Python: Add sinks for http.server.BaseHTTPRequestHandler

RasmusWL · RasmusWL · commit 51a9094064b2 · 2020-04-22T17:28:27.000+02:00
diff --git a/python/ql/src/semmle/python/web/HttpResponse.qll b/python/ql/src/semmle/python/web/HttpResponse.qll
@@ -7,3 +7,4 @@ import semmle.python.web.bottle.Response
 import semmle.python.web.turbogears.Response
 import semmle.python.web.falcon.Response
 import semmle.python.web.cherrypy.Response
+import semmle.python.web.stdlib.Response
diff --git a/python/ql/src/semmle/python/web/stdlib/Response.qll b/python/ql/src/semmle/python/web/stdlib/Response.qll
@@ -0,0 +1,43 @@
+/**
+ * Provides the sinks for HTTP servers defined with standard library (stdlib).
+ */
+
+import python
+import semmle.python.security.TaintTracking
+import semmle.python.web.Http
+
+private predicate is_wfile(AttrNode wfile) {
+    exists(ClassValue cls |
+        // Python 2
+        cls.getABaseType+() = Value::named("BaseHTTPServer.BaseHTTPRequestHandler")
+        or
+        // Python 3
+        cls.getABaseType+() = Value::named("http.server.BaseHTTPRequestHandler")
+    |
+        wfile.getObject("wfile").pointsTo().getClass() = cls
+    )
+}
+
+/** Sink for `h.wfile.write` where `h` is an instance of BaseHTTPRequestHandler. */
+class StdLibWFileWriteSink extends HttpResponseTaintSink {
+    StdLibWFileWriteSink() {
+        exists(CallNode call |
+            is_wfile(call.getFunction().(AttrNode).getObject("write")) and
+            call.getArg(0) = this
+        )
+    }
+
+    override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
+}
+
+/** Sink for `h.wfile.writelines` where `h` is an instance of BaseHTTPRequestHandler. */
+class StdLibWFileWritelinesSink extends HttpResponseTaintSink {
+    StdLibWFileWritelinesSink() {
+        exists(CallNode call |
+            is_wfile(call.getFunction().(AttrNode).getObject("writelines")) and
+            call.getArg(0) = this
+        )
+    }
+
+    override predicate sinks(TaintKind kind) { kind instanceof ExternalStringSequenceKind }
+}
diff --git a/python/ql/test/library-tests/web/stdlib/HttpResponseSinks.expected b/python/ql/test/library-tests/web/stdlib/HttpResponseSinks.expected
@@ -0,0 +1,2 @@
+| test.py:72:26:72:58 | Taint sink | externally controlled string |
+| test.py:73:31:73:54 | Taint sink | [externally controlled string] |
diff --git a/python/ql/test/library-tests/web/stdlib/HttpResponseSinks.ql b/python/ql/test/library-tests/web/stdlib/HttpResponseSinks.ql
@@ -0,0 +1,7 @@
+import python
+import semmle.python.web.HttpResponse
+import semmle.python.security.strings.Untrusted
+
+from HttpResponseTaintSink sink, TaintKind kind
+where sink.sinks(kind)
+select sink, kind
diff --git a/python/ql/test/library-tests/web/stdlib/test.py b/python/ql/test/library-tests/web/stdlib/test.py
@@ -69,7 +69,8 @@ def do_GET(self):
         self.send_response(200)
         self.send_header("Content-type", "text/plain; charset=utf-8")
         self.end_headers()
-        self.wfile.write(b"Hello BaseHTTPRequestHandler")
+        self.wfile.write(b"Hello BaseHTTPRequestHandler\n")
+        self.wfile.writelines([b"1\n", b"2\n", b"3\n"])
         print(self.headers)
 
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+\| test.py:72:26:72:58 \| Taint sink \| externally controlled string \|`
	`2`	`+\| test.py:73:31:73:54 \| Taint sink \| [externally controlled string] \|`