Merge pull request #979 from markshannon/python-falcon

taus-semmle · web-flow · commit b8b42163529f · 2019-02-28T15:47:35.000+01:00
Python: Add support for falcon web API framework.
diff --git a/change-notes/1.20/analysis-python.md b/change-notes/1.20/analysis-python.md
@@ -40,6 +40,7 @@ The API has been improved to declutter the global namespace and improve discover
 
  * Added support for the `dill` pickle library.
  * Added support for the `bottle` web framework.
+ * Added support for the `falcon` web API framework.
  * Added support for the `turbogears` web framework.
 
  
diff --git a/change-notes/1.20/support/python-frameworks.csv b/change-notes/1.20/support/python-frameworks.csv
@@ -1,6 +1,7 @@
 Name, Category
 Bottle, Web framework
 Django, Web application framework
+Falcon, Web API framework
 Flask, Microframework
 Pyramid, Web application framework
 Tornado, Web application framework and asynchronous networking library
diff --git a/python/ql/src/semmle/python/security/TaintTracking.qll b/python/ql/src/semmle/python/security/TaintTracking.qll
@@ -167,6 +167,7 @@ abstract class CollectionKind extends TaintKind {
         /* Prevent any collection kinds more than 2 deep */
         not this.charAt(2) = "[" and not this.charAt(2) = "{"
     }
+
 }
 
 /** A taint kind representing a flat collections of kinds.
@@ -193,7 +194,7 @@ class SequenceKind extends CollectionKind {
             tonode.(BinaryExprNode).getAnOperand() = fromnode
         )
         or
-        result = this and copy_call(fromnode, tonode)
+        result = this and TaintFlowImplementation::copyCall(fromnode, tonode)
         or
         exists(BinaryExprNode mod |
             mod = tonode and
@@ -236,20 +237,6 @@ private predicate slice(ControlFlowNode fromnode, SubscriptNode tonode) {
     )
 }
 
-/* A call that returns a copy (or similar) of the argument */
-private predicate copy_call(ControlFlowNode fromnode, CallNode tonode) {
-    tonode.getFunction().(AttrNode).getObject("copy") = fromnode
-    or
-    exists(ModuleObject copy, string name |
-        name = "copy" or name = "deepcopy" |
-        copy.attr(name).(FunctionObject).getACall() = tonode and
-        tonode.getArg(0) = fromnode
-    )
-    or
-    tonode.getFunction().refersTo(Object::builtin("reversed")) and
-    tonode.getArg(0) = fromnode
-}
-
 /** A taint kind representing a mapping of objects to kinds.
  * Typically a dict, but can include other mappings.
  */
@@ -272,7 +259,7 @@ class DictKind extends CollectionKind {
         result = valueKind and
         tonode.(CallNode).getFunction().(AttrNode).getObject("get") = fromnode
         or
-        result = this and copy_call(fromnode, tonode)
+        result = this and TaintFlowImplementation::copyCall(fromnode, tonode)
         or
         result = this and
         tonode.(CallNode).getFunction().refersTo(theDictType()) and
@@ -1263,6 +1250,20 @@ library module TaintFlowImplementation {
         context = fromnode.getContext()
     }
 
+    /* A call that returns a copy (or similar) of the argument */
+    predicate copyCall(ControlFlowNode fromnode, CallNode tonode) {
+        tonode.getFunction().(AttrNode).getObject("copy") = fromnode
+        or
+        exists(ModuleObject copy, string name |
+            name = "copy" or name = "deepcopy" |
+            copy.attr(name).(FunctionObject).getACall() = tonode and
+            tonode.getArg(0) = fromnode
+        )
+        or
+        tonode.getFunction().refersTo(Object::builtin("reversed")) and
+        tonode.getArg(0) = fromnode
+    }
+
 }
 
 /* Helper predicate for tainted_with */
diff --git a/python/ql/src/semmle/python/security/strings/External.qll b/python/ql/src/semmle/python/security/strings/External.qll
@@ -96,3 +96,23 @@ private predicate json_load(ControlFlowNode fromnode, CallNode tonode) {
     )
 }
 
