Python: Basic handling of tainted attributes in aiohttp

RasmusWL · RasmusWL · commit d953ea47d471 · 2021-06-03T10:55:34.000+02:00
diff --git a/python/ql/src/semmle/python/frameworks/Aiohttp.qll b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
@@ -197,10 +197,37 @@ module AiohttpWebModel {
         // ```
         this.getParameter() =
           max(Parameter param, int i | param = requestHandler.getArg(i) | param order by i)
-
       )
     }
 
     override string getSourceType() { result = "aiohttp.web.Request" }
   }
+
+  /**
+   * Taint propagation for `aiohttp.web.Request`.
+   *
+   * See https://docs.aiohttp.org/en/stable/web_reference.html#request-and-base-request
+   */
+  private class AiohttpRequestAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
+    override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+      // Methods
+      exists(string method_name | method_name in ["TODO"] |
+        // Method access (obj -> obj.meth)
+        none()
+        or
+        // Method call (obj.meth -> obj.meth())
+        none()
+      )
+      or
+      // Attributes
+      nodeFrom = Request::instance() and
+      nodeTo.(DataFlow::AttrRead).getObject() = nodeFrom and
+      nodeTo.(DataFlow::AttrRead).getAttributeName() in [
+          "url", "rel_url", "forwarded", "host", "remote", "path", "path_qs", "raw_path", "query",
+          "headers", "transport", "cookies", "content", "_payload", "body_exists", "has_body",
+          "content_type", "charset", "http_range", "if_modified_since", "if_unmodified_since",
+          "if_range"
+        ]
+    }
+  }
 }
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
@@ -8,76 +8,76 @@ async def test_taint(request: web.Request): # $ requestHandler
         # yarl.URL instances
         # https://yarl.readthedocs.io/en/stable/api.html#yarl.URL
         # see below
-        request.url, # $ MISSING: tainted
-        request.rel_url, # $ MISSING: tainted
+        request.url, # $ tainted
+        request.rel_url, # $ tainted
 
-        request.forwarded, # $ MISSING: tainted
+        request.forwarded, # $ tainted
 
-        request.host, # $ MISSING: tainted
-        request.remote, # $ MISSING: tainted
-        request.path, # $ MISSING: tainted
-        request.path_qs, # $ MISSING: tainted
-        request.raw_path, # $ MISSING: tainted
+        request.host, # $ tainted
+        request.remote, # $ tainted
+        request.path, # $ tainted
+        request.path_qs, # $ tainted
+        request.raw_path, # $ tainted
 
         # multidict.MultiDictProxy[str]
         # see https://multidict.readthedocs.io/en/stable/multidict.html#multidict.MultiDictProxy
         # TODO: Should have a better way to capture that we in fact _do_ model this as a
         # an instance of the right class, and have the actual taint_test for that in a
         # different file!
-        request.query, # $ MISSING: tainted
-        request.query["key"], # $ MISSING: tainted
-        request.query.get("key"), # $ MISSING: tainted
+        request.query, # $ tainted
+        request.query["key"], # $ tainted
+        request.query.get("key"), # $ tainted
         request.query.getone("key"), # $ MISSING: tainted
         request.query.getall("key"), # $ MISSING: tainted
         request.query.keys(), # $ MISSING: tainted
-        request.query.values(), # $ MISSING: tainted
-        request.query.items(), # $ MISSING: tainted
-        request.query.copy(), # $ MISSING: tainted
-        list(request.query), # $ MISSING: tainted
-        iter(request.query), # $ MISSING: tainted
+        request.query.values(), # $ tainted
+        request.query.items(), # $ tainted
+        request.query.copy(), # $ tainted
+        list(request.query), # $ tainted
+        iter(request.query), # $ tainted
 
         # multidict.CIMultiDictProxy[str]
         # see https://multidict.readthedocs.io/en/stable/multidict.html#multidict.CIMultiDictProxy
         # TODO: Should have a better way to capture that we in fact _do_ model this as a
         # an instance of the right class, and have the actual taint_test for that in a
         # different file!
-        request.headers, # $ MISSING: tainted
-        request.query.getone("key"), # $ MISSING: tainted
+        request.headers, # $ tainted
+        request.headers.getone("key"), # $ MISSING: tainted
 
         # https://docs.python.org/3/library/asyncio-protocol.html#asyncio-transport
         # TODO
-        request.transport, # $ MISSING: tainted
+        request.transport, # $ tainted
         request.transport.get_extra_info("key"), # $ MISSING: tainted
 
         # dict-like (readonly)
-        request.cookies, # $ MISSING: tainted
-        request.cookies["key"], # $ MISSING: tainted
-        request.cookies.get("key"), # $ MISSING: tainted
+        request.cookies, # $ tainted
+        request.cookies["key"], # $ tainted
+        request.cookies.get("key"), # $ tainted
         request.cookies.keys(), # $ MISSING: tainted
-        request.cookies.values(), # $ MISSING: tainted
-        request.cookies.items(), # $ MISSING: tainted
-        list(request.cookies), # $ MISSING: tainted
-        iter(request.cookies), # $ MISSING: tainted
+        request.cookies.values(), # $ tainted
+        request.cookies.items(), # $ tainted
+        list(request.cookies), # $ tainted
+        iter(request.cookies), # $ tainted
 
 
         # aiohttp.StreamReader
         # see https://docs.aiohttp.org/en/stable/streams.html#aiohttp.StreamReader
         # TODO
-        request.content, # $ MISSING: tainted
-        request._payload, # $ MISSING: tainted
+        request.content, # $ tainted
+        request._payload, # $ tainted
 
-        request.body_exists, # $ MISSING: tainted
-        request.has_body, # $ MISSING: tainted
+        request.body_exists, # $ tainted
+        request.has_body, # $ tainted
 
-        request.content_type, # $ MISSING: tainted
-        request.charset, # $ MISSING: tainted
+        request.content_type, # $ tainted
+        request.charset, # $ tainted
 
-        request.http_range, # $ MISSING: tainted
+        request.http_range, # $ tainted
 
         # Optional[datetime]
-        request.if_modified_since, # $ MISSING: tainted
-        request.if_unmodified_since, # $ MISSING: tainted
-        request.if_range, # $ MISSING: tainted
+        request.if_modified_since, # $ tainted
+        request.if_unmodified_since, # $ tainted
+        request.if_range, # $ tainted
 
         request.clone(scheme="https"), # $ MISSING: tainted
 
@@ -182,7 +182,7 @@ async def test_taint(request: web.Request): # $ requestHandler
         request.url.with_fragment("foo"), # $ MISSING: tainted
         request.url.with_name("foo"), # $ MISSING: tainted
 
-        request.url.join(yarl.URL("wat.html")), # $ MISSING: tainted
+        request.url.join(yarl.URL("wat.html")), # $ tainted
 
         request.url.human_repr(), # $ MISSING: tainted
     )
