Add additional type tracking for request attributes

joefarebrother · joefarebrother · commit 86d1e5b64676 · 2024-04-25T13:58:36.000+01:00
diff --git a/python/ql/lib/semmle/python/frameworks/Pyramid.qll b/python/ql/lib/semmle/python/frameworks/Pyramid.qll
@@ -13,6 +13,7 @@ private import semmle.python.dataflow.new.FlowSummary
 private import semmle.python.frameworks.internal.PoorMansFunctionResolution
 private import semmle.python.frameworks.internal.InstanceTaintStepsHelper
 private import semmle.python.frameworks.data.ModelsAsData
+private import semmle.python.frameworks.Stdlib
 
 /**
  * Provides models for the `pyramid` PyPI package.
@@ -122,10 +123,22 @@ module Pyramid {
       }
 
       override string getMethodName() {
-        result in ["as_bytes", "copy", "copy_body", "copy_get", "path_info_peek", "path_info_pop"]
+        result in ["as_bytes", "copy", "copy_get", "path_info_peek", "path_info_pop"]
       }
 
       override string getAsyncMethodName() { none() }
     }
+
+    private class RequestCopyCall extends InstanceSource, DataFlow::MethodCallNode {
+      RequestCopyCall() { this.calls(instance(), ["copy", "copy_get"]) }
+    }
+
+    private class RequestBodyFileLike extends Stdlib::FileLikeObject::InstanceSource instanceof DataFlow::AttrRead
+    {
+      RequestBodyFileLike() {
+        this.getObject() = instance() and
+        this.getAttributeName() = ["body_file", "body_file_raw", "body_file_seekable"]
+      }
+    }
   }
 }
diff --git a/python/ql/test/library-tests/frameworks/pyramid/pyramid_test.py b/python/ql/test/library-tests/frameworks/pyramid/pyramid_test.py
@@ -30,10 +30,9 @@ def test1(request):
         request.as_bytes,          # $ tainted
 
         request.body,              # $ tainted
-        request.body_file,         # $ tainted
-        request.body_file_raw,     # $ tainted
-        request.body_file_seekable,# $ tainted
-        request.body_file.read(),  # $ MISSING:tainted
+        request.body_file.read(),         # $ tainted
+        request.body_file_raw.read(),     # $ tainted
+        request.body_file_seekable.read(),# $ tainted
 
         request.json,              # $ tainted
         request.json_body,         # $ tainted
@@ -61,9 +60,9 @@ def test1(request):
         request.GET.values(),       # $ tainted
 
         request.copy(),             # $ tainted
-        request.copy_body(),        # $ tainted
         request.copy_get(),         # $ tainted
-        request.copy().GET['a']     # $ MISSING:tainted
+        request.copy().GET['a'],    # $ tainted
+        request.copy_get().body     # $ tainted
         ) 
 
 def test2(request):

Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@ private import semmle.python.dataflow.new.FlowSummary`
`13`	`13`	`private import semmle.python.frameworks.internal.PoorMansFunctionResolution`
`14`	`14`	`private import semmle.python.frameworks.internal.InstanceTaintStepsHelper`
`15`	`15`	`private import semmle.python.frameworks.data.ModelsAsData`
	`16`	`+private import semmle.python.frameworks.Stdlib`
`16`	`17`
`17`	`18`	`/**`
`18`	`19`	* Provides models for the `pyramid` PyPI package.
`@@ -122,10 +123,22 @@ module Pyramid {`
`122`	`123`	`}`
`123`	`124`
`124`	`125`	`override string getMethodName() {`
`125`		`- result in ["as_bytes", "copy", "copy_body", "copy_get", "path_info_peek", "path_info_pop"]`
	`126`	`+ result in ["as_bytes", "copy", "copy_get", "path_info_peek", "path_info_pop"]`
`126`	`127`	`}`
`127`	`128`
`128`	`129`	`override string getAsyncMethodName() { none() }`
`129`	`130`	`}`
	`131`	`+`
	`132`	`+ private class RequestCopyCall extends InstanceSource, DataFlow::MethodCallNode {`
	`133`	`+ RequestCopyCall() { this.calls(instance(), ["copy", "copy_get"]) }`
	`134`	`+ }`
	`135`	`+`
	`136`	`+ private class RequestBodyFileLike extends Stdlib::FileLikeObject::InstanceSource instanceof DataFlow::AttrRead`
	`137`	`+ {`
	`138`	`+ RequestBodyFileLike() {`
	`139`	`+ this.getObject() = instance() and`
	`140`	`+ this.getAttributeName() = ["body_file", "body_file_raw", "body_file_seekable"]`
	`141`	`+ }`
	`142`	`+ }`
`130`	`143`	`}`
`131`	`144`	`}`