cklin
diff --git a/‎python/ql/src/experimental/Security/CWE-113/HeaderInjection.ql
Lines changed: 6 additions & 148 deletions b/‎python/ql/src/experimental/Security/CWE-113/HeaderInjection.ql
Lines changed: 6 additions & 148 deletions
diff --git a/‎python/ql/src/experimental/Security/CWE-113/HeaderInjection.qlref b/‎python/ql/src/experimental/Security/CWE-113/HeaderInjection.qlref
diff --git a/‎python/ql/src/experimental/semmle/python/Concepts.qll
Lines changed: 14 additions & 0 deletions b/‎python/ql/src/experimental/semmle/python/Concepts.qll
Lines changed: 14 additions & 0 deletions
diff --git a/‎python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
Lines changed: 130 additions & 0 deletions b/‎python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
Lines changed: 130 additions & 0 deletions
diff --git a/‎python/ql/src/experimental/Security/CWE-113/tests/django_bad.py renamed to ‎python/ql/test/experimental/query-tests/Security/CWE-113/django_bad.py b/‎python/ql/src/experimental/Security/CWE-113/tests/django_bad.py renamed to ‎python/ql/test/experimental/query-tests/Security/CWE-113/django_bad.py
diff --git a/‎python/ql/src/experimental/Security/CWE-113/tests/flask_bad.py renamed to ‎python/ql/test/experimental/query-tests/Security/CWE-113/flask_bad.py b/‎python/ql/src/experimental/Security/CWE-113/tests/flask_bad.py renamed to ‎python/ql/test/experimental/query-tests/Security/CWE-113/flask_bad.py
@@ -1,163 +1,21 @@
 /**
  * @name HTTP Header Injection
- * @description User input should not be used in HTTP headers without first being escaped,
- *              otherwise a malicious user may be able to inject a value that could manipulate the response.
+ * @description User input should not be used in HTTP headers, otherwise a malicious user
+ *              may be able to inject a value that could manipulate the response.
  * @kind path-problem
  * @problem.severity error
- * @id python/header-injection
+ * @id py/header-injection
  * @tags security
  *       external/cwe/cwe-113
  *       external/cwe/cwe-079
  */
 
 // determine precision above
 import python
-import semmle.python.dataflow.new.RemoteFlowSources
-import semmle.python.dataflow.new.DataFlow
-import semmle.python.dataflow.new.TaintTracking
-import semmle.python.ApiGraphs
+import experimental.semmle.python.security.injection.HTTPHeaders
 import DataFlow::PathGraph
 
-class WerkzeugHeaderCall extends DataFlow::CallCfgNode {
-  WerkzeugHeaderCall() {
-    exists(DataFlow::AttrRead addMethod |
-      this.getFunction() = addMethod and
-      addMethod.getObject().getALocalSource() =
-        API::moduleImport("werkzeug").getMember("datastructures").getMember("Headers").getACall() and
-      addMethod.getAttributeName() = "add"
-    )
-  }
-
-  DataFlow::Node getHeaderInputNode() { result = this.getArg(1) }
-}
-
-class FlaskHeaderCall extends DataFlow::Node {
-  DataFlow::Node headerInputNode;
-
-  FlaskHeaderCall() {
-    exists(
-      DataFlow::CallCfgNode headerInstance, DataFlow::AttrRead responseMethod,
-      AssignStmt sinkDeclaration
-    |
-      headerInstance = API::moduleImport("flask").getMember("Response").getACall() and
-      responseMethod.getAttributeName() = "headers" and
-      responseMethod.getObject().getALocalSource() = headerInstance and
-      sinkDeclaration.getATarget() = responseMethod.asExpr().getParentNode() and
-      headerInputNode.asExpr() = sinkDeclaration.getValue() and
-      this.asExpr() = sinkDeclaration.getATarget()
-    )
-  }
-
-  DataFlow::Node getHeaderInputNode() { result = headerInputNode }
-}
-
-class FlaskMakeResponseCall extends DataFlow::Node {
-  DataFlow::Node headerInputNode;
-
-  FlaskMakeResponseCall() {
-    exists(
-      DataFlow::CallCfgNode headerInstance, DataFlow::AttrRead responseMethod,
-      AssignStmt sinkDeclaration
-    |
-      headerInstance = API::moduleImport("flask").getMember("make_response").getACall() and
-      responseMethod.getAttributeName() = "headers" and
-      responseMethod.getObject().getALocalSource() = headerInstance and
-      sinkDeclaration.getATarget() = responseMethod.asExpr().getParentNode() and
-      this.asExpr() = sinkDeclaration.getATarget() and
-      headerInputNode.asExpr() = sinkDeclaration.getValue()
-    )
-  }
-
-  DataFlow::Node getHeaderInputNode() { result = headerInputNode }
-}
-
-class FlaskMakeResponseExtendCall extends DataFlow::CallCfgNode {
-  DataFlow::Node headerInputNode;
-
-  FlaskMakeResponseExtendCall() {
-    exists(
-      DataFlow::CallCfgNode headerInstance, DataFlow::AttrRead responseMethod,
