Python: Fix falcon sources to only be source if a route is attached.

markshannon · markshannon · commit 9170d8515514 · 2019-02-27T16:42:31.000Z
diff --git a/python/ql/src/semmle/python/web/falcon/General.qll b/python/ql/src/semmle/python/web/falcon/General.qll
@@ -16,6 +16,10 @@ private predicate api_route(CallNode route_call, ControlFlowNode route, ClassObj
     route_call.getArg(1).refersTo(_, resource, _)
 }
 
+private predicate route(FalconRoute route, Function target, string funcname) {
+    route.getResourceClass().lookupAttribute("on_" + funcname).(FunctionObject).getFunction() = target
+}
+
 class FalconRoute extends ControlFlowNode {
 
     FalconRoute() {
@@ -33,28 +37,24 @@ class FalconRoute extends ControlFlowNode {
         api_route(this, _, result)
     }
 
-    FalconHandlerFunction getHandlerFunction() {
-        result = this.getResourceClass().lookupAttribute(_).(FunctionObject).getFunction()
-    }
-
     FalconHandlerFunction getHandlerFunction(string method) {
-        result = this.getResourceClass().lookupAttribute("on_" + method).(FunctionObject).getFunction()
+        route(this, result, method)
     }
 
 }
 
 class FalconHandlerFunction extends Function {
 
-    string method;
-
     FalconHandlerFunction() {
-        exists(ClassObject resource |
-            resource.lookupAttribute("on_" + method).(FunctionObject).getFunction() = this
-        )
+        route(_, this, _)
+    }
+
+    private string methodName() {
+        route(_, this, result)
     }
 
     string getMethod() {
-        result = method.toUpperCase()
+        result = this.methodName().toUpperCase()
     }
 
     Parameter getRequest() {
diff --git a/python/ql/src/semmle/python/web/falcon/Response.qll b/python/ql/src/semmle/python/web/falcon/Response.qll
@@ -40,7 +40,7 @@ class FalconResponseBodySink extends TaintSink {
     }
 
     override predicate sinks(TaintKind kind) {
-        kind instanceof ExternalStringKind
+        kind instanceof StringKind
     }
 
 }

Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ class FalconResponseBodySink extends TaintSink {`
`40`	`40`	`}`
`41`	`41`
`42`	`42`	`override predicate sinks(TaintKind kind) {`
`43`		`- kind instanceof ExternalStringKind`
	`43`	`+ kind instanceof StringKind`
`44`	`44`	`}`
`45`	`45`
`46`	`46`	`}`