Python: Add file-like modeling to werkzeug FileStorage

RasmusWL · RasmusWL · commit 04190ea30878 · 2021-07-22T10:43:18.000+02:00
diff --git a/python/ql/src/semmle/python/frameworks/Werkzeug.qll b/python/ql/src/semmle/python/frameworks/Werkzeug.qll
@@ -9,6 +9,7 @@ private import python
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.ApiGraphs
+private import semmle.python.frameworks.Stdlib
 
 /**
  * Provides models for the `Werkzeug` PyPI package.
@@ -107,6 +108,21 @@ module Werkzeug {
             )
           }
         }
+
+        /** A file-like object instance that originates from a `FileStorage`. */
+        class FileStorageFileLikeInstances extends Stdlib::FileLikeObject::InstanceSource {
+          FileStorageFileLikeInstances() {
+            this.(DataFlow::AttrRead).accesses(instance(), "stream")
+            or
+            // All the attributes of the wrapper stream are proxied by the file storage
+            // so it’s possible to do storage.read() instead of the long form
+            // storage.stream.read().
+            //
+            // due to the `InstanceSourceApiNode` stuff, we can't just make
+            // `InstanceSource` extend `Stdlib::FileLikeObject::InstanceSource`
+            this = any(InstanceSourceApiNode api).getAnImmediateUse()
+          }
+        }
       }
     }
   }
diff --git a/python/ql/test/library-tests/frameworks/flask/taint_test.py b/python/ql/test/library-tests/frameworks/flask/taint_test.py
@@ -70,6 +70,8 @@ def test_taint(name = "World!", number="0", foo="foo"):  # $requestHandler route
         request.files['key'], # $ tainted
         request.files['key'].filename, # $ MISSING: tainted
         request.files['key'].stream, # $ MISSING: tainted
+        request.files['key'].read(), # $ MISSING: tainted
+        request.files['key'].stream.read(), # $ MISSING: tainted
         request.files.get('key'), # $ tainted
         request.files.get('key').filename, # $ MISSING: tainted
         request.files.get('key').stream, # $ MISSING: tainted

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@ private import python`
`9`	`9`	`private import semmle.python.dataflow.new.DataFlow`
`10`	`10`	`private import semmle.python.dataflow.new.TaintTracking`
`11`	`11`	`private import semmle.python.ApiGraphs`
	`12`	`+private import semmle.python.frameworks.Stdlib`
`12`	`13`
`13`	`14`	`/**`
`14`	`15`	* Provides models for the `Werkzeug` PyPI package.
`@@ -107,6 +108,21 @@ module Werkzeug {`
`107`	`108`	`)`
`108`	`109`	`}`
`109`	`110`	`}`
	`111`	`+`
	`112`	+ /** A file-like object instance that originates from a `FileStorage`. */
	`113`	`+ class FileStorageFileLikeInstances extends Stdlib::FileLikeObject::InstanceSource {`
	`114`	`+ FileStorageFileLikeInstances() {`
	`115`	`+ this.(DataFlow::AttrRead).accesses(instance(), "stream")`
	`116`	`+ or`
	`117`	`+ // All the attributes of the wrapper stream are proxied by the file storage`
	`118`	`+ // so it’s possible to do storage.read() instead of the long form`
	`119`	`+ // storage.stream.read().`
	`120`	`+ //`
	`121`	+ // due to the `InstanceSourceApiNode` stuff, we can't just make
	`122`	+ // `InstanceSource` extend `Stdlib::FileLikeObject::InstanceSource`
	`123`	`+ this = any(InstanceSourceApiNode api).getAnImmediateUse()`
	`124`	`+ }`
	`125`	`+ }`
`110`	`126`	`}`
`111`	`127`	`}`
`112`	`128`	`}`