-      DataFlow::AttrRead extendMethod
-    |
-      headerInstance = API::moduleImport("flask").getMember("make_response").getACall() and
-      responseMethod.getAttributeName() = "headers" and
-      responseMethod.getObject().getALocalSource() = headerInstance and
-      extendMethod.getAttributeName() = "extend" and
-      extendMethod.getObject().getALocalSource() = responseMethod and
-      this.getFunction() = extendMethod and
-      headerInputNode = this.getArg(0)
-    )
-  }
-
-  DataFlow::Node getHeaderInputNode() { result = headerInputNode }
-}
-
-class FlaskResponseArg extends DataFlow::CallCfgNode {
-  DataFlow::Node headerInputNode;
-
-  FlaskResponseArg() {
-    this = API::moduleImport("flask").getMember("Response").getACall() and
-    headerInputNode = this.getArgByName("headers")
-  }
-
-  DataFlow::Node getHeaderInputNode() { result = headerInputNode }
-}
-
-class DjangoResponseSetItemCall extends DataFlow::CallCfgNode {
-  DjangoResponseSetItemCall() {
-    exists(DataFlow::AttrRead setItemMethod |
-      this.getFunction() = setItemMethod and
-      setItemMethod.getObject().getALocalSource() =
-        API::moduleImport("django").getMember("http").getMember("HttpResponse").getACall() and
-      setItemMethod.getAttributeName() = "__setitem__"
-    )
-  }
-
-  DataFlow::Node getHeaderInputNode() { result = this.getArg(1) }
-}
-
-class DjangoResponseAssignCall extends DataFlow::Node {
-  DataFlow::Node headerInputNode;
-
-  DjangoResponseAssignCall() {
-    exists(
-      DataFlow::CallCfgNode headerInstance, Subscript responseMethod, DataFlow::Node responseToNode,
-      AssignStmt sinkDeclaration
-    |
-      headerInstance =
-        API::moduleImport("django").getMember("http").getMember("HttpResponse").getACall() and
-      responseMethod.getValue() = responseToNode.asExpr() and
-      responseToNode.getALocalSource().asExpr() = headerInstance.asExpr() and
-      sinkDeclaration.getATarget() = responseMethod and
-      this.asExpr() = sinkDeclaration.getATarget() and
-      headerInputNode.asExpr() = sinkDeclaration.getValue()
-    )
-  }
-
-  DataFlow::Node getHeaderInputNode() { result = headerInputNode }
-}
-
-class HeaderInjectionSink extends DataFlow::Node {
-  HeaderInjectionSink() {
-    this = any(WerkzeugHeaderCall a).getHeaderInputNode() or
-    this = any(FlaskHeaderCall a).getHeaderInputNode() or
-    this = any(FlaskMakeResponseCall a).getHeaderInputNode() or
-    this = any(FlaskMakeResponseExtendCall a).getHeaderInputNode() or
-    this = any(FlaskResponseArg a).getHeaderInputNode() or
-    this = any(DjangoResponseSetItemCall a).getHeaderInputNode() or
-    this = any(DjangoResponseAssignCall a).getHeaderInputNode()
-  }
-}
-
-class HeaderInjectionFlowConfig extends TaintTracking::Configuration {
-  HeaderInjectionFlowConfig() { this = "HeaderInjectionFlowConfig" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof HeaderInjectionSink }
-}
-
 from HeaderInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ header is constructed from a $@.", sink.getNode(), "This",
-  source.getNode(), "user-provided value"
+select sink.getNode(), source, sink, "$@ HTTP header is constructed from a $@.", sink.getNode(),
+  "This", source.getNode(), "user-provided value"
@@ -13,3 +13,17 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.TaintTracking
 private import experimental.semmle.python.Frameworks
+
+module HeaderDeclaration {
+  abstract class Range extends DataFlow::Node {
+    abstract DataFlow::Node getHeaderInputNode();
+  }
+}
+
+class HeaderDeclaration extends DataFlow::Node {
+  HeaderDeclaration::Range range;
+
+  HeaderDeclaration() { this = range }
+
+  DataFlow::Node getHeaderInputNode() { result = range.getHeaderInputNode() }
+}
@@ -9,3 +9,133 @@ private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import experimental.semmle.python.Concepts
 private import semmle.python.ApiGraphs
+
+private module Headers {
+  private module Werkzeug {
+    class WerkzeugHeaderCall extends DataFlow::CallCfgNode, HeaderDeclaration::Range {
+      WerkzeugHeaderCall() {
+        exists(DataFlow::AttrRead addMethod |
+          this.getFunction() = addMethod and
+          addMethod.getObject().getALocalSource() =
+            API::moduleImport("werkzeug")
+                .getMember("datastructures")
+                .getMember("Headers")
+                .getACall() and
+          addMethod.getAttributeName() = "add"
+        )
+      }
+
+      override DataFlow::Node getHeaderInputNode() { result = this.getArg(1) }
