Python: Port py/flask-debug

Author: RasmusWL

python/change-notes/2021-02-24-port-flask-debug.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Updated _Flask app is run in debug mode_ (`py/flask-debug`) query to use the new type-tracking approach instead of points-to analysis. You may see differences in the results found by the query, but overall this change should result in a more robust and accurate analysis.

python/ql/src/Security/CWE-215/FlaskDebug.ql

@@ -11,12 +11,25 @@
  */
 
 import python
-import semmle.python.web.flask.General
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.ApiGraphs
+import semmle.python.frameworks.Flask
 
-from CallNode call, Value isTrue
+/** Gets a reference to a truthy literal. */
+private DataFlow::LocalSourceNode truthyLiteral(DataFlow::TypeTracker t) {
+  t.start() and
+  result.asExpr().(ImmutableLiteral).booleanValue() = true
+  or
+  exists(DataFlow::TypeTracker t2 | result = truthyLiteral(t2).track(t2, t))
+}
+
+/** Gets a reference to a truthy literal. */
+DataFlow::Node truthyLiteral() { truthyLiteral(DataFlow::TypeTracker::end()).flowsTo(result) }
+
+from DataFlow::CallCfgNode call, DataFlow::Node debugArg
 where
-  call = theFlaskClass().declaredAttribute("run").(FunctionValue).getACall() and
-  call.getArgByName("debug").pointsTo(isTrue) and
-  isTrue.getDefiniteBooleanValue() = true
+  call.getFunction() = Flask::FlaskApp::instance().getMember("run").getAUse() and
+  debugArg in [call.getArg(2), call.getArgByName("debug")] and
+  debugArg = truthyLiteral()
 select call,
   "A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger."