Skip to content

Commit d7e6e1d

Browse files
authored
Merge pull request #19432 from yoff/python/model-http-server-header-write
python: model `send_header` from `http.server`
2 parents 481adce + e63b38c commit d7e6e1d

File tree

3 files changed

+20
-1
lines changed

3 files changed

+20
-1
lines changed
Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,4 @@
1+
---
2+
category: minorAnalysis
3+
---
4+
* Added header write model for `send_header` in `http.server`.

python/ql/lib/semmle/python/frameworks/Stdlib.qll

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1963,6 +1963,21 @@ module StdlibPrivate {
19631963
/** Gets a reference to an instance of the `BaseHttpRequestHandler` class or any subclass. */
19641964
DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
19651965

1966+
/** A call to a method that writes to a response header. */
1967+
private class HeaderWriteCall extends Http::Server::ResponseHeaderWrite::Range,
1968+
DataFlow::MethodCallNode
1969+
{
1970+
HeaderWriteCall() { this.calls(instance(), "send_header") }
1971+
1972+
override DataFlow::Node getNameArg() { result = this.getArg(0) }
1973+
1974+
override DataFlow::Node getValueArg() { result = this.getArg(1) }
1975+
1976+
override predicate nameAllowsNewline() { any() }
1977+
1978+
override predicate valueAllowsNewline() { any() }
1979+
}
1980+
19661981
private class AdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
19671982
override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
19681983
nodeFrom = instance() and

python/ql/test/library-tests/frameworks/stdlib/http_server.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -83,7 +83,7 @@ def taint_sources(self):
8383
def do_GET(self): # $ requestHandler
8484
# send_response will log a line to stderr
8585
self.send_response(200)
86-
self.send_header("Content-type", "text/plain; charset=utf-8")
86+
self.send_header("Content-type", "text/plain; charset=utf-8") # $ headerWriteNameUnsanitized="Content-type" headerWriteValueUnsanitized="text/plain; charset=utf-8"
8787
self.end_headers()
8888
self.wfile.write(b"Hello BaseHTTPRequestHandler\n")
8989
self.wfile.writelines([b"1\n", b"2\n", b"3\n"])

0 commit comments

Comments
 (0)