@@ -15,6 +15,8 @@ private import semmle.python.security.internal.EncryptionKeySizes
1515private import semmle.python.dataflow.new.SensitiveDataSources
1616private import codeql.threatmodels.ThreatModels
1717private import codeql.concepts.ConceptsShared
18+ private import semmle.python.ApiGraphs
19+ private import semmle.python.frameworks.data.ModelsAsData
1820
1921private module ConceptsShared = ConceptsMake< Location , PythonDataFlow > ;
2022
@@ -1656,8 +1658,35 @@ module Http {
16561658 }
16571659
16581660 import ConceptsShared:: Http:: Client as Client
1661+
16591662 // TODO: investigate whether we should treat responses to client requests as
16601663 // remote-flow-sources in general.
1664+ /**
1665+ * An HTTP request modeled from `request-forgery` sinks, modeled using MaD.
1666+ */
1667+ class HttpClientRequestFromModel extends Http:: Client:: Request:: Range instanceof API:: CallNode {
1668+ DataFlow:: Node urlArg ;
1669+
1670+ HttpClientRequestFromModel ( ) {
1671+ (
1672+ this .getArg ( _) = urlArg
1673+ or
1674+ this .getArgByName ( _) = urlArg
1675+ ) and
1676+ ModelOutput:: sinkNode ( urlArg , "request-forgery" )
1677+ }
1678+
1679+ override DataFlow:: Node getAUrlPart ( ) { result = urlArg }
1680+
1681+ override string getFramework ( ) { result = "MaD" }
1682+
1683+ override predicate disablesCertificateValidation (
1684+ DataFlow:: Node disablingNode , DataFlow:: Node argumentOrigin
1685+ ) {
1686+ // NOTE: if you need to define this, you have to special case it for every possible API in MaD
1687+ none ( )
1688+ }
1689+ }
16611690}
16621691
16631692/**
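Review bot: `disablesCertificateValidation` is `none()` at new lines 1683-1688, so a request that is known only through a MaD `request-forgery` sink can never be reported by a query that relies on this predicate, and neither the class QLDoc nor the inline NOTE tells the reader about that gap. I would add to the QLDoc something like `Certificate-validation checks are not available for requests modeled this way; an API that needs them has to be modeled in QL.` The characteristic predicate also only accepts sinks that are a positional or keyword argument of the call, so a sink modeled on any other access path would presumably produce no `Request`; that restriction belongs in the same comment. The class is complete within the hunk, while the enclosing `module Http` starts outside it.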