Merge branch 'main' into redsun82/pkg

github · May 28, 2024 · afadc1f · afadc1f
2 parents f7bfe43 + 4c97b0c
commit afadc1f
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 0 deletions.
diff --git a/python/ql/lib/change-notes/2024-05-20-flask-session-interface.md b/python/ql/lib/change-notes/2024-05-20-flask-session-interface.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `request` parameter of Flask `SessionInterface.open_session` method is now modeled as a remote flow source.
diff --git a/python/ql/lib/semmle/python/frameworks/Flask.qll b/python/ql/lib/semmle/python/frameworks/Flask.qll
@@ -101,6 +101,19 @@ module Flask {
   /** Gets a reference to the `flask.request` object. */
   API::Node request() {
     result = API::moduleImport(["flask", "flask_restful"]).getMember("request")
+    or
+    result = sessionInterfaceRequestParam()
+  }
+
+  /** Gets a `request` parameter of an implementation of `open_session` in a subclass of `flask.sessions.SessionInterface` */
+  private API::Node sessionInterfaceRequestParam() {
+    result =
+      API::moduleImport("flask")
+          .getMember("sessions")
+          .getMember("SessionInterface")
+          .getASubclass+()
+          .getMember("open_session")
+          .getParameter(1)
   }
 
   /**

diff --git a/python/ql/test/library-tests/frameworks/flask/session_interface.py b/python/ql/test/library-tests/frameworks/flask/session_interface.py
@@ -0,0 +1,5 @@
+import flask 
+
+class MySessionInterface(flask.sessions.SessionInterface):
+    def open_session(self, app, request):
+        ensure_tainted(request) # $tainted