Python: Model taint for django request methods

Author: RasmusWL

python/ql/src/semmle/python/frameworks/Django.qll

@@ -1892,9 +1892,30 @@ private module PrivateDjango {
       // (since it allows us to at least capture the most common cases).
       nodeFrom = django::http::request::HttpRequest::instance() and
       exists(DataFlow::AttrRead attr | attr.getObject() = nodeFrom |
-        attr.getAttributeName() in ["TODO"] and
+        attr.getAttributeName() in [
+            "get_full_path", "get_full_path_info", "read", "readline", "readlines"
+          ] and
+        nodeTo.(DataFlow::CallCfgNode).getFunction() = attr
+      )
+      or
+      // special handling of the `build_absolute_uri` method, see
+      // https://docs.djangoproject.com/en/3.0/ref/request-response/#django.http.HttpRequest.build_absolute_uri
+      exists(DataFlow::AttrRead attr, DataFlow::CallCfgNode call, DataFlow::Node instance |
+        instance = django::http::request::HttpRequest::instance() and
+        attr.getObject() = instance
+      |
+        attr.getAttributeName() = "build_absolute_uri" and
         nodeTo.(DataFlow::CallCfgNode).getFunction() = attr and
-        none()
+        call = nodeTo and
+        (
+          not exists(call.getArg(_)) and
+          not exists(call.getArgByName(_)) and
+          nodeFrom = instance
+          or
+          nodeFrom = call.getArg(0)
+          or
+          nodeFrom = call.getArgByName("location")
+        )
       )
       or
       // Attributes
@@ -1920,7 +1941,6 @@ private module PrivateDjango {
           // TODO: Model ResolverMatch
           "resolver_match"
         ]
-      // TODO: Handle calls to methods
       // TODO: Handle that a HttpRequest is iterable
     }
   }

python/ql/test/library-tests/frameworks/django-v2-v3/taint_test.py

@@ -94,15 +94,15 @@ def test_taint(request: HttpRequest, foo, bar, baz=None):  # $requestHandler rou
         request.resolver_match.kwargs, # $ MISSING: tainted
         request.resolver_match.kwargs["key"], # $ MISSING: tainted
 
-        request.get_full_path(), # $ MISSING: tainted
-        request.get_full_path_info(), # $ MISSING: tainted
+        request.get_full_path(), # $ tainted
+        request.get_full_path_info(), # $ tainted
         # build_absolute_uri handled below
         # get_signed_cookie handled below
 
-        request.read(), # $ MISSING: tainted
-        request.readline(), # $ MISSING: tainted
-        request.readlines(), # $ MISSING: tainted
-        request.readlines()[0], # $ MISSING: tainted
+        request.read(), # $ tainted
+        request.readline(), # $ tainted
+        request.readlines(), # $ tainted
+        request.readlines()[0], # $ tainted
         [line for line in request], # $ MISSING: tainted
     )
 
@@ -129,9 +129,9 @@ def test_taint(request: HttpRequest, foo, bar, baz=None):  # $requestHandler rou
     # build_absolute_uri
     ####################################
     ensure_tainted(
-        request.build_absolute_uri(), # $ MISSING: tainted
-        request.build_absolute_uri(request.GET["key"]), # $ MISSING: tainted
-        request.build_absolute_uri(location=request.GET["key"]), # $ MISSING: tainted
+        request.build_absolute_uri(), # $ tainted
+        request.build_absolute_uri(request.GET["key"]), # $ tainted
+        request.build_absolute_uri(location=request.GET["key"]), # $ tainted
     )
     ensure_not_tainted(
         request.build_absolute_uri("/hardcoded/"),