+/** A kind of "taint", representing an open file-like object from an external source. */
+class ExternalFileObject extends TaintKind {
+
+    ExternalFileObject() {
+        this = "file[" + any(ExternalStringKind key) + "]"
+    }
+
+
+    /** Gets the taint kind for the contents of this file */
+    TaintKind getValue() {
+        this = "file[" + result + "]"
+    }
+
+    override TaintKind getTaintOfMethodResult(string name) {
+        name = "read" and result = this.getValue()
+    }
+
+}
+
+
diff --git a/python/ql/src/semmle/python/web/Http.qll b/python/ql/src/semmle/python/web/Http.qll
@@ -23,3 +23,37 @@ string httpVerb() {
 string httpVerbLower() {
     result = httpVerb().toLowerCase()
 }
+
+/** Taint kind representing the WSGI environment.
+ * As specified in PEP 3333. https://www.python.org/dev/peps/pep-3333/#environ-variables
+ */
+class WsgiEnvironment extends TaintKind {
+
+    WsgiEnvironment() { this = "wsgi.environment" }
+
+    override TaintKind getTaintForFlowStep(ControlFlowNode fromnode, ControlFlowNode tonode) {
+        result = this and TaintFlowImplementation::copyCall(fromnode, tonode)
+        or
+        result = this and
+        tonode.(CallNode).getFunction().refersTo(theDictType()) and
+        tonode.(CallNode).getArg(0) = fromnode
+        or
+        exists(StringObject key, string text |
+            tonode.(CallNode).getFunction().(AttrNode).getObject("get") = fromnode and
+            tonode.(CallNode).getArg(0).refersTo(key)
+            or
+            tonode.(SubscriptNode).getValue() = fromnode and tonode.isLoad() and
+            tonode.(SubscriptNode).getIndex().refersTo(key)
+            |
+            text = key.getText() and result instanceof ExternalStringKind and
+            (
+                text = "QUERY_STRING" or
+                text = "PATH_INFO" or
+                text.prefix(5) = "HTTP_"
+            )
+        )
+    }
+
+}
+
+
diff --git a/python/ql/src/semmle/python/web/HttpRequest.qll b/python/ql/src/semmle/python/web/HttpRequest.qll
@@ -5,3 +5,4 @@ import semmle.python.web.pyramid.Request
 import semmle.python.web.twisted.Request
 import semmle.python.web.bottle.Request
 import semmle.python.web.turbogears.Request
+import semmle.python.web.falcon.Request
diff --git a/python/ql/src/semmle/python/web/HttpResponse.qll b/python/ql/src/semmle/python/web/HttpResponse.qll
@@ -5,3 +5,4 @@ import semmle.python.web.tornado.Response
 import semmle.python.web.twisted.Response
 import semmle.python.web.bottle.Response
 import semmle.python.web.turbogears.Response
+import semmle.python.web.falcon.Response
diff --git a/python/ql/src/semmle/python/web/falcon/General.qll b/python/ql/src/semmle/python/web/falcon/General.qll
@@ -0,0 +1,68 @@
+import python
+import semmle.python.web.Http
+
+
+/** The falcon API class */
+ClassObject theFalconAPIClass() {
+    result = ModuleObject::named("falcon").getAttribute("API")
+}
+
+
+/** Holds if `route` is routed to `resource`
+ */
+private predicate api_route(CallNode route_call, ControlFlowNode route, ClassObject resource) {
+    route_call.getFunction().(AttrNode).getObject("add_route").refersTo(_, theFalconAPIClass(), _) and
+    route_call.getArg(0) = route and
+    route_call.getArg(1).refersTo(_, resource, _)
+}
+
+private predicate route(FalconRoute route, Function target, string funcname) {
+    route.getResourceClass().lookupAttribute("on_" + funcname).(FunctionObject).getFunction() = target
+}
+
+class FalconRoute extends ControlFlowNode {
+
+    FalconRoute() {
+        api_route(this, _, _)
+    }
+
+    string getUrl() {
+        exists(StrConst url |
+            api_route(this, url.getAFlowNode(), _) and
+            result = url.getText()
+        )
+    }
+
+    ClassObject getResourceClass() {
+        api_route(this, _, result)
+    }
+
