Merge pull request #978 from markshannon/python-turbogears

taus-semmle · web-flow · commit dcaf0f8ba834 · 2019-02-26T21:46:01.000+01:00
Python: Add support for turbogears; requests and responses.
diff --git a/change-notes/1.20/analysis-python.md b/change-notes/1.20/analysis-python.md
@@ -38,5 +38,7 @@ The API has been improved to declutter the global namespace and improve discover
  ## Changes to QL libraries
 
  * Added support for the `dill` pickle library.
- * Added support for the bottle web framework.
+ * Added support for the `bottle` web framework.
+ * Added support for the `turbogears` web framework.
+
  
diff --git a/change-notes/1.20/support/python-frameworks.csv b/change-notes/1.20/support/python-frameworks.csv
@@ -1,7 +1,9 @@
 Name, Category
+Bottle, Web framework
 Django, Web application framework
 Flask, Microframework
 Pyramid, Web application framework
 Tornado, Web application framework and asynchronous networking library
+Turbogears, Web framework
 Twisted, Networking engine
 WebOb, WSGI request library
diff --git a/python/ql/src/semmle/python/Function.qll b/python/ql/src/semmle/python/Function.qll
@@ -174,6 +174,14 @@ class Function extends Function_, Scope, AstNode {
         Scope.super.contains(inner)
     }
 
+    /** Gets a control flow node for a return value of this function */
+    ControlFlowNode getAReturnValueFlowNode() {
+        exists(Return ret |
+            ret.getScope() = this and
+            ret.getValue() = result.getNode()
+        )
+    }
+
 }
 
 /** A def statement. Note that FunctionDef extends Assign as a function definition binds the newly created function */
diff --git a/python/ql/src/semmle/python/security/strings/Basic.qll b/python/ql/src/semmle/python/security/strings/Basic.qll
@@ -115,3 +115,14 @@ private predicate os_path_join(ControlFlowNode fromnode, CallNode tonode) {
         tonode = path_join.getACall() and tonode.getAnArg() = fromnode 
     )
 }
+
+/** A kind of "taint", representing a dictionary mapping str->"taint" */
+class StringDictKind extends DictKind {
+
+    StringDictKind() {
+        this.getValue() instanceof StringKind
+    }
+
+}
+
+
diff --git a/python/ql/src/semmle/python/types/FunctionObject.qll b/python/ql/src/semmle/python/types/FunctionObject.qll
@@ -160,10 +160,7 @@ class PyFunctionObject extends FunctionObject {
 
     /** Gets a control flow node corresponding to the value of a return statement */
     ControlFlowNode getAReturnedNode() {
-        exists(Return ret |
-            ret.getScope() = this.getFunction() and
-            result.getNode() = ret.getValue()
-        )
+        result = this.getFunction().getAReturnValueFlowNode()
     }
 
