python: move CSRF concepts inside HTTP::Server

Author: yoff

python/ql/lib/semmle/python/Concepts.qll

@@ -105,76 +105,6 @@ module FileSystemWriteAccess {
   }
 }
 
-/**
- * A data-flow node that enables or disables Cross-site request forgery protection
- * in a global manner.
- *
- * Extend this class to refine existing API models. If you want to model new APIs,
- * extend `CsrfProtectionSetting::Range` instead.
- */
-class CsrfProtectionSetting extends DataFlow::Node instanceof CsrfProtectionSetting::Range {
-  /**
-   * Gets the boolean value corresponding to if CSRF protection is enabled
-   * (`true`) or disabled (`false`) by this node.
-   */
-  boolean getVerificationSetting() { result = super.getVerificationSetting() }
-}
-
-/** Provides a class for modeling new CSRF protection setting APIs. */
-module CsrfProtectionSetting {
-  /**
-   * A data-flow node that enables or disables Cross-site request forgery protection
-   * in a global manner.
-   *
-   * Extend this class to model new APIs. If you want to refine existing API models,
-   * extend `CsrfProtectionSetting` instead.
-   */
-  abstract class Range extends DataFlow::Node {
-    /**
-     * Gets the boolean value corresponding to if CSRF protection is enabled
-     * (`true`) or disabled (`false`) by this node.
-     */
-    abstract boolean getVerificationSetting();
-  }
-}
-
-/**
- * A data-flow node that enables or disables Cross-site request forgery protection
- * for a specific part of an application.
- *
- * Extend this class to refine existing API models. If you want to model new APIs,
- * extend `CsrfLocalProtectionSetting::Range` instead.
- */
-class CsrfLocalProtectionSetting extends DataFlow::Node instanceof CsrfLocalProtectionSetting::Range {
-  /**
-   * Gets a request handler whose CSRF protection is changed.
-   */
-  Function getRequestHandler() { result = super.getRequestHandler() }
-
-  /** Holds if CSRF protection is enabled by this setting */
-  predicate csrfEnabled() { super.csrfEnabled() }
-}
-
-/** Provides a class for modeling new CSRF protection setting APIs. */
-module CsrfLocalProtectionSetting {
-  /**
-   * A data-flow node that enables or disables Cross-site request forgery protection
-   * for a specific part of an application.
-   *
-   * Extend this class to model new APIs. If you want to refine existing API models,
-   * extend `CsrfLocalProtectionSetting` instead.
-   */
-  abstract class Range extends DataFlow::Node {
-    /**
-     * Gets a request handler whose CSRF protection is changed.
-     */
-    abstract Function getRequestHandler();
-
-    /** Holds if CSRF protection is enabled by this setting */
-    abstract predicate csrfEnabled();
-  }
-}
-
 /** Provides classes for modeling path-related APIs. */
 module Path {
   /**
@@ -956,6 +886,76 @@ module HTTP {
         abstract DataFlow::Node getValueArg();
       }
     }
+
+    /**
+     * A data-flow node that enables or disables Cross-site request forgery protection
+     * in a global manner.
+     *
+     * Extend this class to refine existing API models. If you want to model new APIs,
+     * extend `CsrfProtectionSetting::Range` instead.
+     */
+    class CsrfProtectionSetting extends DataFlow::Node instanceof CsrfProtectionSetting::Range {
+      /**
+       * Gets the boolean value corresponding to if CSRF protection is enabled
+       * (`true`) or disabled (`false`) by this node.
+       */
+      boolean getVerificationSetting() { result = super.getVerificationSetting() }
+    }
+
+    /** Provides a class for modeling new CSRF protection setting APIs. */
+    module CsrfProtectionSetting {
+      /**
+       * A data-flow node that enables or disables Cross-site request forgery protection
+       * in a global manner.
+       *
+       * Extend this class to model new APIs. If you want to refine existing API models,
+       * extend `CsrfProtectionSetting` instead.
+       */
+      abstract class Range extends DataFlow::Node {
+        /**
+         * Gets the boolean value corresponding to if CSRF protection is enabled
+         * (`true`) or disabled (`false`) by this node.
+         */
+        abstract boolean getVerificationSetting();
+      }
+    }
+
+    /**
+     * A data-flow node that enables or disables Cross-site request forgery protection
+     * for a specific part of an application.
+     *
+     * Extend this class to refine existing API models. If you want to model new APIs,
+     * extend `CsrfLocalProtectionSetting::Range` instead.
+     */
+    class CsrfLocalProtectionSetting extends DataFlow::Node instanceof CsrfLocalProtectionSetting::Range {
+      /**
+       * Gets a request handler whose CSRF protection is changed.
+       */
+      Function getRequestHandler() { result = super.getRequestHandler() }
+
+      /** Holds if CSRF protection is enabled by this setting */
+      predicate csrfEnabled() { super.csrfEnabled() }
+    }
+
+    /** Provides a class for modeling new CSRF protection setting APIs. */
+    module CsrfLocalProtectionSetting {
+      /**
+       * A data-flow node that enables or disables Cross-site request forgery protection
+       * for a specific part of an application.
+       *
+       * Extend this class to model new APIs. If you want to refine existing API models,
+       * extend `CsrfLocalProtectionSetting` instead.
+       */
+      abstract class Range extends DataFlow::Node {
+        /**
+         * Gets a request handler whose CSRF protection is changed.
+         */
+        abstract Function getRequestHandler();
+
+        /** Holds if CSRF protection is enabled by this setting */
+        abstract predicate csrfEnabled();
+      }
+    }
   }
 
