Merge pull request #7127 from jty-team/jty/python/emailInjection

Python: CWE-079 - Add Email injection query

Author: yoff

python/ql/src/experimental/Security/CWE-079/ReflectedXSS.ql

@@ -0,0 +1,23 @@
+/**
+ * @name Reflected server-side cross-site scripting
+ * @description Writing user input directly to a web page
+ *              allows for a cross-site scripting vulnerability.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 2.9
+ * @sub-severity high
+ * @id py/reflective-xss
+ * @tags security
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ */
+
+// determine precision above
+import python
+import experimental.semmle.python.security.dataflow.ReflectedXSS
+import DataFlow::PathGraph
+
+from ReflectedXssConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
+  source.getNode(), "a user-provided value"

python/ql/src/experimental/semmle/python/Concepts.qll

@@ -602,3 +602,77 @@ class JwtDecoding extends DataFlow::Node instanceof JwtDecoding::Range {
 
 /** DEPRECATED: Alias for JwtDecoding */
 deprecated class JWTDecoding = JwtDecoding;
+
+/** Provides classes for modeling Email APIs. */
+module EmailSender {
+  /**
+   * A data-flow node that sends an email.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `EmailSender` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /**
+     * Gets a data flow node holding the plaintext version of the email body.
+     */
+    abstract DataFlow::Node getPlainTextBody();
+
+    /**
+     * Gets a data flow node holding the html version of the email body.
+     */
+    abstract DataFlow::Node getHtmlBody();
+
+    /**
+     * Gets a data flow node holding the recipients of the email.
+     */
+    abstract DataFlow::Node getTo();
+
+    /**
+     * Gets a data flow node holding the senders of the email.
+     */
+    abstract DataFlow::Node getFrom();
+
+    /**
+     * Gets a data flow node holding the subject of the email.
+     */
+    abstract DataFlow::Node getSubject();
+  }
+}
+
+/**
+ * A data-flow node that sends an email.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `EmailSender::Range` instead.
+ */
+class EmailSender extends DataFlow::Node instanceof EmailSender::Range {
+  /**
+   * Gets a data flow node holding the plaintext version of the email body.
+   */
+  DataFlow::Node getPlainTextBody() { result = super.getPlainTextBody() }
+
+  /**
+   * Gets a data flow node holding the html version of the email body.
+   */
+  DataFlow::Node getHtmlBody() { result = super.getHtmlBody() }
+
+  /**
+   * Gets a data flow node holding the recipients of the email.
+   */
+  DataFlow::Node getTo() { result = super.getTo() }
+
+  /**
+   * Gets a data flow node holding the senders of the email.
+   */
+  DataFlow::Node getFrom() { result = super.getFrom() }
+
+  /**
+   * Gets a data flow node holding the subject of the email.
+   */
+  DataFlow::Node getSubject() { result = super.getSubject() }
+
+  /**
+   * Gets a data flow node that refers to the HTML body or plaintext body of the email.
+   */
+  DataFlow::Node getABody() { result in [super.getPlainTextBody(), super.getHtmlBody()] }
+}

python/ql/src/experimental/semmle/python/Frameworks.qll

@@ -15,3 +15,6 @@ private import experimental.semmle.python.libraries.Python_JWT
 private import experimental.semmle.python.libraries.Authlib
 private import experimental.semmle.python.libraries.PythonJose
 private import experimental.semmle.python.frameworks.CopyFile
+private import experimental.semmle.python.frameworks.Sendgrid
+private import experimental.semmle.python.libraries.FlaskMail
+private import experimental.semmle.python.libraries.SmtpLib

python/ql/src/experimental/semmle/python/frameworks/Django.qll

@@ -8,8 +8,8 @@ private import semmle.python.frameworks.Django
 private import semmle.python.dataflow.new.DataFlow
 private import experimental.semmle.python.Concepts
 private import semmle.python.ApiGraphs
-import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.Concepts
+import semmle.python.dataflow.new.RemoteFlowSources
 