     override string descriptiveString() {
diff --git a/python/ql/src/semmle/python/web/HttpRequest.qll b/python/ql/src/semmle/python/web/HttpRequest.qll
@@ -4,3 +4,4 @@ import semmle.python.web.tornado.Request
 import semmle.python.web.pyramid.Request
 import semmle.python.web.twisted.Request
 import semmle.python.web.bottle.Request
+import semmle.python.web.turbogears.Request
diff --git a/python/ql/src/semmle/python/web/HttpResponse.qll b/python/ql/src/semmle/python/web/HttpResponse.qll
@@ -4,3 +4,4 @@ import semmle.python.web.pyramid.Response
 import semmle.python.web.tornado.Response
 import semmle.python.web.twisted.Response
 import semmle.python.web.bottle.Response
+import semmle.python.web.turbogears.Response
diff --git a/python/ql/src/semmle/python/web/turbogears/Request.qll b/python/ql/src/semmle/python/web/turbogears/Request.qll
@@ -0,0 +1,33 @@
+import python
+import semmle.python.security.strings.Untrusted
+
+import TurboGears
+
+private class ValidatedMethodParameter extends Parameter {
+
+    ValidatedMethodParameter() {
+        exists(string name, TurboGearsControllerMethod method |
+            method.getArgByName(name) = this and
+            method.getValidationDict().getItem(_).(KeyValuePair).getKey().(StrConst).getText() = name
+        )
+    }
+
+}
+
+class UnvalidatedControllerMethodParameter extends TaintSource {
+
+    UnvalidatedControllerMethodParameter() {
+        exists(Parameter p |
+            any(TurboGearsControllerMethod m | not m.getName() = "onerror").getAnArg() = p and
+            not p instanceof ValidatedMethodParameter and
+            not p.isSelf() and
+            p.(Name).getAFlowNode() = this
+        )
+    }
+
+    override predicate isSourceOf(TaintKind kind) {
+        kind instanceof UntrustedStringKind
+    }
+
+}
+
diff --git a/python/ql/src/semmle/python/web/turbogears/Response.qll b/python/ql/src/semmle/python/web/turbogears/Response.qll
@@ -0,0 +1,38 @@
+import python
+
+import semmle.python.security.TaintTracking
+import semmle.python.security.strings.Basic
+
+import TurboGears
+
+
+
+class ControllerMethodReturnValue extends TaintSink {
+
+    ControllerMethodReturnValue() {
+        exists(TurboGearsControllerMethod m |
+            m.getAReturnValueFlowNode() = this and
+            not m.isTemplated()
+        )
+    }
+
+    override predicate sinks(TaintKind kind) {
+        kind instanceof StringKind
+    }
+
+}
+
+class ControllerMethodTemplatedReturnValue extends TaintSink {
+
+    ControllerMethodTemplatedReturnValue() {
+        exists(TurboGearsControllerMethod m |
+            m.getAReturnValueFlowNode() = this and
+            m.isTemplated()
+        )
+    }
+
+    override predicate sinks(TaintKind kind) {
+        kind instanceof StringDictKind
+    }
+
+}
diff --git a/python/ql/src/semmle/python/web/turbogears/TurboGears.qll b/python/ql/src/semmle/python/web/turbogears/TurboGears.qll
@@ -0,0 +1,55 @@
+import python
+
+import semmle.python.security.TaintTracking
+
+private ClassObject theTurboGearsControllerClass() {
+    result = ModuleObject::named("tg").getAttribute("TGController")
+}
+
+
+ClassObject aTurboGearsControllerClass() {
+    result.getASuperType() = theTurboGearsControllerClass()
+}
+
+
+class TurboGearsControllerMethod extends Function {
+
+    ControlFlowNode decorator;
+
+    TurboGearsControllerMethod() {
+        aTurboGearsControllerClass().getPyClass() = this.getScope() and
+        decorator = this.getADecorator().getAFlowNode() and
+        /* Is decorated with @expose() or @expose(path) */
+        (
+            decorator.(CallNode).getFunction().(NameNode).getId() = "expose"
+            or
+            decorator.refersTo(_, ModuleObject::named("tg").getAttribute("expose"), _)
+        )
+    }
+
+    private ControlFlowNode templateName() {
+        result = decorator.(CallNode).getArg(0)
+    }
+
+    predicate isTemplated() {
+        exists(templateName())
+    }
+
+    string getTemplateName() {
+        exists(StringObject str |
+            templateName().refersTo(str) and
+            result = str.getText()
+        )
+    }
+
+    Dict getValidationDict() {
+        exists(Call call, Object dict |
+            call = this.getADecorator() and
+            call.getFunc().(Name).getId() = "validate" and
+            call.getArg(0).refersTo(dict) and
+            result = dict.getOrigin()
+        )
+    }
+
+}
+
diff --git a/python/ql/test/library-tests/web/turbogears/Controller.expected b/python/ql/test/library-tests/web/turbogears/Controller.expected
@@ -0,0 +1,4 @@
+| test.py:7:5:7:32 | Function onerror |
+| test.py:13:5:13:50 | Function ok_validated |
+| test.py:18:5:18:57 | Function partially_validated |
+| test.py:22:5:22:51 | Function not_validated |
diff --git a/python/ql/test/library-tests/web/turbogears/Controller.ql b/python/ql/test/library-tests/web/turbogears/Controller.ql
@@ -0,0 +1,9 @@
+
+
+import python
+
+import semmle.python.web.turbogears.TurboGears
+
+from TurboGearsControllerMethod m
+select m
+
diff --git a/python/ql/test/library-tests/web/turbogears/Sinks.expected b/python/ql/test/library-tests/web/turbogears/Sinks.expected
@@ -0,0 +1,4 @@
+| test.py:8 | BinaryExpr | externally controlled string |
