Python: Add taint-step for methods on aiohttp.web.Request

RasmusWL · RasmusWL · commit dd131e6bf79c · 2021-06-03T10:55:34.000+02:00
diff --git a/python/ql/src/semmle/python/frameworks/Aiohttp.qll b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
@@ -211,12 +211,23 @@ module AiohttpWebModel {
   private class AiohttpRequestAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
     override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
       // Methods
-      exists(string method_name | method_name in ["TODO"] |
-        // Method access (obj -> obj.meth)
-        none()
+      //
+      // TODO: When we have tools that make it easy, model these properly to handle
+      // `meth = obj.meth; meth()`. Until then, we'll use this more syntactic approach
+      // (since it allows us to at least capture the most common cases).
+      nodeFrom = Request::instance() and
+      exists(DataFlow::AttrRead attr | attr.getObject() = nodeFrom |
+        // normal methods
+        attr.getAttributeName() in ["clone", "get_extra_info"] and
+        nodeTo.(DataFlow::CallCfgNode).getFunction() = attr
         or
-        // Method call (obj.meth -> obj.meth())
-        none()
+        // async methods
+        exists(Await await, DataFlow::CallCfgNode call |
+          attr.getAttributeName() in ["read", "text", "json", "multipart", "post"] and
+          call.getFunction() = attr and
+          await.getValue() = call.asExpr() and
+          nodeTo.asExpr() = await
+        )
       )
       or
       // Attributes
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
@@ -81,25 +81,25 @@ async def test_taint(request: web.Request): # $ requestHandler
         request.if_unmodified_since, # $ tainted
         request.if_range, # $ tainted
 
-        request.clone(scheme="https"), # $ MISSING: tainted
+        request.clone(scheme="https"), # $ tainted
 
         # TODO: like request.transport.get_extra_info
-        request.get_extra_info("key"), # $ MISSING: tainted
+        request.get_extra_info("key"), # $ tainted
 
         # bytes
-        await request.read(), # $ MISSING: tainted
+        await request.read(), # $ tainted
 
         # str
-        await request.text(), # $ MISSING: tainted
+        await request.text(), # $ tainted
 
         # obj
-        await request.json(), # $ MISSING: tainted
+        await request.json(), # $ tainted
 
         # aiohttp.multipart.MultipartReader
-        await request.multipart(), # $ MISSING: tainted
+        await request.multipart(), # $ tainted
 
         # multidict.MultiDictProxy[str]
-        await request.post(), # $ MISSING: tainted
+        await request.post(), # $ tainted
         (await request.post()).getone("key"), # $ MISSING: tainted
     )
 
