Merge pull request #1043 from markshannon/python-fix-stack-trace-exposure

taus-semmle · web-flow · commit 984fb3a01040 · 2019-03-08T11:40:27.000+01:00
Python: fix stack trace exposure query.
diff --git a/python/ql/src/Security/CWE-209/StackTraceExposure.ql b/python/ql/src/Security/CWE-209/StackTraceExposure.ql
@@ -19,5 +19,5 @@ import semmle.python.security.Exceptions
 import semmle.python.web.HttpResponse
 
 from TaintedPathSource src, TaintedPathSink sink
-where src.flowsTo(sink)
+where src.flowsTo(sink) and src.getSource() instanceof ErrorInfoSource
 select sink.getSink(), src, sink, "$@ may be exposed to an external user", src.getSource(), "Error information"
diff --git a/python/ql/src/semmle/python/security/Exceptions.qll b/python/ql/src/semmle/python/security/Exceptions.qll
@@ -31,6 +31,10 @@ class ExceptionInfo extends StringKind {
 
 }
 
+/** A class representing sources of information about 
+ * execution state exposed in tracebacks and the like.
+ */
+abstract class ErrorInfoSource extends TaintSource {}
 
 /**
  * This kind represents exceptions themselves.
@@ -56,7 +60,7 @@ class ExceptionKind extends TaintKind {
  * A source of exception objects, either explicitly created, or captured by an
  * `except` statement.
  */
-class ExceptionSource extends TaintSource {
+class ExceptionSource extends ErrorInfoSource {
 
     ExceptionSource() {
         exists(ClassObject cls |
@@ -91,7 +95,7 @@ class ExceptionInfoSequence extends SequenceKind {
  * Represents calls to functions in the `traceback` module that return
  * sequences of exception information.
  */
-class CallToTracebackFunction extends TaintSource {
+class CallToTracebackFunction extends ErrorInfoSource {
 
     CallToTracebackFunction() {
         exists(string name |
@@ -120,7 +124,7 @@ class CallToTracebackFunction extends TaintSource {
  * Represents calls to functions in the `traceback` module that return a single
  * string of information about an exception.
  */
-class FormattedTracebackSource extends TaintSource {
+class FormattedTracebackSource extends ErrorInfoSource {
 
     FormattedTracebackSource() {
         this = traceback_function("format_exc").getACall()
diff --git a/python/ql/test/query-tests/Security/CWE-209/test.py b/python/ql/test/query-tests/Security/CWE-209/test.py
@@ -1,4 +1,4 @@
-from flask import Flask
+from flask import Flask, request, make_response
 app = Flask(__name__)
 
 
@@ -35,3 +35,8 @@ def server_bad_flow():
 
 def format_error(msg):
     return "[ERROR] " + msg
+
+#Unrelated error
+@app.route('/maybe_xss')
+def maybe_xss():
+    return make_response(request.args.get('name', ''))
