Python : Add Flask sinks for path injection query

Porcuiney Hairs · Porcupiney Hairs · commit 4fd3f212f8a8 · 2021-10-28T02:12:11.000+05:30
diff --git a/python/ql/lib/semmle/python/frameworks/Flask.qll b/python/ql/lib/semmle/python/frameworks/Flask.qll
@@ -519,4 +519,34 @@ module Flask {
 
     override DataFlow::Node getValueArg() { none() }
   }
+
+  /**
+   * A `send_from_directory` call considered a sink for file system access vulnerabilities.
+   *
+   * See https://flask.palletsprojects.com/en/1.1.x/api/#flask.send_from_directory
+   */
+  class FlaskSendFromDirectory extends FileSystemAccess::Range, DataFlow::CallCfgNode {
+    FlaskSendFromDirectory() {
+      this = API::moduleImport("flask").getMember("send_from_directory").getACall()
+    }
+
+    override DataFlow::Node getAPathArgument() {
+      result in [this.getArg(_), this.getArgByName(["directory", "filename"])]
+    }
+  }
+
+  /**
+   * A `send_file` call considered a sink for file system access vulnerabilities.
+   *
+   * See https://flask.palletsprojects.com/en/1.1.x/api/#flask.send_file
+   */
+  class FlaskSendFile extends FileSystemAccess::Range, DataFlow::CallCfgNode {
+    FlaskSendFile() {
+      this = API::moduleImport("flask").getMember("send_file").getACall()
+    }
+
+    override DataFlow::Node getAPathArgument() {
+      result in [this.getArg(0), this.getArgByName("filename_or_fp")]
+    }
+  }
 }
diff --git a/python/ql/test/library-tests/frameworks/flask/save_uploaded_file.py b/python/ql/test/library-tests/frameworks/flask/save_uploaded_file.py
@@ -1,6 +1,17 @@
-from flask import Flask, request
+from flask import Flask, request, send_from_directory, send_file
 app = Flask(__name__)
 
 @app.route("/save-uploaded-file")  # $routeSetup="/save-uploaded-file"
 def test_taint():  # $requestHandler
     request.files['key'].save("path") # $ getAPathArgument="path"
+
+
+@app.route("/path-injection")  # $routeSetup="/path-injection"
+def test_path():  # $requestHandler
+
+    flask.send_from_directory("filepath","file")  # $ getAPathArgument="filepath" getAPathArgument="file"
+    flask.send_file("file")  # $ getAPathArgument="file"
+    
+    flask.send_from_directory(directory="filepath","file") # $ getAPathArgument="filepath" getAPathArgument="file"
+    flask.send_from_directory(filename="filepath","file") # $ getAPathArgument="filepath" getAPathArgument="file"
+    flask.send_file(filename_or_fp="file")  # $ getAPathArgument="file"
