Python: Add modeling of http.client.HTTPResponse

RasmusWL · RasmusWL · commit 6f81685f4875 · 2021-12-15T21:55:04.000+01:00
diff --git a/python/ql/lib/semmle/python/frameworks/Stdlib.qll b/python/ql/lib/semmle/python/frameworks/Stdlib.qll
@@ -2091,6 +2091,187 @@ private module StdlibPrivate {
     }
   }
 
+  // ---------------------------------------------------------------------------
+  // http.client (Python 3)
+  // httplib (Python 2)
+  // ---------------------------------------------------------------------------
+  /**
+   * Provides models for the `http.client.HTTPConnection` and `HTTPSConnection` classes
+   *
+   * See
+   * - https://docs.python.org/3.10/library/http.client.html#http.client.HTTPConnection
+   * - https://docs.python.org/3.10/library/http.client.html#http.client.HTTPSConnection
+   * - https://docs.python.org/2.7/library/httplib.html#httplib.HTTPConnection
+   * - https://docs.python.org/2.7/library/httplib.html#httplib.HTTPSConnection
+   */
+  module HTTPConnection {
+    /** Gets a reference to the `http.client.HTTPConnection` class. */
+    private API::Node classRef() {
+      exists(string className | className in ["HTTPConnection", "HTTPSConnection"] |
+        // Python 3
+        result = API::moduleImport("http").getMember("client").getMember(className)
+        or
+        // Python 2
+        result = API::moduleImport("httplib").getMember(className)
+        or
+        result =
+          API::moduleImport("six").getMember("moves").getMember("http_client").getMember(className)
+      )
+    }
+
+    /**
+     * A source of instances of `http.client.HTTPConnection`, extend this class to model new instances.
+     *
+     * This can include instantiations of the class, return values from function
+     * calls, or a special parameter that will be set when functions are called by an external
+     * library.
+     *
+     * Use the predicate `HTTPConnection::instance()` to get references to instances of `http.client.HTTPConnection`.
+     */
+    abstract class InstanceSource extends DataFlow::LocalSourceNode {
+      /** Gets the argument that specified the host, if any. */
+      abstract DataFlow::Node getHostArgument();
+    }
+
+    /** A direct instantiation of `http.client.HTTPConnection`. */
+    private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
+      ClassInstantiation() { this = classRef().getACall() }
+
+      override DataFlow::Node getHostArgument() {
+        result in [this.getArg(0), this.getArgByName("host")]
+      }
+    }
+
+    /**
+     * Gets a reference to an instance of `http.client.HTTPConnection`,
+     * that was instantiated with host argument `hostArg`.
+     */
+    private DataFlow::TypeTrackingNode instance(DataFlow::TypeTracker t, DataFlow::Node hostArg) {
+      t.start() and
+      hostArg = result.(InstanceSource).getHostArgument()
+      or
+      exists(DataFlow::TypeTracker t2 | result = instance(t2, hostArg).track(t2, t))
+    }
+
+    /**
+     * Gets a reference to an instance of `http.client.HTTPConnection`,
+     * that was instantiated with host argument `hostArg`.
+     */
+    DataFlow::Node instance(DataFlow::Node hostArg) {
+      instance(DataFlow::TypeTracker::end(), hostArg).flowsTo(result)
+    }
+
+    /** A method call on a HTTPConnection that sends off a request */
+    private class RequestCall extends HTTP::Client::Request::Range, DataFlow::MethodCallNode {
+      RequestCall() { this.calls(instance(_), ["request", "_send_request", "putrequest"]) }
+
+      override DataFlow::Node getResponse() {
+        // TODO: this does not seem like the right abstraction, to allow for nice path-explanations
+        //
+        // For nice path-explanation, we would like either
+        // 1: tainting instance
+        // 1a. host on object creation -> obj
+        // 1b. url on request call -> obj
+        // 2. obj -> obj.getresponse()
+        //
+        // For now, that's really all we use the `getResponse` predicate for.
+        result.(HttpConnectionGetResponseCall).getObject().getALocalSource() =
