underscore to move thing forwards for
+      // now :(
+      DataFlow::Node make_response_() { result = instance_attr("make_response") }
+
+      /** Gets a reference to the `response_class` attribute on the `flask.Flask` class or an instance. */
+      private DataFlow::Node response_class(DataFlow::TypeTracker t) {
+        t.startInAttr("response_class") and
+        result in [classRef(), instance()]
+        or
+        exists(DataFlow::TypeTracker t2 | result = response_class(t2).track(t2, t))
+      }
+
+      /**
+       * Gets a reference to the `response_class` attribute on the `flask.Flask` class or an instance.
+       *
+       * See https://flask.palletsprojects.com/en/1.1.x/api/#flask.Flask.response_class
+       */
+      DataFlow::Node response_class() { result = response_class(DataFlow::TypeTracker::end()) }
     }
   }
 
+  /**
+   * Provides models for the `flask.Response` class
+   *
+   * See https://flask.palletsprojects.com/en/1.1.x/api/#flask.Response.
+   */
+  module Response {
+    /** Gets a reference to the `flask.Response` class. */
+    private DataFlow::Node classRef(DataFlow::TypeTracker t) {
+      t.start() and
+      result in [flask_attr("Response"), flask::Flask::response_class()]
+      or
+      exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
+    }
+
+    /** Gets a reference to the `flask.Response` class. */
+    DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
+
+    /**
+     * A source of an instance of `flask.Response`.
+     *
+     * This can include instantiation of the class, return value from function
+     * calls, or a special parameter that will be set when functions are call by external
+     * library.
+     *
+     * Use `Response::instance()` predicate to get references to instances of `flask.Response`.
+     */
+    abstract class InstanceSource extends HTTP::Server::HttpResponse::Range, DataFlow::Node { }
+
+    /** A direct instantiation of `flask.Response`. */
+    private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
+      override CallNode node;
+
+      ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
+
+      override DataFlow::Node getBody() { result.asCfgNode() = node.getArg(0) }
+
+      override string getMimetypeDefault() { result = "text/html" }
+
+      /** Gets the argument passed to the `mimetype` parameter, if any. */
+      private DataFlow::Node getMimetypeArg() {
+        result.asCfgNode() in [node.getArg(3), node.getArgByName("mimetype")]
+      }
+
+      /** Gets the argument passed to the `content_type` parameter, if any. */
+      private DataFlow::Node getContentTypeArg() {
+        result.asCfgNode() in [node.getArg(4), node.getArgByName("content_type")]
+      }
+
+      override DataFlow::Node getMimetypeOrContentTypeArg() {
+        result = this.getContentTypeArg()
+        or
+        // content_type argument takes priority over mimetype argument
+        not exists(this.getContentTypeArg()) and
+        result = this.getMimetypeArg()
+      }
+    }
+
+    /** Gets a reference to an instance of `flask.Response`. */
+    private DataFlow::Node instance(DataFlow::TypeTracker t) {
+      t.start() and
+      result instanceof InstanceSource
+      or
+      exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))
+    }
+
+    /** Gets a reference to an instance of `flask.Response`. */
+    DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+  }
+
   // ---------------------------------------------------------------------------
   // routing modeling
   // ---------------------------------------------------------------------------
@@ -324,8 +448,50 @@ private module FlaskModel {
   private class RequestInputFiles extends RequestInputMultiDict {
     RequestInputFiles() { attr_name = "files" }
   }
+
   // TODO: Somehow specify that elements of `RequestInputFiles` are
   // Werkzeug::werkzeug::datastructures::FileStorage and should have those additional taint steps
   // AND that the 0-indexed argument to its' save method is a sink for path-injection.
   // https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.FileStorage.save
+  // ---------------------------------------------------------------------------
+  // Response modeling
+  // ---------------------------------------------------------------------------
+  /**
+   * A call to either `flask.make_response` function, or the `make_response` method on
+   * an instance of `flask.Flask`.
+   *
+   * See
+   * - https://flask.palletsprojects.com/en/1.1.x/api/#flask.Flask.make_response
+   * - https://flask.palletsprojects.com/en/1.1.x/api/#flask.make_response
+   */
+  private class FlaskMakeResponseCall extends HTTP::Server::HttpResponse::Range, DataFlow::CfgNode {
+    override CallNode node;
+
+    FlaskMakeResponseCall() {
+      node.getFunction() = flask::make_response().asCfgNode()
+      or
+      node.getFunction() = flask::Flask::make_response_().asCfgNode()
+    }
+
+    override DataFlow::Node getBody() { result.asCfgNode() = node.getArg(0) }
+
+    override string getMimetypeDefault() { result = "text/html" }
+
+    override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
+  }
+
+  private class FlaskRouteHandlerReturn extends HTTP::Server::HttpResponse::Range, DataFlow::CfgNode {
+    FlaskRouteHandlerReturn() {
+      exists(Function routeHandler |
+        routeHandler = any(FlaskRouteSetup rs).getARouteHandler() and
+        node = routeHandler.getAReturnValueFlowNode()
+      )
+    }
+
+    override DataFlow::Node getBody() { result = this }
+
+    override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
+
+    override string getMimetypeDefault() { result = "text/html" }
+  }
 }
@@ -1,2 +1,12 @@
 import python
 import experimental.meta.ConceptsTest
+
+class DedicatedFlaskResponseTest extends HttpServerHttpResponseTest {
+  DedicatedFlaskResponseTest() { file.getShortName() = "response_test.py" }
+}
+
+class OtherFlaskResponseTest extends HttpServerHttpResponseTest {
+  OtherFlaskResponseTest() { not this instanceof DedicatedFlaskResponseTest }
+
+  override string getARelevantTag() { result = "HttpResponse" }
+}