

Commit b841ecb

committed
Python: Fix tornado and twisted request attribute tracking; 'path' attribute can be trusted, but 'uri' and 'arguments' cannot.
1 parent ccfb1c2 commit b841ecb

2 files changed

Lines changed: 9 additions & 4 deletions


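--- a/python/ql/src/semmle/python/web/tornado/Request.qll
+++ b/python/ql/src/semmle/python/web/tornado/Request.qll
@@ -15,16 +15,22 @@ class TornadoRequest extends TaintKind {
 result instanceof ExternalStringDictKind and
 (
 name = "headers" or
-name = "arguments" or
 name = "cookies"
 )
 or
 result instanceof ExternalStringKind and
 (
-name = "path" or
+name = "uri" or
 name = "query" or
 name = "body"
 )
+or
+result instanceof ExternalStringSequenceDictKind and
+(
+name = "arguments" or
+name = "query_arguments" or
+name = "body_arguments"
+)
 }
 
 }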
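Review bot: Dropping `name = "path"` from the `ExternalStringKind` alternative means the request path is no longer modelled as attacker-controlled at all, which is only sound if every handler's routing pattern constrains it tightly; a catch-all route such as a `(.*)` capture would presumably still pass arbitrary user input through `path`, so this looks like a precision/recall trade-off worth recording rather than a property of the attribute. The same removal appears in the twisted `Request.qll` hunk below, where `path` is likewise dropped while only `uri` stays tainted. I would add a QLDoc line above the predicate, e.g. `/** `path` is deliberately not tracked: it is assumed to be constrained by the route pattern that selected the handler. */`, so the assumption can be revisited if catch-all routes turn out to matter. The enclosing predicate starts above line 15, outside this hunk.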

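--- a/python/ql/src/semmle/python/web/twisted/Request.qll
+++ b/python/ql/src/semmle/python/web/twisted/Request.qll
@@ -19,8 +19,7 @@ class TwistedRequest extends TaintKind {
 or
 result instanceof ExternalStringKind and
 (
-name = "uri" or
-name = "path"
+name = "uri"
 )
 }
 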