
Commit b71ba7c

Move Header Write derrived concepts to Concepts
1 parent d2a00fa commit b71ba7c


2 files changed

+48
-50
lines changed


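--- a/python/ql/lib/semmle/python/Concepts.qll
+++ b/python/ql/lib/semmle/python/Concepts.qll
@@ -1134,6 +1134,54 @@ module Http {
 }
 }
 
+/** A key-value pair in a literal for a bulk header update, considered as a single header update. */
+private class HeaderBulkWriteDictLiteral extends Http::Server::ResponseHeaderWrite::Range instanceof Http::Server::ResponseHeaderBulkWrite
+{
+KeyValuePair item;
+
+HeaderBulkWriteDictLiteral() {
+exists(Dict dict | DataFlow::localFlow(DataFlow::exprNode(dict), super.getBulkArg()) |
+item = dict.getAnItem()
+)
+}
+
+override DataFlow::Node getNameArg() { result.asExpr() = item.getKey() }
+
+override DataFlow::Node getValueArg() { result.asExpr() = item.getValue() }
+
+override predicate nameAllowsNewline() {
+Http::Server::ResponseHeaderBulkWrite.super.nameAllowsNewline()
+}
+
+override predicate valueAllowsNewline() {
+Http::Server::ResponseHeaderBulkWrite.super.valueAllowsNewline()
+}
+}
+
+/** A tuple in a list for a bulk header update, considered as a single header update. */
+private class HeaderBulkWriteListLiteral extends Http::Server::ResponseHeaderWrite::Range instanceof Http::Server::ResponseHeaderBulkWrite
+{
+Tuple item;
+
+HeaderBulkWriteListLiteral() {
+exists(List list | DataFlow::localFlow(DataFlow::exprNode(list), super.getBulkArg()) |
+item = list.getAnElt()
+)
+}
+
+override DataFlow::Node getNameArg() { result.asExpr() = item.getElt(0) }
+
+override DataFlow::Node getValueArg() { result.asExpr() = item.getElt(1) }
+
+override predicate nameAllowsNewline() {
+Http::Server::ResponseHeaderBulkWrite.super.nameAllowsNewline()
+}
+
+override predicate valueAllowsNewline() {
+Http::Server::ResponseHeaderBulkWrite.super.valueAllowsNewline()
+}
+}
+
 /**
  * A data-flow node that sets a cookie in an HTTP response.
  *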
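Review bot: The move drops the two `// TODO` notes that sat above `HeaderBulkWriteDictLiteral` and `HeaderBulkWriteListLiteral`, so nothing in Concepts.qll now records that these classes only approximate bulk header writes. Both match only a `Dict` or `List` expression that reaches `getBulkArg()` through `DataFlow::localFlow`, and only its `KeyValuePair` items or `Tuple` elements, so a bulk argument assembled any other way presumably produces no per-header `ResponseHeaderWrite`, and the header-injection query would not treat its names and values as sinks. Because the classes now serve every consumer of the concept rather than one query, I would keep a note beside each class, for example `// Only literals that reach the bulk argument by local flow are split into single header writes; other bulk arguments are not modelled here.` If the alternative from the old TODO (treating the bulk write itself as a sink with implicit read steps) is still planned, that is worth restating here too.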

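--- a/python/ql/lib/semmle/python/security/dataflow/HttpHeaderInjectionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/HttpHeaderInjectionCustomizations.qll
@@ -51,56 +51,6 @@ module HttpHeaderInjection {
 }
 }
 
-/** A key-value pair in a literal for a bulk header update, considered as a single header update. */
-// TODO: We could instead consider bulk writes as sinks with an implicit read step of DictionaryKey/DictionaryValue content as needed.
-private class HeaderBulkWriteDictLiteral extends Http::Server::ResponseHeaderWrite::Range instanceof Http::Server::ResponseHeaderBulkWrite
-{
-KeyValuePair item;
-
-HeaderBulkWriteDictLiteral() {
-exists(Dict dict | DataFlow::localFlow(DataFlow::exprNode(dict), super.getBulkArg()) |
-item = dict.getAnItem()
-)
-}
-
-override DataFlow::Node getNameArg() { result.asExpr() = item.getKey() }
-
-override DataFlow::Node getValueArg() { result.asExpr() = item.getValue() }
-
-override predicate nameAllowsNewline() {
-Http::Server::ResponseHeaderBulkWrite.super.nameAllowsNewline()
-}
-
-override predicate valueAllowsNewline() {
-Http::Server::ResponseHeaderBulkWrite.super.valueAllowsNewline()
-}
-}
-
-/** A tuple in a list for a bulk header update, considered as a single header update. */
-// TODO: We could instead consider bulk writes as sinks with implicit read steps as needed.
-private class HeaderBulkWriteListLiteral extends Http::Server::ResponseHeaderWrite::Range instanceof Http::Server::ResponseHeaderBulkWrite
-{
-Tuple item;
-
-HeaderBulkWriteListLiteral() {
-exists(List list | DataFlow::localFlow(DataFlow::exprNode(list), super.getBulkArg()) |
-item = list.getAnElt()
-)
-}
-
-override DataFlow::Node getNameArg() { result.asExpr() = item.getElt(0) }
-
-override DataFlow::Node getValueArg() { result.asExpr() = item.getElt(1) }
-
-override predicate nameAllowsNewline() {
-Http::Server::ResponseHeaderBulkWrite.super.nameAllowsNewline()
-}
-
-override predicate valueAllowsNewline() {
-Http::Server::ResponseHeaderBulkWrite.super.valueAllowsNewline()
-}
-}
-
 /**
  * A call to replace line breaks, considered as a sanitizer.
  */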
