Merge pull request github#13438 from RasmusWL/flask-render-string

Python: Add modeling of `flask.render_template_string`

Author: yoff

python/ql/lib/change-notes/2023-06-12-flask-render-template-string.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added modeling of taint flow through the template argument of `flask.render_template_string` and `flask.stream_template_string`.

python/ql/lib/semmle/python/frameworks/Flask.qll

@@ -13,6 +13,7 @@ private import semmle.python.frameworks.Stdlib
 private import semmle.python.ApiGraphs
 private import semmle.python.frameworks.internal.InstanceTaintStepsHelper
 private import semmle.python.security.dataflow.PathInjectionCustomizations
+private import semmle.python.dataflow.new.FlowSummary
 
 /**
  * Provides models for the `flask` PyPI package.
@@ -587,4 +588,57 @@ module Flask {
   private class FlaskLogger extends Stdlib::Logger::InstanceSource {
     FlaskLogger() { this = FlaskApp::instance().getMember("logger").asSource() }
   }
+
+  /**
+   * A flow summary for `flask.render_template_string`.
+   *
+   * see https://flask.palletsprojects.com/en/2.3.x/api/#flask.render_template_string
+   */
+  private class RenderTemplateStringSummary extends SummarizedCallable {
+    RenderTemplateStringSummary() { this = "flask.render_template_string" }
+
+    override DataFlow::CallCfgNode getACall() {
+      result = API::moduleImport("flask").getMember("render_template_string").getACall()
+    }
+
+    override DataFlow::ArgumentNode getACallback() {
+      result =
+        API::moduleImport("flask")
+            .getMember("render_template_string")
+            .getAValueReachableFromSource()
+    }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[0]" and
+      output = "ReturnValue" and
+      preservesValue = false
+    }
+  }
+
+  /**
+   * A flow summary for `flask.stream_template_string`.
+   *
+   * see https://flask.palletsprojects.com/en/2.3.x/api/#flask.stream_template_string
+   */
+  private class StreamTemplateStringSummary extends SummarizedCallable {
+    StreamTemplateStringSummary() { this = "flask.stream_template_string" }
+
+    override DataFlow::CallCfgNode getACall() {
+      result = API::moduleImport("flask").getMember("stream_template_string").getACall()
+    }
+
+    override DataFlow::ArgumentNode getACallback() {
+      result =
+        API::moduleImport("flask")
+            .getMember("stream_template_string")
+            .getAValueReachableFromSource()
+    }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[0]" and
+      // Technically it's `Iterator[str]`, but list will do :)
+      output = "ReturnValue.ListElement" and
+      preservesValue = false
+    }
+  }
 }

python/ql/test/library-tests/frameworks/flask/taint_test.py

@@ -1,4 +1,4 @@
-from flask import Flask, request
+from flask import Flask, request, render_template_string, stream_template_string
 app = Flask(__name__)
 
 @app.route("/test_taint/<name>/<int:number>")  # $routeSetup="/test_taint/<name>/<int:number>"
@@ -215,7 +215,34 @@ def test_taint(name = "World!", number="0", foo="foo"):  # $requestHandler route
         gd(), # $ tainted
     )
 
-
+    # ----------------------------------
+    # non-request related taint-steps
+    # ----------------------------------
+
+    # render_template_string
+    source = TAINTED_STRING
+    ensure_tainted(source) # $ tainted
+    res = render_template_string(source)
+    ensure_tainted(res) # $ tainted
+
+    # since template variables are auto-escaped, we don't treat result as tainted
+    # see https://flask.palletsprojects.com/en/2.3.x/api/#flask.render_template_string
+    res = render_template_string("Hello {{ foo }}", foo=TAINTED_STRING)
+    ensure_not_tainted(res)
+
+
+    # stream_template_string
+    source = TAINTED_STRING
+    ensure_tainted(source) # $ tainted
+    res = stream_template_string(source)
+    for x in res:
+        ensure_tainted(x) # $ tainted
+
+    # since template variables are auto-escaped, we don't treat result as tainted
+    # see https://flask.palletsprojects.com/en/2.3.x/api/#flask.stream_template_string
+    res = stream_template_string("Hello {{ foo }}", foo=TAINTED_STRING)
+    for x in res:
+        ensure_not_tainted(x)
 
 
 @app.route("/debug/<foo>/<bar>", methods=['GET']) # $routeSetup="/debug/<foo>/<bar>"