Add UnicodeDoS sink for werkzeug secure_filename

Sim4n6 · yoff · commit 5cc917024977 · 2024-03-15T14:17:23.000+01:00
diff --git a/python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql b/python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql
@@ -93,6 +93,16 @@ class Configuration extends TaintTracking::Configuration {
 
   override predicate isSink(DataFlow::Node sink) {
     sink = any(UnicodeCompatibilityNormalize ucn).getPathArg()
+    or
+    sink = API::moduleImport("werkzeug").getMember("secure_filename").getACall().getArg(_)
+    or
+    sink =
+      API::moduleImport("werkzeug")
+          .getMember("utils")
+          .getMember("secure_filename")
+          .getACall()
+          .getArg(_)
+  
   }
 }
 