+          this.getObject().getALocalSource()
+      }
+
+      override DataFlow::Node getUrl() {
+        result in [this.getArg(1), this.getArgByName("url")]
+        or
+        this.getObject() = instance(result)
+      }
+
+      override string getFramework() { result = "http.client.HTTP[S]Connection" }
+
+      override predicate disablesCertificateValidation(
+        DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
+      ) {
+        // TODO: Proper alerting of insecure verification settings on SSLContext.
+        // Because that is not restricted to HTTP[S]Connection usage, we need something
+        // more general, and I would like to tackle that in future PR.
+        none()
+      }
+    }
+
+    /** A call to the `getresponse` method. */
+    private class HttpConnectionGetResponseCall extends DataFlow::MethodCallNode,
+      HTTPResponse::InstanceSource {
+      HttpConnectionGetResponseCall() { this.calls(instance(_), "getresponse") }
+    }
+  }
+
+  /**
+   * Provides models for the `http.client.HTTPResponse` class
+   *
+   * See
+   * - https://docs.python.org/3.10/library/http.client.html#httpresponse-objects
+   * - https://docs.python.org/3/library/http.client.html#http.client.HTTPResponse.
+   */
+  module HTTPResponse {
+    /** Gets a reference to the `http.client.HTTPResponse` class. */
+    private API::Node classRef() {
+      result = API::moduleImport("http").getMember("client").getMember("HTTPResponse")
+    }
+
+    /**
+     * A source of instances of `http.client.HTTPResponse`, extend this class to model new instances.
+     *
+     * A `http.client.HTTPResponse` is itself a file-like object.
+     *
+     * This can include instantiations of the class, return values from function
+     * calls, or a special parameter that will be set when functions are called by an external
+     * library.
+     *
+     * Use the predicate `HTTPResponse::instance()` to get references to instances of `http.client.HTTPResponse`.
+     */
+    abstract class InstanceSource extends Stdlib::FileLikeObject::InstanceSource,
+      DataFlow::LocalSourceNode { }
+
+    /** A direct instantiation of `http.client.HTTPResponse`. */
+    private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
+      ClassInstantiation() { this = classRef().getACall() }
+    }
+
+    /** Gets a reference to an instance of `http.client.HTTPResponse`. */
+    private DataFlow::TypeTrackingNode instance(DataFlow::TypeTracker t) {
+      t.start() and
+      result instanceof InstanceSource
+      or
+      exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))
+    }
+
+    /** Gets a reference to an instance of `http.client.HTTPResponse`. */
+    DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
+
+    /**
+     * Taint propagation for `http.client.HTTPResponse`.
+     */
+    private class InstanceTaintSteps extends InstanceTaintStepsHelper {
+      InstanceTaintSteps() { this = "http.client.HTTPResponse" }
+
+      override DataFlow::Node getInstance() { result = instance() }
+
+      override string getAttributeName() { result in ["headers", "msg", "reason", "url"] }
+
+      override string getMethodName() { result in ["getheader", "getheaders", "info", "geturl",] }
+
+      override string getAsyncMethodName() { none() }
+    }
+
+    /** An attribute read that is a HTTPMessage instance. */
+    private class HTTPMessageInstances extends Stdlib::HTTPMessage::InstanceSource {
+      HTTPMessageInstances() {
+        this.(DataFlow::AttrRead).accesses(instance(), ["headers", "msg"])
+        or
+        this.(DataFlow::MethodCallNode).calls(instance(), "info")
+      }
+    }
+  }
+
   // ---------------------------------------------------------------------------
   // sqlite3
   // ---------------------------------------------------------------------------
diff --git a/python/ql/test/library-tests/frameworks/stdlib/http_client.py b/python/ql/test/library-tests/frameworks/stdlib/http_client.py
@@ -11,34 +11,35 @@
 
