Python: Add jsonify XSS regression example

RasmusWL · RasmusWL · commit b36fd9fdab2c · 2023-08-29T10:38:49.000+02:00
diff --git a/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/ReflectedXss.expected b/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/ReflectedXss.expected
@@ -3,6 +3,7 @@ edges
 | reflected_xss.py:2:26:2:32 | GSSA Variable request | reflected_xss.py:9:18:9:24 | ControlFlowNode for request |
 | reflected_xss.py:2:26:2:32 | GSSA Variable request | reflected_xss.py:21:23:21:29 | ControlFlowNode for request |
 | reflected_xss.py:2:26:2:32 | GSSA Variable request | reflected_xss.py:27:23:27:29 | ControlFlowNode for request |
+| reflected_xss.py:2:26:2:32 | GSSA Variable request | reflected_xss.py:33:12:33:18 | ControlFlowNode for request |
 | reflected_xss.py:9:5:9:14 | SSA variable first_name | reflected_xss.py:10:26:10:53 | ControlFlowNode for BinaryExpr |
 | reflected_xss.py:9:18:9:24 | ControlFlowNode for request | reflected_xss.py:9:18:9:29 | ControlFlowNode for Attribute |
 | reflected_xss.py:9:18:9:29 | ControlFlowNode for Attribute | reflected_xss.py:9:18:9:45 | ControlFlowNode for Attribute() |
@@ -11,6 +12,8 @@ edges
 | reflected_xss.py:21:23:21:29 | ControlFlowNode for request | reflected_xss.py:21:5:21:8 | SSA variable data |
 | reflected_xss.py:27:5:27:8 | SSA variable data | reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() |
 | reflected_xss.py:27:23:27:29 | ControlFlowNode for request | reflected_xss.py:27:5:27:8 | SSA variable data |
+| reflected_xss.py:33:5:33:8 | SSA variable data | reflected_xss.py:34:20:34:23 | ControlFlowNode for data |
+| reflected_xss.py:33:12:33:18 | ControlFlowNode for request | reflected_xss.py:33:5:33:8 | SSA variable data |
 nodes
 | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
 | reflected_xss.py:2:26:2:32 | GSSA Variable request | semmle.label | GSSA Variable request |
@@ -25,8 +28,12 @@ nodes
 | reflected_xss.py:27:5:27:8 | SSA variable data | semmle.label | SSA variable data |
 | reflected_xss.py:27:23:27:29 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| reflected_xss.py:33:5:33:8 | SSA variable data | semmle.label | SSA variable data |
+| reflected_xss.py:33:12:33:18 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| reflected_xss.py:34:20:34:23 | ControlFlowNode for data | semmle.label | ControlFlowNode for data |
 subpaths
 #select
 | reflected_xss.py:10:26:10:53 | ControlFlowNode for BinaryExpr | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:10:26:10:53 | ControlFlowNode for BinaryExpr | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
 | reflected_xss.py:22:26:22:41 | ControlFlowNode for Attribute() | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:22:26:22:41 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
 | reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:28:26:28:41 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
+| reflected_xss.py:34:20:34:23 | ControlFlowNode for data | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | reflected_xss.py:34:20:34:23 | ControlFlowNode for data | Cross-site scripting vulnerability due to a $@. | reflected_xss.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
diff --git a/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/reflected_xss.py b/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/reflected_xss.py
@@ -1,5 +1,5 @@
 import json
-from flask import Flask, request, make_response, escape
+from flask import Flask, request, make_response, escape, jsonify
 
 app = Flask(__name__)
 
@@ -26,3 +26,9 @@ def unsafe_json():
 def safe_json():
     data = json.loads(request.data)
     return make_response(json.dumps(data), 200, {'Content-Type': 'application/json'})  # OK, FP
+
+
+@app.route("/jsonify")
+def jsonify():
+    data = request.data
+    return jsonify(data)  # OK, FP
