Python: Account for other 'falsey' values in query.

markshannon · markshannon · commit 65886067399c · 2018-11-23T14:42:45.000Z
diff --git a/python/ql/src/Security/CWE-295/RequestWithoutValidation.qhelp b/python/ql/src/Security/CWE-295/RequestWithoutValidation.qhelp
@@ -21,7 +21,7 @@ Never use <code>verify=False</code> when making a request.
 
 <example>
 <p>
-The example shows an unsafe call to <a href="https://semmle.com">semmle.com</a>, followed by various safe alternatives.
+The example shows two unsafe calls to <a href="https://semmle.com">semmle.com</a>, followed by various safe alternatives.
 </p>
 
 <sample src="examples/make_request.py" />
diff --git a/python/ql/src/Security/CWE-295/RequestWithoutValidation.ql b/python/ql/src/Security/CWE-295/RequestWithoutValidation.ql
@@ -21,10 +21,16 @@ FunctionObject requestFunction() {
     )
 }
 
-from CallNode call, FunctionObject func, ControlFlowNode false_
+/** requests treats None as the default and all other "falsey" values as False */
+predicate falseNotNone(Object o) {
+    o.booleanValue() = false and not o = theNoneObject()
+}
+
+from CallNode call, FunctionObject func, Object falsey, ControlFlowNode origin
 where 
 func = requestFunction() and
 func.getACall() = call and
-call.getArgByName("verify").refersTo(theFalseObject(), false_)
+falseNotNone(falsey) and
+call.getArgByName("verify").refersTo(falsey, origin)
 
-select call, "Call to $@ with verify=$@", func, "requests." + func.getName(), false_, "False"
+select call, "Call to $@ with verify=$@", func, "requests." + func.getName(), origin, "False"
diff --git a/python/ql/src/Security/CWE-295/examples/make_request.py b/python/ql/src/Security/CWE-295/examples/make_request.py
@@ -1,8 +1,9 @@
 import requests
 
-#An unsafe request
+#Unsafe requests
 
 requests.get('https://semmle.com', verify=False) # UNSAFE
+requests.get('https://semmle.com', verify=0) # UNSAFE
 
 #Various safe options
 
diff --git a/python/ql/test/query-tests/Security/CWE-295/RequestWithoutValidation.expected b/python/ql/test/query-tests/Security/CWE-295/RequestWithoutValidation.expected
@@ -2,3 +2,4 @@
 | make_request.py:7:1:7:49 | ControlFlowNode for Attribute() | Call to $@ with verify=$@ | ../lib/requests.py:11:1:11:46 | Function post | requests.post | make_request.py:7:44:7:48 | ControlFlowNode for False | False |
 | make_request.py:12:1:12:39 | ControlFlowNode for put() | Call to $@ with verify=$@ | ../lib/requests.py:14:1:14:34 | Function put | requests.put | make_request.py:12:34:12:38 | ControlFlowNode for False | False |
 | make_request.py:28:5:28:46 | ControlFlowNode for patch() | Call to $@ with verify=$@ | ../lib/requests.py:17:1:17:36 | Function patch | requests.patch | make_request.py:30:6:30:10 | ControlFlowNode for False | False |
+| make_request.py:34:1:34:45 | ControlFlowNode for Attribute() | Call to $@ with verify=$@ | ../lib/requests.py:11:1:11:46 | Function post | requests.post | make_request.py:34:44:34:44 | ControlFlowNode for IntegerLiteral | False |
diff --git a/python/ql/test/query-tests/Security/CWE-295/make_request.py b/python/ql/test/query-tests/Security/CWE-295/make_request.py
@@ -30,3 +30,5 @@ def req2(verify):
 req2(False) # BAD (at line 28)
 req2("/path/to/cert/") # GOOD
 
+#Falsey value
+requests.post('https://semmle.com', verify=0) # BAD
