|
| 1 | +/** |
| 2 | + * Provides classes modeling security-relevant aspects of the `cherrypy` PyPI package. |
| 3 | + */ |
| 4 | + |
| 5 | +private import python |
| 6 | +private import semmle.python.dataflow.new.DataFlow |
| 7 | +private import semmle.python.dataflow.new.RemoteFlowSources |
| 8 | +private import semmle.python.dataflow.new.TaintTracking |
| 9 | +private import semmle.python.Concepts |
| 10 | +private import semmle.python.ApiGraphs |
| 11 | + |
| 12 | +/** |
| 13 | + * Provides models for the `cherrypy` PyPI package. |
| 14 | + * See https://cherrypy.dev/. |
| 15 | + */ |
| 16 | +private module Cherrypy { |
| 17 | + /** |
| 18 | + * Holds for an instance of `cherrypy.lib.static` |
| 19 | + */ |
| 20 | + API::Node libStatic() { |
| 21 | + result = API::moduleImport("cherrypy").getMember("lib").getMember("static") |
| 22 | + } |
| 23 | + |
| 24 | + /** |
| 25 | + * A call to the `serve_file` or `serve_download`or `staticfile` functions of `cherrypy.lib.static` as a sink for Filesystem access. |
| 26 | + */ |
| 27 | + class FileResponseCall extends FileSystemAccess::Range, API::CallNode { |
| 28 | + string funcName; |
| 29 | + |
| 30 | + FileResponseCall() { |
| 31 | + this = libStatic().getMember("staticfile").getACall() and |
| 32 | + funcName = "staticfile" |
| 33 | + or |
| 34 | + this = libStatic().getMember("serve_file").getACall() and |
| 35 | + funcName = "serve_file" |
| 36 | + or |
| 37 | + this = libStatic().getMember("serve_download").getACall() and |
| 38 | + funcName = "serve_download" |
| 39 | + } |
| 40 | + |
| 41 | + override DataFlow::Node getAPathArgument() { |
| 42 | + result = this.getParameter(0, "path").asSink() and funcName = ["serve_download", "serve_file"] |
| 43 | + or |
| 44 | + result = this.getParameter(0, "filename").asSink() and |
| 45 | + funcName = "staticfile" |
| 46 | + } |
| 47 | + } |
| 48 | +} |
0 commit comments