Merge pull request #10687 from RasmusWL/flask-debug

yoff · web-flow · commit ad83fc8a98b1 · 2022-10-05T09:08:41.000+02:00
Python: Rewrite `py/flask-debug` to use API graphs instead of type-trackers
diff --git a/python/ql/src/Security/CWE-215/FlaskDebug.ql b/python/ql/src/Security/CWE-215/FlaskDebug.ql
@@ -16,21 +16,10 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.ApiGraphs
 import semmle.python.frameworks.Flask
 
-/** Gets a reference to a truthy literal. */
-private DataFlow::TypeTrackingNode truthyLiteral(DataFlow::TypeTracker t) {
-  t.start() and
-  result.asExpr().(ImmutableLiteral).booleanValue() = true
-  or
-  exists(DataFlow::TypeTracker t2 | result = truthyLiteral(t2).track(t2, t))
-}
-
-/** Gets a reference to a truthy literal. */
-DataFlow::Node truthyLiteral() { truthyLiteral(DataFlow::TypeTracker::end()).flowsTo(result) }
-
-from API::CallNode call, DataFlow::Node debugArg
+from API::CallNode call
 where
   call = Flask::FlaskApp::instance().getMember("run").getACall() and
-  debugArg in [call.getArg(2), call.getArgByName("debug")] and
-  debugArg = truthyLiteral()
+  call.getParameter(2, "debug").getAValueReachingSink().asExpr().(ImmutableLiteral).booleanValue() =
+    true
 select call,
   "A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger."
diff --git a/python/ql/test/query-tests/Security/CWE-215-FlaskDebug/FlaskDebug.expected b/python/ql/test/query-tests/Security/CWE-215-FlaskDebug/FlaskDebug.expected
@@ -1,5 +1,6 @@
 | test.py:10:1:10:19 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |
-| test.py:25:1:25:20 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |
-| test.py:29:1:29:20 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |
-| test.py:37:1:37:18 | ControlFlowNode for runapp() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |
-| test.py:42:1:42:35 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |
+| test.py:11:1:11:27 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |
+| test.py:26:1:26:20 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |
+| test.py:30:1:30:20 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |
+| test.py:38:1:38:18 | ControlFlowNode for runapp() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |
+| test.py:43:1:43:35 | ControlFlowNode for Attribute() | A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger. |
diff --git a/python/ql/test/query-tests/Security/CWE-215-FlaskDebug/test.py b/python/ql/test/query-tests/Security/CWE-215-FlaskDebug/test.py
@@ -8,6 +8,7 @@ def main():
 
 # bad
 app.run(debug=True)
+app.run('host', 8080, True)
 
 # okay
 app.run()
