Python: improve urllib3 modeling

Author: RasmusWL

python/ql/lib/semmle/python/frameworks/Urllib3.qll

@@ -1,49 +1,64 @@
 /**
  * Provides classes modeling security-relevant aspects of the `urllib3` PyPI package.
- * See https://urllib3.readthedocs.io/en/stable/reference/
+ *
+ * See
+ * - https://pypi.org/project/urllib3/
+ * - https://urllib3.readthedocs.io/en/stable/reference/
  */
 
 private import python
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
 
 /**
- * Provides models for the `Urllib3` PyPI package.
- * see https://urllib3.readthedocs.io/en/stable/reference/
+ * Provides models for the `urllib3` PyPI package.
+ *
+ * See
+ * - https://pypi.org/project/urllib3/
+ * - https://urllib3.readthedocs.io/en/stable/reference/
  */
 private module Urllib3 {
   /**
-   * Provides models for the `urllib3.PoolManager` class
+   * Provides models for the `urllib3.request.RequestMethods` class and subclasses, such
+   * as the `urllib3.PoolManager` class
    *
-   * See https://urllib3.readthedocs.io/en/stable/reference/urllib3.poolmanager.html.
+   * See
+   * - https://urllib3.readthedocs.io/en/stable/reference/urllib3.request.html#urllib3.request.RequestMethods
+   *
+   *
+   * https://urllib3.readthedocs.io/en/stable/reference/urllib3.poolmanager.html.
    */
   module PoolManager {
     /** Gets a reference to the `urllib3.PoolManager` class. */
-    private API::Node classRef() { result = API::moduleImport("urllib3").getMember("PoolManager") }
+    private API::Node classRef() {
+      result =
+        API::moduleImport("urllib3")
+            .getMember(["PoolManager", "ProxyManager", "HTTPConnectionPool", "HTTPSConnectionPool"])
+      or
+      result =
+        API::moduleImport("urllib3")
+            .getMember("request")
+            .getMember("RequestMethods")
+            .getASubclass+()
+    }
 
-    /** Gets a reference to an instance of `urllib3.PoolManager`. */
+    /** Gets a reference to an instance of a `urllib3.request.RequestMethods` subclass. */
     private API::Node instance() { result = classRef().getReturn() }
 
+    /**
+     * A call to a method making an outgoing request.
+     *
+     * See
+     * - https://urllib3.readthedocs.io/en/stable/reference/urllib3.request.html#urllib3.request.RequestMethods
+     * - https://urllib3.readthedocs.io/en/stable/reference/urllib3.connectionpool.html#urllib3.HTTPConnectionPool.urlopen
+     */
     private class RequestCall extends HTTP::Client::Request::Range, DataFlow::CallCfgNode {
       RequestCall() {
         this =
-          instance().getMember(["request", "request_encode_url", "request_encode_body"]).getACall()
-      }
-
-      override DataFlow::Node getAUrlPart() { result in [this.getArg(1), this.getArgByName("url")] }
-
-      override string getFramework() { result = "urllib3.PoolManager" }
-
-      override predicate disablesCertificateValidation(
-        DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
-      ) {
-        // TODO: Look into disabling certificate validation
-        none()
+          instance()
+              .getMember(["request", "request_encode_url", "request_encode_body", "urlopen"])
+              .getACall()
       }
-    }
-
-    private class UrlOpenCall extends HTTP::Client::Request::Range, DataFlow::CallCfgNode {
-      UrlOpenCall() { this = instance().getMember("urlopen").getACall() }
 
       override DataFlow::Node getAUrlPart() { result in [this.getArg(1), this.getArgByName("url")] }
 

python/ql/test/library-tests/frameworks/urllib3/test.py

@@ -1,8 +1,29 @@
 import urllib3
 
-http = urllib3.PoolManager()
+pool = urllib3.PoolManager()
 
-resp = http.request("method", "url") # $ clientRequestUrlPart="url"
-resp = http.request("method", url="url") # $ clientRequestUrlPart="url"
-resp = http.urlopen("method", "url") # $ clientRequestUrlPart="url"
-resp = http.urlopen("method", url="url") # $ clientRequestUrlPart="url"
+resp = pool.request("method", "url") # $ clientRequestUrlPart="url"
+resp = pool.request("method", url="url") # $ clientRequestUrlPart="url"
+resp = pool.urlopen("method", "url") # $ clientRequestUrlPart="url"
+resp = pool.urlopen("method", url="url") # $ clientRequestUrlPart="url"
+
+pool = urllib3.ProxyManager("http://proxy")
+
+resp = pool.request("method", "url") # $ clientRequestUrlPart="url"
+resp = pool.request("method", url="url") # $ clientRequestUrlPart="url"
+resp = pool.urlopen("method", "url") # $ clientRequestUrlPart="url"
+resp = pool.urlopen("method", url="url") # $ clientRequestUrlPart="url"
+
+pool = urllib3.HTTPConnectionPool("host")
+
+resp = pool.request("method", "url") # $ clientRequestUrlPart="url"
+resp = pool.request("method", url="url") # $ clientRequestUrlPart="url"
+resp = pool.urlopen("method", "url") # $ clientRequestUrlPart="url"
+resp = pool.urlopen("method", url="url") # $ clientRequestUrlPart="url"
+
+pool = urllib3.HTTPSConnectionPool("host")
+
+resp = pool.request("method", "url") # $ clientRequestUrlPart="url"
+resp = pool.request("method", url="url") # $ clientRequestUrlPart="url"
+resp = pool.urlopen("method", "url") # $ clientRequestUrlPart="url"
+resp = pool.urlopen("method", url="url") # $ clientRequestUrlPart="url"