Polish FlaskHeaderCall

jorgectf · jorgectf · commit 3be916e82b16 · 2021-04-09T01:02:01.000+02:00
diff --git a/python/ql/src/experimental/Security/CWE-113/HeaderInjection.ql b/python/ql/src/experimental/Security/CWE-113/HeaderInjection.ql
@@ -31,8 +31,10 @@ class WerkzeugHeaderCall extends DataFlow::CallCfgNode {
   DataFlow::Node getHeaderInputNode() { result = this.getArg(1) }
 }
 
-class FlaskHeader extends DataFlow::Node {
-  FlaskHeader() {
+class FlaskHeaderCall extends DataFlow::CallCfgNode {
+  DataFlow::Node headerInputNode;
+
+  FlaskHeaderCall() {
     exists(
       DataFlow::CallCfgNode headerInstance, DataFlow::AttrRead responseMethod,
       AssignStmt sinkDeclaration
@@ -41,9 +43,12 @@ class FlaskHeader extends DataFlow::Node {
       responseMethod.getAttributeName() = "headers" and
       responseMethod.getObject().getALocalSource() = headerInstance and
       sinkDeclaration.getATarget() = responseMethod.asExpr().getParentNode() and
-      this.asExpr() = sinkDeclaration.getValue()
+      headerInputNode.asExpr() = sinkDeclaration.getValue() and
+      this.getFunction() = responseMethod
     )
   }
+
+  DataFlow::Node getHeaderInputNode() { result = headerInputNode }
 }
 
 class FlaskMakeResponse extends DataFlow::Node {
@@ -69,8 +74,8 @@ class FlaskMakeResponse extends DataFlow::Node {
 
 class HeaderInjectionSink extends DataFlow::Node {
   HeaderInjectionSink() {
-    this instanceof WerkzeugHeader or
-    this instanceof FlaskHeader or
+    this instanceof WerkzeugHeaderCall or
+    this instanceof FlaskHeaderCall or
     this instanceof FlaskMakeResponse
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -31,8 +31,10 @@ class WerkzeugHeaderCall extends DataFlow::CallCfgNode {`
`31`	`31`	`DataFlow::Node getHeaderInputNode() { result = this.getArg(1) }`
`32`	`32`	`}`
`33`	`33`
`34`		`-class FlaskHeader extends DataFlow::Node {`
`35`		`- FlaskHeader() {`
	`34`	`+class FlaskHeaderCall extends DataFlow::CallCfgNode {`
	`35`	`+ DataFlow::Node headerInputNode;`
	`36`	`+`
	`37`	`+ FlaskHeaderCall() {`
`36`	`38`	`exists(`
`37`	`39`	`DataFlow::CallCfgNode headerInstance, DataFlow::AttrRead responseMethod,`
`38`	`40`	`AssignStmt sinkDeclaration`
`@@ -41,9 +43,12 @@ class FlaskHeader extends DataFlow::Node {`
`41`	`43`	`responseMethod.getAttributeName() = "headers" and`
`42`	`44`	`responseMethod.getObject().getALocalSource() = headerInstance and`
`43`	`45`	`sinkDeclaration.getATarget() = responseMethod.asExpr().getParentNode() and`
`44`		`- this.asExpr() = sinkDeclaration.getValue()`
	`46`	`+ headerInputNode.asExpr() = sinkDeclaration.getValue() and`
	`47`	`+ this.getFunction() = responseMethod`
`45`	`48`	`)`
`46`	`49`	`}`
	`50`	`+`
	`51`	`+ DataFlow::Node getHeaderInputNode() { result = headerInputNode }`
`47`	`52`	`}`
`48`	`53`
`49`	`54`	`class FlaskMakeResponse extends DataFlow::Node {`
`@@ -69,8 +74,8 @@ class FlaskMakeResponse extends DataFlow::Node {`
`69`	`74`
`70`	`75`	`class HeaderInjectionSink extends DataFlow::Node {`
`71`	`76`	`HeaderInjectionSink() {`
`72`		`- this instanceof WerkzeugHeader or`
`73`		`- this instanceof FlaskHeader or`
	`77`	`+ this instanceof WerkzeugHeaderCall or`
	`78`	`+ this instanceof FlaskHeaderCall or`
`74`	`79`	`this instanceof FlaskMakeResponse`
`75`	`80`	`}`
`76`	`81`	`}`