+| test.py:14 | BinaryExpr | externally controlled string |
+| test.py:19 | BinaryExpr | externally controlled string |
+| test.py:23 | BinaryExpr | externally controlled string |
diff --git a/python/ql/test/library-tests/web/turbogears/Sinks.ql b/python/ql/test/library-tests/web/turbogears/Sinks.ql
@@ -0,0 +1,10 @@
+
+import python
+
+import semmle.python.web.HttpRequest
+import semmle.python.web.HttpResponse
+import semmle.python.security.strings.Untrusted
+
+from TaintSink sink, TaintKind kind
+where sink.sinks(kind)
+select sink.getLocation().toString(), sink.(ControlFlowNode).getNode().toString(), kind
diff --git a/python/ql/test/library-tests/web/turbogears/Sources.expected b/python/ql/test/library-tests/web/turbogears/Sources.expected
@@ -0,0 +1,3 @@
+| test.py:18 | b | externally controlled string |
+| test.py:22 | a | externally controlled string |
+| test.py:22 | b | externally controlled string |
diff --git a/python/ql/test/library-tests/web/turbogears/Sources.ql b/python/ql/test/library-tests/web/turbogears/Sources.ql
@@ -0,0 +1,10 @@
+
+import python
+
+import semmle.python.web.HttpRequest
+import semmle.python.security.strings.Untrusted
+
+
+from TaintSource src, TaintKind kind
+where src.isSourceOf(kind)
+select src.getLocation().toString(), src.(ControlFlowNode).getNode().toString(), kind
diff --git a/python/ql/test/library-tests/web/turbogears/Taint.expected b/python/ql/test/library-tests/web/turbogears/Taint.expected
@@ -0,0 +1,12 @@
+| test.py:18 | b | externally controlled string |
+| test.py:19 | BinaryExpr | [externally controlled string] |
+| test.py:19 | BinaryExpr | externally controlled string |
+| test.py:19 | Tuple | [externally controlled string] |
+| test.py:19 | b | externally controlled string |
+| test.py:22 | a | externally controlled string |
+| test.py:22 | b | externally controlled string |
+| test.py:23 | BinaryExpr | [externally controlled string] |
+| test.py:23 | BinaryExpr | externally controlled string |
+| test.py:23 | Tuple | [externally controlled string] |
+| test.py:23 | a | externally controlled string |
+| test.py:23 | b | externally controlled string |
diff --git a/python/ql/test/library-tests/web/turbogears/Taint.ql b/python/ql/test/library-tests/web/turbogears/Taint.ql
@@ -0,0 +1,13 @@
+
+import python
+
+
+import semmle.python.web.HttpRequest
+import semmle.python.web.HttpResponse
+import semmle.python.security.strings.Untrusted
+
+
+from TaintedNode node
+
+select node.getLocation().toString(), node.getNode().getNode().toString(), node.getTaintKind()
+
diff --git a/python/ql/test/library-tests/web/turbogears/options b/python/ql/test/library-tests/web/turbogears/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: --max-import-depth=3 --lang=3 -p ../../../query-tests/Security/lib/
+optimize: true
diff --git a/python/ql/test/library-tests/web/turbogears/test.py b/python/ql/test/library-tests/web/turbogears/test.py
@@ -0,0 +1,23 @@
+
+from tg import request, validate, expose, TGController
+from formencode import validators
+
+class RootController(TGController):
+    @expose()
+    def onerror(self, **kwargs):
+        return 'An error occurred: %s' % request.validation['errors']
+
+    @expose()
+    @validate({"a": validators.Int(not_empty=True), "b": validators.Email},
+              error_handler=onerror)
+    def ok_validated(self, a=None, b=None, *args):
+        return 'Values: %s, %s, %s' % (a, b, args)
+
+    @expose()
+    @validate({"a": validators.Int(not_empty=True)})
+    def partially_validated(self, a=None, b=None, *args):
+        return 'Values: %s, %s, %s' % (a, b, args)
+
+    @expose()
+    def not_validated(self, a=None, b=None, *args):
+        return 'Values: %s, %s, %s' % (a, b, args)
diff --git a/python/ql/test/query-tests/Security/lib/tg.py b/python/ql/test/query-tests/Security/lib/tg.py
@@ -0,0 +1,30 @@
+
+def validate(validators):
+    def validator(func):
+        return func
+
+def expose(*args):
+    if cond:
+        return args[0]
+    def with_template(func):
+        func
+    return with_template
+
+class TGController(object):
+    pass
+
+class TurboGearsContextMember(object):
+    """Member of the TurboGears request context.
+    Provides access to turbogears context members
+    like request, response, template context and so on
+    """
+
+    def __init__(self, name):
+        self.__dict__['name'] = name
+
+    def _current_obj(self):
+        return getattr(context, self.name)
+
+
+request = TurboGearsContextMember(name="request")
+response = TurboGearsContextMember(name="response")

Original file line number	Diff line number	Diff line change
`@@ -174,6 +174,14 @@ class Function extends Function_, Scope, AstNode {`
`174`	`174`	`Scope.super.contains(inner)`
`175`	`175`	`}`
`176`	`176`
	`177`	`+ /** Gets a control flow node for a return value of this function */`
	`178`	`+ ControlFlowNode getAReturnValueFlowNode() {`
	`179`	`+ exists(Return ret \|`
	`180`	`+ ret.getScope() = this and`
	`181`	`+ ret.getValue() = result.getNode()`
	`182`	`+ )`
	`183`	`+ }`
	`184`	`+`
`177`	`185`	`}`
`178`	`186`
`179`	`187`	`/** A def statement. Note that FunctionDef extends Assign as a function definition binds the newly created function */`