Python: Add support for Django 2.x and 3.x

I changed the django mock to support both 1.x and 2.x routing APIs, which is not
really a nice long term solution.

Author: RasmusWL

python/ql/src/semmle/python/web/django/General.qll

@@ -2,38 +2,111 @@ import python
 import semmle.python.regex
 import semmle.python.web.Http
 
-predicate django_route(CallNode call, ControlFlowNode regex, FunctionValue view) {
-    exists(FunctionValue url |
-        Value::named("django.conf.urls.url") = url and
-        url.getArgumentForCall(call, 0) = regex and
-        url.getArgumentForCall(call, 1).pointsTo(view)
+// TODO: Since django uses `path = partial(...)`, our analysis doesn't understand this is
+// a FunctionValue, so we can't use `FunctionValue.getArgumentForCall`
+// https://github.com/django/django/blob/master/django/urls/conf.py#L76
+
+private predicate django_regex_route(CallNode call, ControlFlowNode regex, FunctionValue view) {
+    exists(Value route_maker |
+        (
+            // Django 1.x
+            Value::named("django.conf.urls.url") = route_maker and
+            route_maker.(FunctionValue).getArgumentForCall(call, 0) = regex and
+            route_maker.(FunctionValue).getArgumentForCall(call, 1).pointsTo(view)
+        )
+        or
+        (
+            // Django 2.x and 3.x: https://docs.djangoproject.com/en/3.0/ref/urls/#re-path
+            Value::named("django.urls.re_path") = route_maker and
+            route_maker.getACall() = call and
+            (
+                call.getArg(0) = regex
+                or
+                call.getArgByName("route") = regex
+
+            ) and
+            (
+                call.getArg(1).pointsTo(view)
+                or
+                call.getArgByName("view").pointsTo(view)
+            )
+        )
+    )
+}
+
+private predicate django_path_route(CallNode call, ControlFlowNode route, FunctionValue view) {
+    exists(Value route_maker |
+        // Django 2.x and 3.x: https://docs.djangoproject.com/en/3.0/ref/urls/#path
+        Value::named("django.urls.path") = route_maker and
+        route_maker.getACall() = call and
+        (
+            call.getArg(0) = route
+            or
+            call.getArgByName("route") = route
+
+        ) and
+        (
+            call.getArg(1).pointsTo(view)
+            or
+            call.getArgByName("view").pointsTo(view)
+        )
     )
 }
 
 class DjangoRouteRegex extends RegexString {
-    DjangoRouteRegex() { django_route(_, this.getAFlowNode(), _) }
+    DjangoRouteRegex() { django_regex_route(_, this.getAFlowNode(), _) }
 }
 
-class DjangoRoute extends CallNode {
-    DjangoRoute() { django_route(this, _, _) }
+abstract class DjangoRoute extends CallNode {
+
+    abstract FunctionValue getViewFunction();
 
-    FunctionValue getViewFunction() { django_route(this, _, result) }
+    abstract string getANamedArgument();
+
+    /**
+     * Get the number of positional arguments that will be passed to the view.
+     * Will only return a result if there are no named arguments.
+     */
+    abstract int getNumPositionalArguments();
+}
 
-    string getANamedArgument() {
+class DjangoPathRoute extends DjangoRoute {
+
+    DjangoPathRoute() { django_path_route(this, _, _) }
+
+    override FunctionValue getViewFunction() { django_path_route(this, _, result) }
+
+    override string getANamedArgument() {
+        // regexp taken from django:
+        // https://github.com/django/django/blob/7d1bf29977bb368d7c28e7c6eb146db3b3009ae7/django/urls/resolvers.py#L199
+        exists(StrConst route, string match |
+            django_path_route(this, route.getAFlowNode(), _) and
+            match = route.getText().regexpFind("<(?:(?<converter>[^>:]+):)?(?<parameter>\\w+)>", _, _) and
+            result = match.regexpCapture("<(?:(?<converter>[^>:]+):)?(?<parameter>\\w+)>", 2)
+        )
+    }
+
+    override int getNumPositionalArguments() {
+        none()
+    }
+}
+
+class DjangoRegexRoute extends DjangoRoute {
+    DjangoRegexRoute() { django_regex_route(this, _, _) }
+
+    override FunctionValue getViewFunction() { django_regex_route(this, _, result) }
+
+    override string getANamedArgument() {
         exists(DjangoRouteRegex regex |
-            django_route(this, regex.getAFlowNode(), _) and
+            django_regex_route(this, regex.getAFlowNode(), _) and
             regex.getGroupName(_, _) = result
         )
     }
 