   /** Provides classes for modeling HTTP clients. */

python/ql/lib/semmle/python/frameworks/Django.qll

@@ -2320,7 +2320,7 @@ module PrivateDjango {
   /**
    * A custom middleware stack
    */
-  private class DjangoSettingsMiddlewareStack extends CsrfProtectionSetting::Range {
+  private class DjangoSettingsMiddlewareStack extends HTTP::Server::CsrfProtectionSetting::Range {
     List list;
 
     DjangoSettingsMiddlewareStack() {
@@ -2356,7 +2356,7 @@ module PrivateDjango {
     }
   }
 
-  private class DjangoCsrfDecorator extends CsrfLocalProtectionSetting::Range {
+  private class DjangoCsrfDecorator extends HTTP::Server::CsrfLocalProtectionSetting::Range {
     string decoratorName;
     Function function;
 

python/ql/src/Security/CWE-352/CSRFProtectionDisabled.ql

@@ -14,10 +14,10 @@
 import python
 import semmle.python.Concepts
 
-from CsrfProtectionSetting s
+from HTTP::Server::CsrfProtectionSetting s
 where
   s.getVerificationSetting() = false and
-  not exists(CsrfLocalProtectionSetting p | p.csrfEnabled()) and
+  not exists(HTTP::Server::CsrfLocalProtectionSetting p | p.csrfEnabled()) and
   // rule out test code as this is a common place to turn off CSRF protection
   not s.getLocation().getFile().getAbsolutePath().matches("%test%")
 select s, "Potential CSRF vulnerability due to forgery protection being disabled or weakened."

python/ql/test/experimental/meta/ConceptsTest.qll

@@ -511,7 +511,7 @@ class CsrfProtectionSettingTest extends InlineExpectationsTest {
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     exists(location.getFile().getRelativePath()) and
-    exists(CsrfProtectionSetting setting |
+    exists(HTTP::Server::CsrfProtectionSetting setting |
       location = setting.getLocation() and
       element = setting.toString() and
       value = setting.getVerificationSetting().toString() and
@@ -527,7 +527,7 @@ class CsrfLocalProtectionSettingTest extends InlineExpectationsTest {
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     exists(location.getFile().getRelativePath()) and
-    exists(CsrfLocalProtectionSetting p |
+    exists(HTTP::Server::CsrfLocalProtectionSetting p |
       location = p.getLocation() and
       element = p.toString() and
       value = p.getRequestHandler().getName().toString() and