Python: Move `url_has_allowed_host_and_scheme` to Django.qll

Rasmus Wriedt Larsen 2023-09-13 11:52:47 +02:00
Родитель 8dad4950a9
Коммит f62c4108ef
Не найден ключ, соответствующий данной подписи
2 изменённых файлов: 28 добавлений и 27 удалений


@ -15,6 +15,7 @@ private import semmle.python.regex
private import semmle.python.frameworks.internal.PoorMansFunctionResolution private import semmle.python.frameworks.internal.PoorMansFunctionResolution
private import semmle.python.frameworks.internal.SelfRefMixin private import semmle.python.frameworks.internal.SelfRefMixin
private import semmle.python.frameworks.internal.InstanceTaintStepsHelper private import semmle.python.frameworks.internal.InstanceTaintStepsHelper
private import semmle.python.security.dataflow.UrlRedirectCustomizations
/** /**
* INTERNAL: Do not use. * INTERNAL: Do not use.
@ -2788,4 +2789,31 @@ module PrivateDjango {
override predicate csrfEnabled() { decoratorName in ["csrf_protect", "requires_csrf_token"] } override predicate csrfEnabled() { decoratorName in ["csrf_protect", "requires_csrf_token"] }
} }
private predicate djangoUrlHasAllowedHostAndScheme(
DataFlow::GuardNode g, ControlFlowNode node, boolean branch
) {
exists(API::CallNode call |
call =
API::moduleImport("django")
.getMember("utils")
.getMember("http")
.getMember("url_has_allowed_host_and_scheme")
.getACall() and
g = call.asCfgNode() and
node = call.getParameter(0, "url").asSink().asCfgNode() and
branch = true
)
}
/**
* A call to `django.utils.http.url_has_allowed_host_and_scheme`, considered as a sanitizer-guard for URL redirection.
*
* See https://docs.djangoproject.com/en/4.2/_modules/django/utils/http/
*/
private class DjangoAllowedUrl extends UrlRedirect::Sanitizer {
DjangoAllowedUrl() {
this = DataFlow::BarrierGuard<djangoUrlHasAllowedHostAndScheme/3>::getABarrierNode()
}
}
} }
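Review bot: The guard in `djangoUrlHasAllowedHostAndScheme` matches only the current function name, so code on Django releases before 4.0 that still calls the older alias `django.utils.http.is_safe_url` gets no sanitizer, and redirects it has validated will still be reported. Consider `.getMember(["url_has_allowed_host_and_scheme", "is_safe_url"])`, since both take the URL as the first parameter, `url`. The predicate also treats every call as a barrier regardless of what is passed as `allowed_hosts`; if that argument can be derived from request data, the check is weaker than the barrier implies. A QLDoc comment on the predicate should state that assumption, for example `/** Holds if `g` is a call to `url_has_allowed_host_and_scheme` that validates `node` when it evaluates to `branch`; `allowed_hosts` is assumed to be trusted. */`. The enclosing `PrivateDjango` module starts outside this hunk.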


@ -70,31 +70,4 @@ module UrlRedirect {
* A comparison with a constant string, considered as a sanitizer-guard. * A comparison with a constant string, considered as a sanitizer-guard.
*/ */
class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { } class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }
private import semmle.python.ApiGraphs
private predicate djangoUrlHasAllowedHostAndScheme(
DataFlow::GuardNode g, ControlFlowNode node, boolean branch
) {
exists(API::CallNode call |
call =
API::moduleImport("django")
.getMember("utils")
.getMember("http")
.getMember("url_has_allowed_host_and_scheme")
.getACall() and
g = call.asCfgNode() and
node = call.getParameter(0, "url").asSink().asCfgNode() and
branch = true
)
}
/**
* A call to `django.utils.http.url_has_allowed_host_and_scheme`, considered as a sanitizer-guard.
*/
private class DjangoAllowedUrl extends Sanitizer {
DjangoAllowedUrl() {
this = DataFlow::BarrierGuard<djangoUrlHasAllowedHostAndScheme/3>::getABarrierNode()
}
}
} }