 private module ExperimentalPrivateDjango {
   private module DjangoMod {
@@ -189,5 +189,90 @@ private module ExperimentalPrivateDjango {
         }
       }
     }
+
+    module Email {
+      /** https://docs.djangoproject.com/en/3.2/topics/email/ */
+      private API::Node djangoMail() {
+        result = API::moduleImport("django").getMember("core").getMember("mail")
+      }
+
+      /**
+       * Gets a call to `django.core.mail.send_mail()`.
+       *
+       * Given the following example:
+       *
+       * ```py
+       * send_mail("Subject", "plain-text body", "from@example.com", ["to@example.com"], html_message=django.http.request.GET.get("html"))
+       * ```
+       *
+       * * `this` would be `send_mail("Subject", "plain-text body", "from@example.com", ["to@example.com"], html_message=django.http.request.GET.get("html"))`.
+       * * `getPlainTextBody()`'s result would be `"plain-text body"`.
+       * * `getHtmlBody()`'s result would be `django.http.request.GET.get("html")`.
+       * * `getTo()`'s result would be `["to@example.com"]`.
+       * * `getFrom()`'s result would be `"from@example.com"`.
+       * * `getSubject()`'s result would be `"Subject"`.
+       */
+      private class DjangoSendMail extends DataFlow::CallCfgNode, EmailSender::Range {
+        DjangoSendMail() { this = djangoMail().getMember("send_mail").getACall() }
+
+        override DataFlow::Node getPlainTextBody() {
+          result in [this.getArg(1), this.getArgByName("message")]
+        }
+
+        override DataFlow::Node getHtmlBody() {
+          result in [this.getArg(8), this.getArgByName("html_message")]
+        }
+
+        override DataFlow::Node getTo() {
+          result in [this.getArg(3), this.getArgByName("recipient_list")]
+        }
+
+        override DataFlow::Node getFrom() {
+          result in [this.getArg(2), this.getArgByName("from_email")]
+        }
+
+        override DataFlow::Node getSubject() {
+          result in [this.getArg(0), this.getArgByName("subject")]
+        }
+      }
+
+      /**
+       * Gets a call to `django.core.mail.mail_admins()` or `django.core.mail.mail_managers()`.
+       *
+       * Given the following example:
+       *
+       * ```py
+       * mail_admins("Subject", "plain-text body", html_message=django.http.request.GET.get("html"))
+       * ```
+       *
+       * * `this` would be `mail_admins("Subject", "plain-text body", html_message=django.http.request.GET.get("html"))`.
+       * * `getPlainTextBody()`'s result would be `"plain-text body"`.
+       * * `getHtmlBody()`'s result would be `django.http.request.GET.get("html")`.
+       * * `getTo()`'s result would be `none`.
+       * * `getFrom()`'s result would be `none`.
+       * * `getSubject()`'s result would be `"Subject"`.
+       */
+      private class DjangoMailInternal extends DataFlow::CallCfgNode, EmailSender::Range {
+        DjangoMailInternal() {
+          this = djangoMail().getMember(["mail_admins", "mail_managers"]).getACall()
+        }
+
+        override DataFlow::Node getPlainTextBody() {
+          result in [this.getArg(1), this.getArgByName("message")]
+        }
+
+        override DataFlow::Node getHtmlBody() {
+          result in [this.getArg(4), this.getArgByName("html_message")]
+        }
+
+        override DataFlow::Node getTo() { none() }
+
+        override DataFlow::Node getFrom() { none() }
+
+        override DataFlow::Node getSubject() {
+          result in [this.getArg(0), this.getArgByName("subject")]
+        }
+      }
+    }
   }
 }