+    }
+  }
+
+  private module Flask {
+    class FlaskHeaderCall extends DataFlow::Node, HeaderDeclaration::Range {
+      DataFlow::Node headerInputNode;
+
+      FlaskHeaderCall() {
+        exists(
+          DataFlow::CallCfgNode headerInstance, DataFlow::AttrRead responseMethod,
+          AssignStmt sinkDeclaration
+        |
+          headerInstance = API::moduleImport("flask").getMember("Response").getACall() and
+          responseMethod.getAttributeName() = "headers" and
+          responseMethod.getObject().getALocalSource() = headerInstance and
+          sinkDeclaration.getATarget() = responseMethod.asExpr().getParentNode() and
+          headerInputNode.asExpr() = sinkDeclaration.getValue() and
+          this.asExpr() = sinkDeclaration.getATarget()
+        )
+      }
+
+      override DataFlow::Node getHeaderInputNode() { result = headerInputNode }
+    }
+
+    class FlaskMakeResponseCall extends DataFlow::Node, HeaderDeclaration::Range {
+      DataFlow::Node headerInputNode;
+
+      FlaskMakeResponseCall() {
+        exists(
+          DataFlow::CallCfgNode headerInstance, DataFlow::AttrRead responseMethod,
+          AssignStmt sinkDeclaration
+        |
+          headerInstance = API::moduleImport("flask").getMember("make_response").getACall() and
+          responseMethod.getAttributeName() = "headers" and
+          responseMethod.getObject().getALocalSource() = headerInstance and
+          sinkDeclaration.getATarget() = responseMethod.asExpr().getParentNode() and
+          this.asExpr() = sinkDeclaration.getATarget() and
+          headerInputNode.asExpr() = sinkDeclaration.getValue()
+        )
+      }
+
+      override DataFlow::Node getHeaderInputNode() { result = headerInputNode }
+    }
+
+    class FlaskMakeResponseExtendCall extends DataFlow::CallCfgNode, HeaderDeclaration::Range {
+      DataFlow::Node headerInputNode;
+
+      FlaskMakeResponseExtendCall() {
+        exists(
+          DataFlow::CallCfgNode headerInstance, DataFlow::AttrRead responseMethod,
+          DataFlow::AttrRead extendMethod
+        |
+          headerInstance = API::moduleImport("flask").getMember("make_response").getACall() and
+          responseMethod.getAttributeName() = "headers" and
+          responseMethod.getObject().getALocalSource() = headerInstance and
+          extendMethod.getAttributeName() = "extend" and
+          extendMethod.getObject().getALocalSource() = responseMethod and
+          this.getFunction() = extendMethod and
+          headerInputNode = this.getArg(0)
+        )
+      }
+
+      override DataFlow::Node getHeaderInputNode() { result = headerInputNode }
+    }
+
+    class FlaskResponseArg extends DataFlow::CallCfgNode, HeaderDeclaration::Range {
+      DataFlow::Node headerInputNode;
+
+      FlaskResponseArg() {
+        this = API::moduleImport("flask").getMember("Response").getACall() and
+        headerInputNode = this.getArgByName("headers")
+      }
+
+      override DataFlow::Node getHeaderInputNode() { result = headerInputNode }
+    }
+
+    class DjangoResponseSetItemCall extends DataFlow::CallCfgNode, HeaderDeclaration::Range {
+      DjangoResponseSetItemCall() {
+        exists(DataFlow::AttrRead setItemMethod |
+          this.getFunction() = setItemMethod and
+          setItemMethod.getObject().getALocalSource() =
+            API::moduleImport("django").getMember("http").getMember("HttpResponse").getACall() and
+          setItemMethod.getAttributeName() = "__setitem__"
+        )
+      }
+
+      override DataFlow::Node getHeaderInputNode() { result = this.getArg(1) }
+    }
+  }
+
+  private module Django {
+    class DjangoResponseAssignCall extends DataFlow::Node, HeaderDeclaration::Range {
+      DataFlow::Node headerInputNode;
+
+      DjangoResponseAssignCall() {
+        exists(
+          DataFlow::CallCfgNode headerInstance, Subscript responseMethod,
+          DataFlow::Node responseToNode, AssignStmt sinkDeclaration
+        |
+          headerInstance =
+            API::moduleImport("django").getMember("http").getMember("HttpResponse").getACall() and
+          responseMethod.getValue() = responseToNode.asExpr() and
+          responseToNode.getALocalSource().asExpr() = headerInstance.asExpr() and
+          sinkDeclaration.getATarget() = responseMethod and
+          this.asExpr() = sinkDeclaration.getATarget() and
+          headerInputNode.asExpr() = sinkDeclaration.getValue()
+        )
+      }
+
+      override DataFlow::Node getHeaderInputNode() { result = headerInputNode }
+    }
+  }
+}