Merge pull request #15398 from RasmusWL/html-escape

RasmusWL · web-flow · commit c265c15f3f4f · 2024-01-30T16:06:01.000+01:00
Python: Add `html.escape` as HTML sanitizer
diff --git a/python/ql/lib/change-notes/2024-01-22-html-escape.md b/python/ql/lib/change-notes/2024-01-22-html-escape.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added `html.escape` as a sanitizer for HTML.
diff --git a/python/ql/lib/semmle/python/frameworks/Stdlib.qll b/python/ql/lib/semmle/python/frameworks/Stdlib.qll
@@ -4830,6 +4830,35 @@ module StdlibPrivate {
       override predicate isShellInterpreted(DataFlow::Node arg) { arg = this.getCommand() }
     }
   }
+
+  // ---------------------------------------------------------------------------
+  // html
+  // ---------------------------------------------------------------------------
+  /**
+   * A call to 'html.escape'.
+   * See https://docs.python.org/3/library/html.html#html.escape
+   */
+  private class HtmlEscapeCall extends Escaping::Range, API::CallNode {
+    HtmlEscapeCall() {
+      this = API::moduleImport("html").getMember("escape").getACall() and
+      // if quote escaping is disabled, that might lead to XSS if the result is inserted
+      // in the attribute value of a tag, such as `<foo bar="escape_result">`. Since we
+      // don't know how values are being inserted, and we don't want to lose these
+      // results (FNs), we require quote escaping to be enabled. This might lead to some
+      // FPs, so we might need to revisit this in the future.
+      not this.getParameter(1, "quote")
+          .getAValueReachingSink()
+          .asExpr()
+          .(ImmutableLiteral)
+          .booleanValue() = false
+    }
+
+    override DataFlow::Node getAnInput() { result = this.getParameter(0, "s").asSink() }
+
+    override DataFlow::Node getOutput() { result = this }
+
+    override string getKind() { result = Escaping::getHtmlKind() }
+  }
 }
 
 // ---------------------------------------------------------------------------
diff --git a/python/ql/test/library-tests/frameworks/stdlib/test_html.py b/python/ql/test/library-tests/frameworks/stdlib/test_html.py
@@ -0,0 +1,9 @@
+import html
+
+s = "tainted"
+
+html.escape(s) # $ escapeInput=s escapeKind=html escapeOutput=html.escape(..)
+html.escape(s, True) # $ escapeInput=s escapeKind=html escapeOutput=html.escape(..)
+# not considered html escapes, since they don't escape all relevant characters
+html.escape(s, False)
+html.escape(s, quote=False)

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Added `html.escape` as a sanitizer for HTML.