python/ql/src/experimental/semmle/python/frameworks/Sendgrid.qll

@@ -0,0 +1,187 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `sendgrid` PyPI package.
+ * See https://github.com/sendgrid/sendgrid-python.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import experimental.semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+private module Sendgrid {
+  /** Gets a reference to the `sendgrid` module. */
+  private API::Node sendgrid() { result = API::moduleImport("sendgrid") }
+
+  /** Gets a reference to `sendgrid.helpers.mail` */
+  private API::Node sendgridMailHelper() {
+    result = sendgrid().getMember("helpers").getMember("mail")
+  }
+
+  /** Gets a reference to `sendgrid.helpers.mail.Mail` */
+  private API::Node sendgridMailInstance() { result = sendgridMailHelper().getMember("Mail") }
+
+  /** Gets a reference to a `SendGridAPIClient` instance. */
+  private API::Node sendgridApiClient() {
+    result = sendgrid().getMember("SendGridAPIClient").getReturn()
+  }
+
+  /** Gets a reference to a `SendGridAPIClient` instance call with `send` or `post`. */
+  private DataFlow::CallCfgNode sendgridApiSendCall() {
+    result = sendgridApiClient().getMember("send").getACall()
+    or
+    result =
+      sendgridApiClient()
+          .getMember("client")
+          .getMember("mail")
+          .getMember("send")
+          .getMember("post")
+          .getACall()
+  }
+
+  /**
+   * Gets a reference to `sg.send()` and `sg.client.mail.send.post()`.
+   *
+   * Given the following example:
+   *
+   * ```py
+   *  from_email = Email("from@example.com")
+   *  to_email = To("to@example.com")
+   *  subject = "Sending with SendGrid is Fun"
+   *  content = Content("text/html", request.args["html_content"])
+   *
+   *  mail = Mail(from_email, to_email, subject, content)
+   *
+   *  sg = SendGridAPIClient(api_key='SENDGRID_API_KEY')
+   *  response = sg.client.mail.send.post(request_body=mail.get())
+   *  ```
+   *
+   * * `this` would be `sg.client.mail.send.post(request_body=mail.get())`.
+   * * `getPlainTextBody()`'s result would be `none()`.
+   * * `getHtmlBody()`'s result would be `request.args["html_content"]`.
+   * * `getTo()`'s result would be `"to@example.com"`.
+   * * `getFrom()`'s result would be `"from@example.com"`.
+   * * `getSubject()`'s result would be `"Sending with SendGrid is Fun"`.
+   */
+  private class SendGridMail extends DataFlow::CallCfgNode, EmailSender::Range {
+    SendGridMail() { this = sendgridApiSendCall() }
+
+    private DataFlow::CallCfgNode getMailCall() {
+      exists(DataFlow::Node n |
+        n in [this.getArg(0), this.getArgByName("request_body")] and
+        result = [n, n.(DataFlow::MethodCallNode).getObject()].getALocalSource()
+      )
+    }
+
+    private DataFlow::Node sendgridContent(DataFlow::CallCfgNode contentCall, string mime) {
+      mime in ["text/plain", "text/html", "text/x-amp-html"] and
+      exists(StrConst mimeNode |
+        mimeNode.getText() = mime and
+        DataFlow::exprNode(mimeNode).(DataFlow::LocalSourceNode).flowsTo(contentCall.getArg(0)) and
+        result = contentCall.getArg(1)
+      )
+    }
+
+    private DataFlow::Node sendgridWrite(string attributeName) {
+      attributeName in ["plain_text_content", "html_content", "from_email", "subject"] and
+      exists(DataFlow::AttrWrite attrWrite |
+        attrWrite.getObject().getALocalSource() = this.getMailCall() and
+        attrWrite.getAttributeName() = attributeName and
+        result = attrWrite.getValue()
+      )
+    }
+
+    override DataFlow::Node getPlainTextBody() {
+      result in [
+          this.getMailCall().getArg(3), this.getMailCall().getArgByName("plain_text_content")
+        ]
+      or
+      result in [
+          this.sendgridContent([
