Python: Add cherrypy handler function return values as taint sinks.

markshannon · markshannon · commit 91a1cc9f0b3d · 2019-02-28T15:25:13.000Z
diff --git a/python/ql/src/semmle/python/web/HttpResponse.qll b/python/ql/src/semmle/python/web/HttpResponse.qll
@@ -6,3 +6,4 @@ import semmle.python.web.twisted.Response
 import semmle.python.web.bottle.Response
 import semmle.python.web.turbogears.Response
 import semmle.python.web.falcon.Response
+import semmle.python.web.cherrypy.Response
diff --git a/python/ql/src/semmle/python/web/cherrypy/General.qll b/python/ql/src/semmle/python/web/cherrypy/General.qll
@@ -13,6 +13,8 @@ class CherryPyExposedFunction extends Function {
 
     CherryPyExposedFunction() {
         this.getADecorator().refersTo(CherryPy::expose())
+        or
+        this.getADecorator().(Call).getFunc().refersTo(CherryPy::expose())
     }
 
 }
diff --git a/python/ql/src/semmle/python/web/cherrypy/Response.qll b/python/ql/src/semmle/python/web/cherrypy/Response.qll
@@ -0,0 +1,28 @@
+import python
+
+import semmle.python.security.TaintTracking
+import semmle.python.security.strings.Untrusted
+import semmle.python.web.Http
+import semmle.python.web.cherrypy.General
+
+
+
+class CherryPyExposedFunctionResult extends TaintSink {
+
+    CherryPyExposedFunctionResult() {
+        exists(Return ret |
+            ret.getScope() instanceof CherryPyExposedFunction and
+            ret.getValue().getAFlowNode() = this
+        )
+    }
+
+    override predicate sinks(TaintKind kind) {
+        kind instanceof StringKind
+    }
+
+    override string toString() {
+        result = "cherrypy handler function result"
+    }
+
+}
+
diff --git a/python/ql/test/library-tests/web/cherrypy/Sinks.expected b/python/ql/test/library-tests/web/cherrypy/Sinks.expected
@@ -0,0 +1,3 @@
+| red.py:8 | Str | externally controlled string |
+| test.py:11 | BinaryExpr | externally controlled string |
+| test.py:17 | BinaryExpr | externally controlled string |
diff --git a/python/ql/test/library-tests/web/cherrypy/Sinks.ql b/python/ql/test/library-tests/web/cherrypy/Sinks.ql
@@ -0,0 +1,10 @@
+
+import python
+
+import semmle.python.web.HttpRequest
+import semmle.python.web.HttpResponse
+import semmle.python.security.strings.Untrusted
+
+from TaintSink sink, TaintKind kind
+where sink.sinks(kind)
+select sink.getLocation().toString(), sink.(ControlFlowNode).getNode().toString(), kind

Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,8 @@ class CherryPyExposedFunction extends Function {`
`13`	`13`
`14`	`14`	`CherryPyExposedFunction() {`
`15`	`15`	`this.getADecorator().refersTo(CherryPy::expose())`
	`16`	`+ or`
	`17`	`+ this.getADecorator().(Call).getFunc().refersTo(CherryPy::expose())`
`16`	`18`	`}`
`17`	`19`
`18`	`20`	`}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+\| red.py:8 \| Str \| externally controlled string \|`
	`2`	`+\| test.py:11 \| BinaryExpr \| externally controlled string \|`
	`3`	`+\| test.py:17 \| BinaryExpr \| externally controlled string \|`