Merge pull request github#5192 from RasmusWL/framework-for-routed-params

tausbn · web-flow · commit ce1d8ded22b9 · 2021-02-17T13:19:43.000+01:00
Python: Expose framework identifier for route-setup and request handler
diff --git a/python/ql/src/semmle/python/Concepts.qll b/python/ql/src/semmle/python/Concepts.qll
@@ -325,6 +325,9 @@ module HTTP {
        * requests for this route, if any. These automatically become a `RemoteFlowSource`.
        */
       Parameter getARoutedParameter() { result = range.getARoutedParameter() }
+
+      /** Gets a string that identifies the framework used for this route setup. */
+      string getFramework() { result = range.getFramework() }
     }
 
     /** Provides a class for modeling new HTTP routing APIs. */
@@ -359,6 +362,9 @@ module HTTP {
          * requests for this route, if any. These automatically become a `RemoteFlowSource`.
          */
         abstract Parameter getARoutedParameter();
+
+        /** Gets a string that identifies the framework used for this route setup. */
+        abstract string getFramework();
       }
     }
 
@@ -378,6 +384,9 @@ module HTTP {
        * requests, if any. These automatically become a `RemoteFlowSource`.
        */
       Parameter getARoutedParameter() { result = range.getARoutedParameter() }
+
+      /** Gets a string that identifies the framework used for this route setup. */
+      string getFramework() { result = range.getFramework() }
     }
 
     /** Provides a class for modeling new HTTP request handlers. */
@@ -396,6 +405,9 @@ module HTTP {
          * requests, if any. These automatically become a `RemoteFlowSource`.
          */
         abstract Parameter getARoutedParameter();
+
+        /** Gets a string that identifies the framework used for this request handler. */
+        abstract string getFramework();
       }
     }
 
@@ -408,13 +420,17 @@ module HTTP {
         result = rs.getARoutedParameter() and
         result in [this.getArg(_), this.getArgByName(_)]
       }
+
+      override string getFramework() { result = rs.getFramework() }
     }
 
     /** A parameter that will receive parts of the url when handling an incoming request. */
     private class RoutedParameter extends RemoteFlowSource::Range, DataFlow::ParameterNode {
-      RoutedParameter() { this.getParameter() = any(RequestHandler handler).getARoutedParameter() }
+      RequestHandler handler;
+
+      RoutedParameter() { this.getParameter() = handler.getARoutedParameter() }
 
-      override string getSourceType() { result = "RoutedParameter" }
+      override string getSourceType() { result = handler.getFramework() + " RoutedParameter" }
     }
 
     /**
diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -2158,6 +2158,8 @@ private module Django {
         result = vc.getARequestHandler()
       )
     }
+
+    override string getFramework() { result = "Django" }
   }
 
   /** A request handler defined in a django view class, that has no known route. */
@@ -2175,6 +2177,8 @@ private module Django {
       result in [this.getArg(_), this.getArgByName(_)] and
       not result = any(int i | i <= this.getRequestParamIndex() | this.getArg(i))
     }
+
+    override string getFramework() { result = "Django" }
   }
 
   /**
diff --git a/python/ql/src/semmle/python/frameworks/Flask.qll b/python/ql/src/semmle/python/frameworks/Flask.qll
@@ -243,6 +243,8 @@ private module FlaskModel {
         )
       )
     }
+
+    override string getFramework() { result = "Flask" }
   }
 
   /**
@@ -309,6 +311,8 @@ private module FlaskModel {
       result in [this.getArg(_), this.getArgByName(_)] and
       not result = this.getArg(0)
     }
+
+    override string getFramework() { result = "Flask" }
   }
 
   // ---------------------------------------------------------------------------
diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -1629,6 +1629,8 @@ private module Stdlib {
       }
 
       override Parameter getARoutedParameter() { none() }
+
+      override string getFramework() { result = "Stdlib" }
     }
   }
 
diff --git a/python/ql/src/semmle/python/frameworks/Tornado.qll b/python/ql/src/semmle/python/frameworks/Tornado.qll
@@ -486,7 +486,9 @@ private module Tornado {
   }
 
   /** A tornado route setup. */
-  abstract class TornadoRouteSetup extends HTTP::Server::RouteSetup::Range { }
+  abstract class TornadoRouteSetup extends HTTP::Server::RouteSetup::Range {
+    override string getFramework() { result = "Tornado" }
+  }
 
   /**
    * A regex that is used to set up a route.
@@ -561,6 +563,8 @@ private module Tornado {
       result in [this.getArg(_), this.getArgByName(_)] and
       not result = this.getArg(0)
     }
+
+    override string getFramework() { result = "Tornado" }
   }
 
