Python: aiohttp match_info should be tainted

Whoops

Author: RasmusWL

python/ql/src/semmle/python/frameworks/Aiohttp.qll

@@ -225,7 +225,7 @@ module AiohttpWebModel {
       nodeTo.(DataFlow::AttrRead).getAttributeName() in [
           "url", "rel_url", "forwarded", "host", "remote", "path", "path_qs", "raw_path", "query",
           "headers", "transport", "cookies", "content", "_payload", "content_type", "charset",
-          "http_range", "if_modified_since", "if_unmodified_since", "if_range"
+          "http_range", "if_modified_since", "if_unmodified_since", "if_range", "match_info"
         ]
     }
   }

python/ql/test/library-tests/frameworks/aiohttp/taint_test.py

@@ -19,6 +19,11 @@ async def test_taint(request: web.Request): # $ requestHandler
         request.path_qs, # $ tainted
         request.raw_path, # $ tainted
 
+        # dict-like for captured parts of the URL
+        request.match_info, # $ tainted
+        request.match_info["key"], # $ tainted
+        request.match_info.get("key"), # $ tainted
+
         # multidict.MultiDictProxy[str]
         # see https://multidict.readthedocs.io/en/stable/multidict.html#multidict.MultiDictProxy
         # TODO: Should have a better way to capture that we in fact _do_ model this as a
@@ -121,7 +126,6 @@ async def test_taint(request: web.Request): # $ requestHandler
     ensure_not_tainted(
         request.loop,
 
-        request.match_info,
         request.app,
         request.config_dict,
     )