Update TimingAttack.qll

ahmed-farid-dev · web-flow · commit daff7775ca38 · 2022-08-31T16:09:22.000+01:00
diff --git a/python/ql/src/experimental/semmle/python/security/TimingAttack.qll b/python/ql/src/experimental/semmle/python/security/TimingAttack.qll
@@ -186,7 +186,7 @@ abstract class ClientSuppliedSecret extends API::CallNode { }
 private class FlaskClientSuppliedSecret extends ClientSuppliedSecret {
   FlaskClientSuppliedSecret() {
     this = Flask::request().getMember("headers").getMember(["get", "get_all", "getlist"]).getACall() and
-    this.getParameter(0, "key").asSink().asExpr().(StrConst).getText().toLowerCase() = sensitiveheaders()
+    this.getParameter(0, ["key", "name"]).asSink().asExpr().(StrConst).getText().toLowerCase() = sensitiveheaders()
   }
 }
 
@@ -222,7 +222,7 @@ private class WerkzeugClientSuppliedSecret extends ClientSuppliedSecret {
   WerkzeugClientSuppliedSecret() {
     this =
       headers().getMember(["headers", "META"]).getMember(["get", "get_all", "getlist"]).getACall() and
-    this.getParameter(0, "key").asSink().asExpr().(StrConst).getText().toLowerCase() = sensitiveheaders()
+    this.getParameter(0, ["key", "name"]).asSink().asExpr().(StrConst).getText().toLowerCase() = sensitiveheaders()
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -186,7 +186,7 @@ abstract class ClientSuppliedSecret extends API::CallNode { }`
`186`	`186`	`private class FlaskClientSuppliedSecret extends ClientSuppliedSecret {`
`187`	`187`	`FlaskClientSuppliedSecret() {`
`188`	`188`	`this = Flask::request().getMember("headers").getMember(["get", "get_all", "getlist"]).getACall() and`
`189`		`- this.getParameter(0, "key").asSink().asExpr().(StrConst).getText().toLowerCase() = sensitiveheaders()`
	`189`	`+ this.getParameter(0, ["key", "name"]).asSink().asExpr().(StrConst).getText().toLowerCase() = sensitiveheaders()`
`190`	`190`	`}`
`191`	`191`	`}`
`192`	`192`
`@@ -222,7 +222,7 @@ private class WerkzeugClientSuppliedSecret extends ClientSuppliedSecret {`
`222`	`222`	`WerkzeugClientSuppliedSecret() {`
`223`	`223`	`this =`
`224`	`224`	`headers().getMember(["headers", "META"]).getMember(["get", "get_all", "getlist"]).getACall() and`
`225`		`- this.getParameter(0, "key").asSink().asExpr().(StrConst).getText().toLowerCase() = sensitiveheaders()`
	`225`	`+ this.getParameter(0, ["key", "name"]).asSink().asExpr().(StrConst).getText().toLowerCase() = sensitiveheaders()`
`226`	`226`	`}`
`227`	`227`	`}`
`228`	`228`