Commit ea32299

Python: Use API-graph flow for boolean tracking
Introduces a false positive, but arguably that false positive should have been there with the local flow as well.
1 parent ba8d73c commit ea32299

2 files changed

+7
-7
lines changed

python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql

Lines changed: 6 additions & 7 deletions
@@ -33,19 +33,18 @@ private API::Node jinja2EnvironmentOrTemplate() {
3333
result = API::moduleImport("jinja2").getMember("Template")
3434
}
3535

36-
DataFlow::Node getAutoEscapeParameter(DataFlow::CallCfgNode call) {
37-
result = call.getArgByName("autoescape")
38-
}
39-
4036
from API::CallNode call
4137
where
4238
call = jinja2EnvironmentOrTemplate().getACall() and
4339
not exists(call.asCfgNode().(CallNode).getNode().getStarargs()) and
4440
not exists(call.asCfgNode().(CallNode).getNode().getKwargs()) and
4541
(
46-
not exists(getAutoEscapeParameter(call))
42+
not exists(call.getArgByName("autoescape"))
4743
or
48-
any(DataFlow::LocalSourceNode n | n.asExpr().(ImmutableLiteral).booleanValue() = false)
49-
.flowsTo(getAutoEscapeParameter(call))
44+
call.getKeywordParameter("autoescape")
45+
.getAValueReachingRhs()
46+
.asExpr()
47+
.(ImmutableLiteral)
48+
.booleanValue() = false
5049
)
5150
select call, "Using jinja2 templates with autoescape=False can potentially allow XSS attacks."
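
Review bot: The second disjunct (new lines 44-48) now reports a call when any value reaching the `autoescape` keyword is a false literal, but nothing in the query records that the tracking is no longer local. Add a short comment above `call.getKeywordParameter("autoescape")` saying so and naming the accepted false positive from the commit message, so the extra result is not later read as a regression. The two disjuncts also look up the same argument in different ways, `call.getArgByName("autoescape")` in the first and `getKeywordParameter` in the second; a one-line note on why they differ would help the next reader.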

python/ql/test/query-tests/Security/CWE-079-Jinja2WithoutEscaping/Jinja2WithoutEscaping.expected

Lines changed: 1 addition & 0 deletions
@@ -2,4 +2,5 @@
22
| jinja2_escaping.py:41:5:41:29 | ControlFlowNode for Environment() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
33
| jinja2_escaping.py:43:1:43:3 | ControlFlowNode for E() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
44
| jinja2_escaping.py:44:1:44:15 | ControlFlowNode for E() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
5+
| jinja2_escaping.py:50:13:50:40 | ControlFlowNode for Environment() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
56
| jinja2_escaping.py:53:15:53:43 | ControlFlowNode for Template() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
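
Review bot: The added row for `jinja2_escaping.py:50:13:50:40` is the only new expectation, so it is presumably the false positive the commit message mentions, yet nothing marks it as one. Only two files change in this commit and the test source is not among them; consider annotating line 50 of `jinja2_escaping.py` with a comment that this alert is a known false positive, so a later change that removes the row is recognised as an improvement and not a lost result.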
