github · joefarebrother · May 14, 2024 · Apr 22, 2024 · Apr 22, 2024 · Apr 25, 2024
@@ -56,6 +56,7 @@ private import semmle.python.frameworks.PyMongo
 private import semmle.python.frameworks.Pymssql
 private import semmle.python.frameworks.PyMySQL
 private import semmle.python.frameworks.Pyodbc
+private import semmle.python.frameworks.Pyramid
 private import semmle.python.frameworks.Requests
 private import semmle.python.frameworks.RestFramework
 private import semmle.python.frameworks.Rsa

@@ -0,0 +1,131 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `pyramid` PyPI package.
+ * See https://docs.pylonsproject.org/projects/pyramid/.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import semmle.python.dataflow.new.FlowSummary
+private import semmle.python.frameworks.internal.PoorMansFunctionResolution
+private import semmle.python.frameworks.internal.InstanceTaintStepsHelper
+private import semmle.python.frameworks.data.ModelsAsData
+
+/**
+ * Provides models for the `pyramid` PyPI package.
+ * See https://docs.pylonsproject.org/projects/pyramid/.
+ */
+module Pyramid {
+ // TODO: qldoc
+ module View {
+ /**
+ * A callable that could be used as a pyramid view callable.
+ */
+ private class PotentialViewCallable extends Function {
+ PotentialViewCallable() {
+ this.getPositionalParameterCount() = 1 and
+ this.getArgName(0) = "request"
+ or
+ this.getPositionalParameterCount() = 2 and
+ this.getArgName(0) = "context" and
+ this.getArgName(1) = "request"
+ }
+
+ /** Gets the `request` parameter of this view callable. */
+ Parameter getRequestParameter() { result = this.getArgByName("request") }
+ }
+
+ abstract class ViewCallable extends PotentialViewCallable, Http::Server::RequestHandler::Range {
+ override Parameter getARoutedParameter() { result = this.getRequestParameter() }
+
+ override string getFramework() { result = "Pyramid" }
+ }
+
+ private class ViewCallableFromDecorator extends ViewCallable {
+ ViewCallableFromDecorator() {
+ this.getADecorator() =
+ API::moduleImport("pyramid")
+ .getMember("view")
+ .getMember("view_config")
+ .getACall()
+ .asExpr()
+ }
+ }
+
+ private class ViewCallableFromConfigurator extends ViewCallable {
+ ViewCallableFromConfigurator() {
+ any(Configurator::AddViewCall c).getViewArg() = poorMansFunctionTracker(this)
+ }
+ }
+ }
+
+ module Configurator {
+ /** Gets a reference to the class `pyramid.config.Configurator`. */
+ API::Node classRef() {
+ result = API::moduleImport("pyramid").getMember("config").getMember("Configurator")
+ }
+
+ /** Gets a reference to an instance of `pyramid.config.Configurator`. */
+ private DataFlow::TypeTrackingNode instance(DataFlow::TypeTracker t) {
+ t.start() and
+ result = classRef().getACall()
+ or
+ exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))
+ }
+
+ /** Gets a reference to an instance of `pyramid.config.Configurator`. */
+ DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
+
+ class AddViewCall extends DataFlow::MethodCallNode {
+ AddViewCall() { this.calls(instance(), "add_view") }
+
+ DataFlow::Node getViewArg() { result = [this.getArg(0), this.getArgByName("view")] }
+ }
+ }
+
+ module Request {
+ abstract class InstanceSource extends DataFlow::LocalSourceNode { }
+
+ /** Gets a reference to an instance of `pyramid.request.Request`. */
+ private DataFlow::TypeTrackingNode instance(DataFlow::TypeTracker t) {
+ t.start() and
+ result instanceof InstanceSource
+ or
+ exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))
+ }
+
+ /** Gets a reference to an instance of `pyramid.request.Request`. */
+ DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
