Added a sanitizer for replacing newlines.

Author: joefarebrother

python/ql/lib/semmle/python/security/dataflow/HttpHeaderInjectionCustomizations.qll

@@ -71,4 +71,14 @@ module HttpHeaderInjection {
       Http::Server::ResponseHeaderBulkWrite.super.valueAllowsNewline()
     }
   }
+
+  /**
+   * A call to replace line breaks, considered as a sanitizer.
+   */
+  class ReplaceLineBreaksSanitizer extends Sanitizer, DataFlow::CallCfgNode {
+    ReplaceLineBreaksSanitizer() {
+      this.getFunction().(DataFlow::AttrRead).getAttributeName() = "replace" and
+      this.getArg(0).asExpr().(StrConst).getText() = "\n"
+    }
+  }
 }

python/ql/test/query-tests/Security/CWE-113-HeaderInjection/flask_tests.py

@@ -58,4 +58,13 @@ def flask_make_response_header_arg3():
 def flask_make_response_header_arg2():
     rfs_header = request.args["rfs_header"]
     resp = make_response("hello", {request.args["rfs_header"]: "HeaderValue"}) # BAD
-    return resp
+    return resp
+
+@app.route("/flask_escaped")
+def flask_escaped():
+    rfs_header = request.args["rfs_header"]
+    resp = make_response("hello", {rfs_header.replace("\n", ""): "HeaderValue"}) # GOOD - Newlines are removed from the input.
+    return resp
+
+# if __name__ == "__main__":
+#     app.run(debug=True)