 
 # NOTE: the URL may be relative to host, or may be full URL.
-conn = HTTPConnection("example.com") # $ MISSING: clientRequestUrl="example.com"
-conn.request("GET", "/") # $ MISSING: clientRequestUrl="/"
-conn.request("GET", "http://example.com/") # $ MISSING: clientRequestUrl="http://example.com/"
+conn = HTTPConnection("example.com") # $ clientRequestUrl="example.com"
+conn.request("GET", "/") # $ clientRequestUrl="/"
+url = "http://example.com/"
+conn.request("GET", url) # $ clientRequestUrl=url
 
 # kwargs
-conn = HTTPConnection(host="example.com") # $ MISSING: clientRequestUrl="example.com"
-conn.request(method="GET", url="/") # $ MISSING: clientRequestUrl="/"
+conn = HTTPConnection(host="example.com") # $ clientRequestUrl="example.com"
+conn.request(method="GET", url="/") # $ clientRequestUrl="/"
 
 # using internal method... you shouldn't but you can
-conn._send_request("GET", "url", body=None, headers={}, encode_chunked=False) # $ MISSING: clientRequestUrl="url"
+conn._send_request("GET", "url", body=None, headers={}, encode_chunked=False) # $ clientRequestUrl="url"
 
 # low level sending of request
-conn.putrequest("GET", "url") # $ MISSING: clientRequestUrl="url"
+conn.putrequest("GET", "url") # $ clientRequestUrl="url"
 conn.putheader("X-Foo", "value")
 conn.endheaders(message_body=None)
 
 # HTTPS
-conn = HTTPSConnection("host") # $ MISSING: clientRequestUrl="host"
-conn.request("GET", "url") # $ MISSING: clientRequestUrl="url"
+conn = HTTPSConnection("host") # $ clientRequestUrl="host"
+conn.request("GET", "url") # $ clientRequestUrl="url"
 
 # six aliases
 import six
 
-conn = six.moves.http_client.HTTPConnection("host") # $ MISSING: clientRequestUrl="host"
-conn.request("GET", "url") # $ MISSING: clientRequestUrl="url"
+conn = six.moves.http_client.HTTPConnection("host") # $ clientRequestUrl="host"
+conn.request("GET", "url") # $ clientRequestUrl="url"
 
-conn = six.moves.http_client.HTTPSConnection("host") # $ MISSING: clientRequestUrl="host"
-conn.request("GET", "url") # $ MISSING: clientRequestUrl="url"
+conn = six.moves.http_client.HTTPSConnection("host") # $ clientRequestUrl="host"
+conn.request("GET", "url") # $ clientRequestUrl="url"
 
 # ==============================================================================
 # Certificate validation disabled
@@ -49,34 +50,34 @@
 assert context.check_hostname == True
 assert context.verify_mode == ssl.CERT_REQUIRED
 
-conn = HTTPSConnection("host", context=context) # $ MISSING: clientRequestUrl="host"
-conn.request("GET", "url") # $ MISSING: clientRequestUrl="url"
+conn = HTTPSConnection("host", context=context) # $ clientRequestUrl="host"
+conn.request("GET", "url") # $ clientRequestUrl="url"
 
 # `_create_default_https_context` is currently just an alias for `create_default_context`
 # which creates a context for SERVER_AUTH purpose.
 context = ssl.create_default_context()
 assert context.check_hostname == True
 assert context.verify_mode == ssl.CERT_REQUIRED
 
-conn = HTTPSConnection("host", context=context) # $ MISSING: clientRequestUrl="host"
-conn.request("GET", "url") # $ MISSING: clientRequestUrl="url"
+conn = HTTPSConnection("host", context=context) # $ clientRequestUrl="host"
+conn.request("GET", "url") # $ clientRequestUrl="url"
 
 # however, if you supply your own SSLContext, you need to set it manually
 context = ssl.SSLContext()
 assert context.check_hostname == False
 assert context.verify_mode == ssl.CERT_NONE
 
-conn = HTTPSConnection("host", context=context) # $ MISSING: clientRequestUrl="host"
-conn.request("GET", "url") # $ MISSING: clientRequestUrl="url" clientRequestCertValidationDisabled
+conn = HTTPSConnection("host", context=context) # $ clientRequestUrl="host"
+conn.request("GET", "url") # $ clientRequestUrl="url" MISSING: clientRequestCertValidationDisabled
 
 # and if you misunderstood whether to use server/client in the purpose, you will also
 # get a context without hostname verification.
 context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
 assert context.check_hostname == False
 assert context.verify_mode == ssl.CERT_NONE
 
-conn = HTTPSConnection("host", context=context) # $ MISSING: clientRequestUrl="host"
-conn.request("GET", "url") # $ MISSING: clientRequestUrl="url" clientRequestCertValidationDisabled
+conn = HTTPSConnection("host", context=context) # $ clientRequestUrl="host"
+conn.request("GET", "url") # $ clientRequestUrl="url" MISSING: clientRequestCertValidationDisabled
 
