Python: Add taint-steps for yarl.URL

Author: RasmusWL

docs/codeql/support/reusables/frameworks.rst

@@ -164,6 +164,7 @@ Python built-in support
    idna, Utility library
    invoke, Utility library
    multidict, Utility library
+   yarl, Utility library
    mysql-connector-python, Database
    MySQLdb, Database
    psycopg2, Database

python/ql/src/semmle/python/Frameworks.qll

@@ -23,3 +23,4 @@ private import semmle.python.frameworks.Stdlib
 private import semmle.python.frameworks.Tornado
 private import semmle.python.frameworks.Ujson
 private import semmle.python.frameworks.Yaml
+private import semmle.python.frameworks.Yarl

python/ql/src/semmle/python/frameworks/Aiohttp.qll

@@ -11,6 +11,7 @@ private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
 private import semmle.python.frameworks.internal.PoorMansFunctionResolution
 private import semmle.python.frameworks.Multidict
+private import semmle.python.frameworks.Yarl
 
 /**
  * INTERNAL: Do not use.
@@ -248,4 +249,11 @@ module AiohttpWebModel {
       this.(DataFlow::AttrRead).getAttributeName() in ["query", "headers"]
     }
   }
+
+  class AiohttpRequestYarlUrlInstances extends Yarl::Url::InstanceSource {
+    AiohttpRequestYarlUrlInstances() {
+      this.(DataFlow::AttrRead).getObject() = Request::instance() and
+      this.(DataFlow::AttrRead).getAttributeName() in ["url", "rel_url"]
+    }
+  }
 }

python/ql/src/semmle/python/frameworks/Yarl.qll

@@ -0,0 +1,110 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `yarl` PyPI package.
+ * See https://yarl.readthedocs.io/en/stable/.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import semmle.python.frameworks.Multidict
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides models for the `yarl` PyPI package.
+ * See https://multidict.readthedocs.io/en/stable/.
+ */
+module Yarl {
+  /**
+   * Provides models for a the `yarl.URL` class:
+   *
+   * See https://yarl.readthedocs.io/en/stable/api.html#yarl.URL
+   */
+  module Url {
+    /**
+     * A source of instances of `yarl.URL`, extend this class to model new instances.
+     *
+     * This can include instantiations of the class, return values from function
+     * calls, or a special parameter that will be set when functions are called by an external
+     * library.
+     *
+     * Use `Url::instance()` predicate to get references to instances of `yarl.URL`.
+     */
+    abstract class InstanceSource extends DataFlow::LocalSourceNode { }
+
+    /** Gets a reference to an instance of `yarl.URL`. */
+    private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
+      t.start() and
+      result instanceof InstanceSource
+      or
+      exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))
+    }
+
+    /** Gets a reference to an instance of `yarl.URL`. */
+    DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
+
+    /**
+     * Taint propagation for `yarl.URL`.
+     *
+     * See https://yarl.readthedocs.io/en/stable/api.html#yarl.URL
+     */
+    class YarlUrlAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
+      override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+        // Methods
+        //
+        // TODO: When we have tools that make it easy, model these properly to handle
+        // `meth = obj.meth; meth()`. Until then, we'll use this more syntactic approach
+        // (since it allows us to at least capture the most common cases).
+        exists(DataFlow::AttrRead attr |
+          // methods (that replaces part of URL, taken as only arguments)
+          attr.getAttributeName() in [
+              "with_scheme", "with_user", "with_password", "with_host", "with_port", "with_path",
+              "with_query", "with_query", "update_query", "update_query", "with_fragment",
+              "with_name",
+              // join is a bit different, but is still correct to add here :+1:
+              "join"
+            ] and
+          (
+            // obj -> obj.meth()
+            nodeFrom = instance() and
+            attr.getObject() = nodeFrom and
+            nodeTo.(DataFlow::CallCfgNode).getFunction() = attr
+            or
+            // argument of obj.meth() -> obj.meth()
+            attr.getObject() = instance() and
+            nodeTo.(DataFlow::CallCfgNode).getFunction() = attr and
+            nodeFrom in [
+                nodeTo.(DataFlow::CallCfgNode).getArg(_),
+                nodeTo.(DataFlow::CallCfgNode).getArgByName(_)
+              ]
+          )
+          or
+          // other methods
+          nodeFrom = instance() and
+          attr.getObject() = nodeFrom and
+          attr.getAttributeName() in ["human_repr"] and
+          nodeTo.(DataFlow::CallCfgNode).getFunction() = attr
+        )
+        or
+        // Attributes
+        nodeFrom = instance() and
+        nodeTo.(DataFlow::AttrRead).getObject() = nodeFrom and
+        nodeTo.(DataFlow::AttrRead).getAttributeName() in [
+            "user", "raw_user", "password", "raw_password", "host", "raw_host", "port",
+            "explicit_port", "authority", "raw_authority", "path", "raw_path", "path_qs",
+            "raw_path_qs", "query_string", "raw_query_string", "fragment", "raw_fragment", "parts",
+            "raw_parts", "name", "raw_name", "query"
+          ]
+      }
+    }
+
+    class YarlUrlMultiDictProxyInstance extends Multidict::MultiDictProxy::InstanceSource {
+      YarlUrlMultiDictProxyInstance() {
+        this.(DataFlow::AttrRead).getObject() = Yarl::Url::instance() and
+        this.(DataFlow::AttrRead).getAttributeName() = "query"
+      }
+    }
+  }
+}

