
Commit 67cc3a3

Python: Move experimental ReflectedXSS to new dataflow API
1 parent a0d2674 commit 67cc3a3

3 files changed

+14
-11
lines changed


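--- a/python/ql/src/experimental/Security/CWE-079/ReflectedXSS.ql
+++ b/python/ql/src/experimental/Security/CWE-079/ReflectedXSS.ql
@@ -16,9 +16,9 @@
 // determine precision above
 import python
 import experimental.semmle.python.security.dataflow.ReflectedXSS
-import DataFlow::PathGraph
+import ReflectedXSSFlow::PathGraph
 
-from ReflectedXssConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from ReflectedXSSFlow::PathNode source, ReflectedXSSFlow::PathNode sink
+where ReflectedXSSFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
 source.getNode(), "a user-provided value"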

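--- a/python/ql/src/experimental/semmle/python/security/dataflow/ReflectedXSS.qll
+++ b/python/ql/src/experimental/semmle/python/security/dataflow/ReflectedXSS.qll
@@ -16,20 +16,18 @@ import semmle.python.ApiGraphs
 * A taint-tracking configuration for detecting reflected server-side cross-site
 * scripting vulnerabilities.
 */
-class ReflectedXssConfiguration extends TaintTracking::Configuration {
-ReflectedXssConfiguration() { this = "ReflectedXssConfiguration" }
+private module ReflectedXSSConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+predicate isSink(DataFlow::Node sink) { sink = any(EmailSender email).getHtmlBody() }
 
-override predicate isSink(DataFlow::Node sink) { sink = any(EmailSender email).getHtmlBody() }
-
-override predicate isSanitizer(DataFlow::Node sanitizer) {
+predicate isBarrier(DataFlow::Node sanitizer) {
 sanitizer = any(HtmlEscaping esc).getOutput()
 or
 sanitizer instanceof StringConstCompareBarrier
 }
 
-override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
 exists(DataFlow::CallCfgNode htmlContentCall |
 htmlContentCall =
 API::moduleImport("sendgrid")
@@ -42,3 +40,6 @@ class ReflectedXssConfiguration extends TaintTracking::Configuration {
 )
 }
 }
+
+/** Global taint-tracking for detecting "TODO" vulnerabilities. */
+module ReflectedXSSFlow = TaintTracking::Global<ReflectedXSSConfig>;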
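Review bot: The doc comment added above the new `ReflectedXSSFlow` module still carries a template placeholder — `"TODO"` — so the one public name this library now exports is documented as detecting "TODO" vulnerabilities. Since this module is what the query imports in place of the old `ReflectedXssConfiguration` class, its comment is the first thing a reader of the API sees. Replace it with `/** Global taint-tracking for detecting reflected server-side cross-site scripting vulnerabilities. */`, which matches the wording already used on the configuration's own doc comment in the first hunk. Note that the body of `ReflectedXSSConfig` (the remainder of `isAdditionalFlowStep`) lies between the two hunks and is not visible here, so this review covers only the shown lines.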

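--- a/python/ql/test/experimental/query-tests/Security/CWE-079/ReflectedXSS.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-079/ReflectedXSS.expected
@@ -12,7 +12,8 @@ edges
 | sendgrid_mail.py:1:19:1:25 | GSSA Variable request | sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request |
 | sendgrid_mail.py:1:19:1:25 | GSSA Variable request | sendgrid_mail.py:37:41:37:47 | ControlFlowNode for request |
 | sendgrid_mail.py:14:22:14:28 | ControlFlowNode for request | sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript |
-| sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request | sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() |
+| sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request | sendgrid_mail.py:26:34:26:61 | ControlFlowNode for Subscript |
+| sendgrid_mail.py:26:34:26:61 | ControlFlowNode for Subscript | sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() |
 | sendgrid_mail.py:37:41:37:47 | ControlFlowNode for request | sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript |
 | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | GSSA Variable request |
 | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | GSSA Variable request | sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:57 | ControlFlowNode for request |
@@ -52,6 +53,7 @@ nodes
 | sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() | semmle.label | ControlFlowNode for HtmlContent() |
 | sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| sendgrid_mail.py:26:34:26:61 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | sendgrid_mail.py:37:41:37:47 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |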
