Python: Add modeling of requests

RasmusWL · RasmusWL · commit b68d280129db · 2021-12-13T14:56:16.000+01:00
diff --git a/docs/codeql/support/reusables/frameworks.rst b/docs/codeql/support/reusables/frameworks.rst
@@ -171,6 +171,7 @@ Python built-in support
    Twisted, Web framework
    Flask-Admin, Web framework
    starlette, Asynchronous Server Gateway Interface (ASGI)
+   requests, HTTP client
    dill, Serialization
    PyYAML, Serialization
    ruamel.yaml, Serialization
diff --git a/python/ql/lib/semmle/python/Frameworks.qll b/python/ql/lib/semmle/python/Frameworks.qll
@@ -30,6 +30,7 @@ private import semmle.python.frameworks.Peewee
 private import semmle.python.frameworks.Psycopg2
 private import semmle.python.frameworks.Pydantic
 private import semmle.python.frameworks.PyMySQL
+private import semmle.python.frameworks.Requests
 private import semmle.python.frameworks.RestFramework
 private import semmle.python.frameworks.Rsa
 private import semmle.python.frameworks.RuamelYaml
diff --git a/python/ql/lib/semmle/python/frameworks/Requests.qll b/python/ql/lib/semmle/python/frameworks/Requests.qll
@@ -0,0 +1,86 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `requests` PyPI package.
+ *
+ * See
+ * - https://pypi.org/project/requests/
+ * - https://docs.python-requests.org/en/latest/
+ */
+
+private import python
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import semmle.python.dataflow.new.DataFlow
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides models for the `requests` PyPI package.
+ *
+ * See
+ * - https://pypi.org/project/requests/
+ * - https://docs.python-requests.org/en/latest/
+ */
+private module Requests {
+  private class OutgoingRequestCall extends HTTP::Client::Request::Range, DataFlow::CallCfgNode {
+    string methodName;
+
+    OutgoingRequestCall() {
+      methodName in [HTTP::httpVerbLower(), "request"] and
+      (
+        this = API::moduleImport("requests").getMember(methodName).getACall()
+        or
+        exists(API::Node moduleExporting, API::Node sessionInstance |
+          moduleExporting in [
+              API::moduleImport("requests"), //
+              API::moduleImport("requests").getMember("sessions")
+            ] and
+          sessionInstance = moduleExporting.getMember(["Session", "session"]).getReturn()
+        |
+          this = sessionInstance.getMember(methodName).getACall()
+        )
+      )
+    }
+
+    override DataFlow::Node getUrl() {
+      result = this.getArgByName("url")
+      or
+      not methodName = "request" and
+      result = this.getArg(0)
+      or
+      methodName = "request" and
+      result = this.getArg(1)
+    }
+
+    override DataFlow::Node getResponseBody() { none() }
+
+    /** Gets the `verify` argument to this outgoing requests call. */
+    DataFlow::Node getVerifyArg() { result = this.getArgByName("verify") }
+
+    override predicate disablesCertificateValidation(
+      DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
+    ) {
+      disablingNode = this.getVerifyArg() and
+      argumentOrigin = verifyArgBacktracker(disablingNode) and
+      argumentOrigin.asExpr().(ImmutableLiteral).booleanValue() = false and
+      not argumentOrigin.asExpr() instanceof None
+    }
+
+    override string getFramework() { result = "requests" }
+  }
+
+  /** Gets a back-reference to the verify argument `arg`. */
+  private DataFlow::TypeTrackingNode verifyArgBacktracker(
+    DataFlow::TypeBackTracker t, DataFlow::Node arg
+  ) {
+    t.start() and
+    arg = any(OutgoingRequestCall c).getVerifyArg() and
+    result = arg.getALocalSource()
+    or
+    exists(DataFlow::TypeBackTracker t2 | result = verifyArgBacktracker(t2, arg).backtrack(t2, t))
+  }
+
+  /** Gets a back-reference to the verify argument `arg`. */
+  private DataFlow::LocalSourceNode verifyArgBacktracker(DataFlow::Node arg) {
+    result = verifyArgBacktracker(DataFlow::TypeBackTracker::end(), arg)
+  }
+}
diff --git a/python/ql/test/library-tests/frameworks/requests/test.py b/python/ql/test/library-tests/frameworks/requests/test.py
@@ -1,50 +1,50 @@
 import requests
 
