Python: Add Header Injection query #5463
18889a4 to b0c4986
The query is now ready for review. Thanks @tausbn for pointing
Generated file changes for java
- `Apache Commons Lang <https://commons.apache.org/proper/commons-lang/>`_,``org.apache.commons.lang3``,,370,,,,,,,,
+ `Apache Commons Lang <https://commons.apache.org/proper/commons-lang/>`_,``org.apache.commons.lang3``,,417,,,,,,,,
- Totals,,84,1575,181,13,6,6,,33,1,58
+ Totals,,84,1622,181,13,6,6,,33,1,58
- org.apache.commons.lang3,,,370,,,,,,,,,,,,,,324,46
+ org.apache.commons.lang3,,,417,,,,,,,,,,,,,,324,93 |
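Review bot: these generated Java coverage rows (org.apache.commons.lang3 going from 370 to 417, Totals from 1575 to 1622, and the last column of the lang3 row from 46 to 93) are unrelated to the Python header-injection query this PR adds; confirm the regeneration is intended here rather than an artifact of a stale base branch, and if it is unrelated, drop it from this PR so the Python changes can be reviewed on their own.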
python/ql/src/experimental/semmle/python/security/injection/HTTPHeaders.qll
A few minor things to address, otherwise this looks really nice!
You may also want to look at DataFlow::MethodCallNode, which can help clean up some of the AttrRead juggling that is otherwise needed.
| flask_bad.py:44:44:44:50 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| flask_bad.py:44:44:44:55 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| flask_bad.py:44:44:44:69 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
#select
It looks to me as if there are no results for django_bad.py. Is this intended?
I don't really know why the results don't show when querying the whole taint config. My best guess is RemoteFlowSource does not support request.GET.get("rfs_header").
Is this something you would like to try to fix? I'm happy to merge this PR without this test passing, but the query may be missing out on results.
Of course, let me check what kind of RFS there are for Django and I'll change the current ones to those.
Co-authored-by: Taus <tausbn@github.com>
I can't get what you mean by that. Most functions are

As a minor change, I'd like to know what your view is on #5463 (comment)

Regarding the use of
I think I get what you mean. Should I refactor the modeling to be more alike that one?

If you like, sure! In this PR, the difference it makes is fairly limited. I just thought I should make you aware of this class (so that you may add it to your toolbox).

Thanks for that! I'm a bit busy lately so I think I'll leave it as it is this time, but I'll practice that way of modeling (looks very cool!) :)

Hi @tausbn, apologies for the delay (I've had some issues with my computer). To make the query detect the django stuff I've had to model django's way to get a

No worries about the delay. Thanks for the additional Django modelling! I think this looks good to merge now.


This PR introduces:
adding headers to a Flask, Django and Werkzeug response.
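The sink this query targets is a response header whose value comes from the request. The following is an added illustration, not code from the CodeQL PR or from Flask, Django or Werkzeug: it models the header-setting step without any framework import so it runs offline, shows why an unvalidated request-controlled value (here a constructed `TAINTED_VALUE`, standing in for something like an assumed `request.args.get("name")`) corrupts the serialized response, and puts the hardened setter, which rejects control characters before they reach the header, beside it.

```python
"""Added example (not from the PR): a request-controlled value reaching a
response header unvalidated, beside a setter that validates first."""
import re

# Constructed sample input, standing in for a value read from the request
# (e.g. an assumed request.args.get("name")) and copied into a header.
TAINTED_VALUE = "report.pdf\r\nX-Injected: 1"
CLEAN_VALUE = "report.pdf"

# HTTP field values may not contain bare CR, LF or NUL; this rejects every
# C0 control character except horizontal tab, plus DEL.
_FORBIDDEN = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def is_safe_header_value(value: str) -> bool:
    """True if the value can be emitted as a single HTTP header line."""
    return _FORBIDDEN.search(value) is None


class UnsafeResponse:
    """The 'before' shape: header values are stored without validation."""

    def __init__(self):
        self.headers = {}

    def set_header(self, name: str, value: str) -> None:
        self.headers[name] = value

    def serialize(self) -> str:
        """Render the status line and headers as wire-format text."""
        lines = ["HTTP/1.1 200 OK"] + [f"{k}: {v}" for k, v in self.headers.items()]
        return "\r\n".join(lines) + "\r\n\r\n"


class HardenedResponse(UnsafeResponse):
    """Same response object, but the setter refuses unsafe values."""

    def set_header(self, name: str, value: str) -> None:
        if not is_safe_header_value(value):
            raise ValueError(f"control character in value for header {name!r}")
        super().set_header(name, value)


def count_header_lines(raw: str) -> int:
    """Number of header lines (excluding the status line) in a serialized response."""
    head = raw.split("\r\n\r\n", 1)[0]
    return len(head.split("\r\n")) - 1


def demo():
    """Return (lines emitted by the unsafe path, whether the hardened path
    rejected the tainted value, lines emitted by the hardened path)."""
    unsafe = UnsafeResponse()
    unsafe.set_header("Content-Disposition", f"attachment; filename={TAINTED_VALUE}")
    # One header was set, but the CRLF inside the value yields two header lines.
    unsafe_lines = count_header_lines(unsafe.serialize())

    hardened = HardenedResponse()
    try:
        hardened.set_header("Content-Disposition", f"attachment; filename={TAINTED_VALUE}")
        rejected = False
    except ValueError:
        rejected = True
    hardened.set_header("Content-Disposition", f"attachment; filename={CLEAN_VALUE}")
    return unsafe_lines, rejected, count_header_lines(hardened.serialize())


if __name__ == "__main__":
    print(demo())
```

In taint-tracking terms, `is_safe_header_value` is the sanitizer and `set_header` is the sink; a query that models the sink but not the sanitizer will still flag the hardened path, so both need modelling. Werkzeug's own `Headers` class performs a comparable newline check on values, which matters when deciding which Flask and Werkzeug call paths are genuinely reachable by a tainted value.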