Python: Fix tornado lib: a redirect is not a http response

RasmusWL · RasmusWL · commit 46f4b7413486 · 2020-01-28T13:06:48.000+01:00
diff --git a/python/ql/src/semmle/python/web/tornado/Redirect.qll b/python/ql/src/semmle/python/web/tornado/Redirect.qll
@@ -13,14 +13,16 @@ import Tornado
 /**
  * Represents an argument to the `tornado.redirect` function.
  */
-class TornadoRedirect extends HttpRedirectTaintSink {
-    override string toString() { result = "tornado.redirect" }
+class TornadoHttpRequestHandlerRedirect extends HttpRedirectTaintSink {
+    override string toString() { result = "tornado.HttpRequestHandler.redirect" }
 
-    TornadoRedirect() {
+    TornadoHttpRequestHandlerRedirect() {
         exists(CallNode call, ControlFlowNode node |
             node = call.getFunction().(AttrNode).getObject("redirect") and
             isTornadoRequestHandlerInstance(node) and
-            this = call.getAnArg()
+            this = call.getArg(0)
         )
     }
+
+    override predicate sinks(TaintKind kind) { kind instanceof StringKind }
 }
diff --git a/python/ql/src/semmle/python/web/tornado/Response.qll b/python/ql/src/semmle/python/web/tornado/Response.qll
@@ -45,17 +45,3 @@ class TornadoHttpRequestHandlerWrite extends HttpResponseTaintSink {
 
     override predicate sinks(TaintKind kind) { kind instanceof StringKind }
 }
-
-class TornadoHttpRequestHandlerRedirect extends HttpResponseTaintSink {
-    override string toString() { result = "tornado.HttpRequestHandler.redirect" }
-
-    TornadoHttpRequestHandlerRedirect() {
-        exists(CallNode call, ControlFlowNode node |
-            node = call.getFunction().(AttrNode).getObject("redirect") and
-            isTornadoRequestHandlerInstance(node) and
-            this = call.getArg(0)
-        )
-    }
-
-    override predicate sinks(TaintKind kind) { kind instanceof StringKind }
-}
diff --git a/python/ql/test/library-tests/web/tornado/HttpRedirectSinks.expected b/python/ql/test/library-tests/web/tornado/HttpRedirectSinks.expected
@@ -0,0 +1 @@
+| test.py:20:23:20:25 | tornado.HttpRequestHandler.redirect | externally controlled string |
diff --git a/python/ql/test/library-tests/web/tornado/HttpRedirectSinks.ql b/python/ql/test/library-tests/web/tornado/HttpRedirectSinks.ql
@@ -0,0 +1,7 @@
+import python
+import semmle.python.web.HttpRedirect
+import semmle.python.security.strings.Untrusted
+
+from HttpRedirectTaintSink sink, TaintKind kind
+where sink.sinks(kind)
+select sink, kind
diff --git a/python/ql/test/library-tests/web/tornado/HttpResponseSinks.expected b/python/ql/test/library-tests/web/tornado/HttpResponseSinks.expected
@@ -1,4 +1,3 @@
 | test.py:6:20:6:43 | tornado.HttpRequestHandler.write | externally controlled string |
 | test.py:12:20:12:23 | tornado.HttpRequestHandler.write | externally controlled string |
-| test.py:20:23:20:25 | tornado.HttpRequestHandler.redirect | externally controlled string |
 | test.py:26:20:26:48 | tornado.HttpRequestHandler.write | externally controlled string |
diff --git a/python/ql/test/library-tests/web/tornado/HttpResponseSinks.ql b/python/ql/test/library-tests/web/tornado/HttpResponseSinks.ql

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+\| test.py:20:23:20:25 \| tornado.HttpRequestHandler.redirect \| externally controlled string \|`