-    /**
-      * Get the number of positional arguments that will be passed to the view.
-      * Will only return a result if there are no named arguments.
-      */
-    int getNumPositionalArguments() {
+    override int getNumPositionalArguments() {
         exists(DjangoRouteRegex regex |
             not exists(this.getANamedArgument()) and
-            django_route(this, regex.getAFlowNode(), _) and
+            django_regex_route(this, regex.getAFlowNode(), _) and
             result = count(regex.getGroupNumber(_, _))
         )
     }

python/ql/src/semmle/python/web/django/Request.qll

@@ -48,11 +48,12 @@ abstract class DjangoRequestSource extends HttpRequestTaintSource {
 /**
  * Function based views
  * https://docs.djangoproject.com/en/1.11/topics/http/views/
+ * https://docs.djangoproject.com/en/3.0/topics/http/views/
  */
 private class DjangoFunctionBasedViewRequestArgument extends DjangoRequestSource {
     DjangoFunctionBasedViewRequestArgument() {
-        exists(FunctionValue view |
-            django_route(_, _, view) and
+        exists(DjangoRoute route, FunctionValue view |
+            route.getViewFunction() = view and
             this = view.getScope().getArg(0).asName().getAFlowNode()
         )
     }
@@ -61,9 +62,14 @@ private class DjangoFunctionBasedViewRequestArgument extends DjangoRequestSource
 /**
  * Class based views
  * https://docs.djangoproject.com/en/1.11/topics/class-based-views/
+ * https://docs.djangoproject.com/en/3.0/topics/class-based-views/
  */
 private class DjangoView extends ClassValue {
-    DjangoView() { Value::named("django.views.generic.View") = this.getASuperType() }
+    DjangoView() {
+        Value::named("django.views.generic.View") = this.getASuperType()
+        or
+        Value::named("django.views.View") = this.getASuperType()
+    }
 }
 
 private FunctionValue djangoViewHttpMethod() {

python/ql/src/semmle/python/web/django/Response.qll

@@ -14,7 +14,15 @@ class DjangoResponse extends TaintKind {
 }
 
 private ClassValue theDjangoHttpResponseClass() {
-    result = Value::named("django.http.response.HttpResponse") and
+    (
+        // version 1.x
+        result = Value::named("django.http.response.HttpResponse")
+        or
+        // version 2.x
+        // https://docs.djangoproject.com/en/2.2/ref/request-response/#httpresponse-objects
+        result = Value::named("django.http.HttpResponse")
+    ) and
+    // TODO: does this do anything? when could they be the same???
     not result = theDjangoHttpRedirectClass()
 }
 

python/ql/src/semmle/python/web/django/Shared.qll

@@ -4,5 +4,9 @@ import python
 FunctionValue redirect() { result = Value::named("django.shortcuts.redirect") }
 
 ClassValue theDjangoHttpRedirectClass() {
+    // version 1.x
     result = Value::named("django.http.response.HttpResponseRedirectBase")
+    or
+    // version 2.x
+    result = Value::named("django.http.HttpResponseRedirectBase")
 }

python/ql/test/library-tests/web/django/HttpRedirectSinks.expected

@@ -1 +1,2 @@
 | test_1x.py:13:21:13:24 | django.redirect | externally controlled string |
+| test_2x_3x.py:13:21:13:24 | django.redirect | externally controlled string |

python/ql/test/library-tests/web/django/HttpResponseSinks.expected

@@ -8,3 +8,16 @@
 | views_1x.py:45:25:45:70 | django.Response(...) | externally controlled string |
 | views_1x.py:66:25:66:55 | django.Response(...) | externally controlled string |
 | views_1x.py:75:25:75:33 | django.Response(...) | externally controlled string |
+| views_2x_3x.py:8:25:8:63 | django.Response(...) | externally controlled string |
+| views_2x_3x.py:12:25:12:52 | django.Response(...) | externally controlled string |
+| views_2x_3x.py:16:25:16:53 | django.Response(...) | externally controlled string |
+| views_2x_3x.py:21:15:21:42 | django.Response.write(...) | externally controlled string |
+| views_2x_3x.py:30:29:30:60 | django.Response(...) | externally controlled string |
+| views_2x_3x.py:36:29:36:65 | django.Response(...) | externally controlled string |
+| views_2x_3x.py:41:25:41:63 | django.Response(...) | externally controlled string |
+| views_2x_3x.py:45:25:45:70 | django.Response(...) | externally controlled string |
+| views_2x_3x.py:66:25:66:40 | django.Response(...) | externally controlled string |
+| views_2x_3x.py:79:25:79:61 | django.Response(...) | externally controlled string |
+| views_2x_3x.py:82:25:82:69 | django.Response(...) | externally controlled string |
+| views_2x_3x.py:85:25:85:64 | django.Response(...) | externally controlled string |
+| views_2x_3x.py:88:25:88:32 | django.Response(...) | externally controlled string |

