Merge pull request github#5078 from RasmusWL/flask-blueprints

tausbn · web-flow · commit 9499edf761f1 · 2021-02-16T17:22:13.000+01:00
Python: Add modeling of Flask blueprints
diff --git a/python/change-notes/2021-02-03-flask-add-blueprint-modeling.md b/python/change-notes/2021-02-03-flask-add-blueprint-modeling.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added modeling of flask blueprints (`flask.Blueprint`), specifically request handlers defined with such blueprints. This can result in new sources of remote user input (`RemoteFlowSource`) -- since we're now able to detect routed parameters -- and new XSS sinks from the responses of these request handlers.
diff --git a/python/ql/src/semmle/python/frameworks/Flask.qll b/python/ql/src/semmle/python/frameworks/Flask.qll
@@ -72,6 +72,30 @@ private module FlaskModel {
       API::Node response_class() { result = [classRef(), instance()].getMember("response_class") }
     }
 
+    /**
+     * Provides models for the `flask.Blueprint` class
+     *
+     * See https://flask.palletsprojects.com/en/1.1.x/api/#flask.Blueprint.
+     */
+    module Blueprint {
+      /** Gets a reference to the `flask.Blueprint` class. */
+      API::Node classRef() { result = flask().getMember("Blueprint") }
+
+      /** Gets a reference to an instance of `flask.Blueprint`. */
+      API::Node instance() { result = classRef().getReturn() }
+
+      /**
+       * Gets a reference to the attribute `attr_name` of an instance of `flask.Blueprint`.
+       */
+      private API::Node instance_attr(string attr_name) { result = instance().getMember(attr_name) }
+
+      /** Gets a reference to the `route` method on an instance of `flask.Blueprint`. */
+      API::Node route() { result = instance_attr("route") }
+
+      /** Gets a reference to the `add_url_rule` method on an instance of `flask.Blueprint`. */
+      API::Node add_url_rule() { result = instance_attr("add_url_rule") }
+    }
+
     // -------------------------------------------------------------------------
     // flask.views
     // -------------------------------------------------------------------------
@@ -222,12 +246,16 @@ private module FlaskModel {
   }
 
   /**
-   * A call to the `route` method on an instance of `flask.Flask`.
+   * A call to the `route` method on an instance of `flask.Flask` or an instance of `flask.Blueprint`.
    *
    * See https://flask.palletsprojects.com/en/1.1.x/api/#flask.Flask.route
    */
   private class FlaskAppRouteCall extends FlaskRouteSetup, DataFlow::CallCfgNode {
-    FlaskAppRouteCall() { this.getFunction() = flask::Flask::route().getAUse() }
+    FlaskAppRouteCall() {
+      this.getFunction() = flask::Flask::route().getAUse()
+      or
+      this.getFunction() = flask::Blueprint::route().getAUse()
+    }
 
     override DataFlow::Node getUrlPatternArg() {
       result in [this.getArg(0), this.getArgByName("rule")]
@@ -237,12 +265,16 @@ private module FlaskModel {
   }
 
   /**
-   * A call to the `add_url_rule` method on an instance of `flask.Flask`.
+   * A call to the `add_url_rule` method on an instance of `flask.Flask` or an instance of `flask.Blueprint`.
    *
    * See https://flask.palletsprojects.com/en/1.1.x/api/#flask.Flask.add_url_rule
    */
   private class FlaskAppAddUrlRuleCall extends FlaskRouteSetup, DataFlow::CallCfgNode {
-    FlaskAppAddUrlRuleCall() { this.getFunction() = flask::Flask::add_url_rule().getAUse() }
+    FlaskAppAddUrlRuleCall() {
+      this.getFunction() = flask::Flask::add_url_rule().getAUse()
+      or
+      this.getFunction() = flask::Blueprint::add_url_rule().getAUse()
+    }
 
     override DataFlow::Node getUrlPatternArg() {
       result in [this.getArg(0), this.getArgByName("rule")]
diff --git a/python/ql/test/experimental/library-tests/frameworks/flask/external_blueprint.py b/python/ql/test/experimental/library-tests/frameworks/flask/external_blueprint.py
@@ -0,0 +1,7 @@
+import flask
+
+bp3 = flask.Blueprint("bp3", __name__)
+
+@bp3.route("/bp3/example") # $ routeSetup="/bp3/example"
+def bp3_example(): # $ requestHandler
+    return "bp 3 example" # $ HttpResponse
diff --git a/python/ql/test/experimental/library-tests/frameworks/flask/routing_test.py b/python/ql/test/experimental/library-tests/frameworks/flask/routing_test.py
@@ -93,5 +93,32 @@ def get(self, foo, not_routed=42):  # $ requestHandler routedParameter=foo SPURI
         pass
 
 
+# Blueprints
+#
+# see https://flask.palletsprojects.com/en/1.1.x/blueprints/
+
+bp1 = flask.Blueprint("bp1", __name__)
+
+@bp1.route("/bp1/example/<foo>") # $ routeSetup="/bp1/example/<foo>"
+def bp1_example(foo): # $ requestHandler routedParameter=foo
+    return "bp 1 example foo={}".format(foo) # $ HttpResponse
+
+app.register_blueprint(bp1) # by default, URLs of blueprints are not prefixed
+
+
+bp2 = flask.Blueprint("bp2", __name__)
+
+@bp2.route("/example") # $ routeSetup="/example"
+def bp2_example(): # $ requestHandler
+    return "bp 2 example" # $ HttpResponse
+
+app.register_blueprint(bp2, url_prefix="/bp2") # but it is possible to add a URL prefix
+
+
+from external_blueprint import bp3
+app.register_blueprint(bp3)
+
+
 if __name__ == "__main__":
+    print(app.url_map)
     app.run(debug=True)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+lgtm,codescanning`
	`2`	+* Added modeling of flask blueprints (`flask.Blueprint`), specifically request handlers defined with such blueprints. This can result in new sources of remote user input (`RemoteFlowSource`) -- since we're now able to detect routed parameters -- and new XSS sinks from the responses of these request handlers.