Merge pull request github#14084 from RasmusWL/flask-jsonify

RasmusWL · web-flow · commit 62c231612412 · 2023-08-30T13:07:54.000+02:00
Python: Remove XSS FP from use of `flask.jsonify`
diff --git a/python/ql/lib/semmle/python/frameworks/Flask.qll b/python/ql/lib/semmle/python/frameworks/Flask.qll
@@ -179,7 +179,13 @@ module Flask {
      * - https://flask.palletsprojects.com/en/2.2.x/api/#flask.json.jsonify
      */
     private class FlaskJsonifyCall extends InstanceSource, DataFlow::CallCfgNode {
-      FlaskJsonifyCall() { this = API::moduleImport("flask").getMember("jsonify").getACall() }
+      FlaskJsonifyCall() {
+        this = API::moduleImport("flask").getMember("jsonify").getACall()
+        or
+        this = API::moduleImport("flask").getMember("json").getMember("jsonify").getACall()
+        or
+        this = FlaskApp::instance().getMember("json").getMember("response").getACall()
+      }
 
       override DataFlow::Node getBody() { result in [this.getArg(_), this.getArgByName(_)] }
 
@@ -453,7 +459,8 @@ module Flask {
     FlaskRouteHandlerReturn() {
       exists(Function routeHandler |
         routeHandler = any(FlaskRouteSetup rs).getARequestHandler() and
-        node = routeHandler.getAReturnValueFlowNode()
+        node = routeHandler.getAReturnValueFlowNode() and
+        not this instanceof Flask::Response::InstanceSource
       )
     }
 
diff --git a/python/ql/src/change-notes/2023-08-29-fixed-jsonify-xss-fp.md b/python/ql/src/change-notes/2023-08-29-fixed-jsonify-xss-fp.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improved _Reflected server-side cross-site scripting_ (`py/reflective-xss`) query to not alert on data passed to `flask.jsonify`. Since these HTTP responses are returned with mime-type `application/json`, they do not pose a security risk for XSS.
diff --git a/python/ql/test/library-tests/frameworks/flask/response_test.py b/python/ql/test/library-tests/frameworks/flask/response_test.py
@@ -67,6 +67,14 @@ def html8():  # $requestHandler
 @app.route("/jsonify")  # $routeSetup="/jsonify"
 def jsonify_route():  # $requestHandler
     x = "x"; y = "y"; z = "z"
+    if True:
+        import flask.json
+        resp = flask.json.jsonify(x, y, z=z)  # $HttpResponse mimetype=application/json responseBody=x responseBody=y responseBody=z
+        assert resp.mimetype == "application/json"
+
+        resp = app.json.response(x, y, z=z)  # $HttpResponse mimetype=application/json responseBody=x responseBody=y responseBody=z
+        assert resp.mimetype == "application/json"
+
     resp = jsonify(x, y, z=z)  # $ HttpResponse mimetype=application/json responseBody=x responseBody=y responseBody=z
     return resp  # $ SPURIOUS: HttpResponse mimetype=text/html responseBody=resp
 
diff --git a/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/reflected_xss.py b/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/reflected_xss.py
@@ -1,5 +1,5 @@
 import json
-from flask import Flask, request, make_response, escape
+from flask import Flask, request, make_response, escape, jsonify
 
 app = Flask(__name__)
 
@@ -26,3 +26,9 @@ def unsafe_json():
 def safe_json():
     data = json.loads(request.data)
     return make_response(json.dumps(data), 200, {'Content-Type': 'application/json'})  # OK, FP
+
+
+@app.route("/jsonify")
+def jsonify():
+    data = request.data
+    return jsonify(data)  # OK, FP

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Improved _Reflected server-side cross-site scripting_ (`py/reflective-xss`) query to not alert on data passed to `flask.jsonify`. Since these HTTP responses are returned with mime-type `application/json`, they do not pose a security risk for XSS.