Python: Model Werkzeug FileStorage.save as FileSystemAccess

RasmusWL · RasmusWL · commit 4d9c86a2521f · 2021-07-22T10:43:18.000+02:00
diff --git a/python/ql/src/semmle/python/frameworks/Werkzeug.qll b/python/ql/src/semmle/python/frameworks/Werkzeug.qll
@@ -10,6 +10,7 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.ApiGraphs
 private import semmle.python.frameworks.Stdlib
+private import semmle.python.Concepts
 
 /**
  * Provides models for the `Werkzeug` PyPI package.
@@ -110,6 +111,15 @@ module Werkzeug {
     private class FileStorageFileLikeInstances extends Stdlib::FileLikeObject::InstanceSource {
       FileStorageFileLikeInstances() { this.(DataFlow::AttrRead).accesses(instance(), "stream") }
     }
+
+    /** A call to the `save` method of a `FileStorage`. */
+    private class FileStorageSaveCall extends FileSystemAccess::Range, DataFlow::MethodCallNode {
+      FileStorageSaveCall() { this.calls(instance(), "save") }
+
+      override DataFlow::Node getAPathArgument() {
+        result in [this.getArg(0), this.getArgByName("dst")]
+      }
+    }
   }
 
   import WerkzeugOld
diff --git a/python/ql/test/library-tests/frameworks/flask/save_uploaded_file.py b/python/ql/test/library-tests/frameworks/flask/save_uploaded_file.py
@@ -0,0 +1,6 @@
+from flask import Flask, request
+app = Flask(__name__)
+
+@app.route("/save-uploaded-file")  # $routeSetup="/save-uploaded-file"
+def test_taint():  # $requestHandler
+    request.files['key'].save("path") # $ getAPathArgument="path"
