Python: django.http.response.HttpRequest.write

Rasmus Lerchedahl Petersen · Rasmus Lerchedahl Petersen · commit e69349791a85 · 2020-10-30T12:51:23.000+01:00
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Django.qll b/python/ql/src/experimental/semmle/python/frameworks/Django.qll
@@ -1495,6 +1495,44 @@ private module Django {
           /** Gets a reference to an instance of `django.http.response.FileResponse`. */
           DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
         }
+
+        /** Gets a reference to the `django.http.response.HttpResponse.write` function. */
+        private DataFlow::Node write(
+          django::http::response::HttpResponse::InstanceSource instance, DataFlow::TypeTracker t
+        ) {
+          t.startInAttr("write") and
+          instance = django::http::response::HttpResponse::instance() and
+          result = instance
+          or
+          exists(DataFlow::TypeTracker t2 | result = write(instance, t2).track(t2, t))
+        }
+
+        /** Gets a reference to the `django.http.response.HttpResponse.write` function. */
+        DataFlow::Node write(django::http::response::HttpResponse::InstanceSource instance) {
+          result = write(instance, DataFlow::TypeTracker::end())
+        }
+
+        /**
+         * A call to the `django.http.response.HttpResponse.write` function.
+         *
+         * See https://docs.djangoproject.com/en/3.1/ref/request-response/#django.http.HttpResponse.write
+         */
+        class HttpResponseWriteCall extends HTTP::Server::HttpResponse::Range, DataFlow::CfgNode {
+          override CallNode node;
+          HTTP::Server::HttpResponse::Range instance;
+
+          HttpResponseWriteCall() { node.getFunction() = write(instance).asCfgNode() }
+
+          override DataFlow::Node getBody() {
+            result.asCfgNode() in [node.getArg(0), node.getArgByName("content")]
+          }
+
+          override DataFlow::Node getMimetypeOrContentTypeArg() {
+            result = instance.getMimetypeOrContentTypeArg()
+          }
+
+          override string getMimetypeDefault() { result = instance.getMimetypeDefault() }
+        }
       }
     }
   }
diff --git a/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py b/python/ql/test/experimental/library-tests/frameworks/django-v1/response_test.py
@@ -30,12 +30,12 @@ def xss__manual_response_type(request):
 
 def xss__write(request):
     response = HttpResponse()  # $HttpResponse $mimetype=text/html; charset=utf-8
-    response.write(request.GET.get("name"))  # $f-:HttpResponse $f-:mimetype=text/html; charset=utf-8 $f-:responseBody=Attribute()
+    response.write(request.GET.get("name"))  # $HttpResponse $mimetype=text/html; charset=utf-8 $responseBody=Attribute()
 
 # This is safe but probably a bug if the argument to `write` is not a result of `json.dumps` or similar.
 def safe__write_json(request):
     response = JsonResponse()  # $HttpResponse $mimetype=application/json
-    response.write(request.GET.get("name"))  # $f-:HttpResponse $f-:mimetype=application/json $f-:responseBody=Attribute()
+    response.write(request.GET.get("name"))  # $HttpResponse $mimetype=application/json $responseBody=Attribute()
 
 # Ensure manual subclasses are vulnerable
 class CustomResponse(HttpResponse):
diff --git a/python/ql/test/experimental/library-tests/frameworks/django-v1/routing_test.py b/python/ql/test/experimental/library-tests/frameworks/django-v1/routing_test.py
@@ -18,7 +18,7 @@ def post_params_xss(request):  # $routeHandler
 
 def http_resp_write(request):  # $routeHandler
     rsp = HttpResponse()  # $HttpResponse
-    rsp.write(request.GET.get("untrusted"))
+    rsp.write(request.GET.get("untrusted"))  # $HttpResponse
     return rsp
 
 
