Python: Move url_has_allowed_host_and_scheme to Django.qll

RasmusWL · RasmusWL · commit f62c4108ef0d · 2023-09-13T11:55:44.000+02:00
diff --git a/python/ql/lib/semmle/python/frameworks/Django.qll b/python/ql/lib/semmle/python/frameworks/Django.qll
@@ -15,6 +15,7 @@ private import semmle.python.regex
 private import semmle.python.frameworks.internal.PoorMansFunctionResolution
 private import semmle.python.frameworks.internal.SelfRefMixin
 private import semmle.python.frameworks.internal.InstanceTaintStepsHelper
+private import semmle.python.security.dataflow.UrlRedirectCustomizations
 
 /**
  * INTERNAL: Do not use.
@@ -2788,4 +2789,31 @@ module PrivateDjango {
 
     override predicate csrfEnabled() { decoratorName in ["csrf_protect", "requires_csrf_token"] }
   }
+
+  private predicate djangoUrlHasAllowedHostAndScheme(
+    DataFlow::GuardNode g, ControlFlowNode node, boolean branch
+  ) {
+    exists(API::CallNode call |
+      call =
+        API::moduleImport("django")
+            .getMember("utils")
+            .getMember("http")
+            .getMember("url_has_allowed_host_and_scheme")
+            .getACall() and
+      g = call.asCfgNode() and
+      node = call.getParameter(0, "url").asSink().asCfgNode() and
+      branch = true
+    )
+  }
+
+  /**
+   * A call to `django.utils.http.url_has_allowed_host_and_scheme`, considered as a sanitizer-guard for URL redirection.
+   *
+   * See https://docs.djangoproject.com/en/4.2/_modules/django/utils/http/
+   */
+  private class DjangoAllowedUrl extends UrlRedirect::Sanitizer {
+    DjangoAllowedUrl() {
+      this = DataFlow::BarrierGuard<djangoUrlHasAllowedHostAndScheme/3>::getABarrierNode()
+    }
+  }
 }
diff --git a/python/ql/lib/semmle/python/security/dataflow/UrlRedirectCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/UrlRedirectCustomizations.qll
@@ -70,31 +70,4 @@ module UrlRedirect {
    * A comparison with a constant string, considered as a sanitizer-guard.
    */
   class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }
-
-  private import semmle.python.ApiGraphs
-
-  private predicate djangoUrlHasAllowedHostAndScheme(
-    DataFlow::GuardNode g, ControlFlowNode node, boolean branch
-  ) {
-    exists(API::CallNode call |
-      call =
-        API::moduleImport("django")
-            .getMember("utils")
-            .getMember("http")
-            .getMember("url_has_allowed_host_and_scheme")
-            .getACall() and
-      g = call.asCfgNode() and
-      node = call.getParameter(0, "url").asSink().asCfgNode() and
-      branch = true
-    )
-  }
-
-  /**
-   * A call to `django.utils.http.url_has_allowed_host_and_scheme`, considered as a sanitizer-guard.
-   */
-  private class DjangoAllowedUrl extends Sanitizer {
-    DjangoAllowedUrl() {
-      this = DataFlow::BarrierGuard<djangoUrlHasAllowedHostAndScheme/3>::getABarrierNode()
-    }
-  }
 }