python/ql/test/library-tests/web/django/HttpSources.expected

@@ -2,6 +2,10 @@
 | test_1x.py:6:28:6:31 | path | externally controlled string |
 | test_1x.py:12:19:12:25 | request | django.request.HttpRequest |
 | test_1x.py:12:28:12:31 | path | externally controlled string |
+| test_2x_3x.py:6:19:6:25 | request | django.request.HttpRequest |
+| test_2x_3x.py:6:28:6:31 | path | externally controlled string |
+| test_2x_3x.py:12:19:12:25 | request | django.request.HttpRequest |
+| test_2x_3x.py:12:28:12:31 | path | externally controlled string |
 | views_1x.py:7:19:7:25 | request | django.request.HttpRequest |
 | views_1x.py:7:28:7:30 | foo | externally controlled string |
 | views_1x.py:7:33:7:35 | bar | externally controlled string |
@@ -18,3 +22,26 @@
 | views_1x.py:65:15:65:21 | request | django.request.HttpRequest |
 | views_1x.py:65:24:65:31 | username | externally controlled string |
 | views_1x.py:74:13:74:19 | request | django.request.HttpRequest |
+| views_2x_3x.py:7:19:7:25 | request | django.request.HttpRequest |
+| views_2x_3x.py:7:28:7:30 | foo | externally controlled string |
+| views_2x_3x.py:7:33:7:35 | bar | externally controlled string |
+| views_2x_3x.py:11:20:11:26 | request | django.request.HttpRequest |
+| views_2x_3x.py:15:21:15:27 | request | django.request.HttpRequest |
+| views_2x_3x.py:19:21:19:27 | request | django.request.HttpRequest |
+| views_2x_3x.py:29:20:29:26 | request | django.request.HttpRequest |
+| views_2x_3x.py:35:19:35:25 | request | django.request.HttpRequest |
+| views_2x_3x.py:39:19:39:25 | request | django.request.HttpRequest |
+| views_2x_3x.py:39:28:39:38 | page_number | externally controlled string |
+| views_2x_3x.py:44:24:44:30 | request | django.request.HttpRequest |
+| views_2x_3x.py:44:33:44:36 | arg0 | externally controlled string |
+| views_2x_3x.py:44:39:44:42 | arg1 | externally controlled string |
+| views_2x_3x.py:78:17:78:23 | request | django.request.HttpRequest |
+| views_2x_3x.py:78:26:78:36 | page_number | externally controlled string |
+| views_2x_3x.py:81:17:81:23 | request | django.request.HttpRequest |
+| views_2x_3x.py:81:26:81:28 | foo | externally controlled string |
+| views_2x_3x.py:81:31:81:33 | bar | externally controlled string |
+| views_2x_3x.py:81:36:81:38 | baz | externally controlled string |
+| views_2x_3x.py:84:17:84:23 | request | django.request.HttpRequest |
+| views_2x_3x.py:84:26:84:28 | foo | externally controlled string |
+| views_2x_3x.py:84:31:84:33 | bar | externally controlled string |
+| views_2x_3x.py:87:26:87:32 | request | django.request.HttpRequest |

python/ql/test/library-tests/web/django/test_2x_3x.py

@@ -0,0 +1,19 @@
+"""tests for Django 2.x and 3.x"""
+from django.urls import path
+from django.shortcuts import redirect, render
+
+
+def with_template(request, path='default'):
+    env = {'path': path}
+    # We would need to understand django templates to know if this is safe or not
+    return render(request, 'possibly-vulnerable-template.html', env)
+
+
+def vuln_redirect(request, path):
+    return redirect(path)
+
+
+urlpatterns = [
+    path('/<path>', with_template),
+    path('/redirect/<path>', vuln_redirect),
+]