python/ql/test/library-tests/frameworks/aiohttp/taint_test.py

@@ -136,59 +136,60 @@ async def test_taint(request: web.Request): # $ requestHandler
     import yarl
 
     ensure_tainted(
-        request.url.user, # $ MISSING: tainted
-        request.url.raw_user, # $ MISSING: tainted
+        # see https://yarl.readthedocs.io/en/stable/api.html#yarl.URL
+        request.url.user, # $ tainted
+        request.url.raw_user, # $ tainted
 
-        request.url.password, # $ MISSING: tainted
-        request.url.raw_password, # $ MISSING: tainted
+        request.url.password, # $ tainted
+        request.url.raw_password, # $ tainted
 
-        request.url.host, # $ MISSING: tainted
-        request.url.raw_host, # $ MISSING: tainted
+        request.url.host, # $ tainted
+        request.url.raw_host, # $ tainted
 
-        request.url.port, # $ MISSING: tainted
-        request.url.explicit_port, # $ MISSING: tainted
+        request.url.port, # $ tainted
+        request.url.explicit_port, # $ tainted
 
-        request.url.authority, # $ MISSING: tainted
-        request.url.raw_authority, # $ MISSING: tainted
+        request.url.authority, # $ tainted
+        request.url.raw_authority, # $ tainted
 
-        request.url.path, # $ MISSING: tainted
-        request.url.raw_path, # $ MISSING: tainted
+        request.url.path, # $ tainted
+        request.url.raw_path, # $ tainted
 
-        request.url.path_qs, # $ MISSING: tainted
-        request.url.raw_path_qs, # $ MISSING: tainted
+        request.url.path_qs, # $ tainted
+        request.url.raw_path_qs, # $ tainted
 
-        request.url.query_string, # $ MISSING: tainted
-        request.url.raw_query_string, # $ MISSING: tainted
+        request.url.query_string, # $ tainted
+        request.url.raw_query_string, # $ tainted
 
-        request.url.fragment, # $ MISSING: tainted
-        request.url.raw_fragment, # $ MISSING: tainted
+        request.url.fragment, # $ tainted
+        request.url.raw_fragment, # $ tainted
 
-        request.url.parts, # $ MISSING: tainted
-        request.url.raw_parts, # $ MISSING: tainted
+        request.url.parts, # $ tainted
+        request.url.raw_parts, # $ tainted
 
-        request.url.name, # $ MISSING: tainted
-        request.url.raw_name, # $ MISSING: tainted
+        request.url.name, # $ tainted
+        request.url.raw_name, # $ tainted
 
         # multidict.MultiDictProxy[str]
-        request.url.query, # $ MISSING: tainted
-        request.url.query.getone("key"), # $ MISSING: tainted
-
-        request.url.with_scheme("foo"), # $ MISSING: tainted
-        request.url.with_user("foo"), # $ MISSING: tainted
-        request.url.with_password("foo"), # $ MISSING: tainted
-        request.url.with_host("foo"), # $ MISSING: tainted
-        request.url.with_port("foo"), # $ MISSING: tainted
-        request.url.with_path("foo"), # $ MISSING: tainted
-        request.url.with_query({"foo": 42}), # $ MISSING: tainted
-        request.url.with_query(foo=42), # $ MISSING: tainted
-        request.url.update_query({"foo": 42}), # $ MISSING: tainted
-        request.url.update_query(foo=42), # $ MISSING: tainted
-        request.url.with_fragment("foo"), # $ MISSING: tainted
-        request.url.with_name("foo"), # $ MISSING: tainted
+        request.url.query, # $ tainted
+        request.url.query.getone("key"), # $ tainted
+
+        request.url.with_scheme("foo"), # $ tainted
+        request.url.with_user("foo"), # $ tainted
+        request.url.with_password("foo"), # $ tainted
+        request.url.with_host("foo"), # $ tainted
+        request.url.with_port("foo"), # $ tainted
+        request.url.with_path("foo"), # $ tainted
+        request.url.with_query({"foo": 42}), # $ tainted
+        request.url.with_query(foo=42), # $ tainted
+        request.url.update_query({"foo": 42}), # $ tainted
+        request.url.update_query(foo=42), # $ tainted
+        request.url.with_fragment("foo"), # $ tainted
+        request.url.with_name("foo"), # $ tainted
 
         request.url.join(yarl.URL("wat.html")), # $ tainted
 
-        request.url.human_repr(), # $ MISSING: tainted
+        request.url.human_repr(), # $ tainted
     )