Python: Fix Flask request.files modeling

RasmusWL · RasmusWL · commit fb0133d276c2 · 2022-05-02T14:14:58.000+02:00
diff --git a/python/ql/lib/semmle/python/frameworks/Flask.qll b/python/ql/lib/semmle/python/frameworks/Flask.qll
@@ -418,7 +418,7 @@ module Flask {
       // TODO: This approach for identifying member-access is very adhoc, and we should
       // be able to do something more structured for providing modeling of the members
       // of a container-object.
-      exists(DataFlow::AttrRead files | files = request().getMember("files").getAnImmediateUse() |
+      exists(DataFlow::Node files | files = request().getMember("files").getAUse() |
         this.asCfgNode().(SubscriptNode).getObject() = files.asCfgNode()
         or
         this.(DataFlow::MethodCallNode).calls(files, "get")
diff --git a/python/ql/test/library-tests/frameworks/flask/taint_test.py b/python/ql/test/library-tests/frameworks/flask/taint_test.py
@@ -204,7 +204,7 @@ def test_taint(name = "World!", number="0", foo="foo"):  # $requestHandler route
         b.getlist('key'), # $ tainted
         gl('key'), # $ tainted
 
-        files.get('key').filename, # $ MISSING: tainted
+        files.get('key').filename, # $ tainted
     )
 
     # aliasing tests

Original file line number	Diff line number	Diff line change
`@@ -204,7 +204,7 @@ def test_taint(name = "World!", number="0", foo="foo"): # $requestHandler route`
`204`	`204`	`b.getlist('key'), # $ tainted`
`205`	`205`	`gl('key'), # $ tainted`
`206`	`206`
`207`		`- files.get('key').filename, # $ MISSING: tainted`
	`207`	`+ files.get('key').filename, # $ tainted`
`208`	`208`	`)`
`209`	`209`
`210`	`210`	`# aliasing tests`