+
+ private class RequestParameter extends InstanceSource, DataFlow::ParameterNode {
+ RequestParameter() { this.getParameter() = any(View::ViewCallable vc).getRequestParameter() }
+ }
+
+ private class InstanceTaintSteps extends InstanceTaintStepsHelper {
+ InstanceTaintSteps() { this = "pyramid.request.Request" }
+
+ override DataFlow::Node getInstance() { result = instance() }
+
+ override string getAttributeName() {
+ result in [
+ "accept", "accept_charset", "accept_encoding", "accept_language", "application_url",
+ "as_bytes", "authorization", "body", "body_file", "body_file_raw", "body_file_seekable",
+ "cache_control", "client_addr", "content_type", "cookies", "domain", "headers", "host",
+ "host_port", "host_url", "GET", "if_match", "if_none_match", "if_range",
+ "if_none_match", "json", "json_body", "params", "path", "path_info", "path_qs",
+ "path_url", "POST", "pragma", "query_string", "range", "referer", "referrer", "text",
+ "url", "urlargs", "urlvars", "user_agent"
+ ]
+ }
+
+ override string getMethodName() {
+ result in ["as_bytes", "copy", "copy_body", "copy_get", "path_info_peek", "path_info_pop"]
+ }
+
+ override string getAsyncMethodName() { none() }
+ }
+ }
+}
@@ -0,0 +1,4 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+testFailures
+failures
@@ -0,0 +1,2 @@
+import experimental.meta.InlineTaintTest
+import MakeInlineTaintTest<TestTaintTrackingConfig>
@@ -0,0 +1,78 @@
+from pyramid.view import view_config
+from pyramid.config import Configurator
+
+@view_config(route_name="test1")
+def test1(request):
+ ensure_tainted(
+ request, # $ tainted
+
+ request.accept, # $ tainted
+ request.accept_charset, # $ tainted
+ request.accept_encoding, # $ tainted
+ request.accept_language, # $ tainted
+ request.authorization, # $ tainted
+ request.cache_control, # $ tainted
+ request.client_addr, # $ tainted
+ request.content_type, # $ tainted
+ request.domain, # $ tainted
+ request.host, # $ tainted
+ request.host_port, # $ tainted
+ request.host_url, # $ tainted
+ request.if_match, # $ tainted
+ request.if_none_match, # $ tainted
+ request.if_range, # $ tainted 
+ request.pragma, # $ tainted
+ request.range, # $ tainted
+ request.referer, # $ tainted
+ request.referrer, # $ tainted
+ request.user_agent, # $ tainted
+
+ request.as_bytes, # $ tainted
+
+ request.body, # $ tainted
+ request.body_file, # $ tainted
+ request.body_file_raw, # $ tainted
+ request.body_file_seekable,# $ tainted
+ request.body_file.read(), # $ MISSING:tainted
+
+ request.json, # $ tainted
+ request.json_body, # $ tainted
+ request.json['a']['b'][0]['c'], # $ tainted
+
+ request.text, # $ tainted
+
+ request.path, # $ tainted
+ request.path_info, # $ tainted
+ request.path_info_peek(), # $ tainted
+ request.path_info_pop(), # $ tainted
+ request.path_qs, # $ tainted
+ request.path_url, # $ tainted
+ request.query_string, # $ tainted
+
+ request.url, # $ tainted
+ request.urlargs, # $ tainted
+ request.urlvars, # $ tainted
+
+ request.GET['a'], # $ tainted
+ request.POST['b'], # $ tainted
+ request.cookies['c'], # $ tainted
+ request.params['d'], # $ tainted
+ request.headers['X-My-Header'], # $ tainted
+ request.GET.values(), # $ tainted
+
+ request.copy(), # $ tainted
+ request.copy_body(), # $ tainted
+ request.copy_get(), # $ tainted
+ request.copy().GET['a'] # $ MISSING:tainted
+ ) 
+
+def test2(request):
+ ensure_tainted(request) # $ tainted
+
+@view_config(route_name="test1")
+def test3(context, request):
+ ensure_tainted(request) # $ tainted
+
+if __name__ == "__main__":
+ with Configurator() as config:
+ config.add_view(test2, route_name="test2")