-resp = requests.get("url") # $ MISSING: clientRequestUrl="url"
-resp = requests.get(url="url") # $ MISSING: clientRequestUrl="url"
+resp = requests.get("url") # $ clientRequestUrl="url"
+resp = requests.get(url="url") # $ clientRequestUrl="url"
 
-resp = requests.request("GET", "url") # $ MISSING: clientRequestUrl="url"
+resp = requests.request("GET", "url") # $ clientRequestUrl="url"
 
 with requests.Session() as session:
-    resp = session.get("url") # $ MISSING: clientRequestUrl="url"
-    resp = session.request(method="GET", url="url") # $ MISSING: clientRequestUrl="url"
+    resp = session.get("url") # $ clientRequestUrl="url"
+    resp = session.request(method="GET", url="url") # $ clientRequestUrl="url"
 
 s = requests.Session()
-resp = s.get("url") # $ MISSING: clientRequestUrl="url"
+resp = s.get("url") # $ clientRequestUrl="url"
 
 s = requests.session()
-resp = s.get("url") # $ MISSING: clientRequestUrl="url"
+resp = s.get("url") # $ clientRequestUrl="url"
 
 # test full import path for Session
 with requests.sessions.Session() as session:
-    resp = session.get("url") # $ MISSING: clientRequestUrl="url"
+    resp = session.get("url") # $ clientRequestUrl="url"
 
 # Low level access
 req = requests.Request("GET", "url") # $ MISSING: clientRequestUrl="url"
 resp = s.send(req.prepare())
 
 # other methods than GET
-resp = requests.post("url") # $ MISSING: clientRequestUrl="url"
-resp = requests.patch("url") # $ MISSING: clientRequestUrl="url"
-resp = requests.options("url") # $ MISSING: clientRequestUrl="url"
+resp = requests.post("url") # $ clientRequestUrl="url"
+resp = requests.patch("url") # $ clientRequestUrl="url"
+resp = requests.options("url") # $ clientRequestUrl="url"
 
 # ==============================================================================
 # Disabling certificate validation
 # ==============================================================================
 
-resp = requests.get("url", verify=False) # $ MISSING: clientRequestUrl="url" clientRequestCertValidationDisabled
+resp = requests.get("url", verify=False) # $ clientRequestUrl="url" clientRequestCertValidationDisabled
 
 def make_get(verify_arg):
-    resp = requests.get("url", verify=verify_arg) # $ MISSING: clientRequestUrl="url" clientRequestCertValidationDisabled
+    resp = requests.get("url", verify=verify_arg) # $ clientRequestUrl="url" clientRequestCertValidationDisabled
 
 make_get(False)
 
 
 with requests.Session() as session:
     # see https://github.com/psf/requests/blob/39d0fdd9096f7dceccbc8f82e1eda7dd64717a8e/requests/sessions.py#L621
     session.verify = False
-    resp = session.get("url") # $ MISSING: clientRequestUrl="url" clientRequestCertValidationDisabled
-    resp = session.get("url", verify=True) # $ MISSING: clientRequestUrl="url"
+    resp = session.get("url") # $ clientRequestUrl="url" MISSING: clientRequestCertValidationDisabled
+    resp = session.get("url", verify=True) # $ clientRequestUrl="url"
 
     req = requests.Request("GET", "url") # $ MISSING: clientRequestUrl="url"
     resp = session.send(req.prepare()) # $ MISSING: clientRequestCertValidationDisabled
