Python: Add rest_framework Request taint modeling

RasmusWL · RasmusWL · commit 62d30630aa68 · 2021-11-02T10:55:44.000+01:00
diff --git a/python/ql/lib/semmle/python/frameworks/Django.qll b/python/ql/lib/semmle/python/frameworks/Django.qll
@@ -369,6 +369,52 @@ module Django {
     }
   }
 
+  /**
+   * Provides models for the `django.contrib.auth.models.User` class
+   *
+   * See https://docs.djangoproject.com/en/3.2/ref/contrib/auth/#user-model.
+   */
+  module User {
+    /**
+     * A source of instances of `django.contrib.auth.models.User`, extend this class to model new instances.
+     *
+     * This can include instantiations of the class, return values from function
+     * calls, or a special parameter that will be set when functions are called by an external
+     * library.
+     *
+     * Use the predicate `User::instance()` to get references to instances of `django.contrib.auth.models.User`.
+     */
+    abstract class InstanceSource extends DataFlow::LocalSourceNode { }
+
+    /** Gets a reference to an instance of `django.contrib.auth.models.User`. */
+    private DataFlow::TypeTrackingNode instance(DataFlow::TypeTracker t) {
+      t.start() and
+      result instanceof InstanceSource
+      or
+      exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))
+    }
+
+    /** Gets a reference to an instance of `django.contrib.auth.models.User`. */
+    DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
+
+    /**
+     * Taint propagation for `django.contrib.auth.models.User`.
+     */
+    private class InstanceTaintSteps extends InstanceTaintStepsHelper {
+      InstanceTaintSteps() { this = "django.contrib.auth.models.User" }
+
+      override DataFlow::Node getInstance() { result = instance() }
+
+      override string getAttributeName() {
+        result in ["username", "first_name", "last_name", "email"]
+      }
+
+      override string getMethodName() { none() }
+
+      override string getAsyncMethodName() { none() }
+    }
+  }
+
   /**
    * Provides models for the `django.core.files.uploadedfile.UploadedFile` class
    *
diff --git a/python/ql/lib/semmle/python/frameworks/RestFramework.qll b/python/ql/lib/semmle/python/frameworks/RestFramework.qll
@@ -171,5 +171,46 @@ private module RestFramework {
 
     /** Gets a reference to an instance of `rest_framework.request.Request`. */
     DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
+
+    /**
+     * Taint propagation for `rest_framework.request.Request`.
+     */
+    private class InstanceTaintSteps extends InstanceTaintStepsHelper {
+      InstanceTaintSteps() { this = "rest_framework.request.Request" }
+
+      override DataFlow::Node getInstance() { result = instance() }
+
+      override string getAttributeName() {
+        result in ["data", "query_params", "user", "auth", "content_type", "stream"]
+      }
+
+      override string getMethodName() { none() }
+
+      override string getAsyncMethodName() { none() }
+    }
+
+    /** An attribute read that is a `MultiValueDict` instance. */
+    private class MultiValueDictInstances extends Django::MultiValueDict::InstanceSource {
+      MultiValueDictInstances() {
+        this.(DataFlow::AttrRead).getObject() = instance() and
+        this.(DataFlow::AttrRead).getAttributeName() = "query_params"
+      }
+    }
+
+    /** An attribute read that is a `User` instance. */
+    private class UserInstances extends Django::User::InstanceSource {
+      UserInstances() {
+        this.(DataFlow::AttrRead).getObject() = instance() and
+        this.(DataFlow::AttrRead).getAttributeName() = "user"
+      }
+    }
+
+    /** An attribute read that is a file-like instance. */
+    private class FileLikeInstances extends Stdlib::FileLikeObject::InstanceSource {
+      FileLikeInstances() {
+        this.(DataFlow::AttrRead).getObject() = instance() and
+        this.(DataFlow::AttrRead).getAttributeName() = "stream"
+      }
+    }
   }
 }
diff --git a/python/ql/test/library-tests/frameworks/rest_framework/taint_test.py b/python/ql/test/library-tests/frameworks/rest_framework/taint_test.py
@@ -25,29 +25,29 @@ def test_taint(request: Request, routed_param): # $ requestHandler routedParamet
 
     # special new attributes added, see https://www.django-rest-framework.org/api-guide/requests/
     ensure_tainted(
-        request.data, # $ MISSING: tainted
-        request.data["key"], # $ MISSING: tainted
+        request.data, # $ tainted
+        request.data["key"], # $ tainted
 
         # alias for .GET
-        request.query_params, # $ MISSING: tainted
-        request.query_params["key"], # $ MISSING: tainted
-        request.query_params.get("key"), # $ MISSING: tainted
-        request.query_params.getlist("key"), # $ MISSING: tainted
-        request.query_params.getlist("key")[0], # $ MISSING: tainted
-        request.query_params.pop("key"), # $ MISSING: tainted
-        request.query_params.pop("key")[0], # $ MISSING: tainted
+        request.query_params, # $ tainted
+        request.query_params["key"], # $ tainted
+        request.query_params.get("key"), # $ tainted
+        request.query_params.getlist("key"), # $ tainted
+        request.query_params.getlist("key")[0], # $ tainted
+        request.query_params.pop("key"), # $ tainted
+        request.query_params.pop("key")[0], # $ tainted
 
         # see more detailed tests of `request.user` below
-        request.user, # $ MISSING: tainted
+        request.user, # $ tainted
 
-        request.auth, # $ MISSING: tainted
+        request.auth, # $ tainted
 
         # seems much more likely attack vector than .method, so included
         request.content_type, # $ tainted
 
         # file-like
-        request.stream, # $ MISSING: tainted
-        request.stream.read(), # $ MISSING: tainted
+        request.stream, # $ tainted
+        request.stream.read(), # $ tainted
     )
 
     ensure_not_tainted(
@@ -74,10 +74,10 @@ def test_taint(request: Request, routed_param): # $ requestHandler routedParamet
     # username/email is user-controlled, but that password isn't (since it's a hash).
     # see https://docs.djangoproject.com/en/3.2/ref/contrib/auth/#fields
     ensure_tainted(
-        request.user.username, # $ MISSING: tainted
-        request.user.first_name, # $ MISSING: tainted
-        request.user.last_name, # $ MISSING: tainted
-        request.user.email, # $ MISSING: tainted
+        request.user.username, # $ tainted
+        request.user.first_name, # $ tainted
+        request.user.last_name, # $ tainted
+        request.user.email, # $ tainted
     )
     ensure_not_tainted(request.user.password)
 
@@ -99,7 +99,7 @@ def get(self, request: Request, routed_param): # $ requestHandler routedParamete
         # request taint is the same as in function_based_view above
         ensure_tainted(
             request, # $ tainted
-            request.data # $ MISSING: tainted
+            request.data # $ tainted
         )
 
         # same as for standard Django view
