Python: Model BaseHTTPRequestHandler.rfile as file-like object

RasmusWL · RasmusWL · commit 7020e4132bdd · 2021-07-22T10:43:18.000+02:00
diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -1031,6 +1031,13 @@ private module StdlibPrivate {
       }
     }
 
+    /** A file-like object that originates from a `BaseHTTPRequestHandler` instance. */
+    private class BaseHTTPRequestHandlerFileLikeObjectInstances extends Stdlib::FileLikeObject::InstanceSource {
+      BaseHTTPRequestHandlerFileLikeObjectInstances() {
+        this.(DataFlow::AttrRead).accesses(instance(), "rfile")
+      }
+    }
+
     /**
      * The entry-point for handling a request with a `BaseHTTPRequestHandler` subclass.
      *
diff --git a/python/ql/test/library-tests/frameworks/stdlib/http_server.py b/python/ql/test/library-tests/frameworks/stdlib/http_server.py
@@ -68,7 +68,7 @@ def taint_sources(self):
             bytes(self.headers), # $ tainted
 
             self.rfile, # $ tainted
-            self.rfile.read(), # $ MISSING: tainted
+            self.rfile.read(), # $ tainted
         )
 
         form = cgi.FieldStorage(

Original file line number	Diff line number	Diff line change
`@@ -1031,6 +1031,13 @@ private module StdlibPrivate {`
`1031`	`1031`	`}`
`1032`	`1032`	`}`
`1033`	`1033`
	`1034`	+ /** A file-like object that originates from a `BaseHTTPRequestHandler` instance. */
	`1035`	`+ private class BaseHTTPRequestHandlerFileLikeObjectInstances extends Stdlib::FileLikeObject::InstanceSource {`
	`1036`	`+ BaseHTTPRequestHandlerFileLikeObjectInstances() {`
	`1037`	`+ this.(DataFlow::AttrRead).accesses(instance(), "rfile")`
	`1038`	`+ }`
	`1039`	`+ }`
	`1040`	`+`
`1034`	`1041`	`/**`
`1035`	`1042`	* The entry-point for handling a request with a `BaseHTTPRequestHandler` subclass.
`1036`	`1043`	`*`
Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,7 @@ def taint_sources(self):`
`68`	`68`	`bytes(self.headers), # $ tainted`
`69`	`69`
`70`	`70`	`self.rfile, # $ tainted`
`71`		`- self.rfile.read(), # $ MISSING: tainted`
	`71`	`+ self.rfile.read(), # $ tainted`
`72`	`72`	`)`
`73`	`73`
`74`	`74`	`form = cgi.FieldStorage(`