+    FalconHandlerFunction getHandlerFunction(string method) {
+        route(this, result, method)
+    }
+
+}
+
+class FalconHandlerFunction extends Function {
+
+    FalconHandlerFunction() {
+        route(_, this, _)
+    }
+
+    private string methodName() {
+        route(_, this, result)
+    }
+
+    string getMethod() {
+        result = this.methodName().toUpperCase()
+    }
+
+    Parameter getRequest() {
+        result = this.getArg(1)
+    }
+
+    Parameter getResponse() {
+        result = this.getArg(2)
+    }
+
+}
diff --git a/python/ql/src/semmle/python/web/falcon/Request.qll b/python/ql/src/semmle/python/web/falcon/Request.qll
@@ -0,0 +1,56 @@
+import python
+
+import semmle.python.security.TaintTracking
+import semmle.python.web.Http
+import semmle.python.web.falcon.General
+import semmle.python.security.strings.External
+
+/** https://falcon.readthedocs.io/en/stable/api/request_and_response.html */
+class FalconRequest extends TaintKind {
+
+    FalconRequest() {
+        this = "falcon.request"
+    }
+
+    override TaintKind getTaintOfAttribute(string name) {
+        name = "env" and result instanceof WsgiEnvironment
+        or
+        result instanceof ExternalStringKind and
+        (
+            name = "uri" or name = "url" or
+            name = "forwarded_uri" or
+            name = "relative_uri" or
+            name = "query_string"
+        )
+        or
+        result instanceof ExternalStringDictKind and
+        (
+            name = "cookies" or name = "params"
+        )
+        or
+        name = "stream" and result instanceof ExternalFileObject
+    }
+
+    override TaintKind getTaintOfMethodResult(string name) {
+        name = "get_param" and result instanceof ExternalStringKind
+        or
+        name = "get_param_as_json" and result instanceof ExternalJsonKind
+        or
+        name = "get_param_as_list" and result instanceof ExternalStringSequenceKind
+    }
+}
+
+class FalconRequestParameter extends TaintSource {
+
+    FalconRequestParameter() {
+        exists(FalconHandlerFunction f |
+            f.getRequest() = this.(ControlFlowNode).getNode()
+        )
+    }
+
+    override predicate isSourceOf(TaintKind k) {
+        k instanceof FalconRequest
+    }
+
+}
+
diff --git a/python/ql/src/semmle/python/web/falcon/Response.qll b/python/ql/src/semmle/python/web/falcon/Response.qll
@@ -0,0 +1,48 @@
+import python
+
+
+import semmle.python.security.TaintTracking
+import semmle.python.web.Http
+import semmle.python.web.falcon.General
+import semmle.python.security.strings.External
+
+
+/** https://falcon.readthedocs.io/en/stable/api/request_and_response.html */
+class FalconResponse extends TaintKind {
+
+    FalconResponse() {
+        this = "falcon.response"
+    }
+
+}
+
+class FalconResponseParameter extends TaintSource {
+
+    FalconResponseParameter() {
+        exists(FalconHandlerFunction f |
+            f.getResponse() = this.(ControlFlowNode).getNode()
+        )
+    }
+
+    override predicate isSourceOf(TaintKind k) {
+        k instanceof FalconResponse
+    }
+
+}
+
+class FalconResponseBodySink extends TaintSink {
+
+    FalconResponseBodySink() {
+        exists(AttrNode attr |
+            any(FalconResponse f).taints(attr.getObject("body")) |
+            attr.(DefinitionNode).getValue() = this
+        )
+    }
+
+    override predicate sinks(TaintKind kind) {
+        kind instanceof StringKind
+    }
+
+}
+
+
diff --git a/python/ql/test/library-tests/web/falcon/Routing.expected b/python/ql/test/library-tests/web/falcon/Routing.expected
@@ -0,0 +1,3 @@
+| /hello | delete | test.py:22:5:22:35 | Function on_delete |
+| /hello | get | test.py:9:5:9:32 | Function on_get |
+| /hello | post | test.py:19:5:19:33 | Function on_post |
