Commit 26319bf

Python: Fix Flask jsonify XSS regression
The reason the result was found before is that `jsonify(data)` was modeled as TWO separate subclasses of `Http::Server::HttpResponse`, one because of the implicit construction in return (FlaskRouteHandlerReturn), and one from the `jsonify` call (FlaskJsonifyCall). Due to the QL evaluation, we got a combination from the two, meaning mime-type from FlaskRouteHandlerReturn and body from FlaskJsonifyCall...
1 parent b36fd9f commit 26319bf
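The behaviour this commit's model is trying to capture, shown from the application side as an added example (not code from the commit or from the CodeQL project): the same user-controlled value returned as a bare string from a Flask route lands in a `text/html` body and is a genuine reflected-XSS sink, while the value passed through `jsonify()` is served as `application/json`, which is why the fixed model stops treating that return as an HTML response. Route names, the `classify` helper and the sample input are constructed for this demo.

```python
"""Added example (not part of this commit): contrasts a route that returns a
string with one that returns jsonify(), using Flask's test client so it runs
offline. Route paths, classify() and SAMPLE are constructed for the demo."""
from flask import Flask, jsonify, request

app = Flask(__name__)


@app.route("/html")
def html_route():
    # A string return becomes a text/html response; unescaped input here
    # is a real reflected-XSS sink (FlaskRouteHandlerReturn case).
    name = request.args.get("name", "")
    return "<p>Hello " + name + "</p>"


@app.route("/json")
def json_route():
    # jsonify() builds a Response with mimetype application/json; the body
    # is JSON-encoded and not rendered as HTML, so the same input is not an
    # XSS sink. This is the case the fix excludes from FlaskRouteHandlerReturn.
    data = request.args.get("name", "")
    return jsonify(data)


def classify(path: str, payload: str) -> dict:
    """Return the response mimetype and whether the raw payload appears in a
    text/html body, which is the condition under which reflection is exploitable."""
    with app.test_client() as client:
        resp = client.get(path, query_string={"name": payload})
    body = resp.get_data(as_text=True)
    return {
        "mimetype": resp.mimetype,
        "reflected_in_html": resp.mimetype == "text/html" and payload in body,
    }


SAMPLE = "<b>x</b>"  # constructed sample input containing markup

if __name__ == "__main__":
    for p in ("/html", "/json"):
        print(p, classify(p, SAMPLE))
```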

2 files changed (+2, -8 lines changed)

python/ql/lib/semmle/python/frameworks/Flask.qll

Lines changed: 2 additions & 1 deletion
@@ -453,7 +453,8 @@ module Flask {
453453
FlaskRouteHandlerReturn() {
454454
exists(Function routeHandler |
455455
routeHandler = any(FlaskRouteSetup rs).getARequestHandler() and
456-
node = routeHandler.getAReturnValueFlowNode()
456+
node = routeHandler.getAReturnValueFlowNode() and
457+
not this instanceof Flask::Response::InstanceSource
457458
)
458459
}
459460
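Review bot: the new `not this instanceof Flask::Response::InstanceSource` line in the `FlaskRouteHandlerReturn` characteristic predicate has no comment explaining why the exclusion exists, even though the commit message describes a non-obvious reason (the same return node being modeled twice, once here and once by `FlaskJsonifyCall`, so that the mime-type of one was combined with the body of the other). Add a short comment above that line, for example `// Exclude responses already modeled as Flask::Response instances (e.g. jsonify), otherwise the two models are combined`, so a later refactor does not drop it and reintroduce the false positive. It would also be worth confirming in review that `jsonify(...)` returned from a route is still modeled as an `HttpResponse` through the `Flask::Response` model after this exclusion, rather than being lost from the model entirely.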

python/ql/test/query-tests/Security/CWE-079-ReflectedXss/ReflectedXss.expected

Lines changed: 0 additions & 7 deletions
@@ -3,7 +3,6 @@ edges
33
| reflected_xss.py:2:26:2:32 | GSSA Variable request | reflected_xss.py:9:18:9:24 | ControlFlowNode for request |
44
| reflected_xss.py:2:26:2:32 | GSSA Variable request | reflected_xss.py:21:23:21:29 | ControlFlowNode for request |
55
| reflected_xss.py:2:26:2:32 | GSSA Variable request | reflected_xss.py:27:23:27:29 | ControlFlowNode for request |
6-
| reflected_xss.py:2:26:2:32 | GSSA Variable request | reflected_xss.py:33:12:33:18 | ControlFlowNode for request |
76
| reflected_xss.py:9:5:9:14 | SSA variable first_name | reflected_xss.py:10:26:10:53 | ControlFlowNode for BinaryExpr |
87
| reflected_xss.py:9:18:9:24 | ControlFlowNode for request | reflected_xss.py:9:18:9:29 | ControlFlowNode for Attribute |
98
| reflected_xss.py:9:18:9:29 | ControlFlowNode for Attribute | reflected_xss.py:9:18:9:45 | ControlFlowNode for Attribute() |
@@ -12,8 +11,6 @@ edges
1211
| reflected_xss.py:21:23:21:29 | ControlFlowNode for request | reflected_xss.py:21:5:21:8 | SSA variable data |
1312
| reflected_xss.py:27:5:27:8 | SSA variable data | reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() |
1413
| reflected_xss.py:27:23:27:29 | ControlFlowNode for request | reflected_xss.py:27:5:27:8 | SSA variable data |
15-
| reflected_xss.py:33:5:33:8 | SSA variable data | reflected_xss.py:34:20:34:23 | ControlFlowNode for data |
16-
| reflected_xss.py:33:12:33:18 | ControlFlowNode for request | reflected_xss.py:33:5:33:8 | SSA variable data |
1714
nodes
1815
| reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
1916
| reflected_xss.py:2:26:2:32 | GSSA Variable request | semmle.label | GSSA Variable request |
@@ -28,12 +25,8 @@ nodes
2825
| reflected_xss.py:27:5:27:8 | SSA variable data | semmle.label | SSA variable data |
2926
| reflected_xss.py:27:23:27:29 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
3027
| reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
31-
| reflected_xss.py:33:5:33:8 | SSA variable data | semmle.label | SSA variable data |
32-
| reflected_xss.py:33:12:33:18 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
33-
| reflected_xss.py:34:20:34:23 | ControlFlowNode for data | semmle.label | ControlFlowNode for data |
3428
subpaths
3529
#select
3630
| reflected_xss.py:10:26:10:53 | ControlFlowNode for BinaryExpr | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:10:26:10:53 | ControlFlowNode for BinaryExpr | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
3731
| reflected_xss.py:22:26:22:41 | ControlFlowNode for Attribute() | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:22:26:22:41 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
3832
| reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
39-
| reflected_xss.py:34:20:34:23 | ControlFlowNode for data | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:34:20:34:23 | ControlFlowNode for data | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
