Model Flask SessionInterface request parameter

joefarebrother · joefarebrother · commit 7727e465f43e · 2024-05-20T09:46:54.000+01:00
diff --git a/python/ql/lib/semmle/python/frameworks/Flask.qll b/python/ql/lib/semmle/python/frameworks/Flask.qll
@@ -101,6 +101,19 @@ module Flask {
   /** Gets a reference to the `flask.request` object. */
   API::Node request() {
     result = API::moduleImport(["flask", "flask_restful"]).getMember("request")
+    or
+    result = sessionInterfaceRequestParam()
+  }
+
+  /** Gets a `request` parameter of an implementation of `open_session` in a subclass of `flask.sessions.SessionInterface` */
+  private API::Node sessionInterfaceRequestParam() {
+    result =
+      API::moduleImport("flask")
+          .getMember("sessions")
+          .getMember("SessionInterface")
+          .getASubclass+()
+          .getMember("open_session")
+          .getParameter(1)
   }
 
   /**
diff --git a/python/ql/test/library-tests/frameworks/flask/session_interface.py b/python/ql/test/library-tests/frameworks/flask/session_interface.py
@@ -0,0 +1,5 @@
+import flask 
+
+class MySessionInterface(flask.sessions.SessionInterface):
+    def open_session(self, app, request):
+        ensure_tainted(request) # $tainted