python/ql/test/library-tests/web/django/views_2x_3x.py

@@ -0,0 +1,122 @@
+"""testing views for Django 2.x and 3.x"""
+from django.urls import path, re_path
+from django.http import HttpResponse
+from django.views import View
+
+
+def url_match_xss(request, foo, bar, no_taint=None):
+    return HttpResponse('url_match_xss: {} {}'.format(foo, bar))
+
+
+def get_params_xss(request):
+    return HttpResponse(request.GET.get("untrusted"))
+
+
+def post_params_xss(request):
+    return HttpResponse(request.POST.get("untrusted"))
+
+
+def http_resp_write(request):
+    rsp = HttpResponse()
+    rsp.write(request.GET.get("untrusted"))
+    return rsp
+
+
+class Foo(object):
+    # Note: since Foo is used as the super type in a class view, it will be able to handle requests.
+
+    # TODO: Currently we don't flag `untrusted` as a DjangoRequestParameter
+    def post(self, request, untrusted):
+        return HttpResponse('Foo post: {}'.format(untrusted))
+
+
+class ClassView(View, Foo):
+    # TODO: Currently we don't flag `untrusted` as a DjangoRequestParameter
+    def get(self, request, untrusted):
+        return HttpResponse('ClassView get: {}'.format(untrusted))
+
+
+def show_articles(request, page_number=1):
+    page_number = int(page_number)
+    return HttpResponse('articles page: {}'.format(page_number))
+
+
+def xxs_positional_arg(request, arg0, arg1, no_taint=None):
+    return HttpResponse('xxs_positional_arg: {} {}'.format(arg0, arg1))
+
+
+urlpatterns = [
+    re_path(r'^url_match/(?P<foo>[^/]+)/(?P<bar>[^/]+)$', url_match_xss),
+    re_path(r'^get_params$', get_params_xss),
+    re_path(r'^post_params$', post_params_xss),
+    re_path(r'^http_resp_write$', http_resp_write),
+    re_path(r'^class_view/(?P<untrusted>.+)$', ClassView.as_view()),
+
+    # one pattern to support `articles/page-<n>` and ensuring that articles/ goes to page-1
+    re_path(r'articles/^(?:page-(?P<page_number>\d+)/)?$', show_articles),
+    # passing as positional argument is not the recommended way of doing things, but it is certainly
+    # possible
+    re_path(r'^([^/]+)/(?:foo|bar)/([^/]+)$', xxs_positional_arg, name='xxs_positional_arg'),
+]
+
+
+# Show we understand the keyword arguments to from django.urls.re_path
+
+def re_path_kwargs(request):
+    return HttpResponse('re_path_kwargs')
+
+
+urlpatterns = [
+    re_path(view=re_path_kwargs, regex=r'^specifying-as-kwargs-is-not-a-problem$')
+]
+
+################################################################################
+# Using path
+################################################################################
+
+# saying page_number is an externally controlled *string* is a bit strange, when we have an int converter :O
+def page_number(request, page_number=1):
+    return HttpResponse('page_number: {}'.format(page_number))
+
+def foo_bar_baz(request, foo, bar, baz):
+    return HttpResponse('foo_bar_baz: {} {} {}'.format(foo, bar, baz))
+
+def path_kwargs(request, foo, bar):
+    return HttpResponse('path_kwargs: {} {} {}'.format(foo, bar))
+
+def not_valid_identifier(request):
+    return HttpResponse('<foo!>')
+
+urlpatterns = [
+    path('articles/', page_number),
+    path('articles/page-<int:page_number>', page_number),
+    path('<int:foo>/<str:bar>/<baz>', foo_bar_baz, name='foo-bar-baz'),
+
+    path(view=path_kwargs, route='<foo>/<bar>'),
+
+    # We should not report there is a request parameter called `not_valid!`
+    path('not_valid/<not_valid!>', not_valid_identifier),
+]
+
+
+################################################################################
+
+
+# We should abort if a decorator is used. As demonstrated below, anything might happen
+
+# def reverse_kwargs(f):
+#     @wraps(f)
+#     def f_(*args, **kwargs):
+#         new_kwargs = dict()
+#         for key, value in kwargs.items():
+#             new_kwargs[key[::-1]] = value
+#         return f(*args, **new_kwargs)
+#     return f_
+
+# @reverse_kwargs
+# def decorators_can_do_anything(request, oof, foo=None):
+#     return HttpResponse('This is a mess'[::-1])
+
+# urlpatterns = [
+#     path('rev/<foo>', decorators_can_do_anything),
+# ]

python/ql/test/query-tests/Security/lib/django/conf/urls.py

@@ -2,5 +2,6 @@
 def url(regex, view, kwargs=None, name=None):
     pass
 
+
 def patterns(*urls):
     pass