   // ---------------------------------------------------------------------------

Original file line number	Diff line number	Diff line change
`@@ -325,6 +325,9 @@ module HTTP {`
`325`	`325`	* requests for this route, if any. These automatically become a `RemoteFlowSource`.
`326`	`326`	`*/`
`327`	`327`	`Parameter getARoutedParameter() { result = range.getARoutedParameter() }`
	`328`	`+`
	`329`	`+ /** Gets a string that identifies the framework used for this route setup. */`
	`330`	`+ string getFramework() { result = range.getFramework() }`
`328`	`331`	`}`
`329`	`332`
`330`	`333`	`/** Provides a class for modeling new HTTP routing APIs. */`
`@@ -359,6 +362,9 @@ module HTTP {`
`359`	`362`	* requests for this route, if any. These automatically become a `RemoteFlowSource`.
`360`	`363`	`*/`
`361`	`364`	`abstract Parameter getARoutedParameter();`
	`365`	`+`
	`366`	`+ /** Gets a string that identifies the framework used for this route setup. */`
	`367`	`+ abstract string getFramework();`
`362`	`368`	`}`
`363`	`369`	`}`
`364`	`370`
`@@ -378,6 +384,9 @@ module HTTP {`
`378`	`384`	* requests, if any. These automatically become a `RemoteFlowSource`.
`379`	`385`	`*/`
`380`	`386`	`Parameter getARoutedParameter() { result = range.getARoutedParameter() }`
	`387`	`+`
	`388`	`+ /** Gets a string that identifies the framework used for this route setup. */`
	`389`	`+ string getFramework() { result = range.getFramework() }`
`381`	`390`	`}`
`382`	`391`
`383`	`392`	`/** Provides a class for modeling new HTTP request handlers. */`
`@@ -396,6 +405,9 @@ module HTTP {`
`396`	`405`	* requests, if any. These automatically become a `RemoteFlowSource`.
`397`	`406`	`*/`
`398`	`407`	`abstract Parameter getARoutedParameter();`
	`408`	`+`
	`409`	`+ /** Gets a string that identifies the framework used for this request handler. */`
	`410`	`+ abstract string getFramework();`
`399`	`411`	`}`
`400`	`412`	`}`
`401`	`413`
`@@ -408,13 +420,17 @@ module HTTP {`
`408`	`420`	`result = rs.getARoutedParameter() and`
`409`	`421`	`result in [this.getArg(_), this.getArgByName(_)]`
`410`	`422`	`}`
	`423`	`+`
	`424`	`+ override string getFramework() { result = rs.getFramework() }`
`411`	`425`	`}`
`412`	`426`
`413`	`427`	`/** A parameter that will receive parts of the url when handling an incoming request. */`
`414`	`428`	`private class RoutedParameter extends RemoteFlowSource::Range, DataFlow::ParameterNode {`
`415`		`- RoutedParameter() { this.getParameter() = any(RequestHandler handler).getARoutedParameter() }`
	`429`	`+ RequestHandler handler;`
	`430`	`+`
	`431`	`+ RoutedParameter() { this.getParameter() = handler.getARoutedParameter() }`
`416`	`432`
`417`		`- override string getSourceType() { result = "RoutedParameter" }`
	`433`	`+ override string getSourceType() { result = handler.getFramework() + " RoutedParameter" }`
`418`	`434`	`}`
`419`	`435`
`420`	`436`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -2158,6 +2158,8 @@ private module Django {`
`2158`	`2158`	`result = vc.getARequestHandler()`
`2159`	`2159`	`)`
`2160`	`2160`	`}`
	`2161`	`+`
	`2162`	`+ override string getFramework() { result = "Django" }`
`2161`	`2163`	`}`
`2162`	`2164`
`2163`	`2165`	`/** A request handler defined in a django view class, that has no known route. */`
`@@ -2175,6 +2177,8 @@ private module Django {`
`2175`	`2177`	`result in [this.getArg(_), this.getArgByName(_)] and`
`2176`	`2178`	`not result = any(int i \| i <= this.getRequestParamIndex() \| this.getArg(i))`
`2177`	`2179`	`}`
	`2180`	`+`
	`2181`	`+ override string getFramework() { result = "Django" }`
`2178`	`2182`	`}`
`2179`	`2183`
`2180`	`2184`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -243,6 +243,8 @@ private module FlaskModel {`
`243`	`243`	`)`
`244`	`244`	`)`
`245`	`245`	`}`
	`246`	`+`
	`247`	`+ override string getFramework() { result = "Flask" }`
`246`	`248`	`}`
`247`	`249`
`248`	`250`	`/**`
`@@ -309,6 +311,8 @@ private module FlaskModel {`
`309`	`311`	`result in [this.getArg(_), this.getArgByName(_)] and`
`310`	`312`	`not result = this.getArg(0)`
`311`	`313`	`}`
	`314`	`+`
	`315`	`+ override string getFramework() { result = "Flask" }`
`312`	`316`	`}`
`313`	`317`
`314`	`318`	`// ---------------------------------------------------------------------------`
Original file line number	Diff line number	Diff line change
`@@ -1629,6 +1629,8 @@ private module Stdlib {`
`1629`	`1629`	`}`
`1630`	`1630`
`1631`	`1631`	`override Parameter getARoutedParameter() { none() }`
	`1632`	`+`
	`1633`	`+ override string getFramework() { result = "Stdlib" }`
`1632`	`1634`	`}`
`1633`	`1635`	`}`
`1634`	`1636`
Original file line number	Diff line number	Diff line change
`@@ -486,7 +486,9 @@ private module Tornado {`
`486`	`486`	`}`
`487`	`487`
`488`	`488`	`/** A tornado route setup. */`
`489`		`- abstract class TornadoRouteSetup extends HTTP::Server::RouteSetup::Range { }`
	`489`	`+ abstract class TornadoRouteSetup extends HTTP::Server::RouteSetup::Range {`
	`490`	`+ override string getFramework() { result = "Tornado" }`
	`491`	`+ }`
`490`	`492`
`491`	`493`	`/**`
`492`	`494`	`* A regex that is used to set up a route.`
`@@ -561,6 +563,8 @@ private module Tornado {`
`561`	`563`	`result in [this.getArg(_), this.getArgByName(_)] and`
`562`	`564`	`not result = this.getArg(0)`
`563`	`565`	`}`
	`566`	`+`
	`567`	`+ override string getFramework() { result = "Tornado" }`
`564`	`568`	`}`
`565`	`569`
`566`	`570`	`// ---------------------------------------------------------------------------`