 # NOTICE that current documentation says
 #
@@ -89,17 +90,17 @@
 context.check_hostname = True
 assert context.verify_mode == ssl.CERT_REQUIRED
 
-conn = HTTPSConnection("host", context=context) # $ MISSING: clientRequestUrl="host"
-conn.request("GET", "url") # $ MISSING: clientRequestUrl="url"
+conn = HTTPSConnection("host", context=context) # $ clientRequestUrl="host"
+conn.request("GET", "url") # $ clientRequestUrl="url"
 
 # only setting verify_mode is not enough, since check_hostname is not enabled
 
 context = ssl.SSLContext()
 context.verify_mode = ssl.CERT_REQUIRED
 assert context.check_hostname == False
 
-conn = HTTPSConnection("host", context=context) # $ MISSING: clientRequestUrl="host"
-conn.request("GET", "url") # $ MISSING: clientRequestUrl="url" clientRequestCertValidationDisabled
+conn = HTTPSConnection("host", context=context) # $ clientRequestUrl="host"
+conn.request("GET", "url") # $ clientRequestUrl="url" MISSING: clientRequestCertValidationDisabled
 
 # ==============================================================================
 # taint test
@@ -111,8 +112,8 @@ def taint_test():
     host = request.args['host']
     url = request.args['url']
 
-    conn = HTTPConnection(host) # $ MISSING: clientRequestUrl=host
-    conn.request("GET", url) # $ MISSING: clientRequestUrl=url
+    conn = HTTPConnection(host) # $ clientRequestUrl=host
+    conn.request("GET", url) # $ clientRequestUrl=url
 
     resp = conn.getresponse()
 
@@ -122,37 +123,48 @@ def taint_test():
         # https://docs.python.org/3/library/http.client.html#http.client.HTTPResponse
 
         # a HTTPResponse itself is file-like
-        resp, # $ MISSING: tainted
-        resp.read(), # $ MISSING: tainted
+        resp, # $ tainted
+        resp.read(), # $ tainted
 
-        resp.getheader("name"), # $ MISSING: tainted
-        resp.getheaders(), # $ MISSING: tainted
+        resp.getheader("name"), # $ tainted
+        resp.getheaders(), # $ tainted
 
         # http.client.HTTPMessage
-        resp.headers, # $ MISSING: tainted
-        resp.headers.get_all(), # $ MISSING: tainted
+        resp.headers, # $ tainted
+        resp.headers.get_all(), # $ tainted
 
         # Alias for .headers
         # http.client.HTTPMessage
-        resp.msg, # $ MISSING: tainted
-        resp.msg.get_all(), # $ MISSING: tainted
+        resp.msg, # $ tainted
+        resp.msg.get_all(), # $ tainted
 
         # Alias for .headers
-        resp.info(), # $ MISSING: tainted
-        resp.info().get_all(), # $ MISSING: tainted
+        resp.info(), # $ tainted
+        resp.info().get_all(), # $ tainted
 
         # although this would usually be the textual version of the status
         # ("OK" for 200), it is possible to put your own evil data in here.
-        resp.reason, # $ MISSING: tainted
+        resp.reason, # $ tainted
 
         # the URL of the recourse that was visited, if redirects were followed.
         # I don't see any reason this could not contain evil data.
-        resp.url, # $ MISSING: tainted
-        resp.geturl(), # $ MISSING: tainted
+        resp.url, # $ tainted
+        resp.geturl(), # $ tainted
     )
 
     ensure_not_tainted(
         resp.status,
         resp.code,
         resp.getcode(),
     )
+
+    # check that only setting either host/url is enough to propagate taint
+    conn = HTTPConnection("host") # $ clientRequestUrlPart="host"
+    conn.request("GET", url) # $ clientRequestUrlPart=url
+    resp = conn.getresponse()
+    ensure_tainted(resp) # $ tainted
+
+    conn = HTTPConnection(host) # $ clientRequestUrlPart=host
+    conn.request("GET", "url") # $ clientRequestUrlPart="url"
+    resp = conn.getresponse()
+    ensure_tainted(resp) # $ tainted
