Python: Add SSRF queries

I've added 2 queries:

- one that detects full SSRF, where an attacker can control the full URL,
  which is always bad
- and one for partial SSRF, where an attacker can control parts of an
  URL (such as the path, query parameters, or fragment), which is not a
  big problem in many cases (but might still be exploitable)

full SSRF should run by default, and partial SSRF should not (but makes
it easy to see the other results).

Some elements of the full SSRF queries needs a bit more polishing, like
being able to detect `"https://" + user_input` is in fact controlling
the full URL.

Author: RasmusWL

python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgery.qll

@@ -0,0 +1,69 @@
+/**
+ * Provides a taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `ServerSideRequestForgery::Configuration` is needed, otherwise
+ * `ServerSideRequestForgeryCustomizations` should be imported instead.
+ */
+
+private import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+
+/**
+ * Provides a taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
+ *
+ * This configuration has a sanitizer to limit results to cases where attacker has full control of URL.
+ * See `PartialServerSideRequestForgery` for a variant without this requirement.
+ */
+module FullServerSideRequestForgery {
+  import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery
+
+  /**
+   * A taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "FullServerSideRequestForgery" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isSanitizer(DataFlow::Node node) {
+      node instanceof Sanitizer
+      or
+      node instanceof FullUrlControlSanitizer
+    }
+
+    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+      guard instanceof SanitizerGuard
+    }
+  }
+}
+
+/**
+ * Provides a taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
+ *
+ * This configuration has results, even when the attacker does not have full control over the URL.
+ * See `FullServerSideRequestForgery` for variant that has this requirement.
+ */
+module PartialServerSideRequestForgery {
+  import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery
+
+  /**
+   * A taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "PartialServerSideRequestForgery" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+      guard instanceof SanitizerGuard
+    }
+  }
+}

python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll

@@ -0,0 +1,94 @@
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "Server-side request forgery"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.dataflow.new.BarrierGuards
+
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "Server-side request forgery"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+module ServerSideRequestForgery {
+  /**
+   * A data flow source for "Server-side request forgery" vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for "Server-side request forgery" vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for "Server-side request forgery" vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for "Server-side request forgery" vulnerabilities,
+   * that ensures the attacker does not have full control of the URL. (that is, might
+   * still be able to control path or query parameters).
+   */
+  abstract class FullUrlControlSanitizer extends DataFlow::Node { }
+
+  /**
+   * A sanitizer guard for "Server-side request forgery" vulnerabilities.
+   */
+  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+
+  /**
+   * A source of remote user input, considered as a flow source.
+   */
+  class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
+
+  /** The URL of an HTTP request, considered as a sink. */
+  class HttpRequestUrlAsSink extends Sink {
+    HttpRequestUrlAsSink() {
+      exists(HTTP::Client::Request req | req.getAUrlPart() = this) and
+      // Since we find sinks inside stdlib, we need to exclude them manually. See
+      // comment for command injection sinks for more details.
+      not this.getScope().getEnclosingModule().getName() in ["http.client", "httplib"]
+    }
+  }
+
+  /**
+   * A comparison with a constant string, considered as a sanitizer-guard.
+   */
+  class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
+
+  /**
+   * A string construction (concat, format, f-string) where the left side is not
+   * user-controlled.
+   */
+  class StringConstructioneAsFullUrlControlSanitizer extends FullUrlControlSanitizer {
+    StringConstructioneAsFullUrlControlSanitizer() {
+      // string concat
+      exists(BinaryExprNode add |
+        add.getOp() instanceof Add and
+        add.getRight() = this.asCfgNode()
+      )
+      or
+      // % formatting
+      exists(BinaryExprNode fmt |
+        fmt.getOp() instanceof Mod and
+        fmt.getRight() = this.asCfgNode()
+      )
+      or
+      // arguments to a format call
+      exists(DataFlow::MethodCallNode call |
+        call.getMethodName() = "format" and
+        this in [call.getArg(_), call.getArgByName(_)]
+      )
+      or
+      // f-string
+      exists(Fstring fstring | fstring.getValue(any(int i | i > 0)) = this.asExpr())
+    }
+  }
+}

python/ql/src/Security/CWE-918/FullServerSideRequestForgery.ql

@@ -0,0 +1,22 @@
+/**
+ * @name Full server-side request forgery
+ * @description Making a network request to a URL that is fully user-controlled allows for request forgery attacks.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.1
+ * @precision high
+ * @id py/full-ssrf
+ * @tags security
+ *       external/cwe/cwe-918
+ */
+
+import python
+import semmle.python.security.dataflow.ServerSideRequestForgery
+import DataFlow::PathGraph
+
+from
+  FullServerSideRequestForgery::Configuration config, DataFlow::PathNode source,
+  DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "The full URL of this request depends on $@.",
+  source.getNode(), "a user-provided value"

python/ql/src/Security/CWE-918/PartialServerSideRequestForgery.ql

@@ -0,0 +1,25 @@
+/**
+ * @name Partial server-side request forgery
+ * @description Making a network request to a URL that is partially user-controlled allows for request forgery attacks.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.1
+ * @precision medium
+ * @id py/partial-ssrf
+ * @tags security
+ *       external/cwe/cwe-918
+ */
+
+import python
+import semmle.python.security.dataflow.ServerSideRequestForgery
+import DataFlow::PathGraph
+
+from
+  FullServerSideRequestForgery::Configuration fullConfig,
+  PartialServerSideRequestForgery::Configuration partialConfig, DataFlow::PathNode source,
+  DataFlow::PathNode sink
+where
+  partialConfig.hasFlowPath(source, sink) and
+  not fullConfig.hasFlow(source.getNode(), sink.getNode())
+select sink.getNode(), source, sink, "Part of the URL of this request depends on $@.",
+  source.getNode(), "a user-provided value"