Add a Django Upload examples

Sim4n6 · Sim4n6 · commit 51b11de44a24 · 2023-01-26T15:16:24.000+01:00
diff --git a/python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpackQuery.qll b/python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpackQuery.qll
@@ -55,13 +55,10 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
       at = s.getObject() and at.getAttr() = "FILES" and source.asExpr() = s
     )
     or
+    // Retrieve Django uploaded files
+    // see HttpRequest.FILES: https://docs.djangoproject.com/en/4.1/ref/request-response/#django.http.HttpRequest.FILES
     exists(Node obj, AttrRead ar |
-      ar.getAMethodCall("get").flowsTo(source) and
-      ar.accesses(obj, "FILES")
-    )
-    or
-    exists(Node obj, AttrRead ar |
-      ar.getAMethodCall("getlist").flowsTo(source) and
+      ar.getAMethodCall(["getlist", "get"]).flowsTo(source) and
       ar.accesses(obj, "FILES")
     )
   }
@@ -93,7 +90,21 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
     exists(MethodCallNode mc |
       nodeFrom = mc.getObject() and
       mc.getMethodName() = "read" and
-      mc.flowsTo(nodeTo)
+      nodeTo = mc
+    )
+    or
+    // Open for access
+    exists(MethodCallNode cn |
+      nodeTo = cn.getObject() and
+      cn.getMethodName() = "open" and
+      cn.flowsTo(nodeFrom)
+    )
+    or
+    // Write for access
+    exists(MethodCallNode cn |
+      nodeTo = cn.getObject() and
+      cn.getMethodName() = "write" and
+      nodeFrom = cn.getArg(0)
     )
     or
     // Accessing the name or raw content
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022/UnsafeUnpack.py b/python/ql/test/experimental/query-tests/Security/CWE-022/UnsafeUnpack.py
@@ -85,4 +85,42 @@ def download_from_url():
 with open(tarpath, "wb") as f:
       f.write(response.raw.read())
       
-shutil.unpack_archive(tarpath, base_dir) # $result=BAD
+shutil.unpack_archive(tarpath, base_dir) # $result=BAD
+
+# the django upload functionality
+# see HttpRequest.FILES: https://docs.djangoproject.com/en/4.1/ref/request-response/#django.http.HttpRequest.FILES
+from django.shortcuts import render
+from django.core.files.storage import FileSystemStorage
+import shutil
+
+def simple_upload(request):
+
+      base_dir = "/tmp/baase_dir"
+      if request.method == 'POST':
+            # Read uploaded files by chunks of data
+            # see chunks(): https://docs.djangoproject.com/en/4.1/ref/files/uploads/#django.core.files.uploadedfile.UploadedFile.chunks 
+            savepath = os.path.join(base_dir, "tarball_compressed.tar.gz")
+            with open(savepath, 'wb+') as wfile:
+                  for chunk in request.FILES["ufile1"].chunks():
+                        wfile.write(chunk)
+            shutil.unpack_archive(savepath, base_dir) # $result=BAD
+
+            # Write in binary the uploaded tarball
+            myfile = request.FILES.get("ufile1")
+            file_path = os.path.join(base_dir, "tarball.tar")
+            with file_path.open('wb') as f:
+                  f.write(myfile.read())
+            shutil.unpack_archive(file_path, base_dir) # $result=BAD
+
+            # Save uploaded files using FileSystemStorage Django API
+            # see FileSystemStorage: https://docs.djangoproject.com/en/4.1/ref/files/storage/#django.core.files.storage.FileSystemStorage
+            for ufile in  request.FILES.getlist():
+                  fs = FileSystemStorage()
+                  filename = fs.save(ufile.name, ufile)
+                  uploaded_file_path = fs.path(filename)
+                  shutil.unpack_archive(uploaded_file_path, base_dir) # $result=BAD
+            
+            return render(request, 'simple_upload.html')
+
+      elif request.method == 'GET':
+            return render(request, 'simple_upload.html')