+              this.getMailCall().getArg(3), this.getMailCall().getArgByName("plain_text_content")
+            ].getALocalSource(), "text/plain"),
+          this.sendgridContent(sendgridMailInstance().getMember("add_content").getACall(),
+            "text/plain")
+        ]
+      or
+      result = this.sendgridWrite("plain_text_content")
+    }
+
+    override DataFlow::Node getHtmlBody() {
+      result in [this.getMailCall().getArg(4), this.getMailCall().getArgByName("html_content")]
+      or
+      result = this.getMailCall().getAMethodCall("set_html").getArg(0)
+      or
+      result =
+        this.sendgridContent([
+            this.getMailCall().getArg(4), this.getMailCall().getArgByName("html_content")
+          ].getALocalSource(), ["text/html", "text/x-amp-html"])
+      or
+      result = this.sendgridWrite("html_content")
+      or
+      exists(KeyValuePair content, Dict generalDict, KeyValuePair typePair, KeyValuePair valuePair |
+        content.getKey().(StrConst).getText() = "content" and
+        content.getValue().(List).getAnElt() = generalDict and
+        // declare KeyValuePairs keys and values
+        typePair.getKey().(StrConst).getText() = "type" and
+        typePair.getValue().(StrConst).getText() = ["text/html", "text/x-amp-html"] and
+        valuePair.getKey().(StrConst).getText() = "value" and
+        result.asExpr() = valuePair.getValue() and
+        // correlate generalDict with previously set KeyValuePairs
+        generalDict.getAnItem() in [typePair, valuePair] and
+        [this.getArg(0), this.getArgByName("request_body")].getALocalSource().asExpr() =
+          any(Dict d | d.getAnItem() = content)
+      )
+      or
+      exists(KeyValuePair footer, Dict generalDict, KeyValuePair enablePair, KeyValuePair htmlPair |
+        footer.getKey().(StrConst).getText() = ["footer", "subscription_tracking"] and
+        footer.getValue() = generalDict and
+        // check footer is enabled
+        enablePair.getKey().(StrConst).getText() = "enable" and
+        exists(enablePair.getValue().(True)) and
+        // get html content
+        htmlPair.getKey().(StrConst).getText() = "html" and
+        result.asExpr() = htmlPair.getValue() and
+        // correlate generalDict with previously set KeyValuePairs
+        generalDict.getAnItem() in [enablePair, htmlPair] and
+        exists(KeyValuePair k |
+          k.getKey() =
+            [this.getArg(0), this.getArgByName("request_body")]
+                .getALocalSource()
+                .asExpr()
+                .(Dict)
+                .getAKey() and
+          k.getValue() = any(Dict d | d.getAKey() = footer.getKey())
+        )
+      )
+    }
+
+    override DataFlow::Node getTo() {
+      result in [this.getMailCall().getArg(1), this.getMailCall().getArgByName("to_emails")]
+      or
+      result = this.getMailCall().getAMethodCall("To").getArg(0)
+      or
+      result =
+        this.getMailCall()
+            .getAMethodCall(["to", "add_to", "cc", "add_cc", "bcc", "add_bcc"])
+            .getArg(0)
+    }
+
+    override DataFlow::Node getFrom() {
+      result in [this.getMailCall().getArg(0), this.getMailCall().getArgByName("from_email")]
+      or
+      result = this.getMailCall().getAMethodCall("Email").getArg(0)
+      or
+      result = this.getMailCall().getAMethodCall(["from_email", "set_from"]).getArg(0)
+      or
+      result = this.sendgridWrite("from_email")
+    }
+
+    override DataFlow::Node getSubject() {
+      result in [this.getMailCall().getArg(2), this.getMailCall().getArgByName("subject")]
+      or
+      result = this.getMailCall().getAMethodCall(["subject", "set_subject"]).getArg(0)
+      or
+      result = this.sendgridWrite("subject")
+    }
+  }
+}