Python: Generalize turbogear response sinks to allow for internally sourced strings.

2019-02-26 18:31:06 +00:00 · 2019-02-26 18:31:06 +00:00 · a480da6ed5
--- a/python/ql/src/semmle/python/security/strings/Basic.qll
+++ b/python/ql/src/semmle/python/security/strings/Basic.qll
@ -115,3 +115,14 @@ private predicate os_path_join(ControlFlowNode fromnode, CallNode tonode) {
        tonode = path_join.getACall() and tonode.getAnArg() = fromnode 
    )
 }
+
+/** A kind of "taint", representing a dictionary mapping str->"taint" */
+class StringDictKind extends DictKind {
+
+    StringDictKind() {
+        this.getValue() instanceof StringKind
+    }
+
+}
+
+
--- a/python/ql/src/semmle/python/web/turbogears/Response.qll
+++ b/python/ql/src/semmle/python/web/turbogears/Response.qll
@ -1,7 +1,7 @@
 import python

 import semmle.python.security.TaintTracking
-import semmle.python.security.strings.Untrusted
+import semmle.python.security.strings.Basic

 import TurboGears

@ -17,7 +17,7 @@ class ControllerMethodReturnValue extends TaintSink {
    }

    override predicate sinks(TaintKind kind) {
-        kind instanceof ExternalStringKind
+        kind instanceof StringKind
    }

 }
@ -32,7 +32,7 @@ class ControllerMethodTemplatedReturnValue extends TaintSink {
    }

    override predicate sinks(TaintKind kind) {
-        kind instanceof ExternalStringDictKind
+        kind instanceof StringDictKind
    }

-}
+}