diff --git a/python/ql/test/library-tests/web/falcon/Routing.ql b/python/ql/test/library-tests/web/falcon/Routing.ql
@@ -0,0 +1,8 @@
+import python
+
+import semmle.python.web.falcon.General
+
+from FalconRoute route, string method
+
+select route.getUrl(), method, route.getHandlerFunction(method)
+
diff --git a/python/ql/test/library-tests/web/falcon/Sinks.expected b/python/ql/test/library-tests/web/falcon/Sinks.expected
@@ -0,0 +1 @@
+| test.py:17 | Attribute() | externally controlled string |
diff --git a/python/ql/test/library-tests/web/falcon/Sinks.ql b/python/ql/test/library-tests/web/falcon/Sinks.ql
@@ -0,0 +1,10 @@
+
+import python
+
+import semmle.python.web.HttpRequest
+import semmle.python.web.HttpResponse
+import semmle.python.security.strings.Untrusted
+
+from TaintSink sink, TaintKind kind
+where sink.sinks(kind)
+select sink.getLocation().toString(), sink.(ControlFlowNode).getNode().toString(), kind
diff --git a/python/ql/test/library-tests/web/falcon/Sources.expected b/python/ql/test/library-tests/web/falcon/Sources.expected
@@ -0,0 +1,3 @@
+| test.py:9 | req | falcon.request |
+| test.py:19 | req | falcon.request |
+| test.py:22 | req | falcon.request |
diff --git a/python/ql/test/library-tests/web/falcon/Sources.ql b/python/ql/test/library-tests/web/falcon/Sources.ql
@@ -0,0 +1,10 @@
+
+import python
+
+import semmle.python.web.HttpRequest
+import semmle.python.security.strings.Untrusted
+
+
+from TaintSource src, TaintKind kind
+where src.isSourceOf(kind) and not kind.matches("tornado%")
+select src.getLocation().toString(), src.(ControlFlowNode).getNode().toString(), kind
diff --git a/python/ql/test/library-tests/web/falcon/Taint.expected b/python/ql/test/library-tests/web/falcon/Taint.expected
@@ -0,0 +1,25 @@
+| test.py:9 | req | falcon.request |
+| test.py:9 | resp | falcon.response |
+| test.py:10 | Attribute | file[externally controlled string] |
+| test.py:10 | Attribute() | externally controlled string |
+| test.py:10 | req | falcon.request |
+| test.py:11 | Attribute() | externally controlled string |
+| test.py:11 | Attribute() | json[externally controlled string] |
+| test.py:11 | raw_json | externally controlled string |
+| test.py:12 | resp | falcon.response |
+| test.py:13 | Dict | {externally controlled string} |
+| test.py:13 | Dict | {json[externally controlled string]} |
+| test.py:15 | result | externally controlled string |
+| test.py:15 | result | json[externally controlled string] |
+| test.py:17 | resp | falcon.response |
+| test.py:17 | result | {externally controlled string} |
+| test.py:17 | result | {json[externally controlled string]} |
+| test.py:19 | req | falcon.request |
+| test.py:19 | resp | falcon.response |
+| test.py:22 | req | falcon.request |
+| test.py:22 | resp | falcon.response |
+| test.py:23 | Attribute | wsgi.environment |
+| test.py:23 | req | falcon.request |
+| test.py:24 | Subscript | externally controlled string |
+| test.py:24 | env | wsgi.environment |
+| test.py:25 | qs | externally controlled string |
diff --git a/python/ql/test/library-tests/web/falcon/Taint.ql b/python/ql/test/library-tests/web/falcon/Taint.ql
diff --git a/python/ql/test/library-tests/web/falcon/options b/python/ql/test/library-tests/web/falcon/options
diff --git a/python/ql/test/library-tests/web/falcon/test.py b/python/ql/test/library-tests/web/falcon/test.py
diff --git a/python/ql/test/query-tests/Security/lib/falcon/__init__.py b/python/ql/test/query-tests/Security/lib/falcon/__init__.py
diff --git a/python/ql/test/query-tests/Security/lib/falcon/api.py b/python/ql/test/query-tests/Security/lib/falcon/api.py
diff --git a/python/ql/test/query-tests/Security/lib/falcon/request.py b/python/ql/test/query-tests/Security/lib/falcon/request.py
diff --git a/python/ql/test/query-tests/Security/lib/falcon/response.py b/python/ql/test/query-tests/Security/lib/falcon/response.py
