private import python
private import semmle.python.dataflow.new.DataFlow
private import semmle.python.ApiGraphs
/**
 * A data-flow node that constructs a template.
 *
 * This is the public-facing side of the concept: its values are exactly the
 * nodes that are instances of `TemplateConstruction::Range`.
 *
 * Extend this class to refine existing API models. If you want to model new APIs,
 * extend `TemplateConstruction::Range` instead.
 *
 * NOTE(review): the node returned by `getSourceArg()` is the value the modeled
 * call treats as template text. A query tracking untrusted data into templates
 * would presumably use it as the sink; no such query is in this file.
 */
class TemplateConstruction extends DataFlow::Node instanceof TemplateConstruction::Range {
/**
 * Gets the argument that specifies the template source.
 *
 * Delegates to the `Range` implementation that models the concrete API.
 */
DataFlow::Node getSourceArg() { result = super.getSourceArg() }
}
/** Provides a class for modeling new template construction APIs. */
module TemplateConstruction {
/**
 * A data-flow node that constructs a template.
 *
 * Extend this class to model new APIs. If you want to refine existing API models,
 * extend `TemplateConstruction` instead.
 */
abstract class Range extends DataFlow::Node {
/**
 * Gets the argument that specifies the template source.
 *
 * Each model must return every argument position through which the template
 * text can reach the call. A position that is left out is not seen by anything
 * that relies on this predicate.
 */
abstract DataFlow::Node getSourceArg();
}
}
// -----------------------------------------------------------------------------
/**
 * A call to `airspeed.Template`.
 *
 * The template source is taken to be the first positional argument.
 *
 * NOTE(review): a source passed by keyword is not modeled here. Confirm the
 * parameter name against the library before adding `getArgByName`.
 */
class AirspeedTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
  AirspeedTemplateConstruction() {
    exists(API::Node templateClass |
      templateClass = API::moduleImport("airspeed").getMember("Template") and
      this = templateClass.getACall()
    )
  }

  /** Gets the first positional argument of the call. */
  override DataFlow::Node getSourceArg() { this.getArg(0) = result }
}
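/**
 * A call to `bottle.SimpleTemplate`.
 *
 * The template source is the first positional argument or the `source`
 * keyword argument.
 */
class BottleSimpleTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
  BottleSimpleTemplateConstruction() {
    this = API::moduleImport("bottle").getMember("SimpleTemplate").getACall()
  }

  /** Gets the argument that specifies the template source. */
  override DataFlow::Node getSourceArg() {
    // Also match the keyword form, so `SimpleTemplate(source=...)` is not missed.
    result in [this.getArg(0), this.getArgByName("source")]
  }
}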
/**
 * A call to `bottle.template`.
 *
 * The template source is taken to be the first positional argument.
 *
 * NOTE(review): `bottle.template` is documented as also accepting a template
 * name or file name in that position, so not every match is necessarily a
 * construction from a template string. Confirm how results are triaged.
 */
class BottleTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
  BottleTemplateConstruction() {
    exists(API::Node templateFunction |
      templateFunction = API::moduleImport("bottle").getMember("template") and
      this = templateFunction.getACall()
    )
  }

  /** Gets the first positional argument of the call. */
  override DataFlow::Node getSourceArg() { this.getArg(0) = result }
}
/**
 * A call to `chameleon.PageTemplate`.
 *
 * The template source is taken to be the first positional argument.
 *
 * NOTE(review): a source passed by keyword is not modeled here. Confirm the
 * parameter name against the library before adding `getArgByName`.
 */
class ChameleonTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
  ChameleonTemplateConstruction() {
    exists(API::Node pageTemplateClass |
      pageTemplateClass = API::moduleImport("chameleon").getMember("PageTemplate") and
      this = pageTemplateClass.getACall()
    )
  }

  /** Gets the first positional argument of the call. */
  override DataFlow::Node getSourceArg() { this.getArg(0) = result }
}
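/**
 * A call to `Cheetah.Template.Template`, or to a subclass of it.
 *
 * The template source is the first positional argument or the `source`
 * keyword argument.
 */
class CheetahTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
  CheetahTemplateConstruction() {
    this =
      API::moduleImport("Cheetah")
          .getMember("Template")
          .getMember("Template")
          // Subclasses of the template class are also constructed from a source.
          .getASubclass*()
          .getACall()
  }

  /** Gets the argument that specifies the template source. */
  override DataFlow::Node getSourceArg() {
    // Also match the keyword form, so `Template(source=...)` is not missed.
    result in [this.getArg(0), this.getArgByName("source")]
  }
}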
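/**
 * A call to `chevron.render`.
 *
 * The template source is the first positional argument or the `template`
 * keyword argument.
 */
class ChevronRenderConstruction extends TemplateConstruction::Range, API::CallNode {
  ChevronRenderConstruction() { this = API::moduleImport("chevron").getMember("render").getACall() }

  /** Gets the argument that specifies the template source. */
  override DataFlow::Node getSourceArg() {
    // Also match the keyword form, so `render(template=...)` is not missed.
    result in [this.getArg(0), this.getArgByName("template")]
  }
}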
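/**
 * A call to `django.template.Template`.
 *
 * The template source is the first positional argument or the
 * `template_string` keyword argument.
 */
class DjangoTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
  DjangoTemplateConstruction() {
    this = API::moduleImport("django").getMember("template").getMember("Template").getACall()
  }

  /** Gets the argument that specifies the template source. */
  override DataFlow::Node getSourceArg() {
    // Also match the keyword form, so `Template(template_string=...)` is not missed.
    result in [this.getArg(0), this.getArgByName("template_string")]
  }
}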
// TODO: support django.template.engines["django"].from_string
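/**
 * A call to `flask.render_template_string`.
 *
 * The template source is the first positional argument or the `source`
 * keyword argument. The remaining keyword arguments are template context and
 * are not template sources.
 */
class FlaskTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
  FlaskTemplateConstruction() {
    this = API::moduleImport("flask").getMember("render_template_string").getACall()
  }

  /** Gets the argument that specifies the template source. */
  override DataFlow::Node getSourceArg() {
    // Also match the keyword form, so `render_template_string(source=...)` is not missed.
    result in [this.getArg(0), this.getArgByName("source")]
  }
}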
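/**
 * A call to `genshi.template.TextTemplate`.
 *
 * The template source is the first positional argument or the `source`
 * keyword argument.
 */
class GenshiTextTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
  GenshiTextTemplateConstruction() {
    this = API::moduleImport("genshi").getMember("template").getMember("TextTemplate").getACall()
  }

  /** Gets the argument that specifies the template source. */
  override DataFlow::Node getSourceArg() {
    // Also match the keyword form, so `TextTemplate(source=...)` is not missed.
    result in [this.getArg(0), this.getArgByName("source")]
  }
}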
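/**
 * A call to `genshi.template.MarkupTemplate`.
 *
 * The template source is the first positional argument or the `source`
 * keyword argument.
 */
class GenshiMarkupTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
  GenshiMarkupTemplateConstruction() {
    this = API::moduleImport("genshi").getMember("template").getMember("MarkupTemplate").getACall()
  }

  /** Gets the argument that specifies the template source. */
  override DataFlow::Node getSourceArg() {
    // Also match the keyword form, so `MarkupTemplate(source=...)` is not missed.
    result in [this.getArg(0), this.getArgByName("source")]
  }
}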
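/**
 * A call to `jinja2.Template`.
 *
 * The template source is the first positional argument or the `source`
 * keyword argument.
 */
class Jinja2TemplateConstruction extends TemplateConstruction::Range, API::CallNode {
  Jinja2TemplateConstruction() {
    this = API::moduleImport("jinja2").getMember("Template").getACall()
  }

  /** Gets the argument that specifies the template source. */
  override DataFlow::Node getSourceArg() {
    // Also match the keyword form, so `Template(source=...)` is not missed.
    result in [this.getArg(0), this.getArgByName("source")]
  }
}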
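/**
 * A call to `from_string` that builds a Jinja2 template from a string.
 *
 * `from_string` is a method of `jinja2.Environment`, so calls on an instance of
 * that class (or of a subclass) are modeled. The module-level
 * `jinja2.from_string` path of the original model is kept, so everything that
 * matched before still matches.
 *
 * The template source is the first positional argument or the `source`
 * keyword argument.
 */
class Jinja2FromStringConstruction extends TemplateConstruction::Range, API::CallNode {
  Jinja2FromStringConstruction() {
    // Original model: a `from_string` member looked up directly on the module.
    this = API::moduleImport("jinja2").getMember("from_string").getACall()
    or
    // `Environment(...).from_string(...)`: the method is reached through the
    // value returned by calling the class, not through the module itself.
    this =
      API::moduleImport("jinja2")
          .getMember("Environment")
          .getASubclass*()
          .getReturn()
          .getMember("from_string")
          .getACall()
  }

  /** Gets the argument that specifies the template source. */
  override DataFlow::Node getSourceArg() {
    // Also match the keyword form, so `from_string(source=...)` is not missed.
    result in [this.getArg(0), this.getArgByName("source")]
  }
}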
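/**
 * A call to `mako.template.Template`.
 *
 * The template source is the first positional argument or the `text`
 * keyword argument.
 */
class MakoTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
  MakoTemplateConstruction() {
    this = API::moduleImport("mako").getMember("template").getMember("Template").getACall()
  }

  /** Gets the argument that specifies the template source. */
  override DataFlow::Node getSourceArg() {
    // Also match the keyword form, so `Template(text=...)` is not missed.
    result in [this.getArg(0), this.getArgByName("text")]
  }
}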
/**
 * A call to `trender.TRender`.
 *
 * The template source is taken to be the first positional argument.
 *
 * NOTE(review): a source passed by keyword is not modeled here. Confirm the
 * parameter name against the library before adding `getArgByName`.
 */
class TRenderTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
  TRenderTemplateConstruction() {
    exists(API::Node renderClass |
      renderClass = API::moduleImport("trender").getMember("TRender") and
      this = renderClass.getACall()
    )
  }

  /** Gets the first positional argument of the call. */
  override DataFlow::Node getSourceArg() { this.getArg(0) = result }
}