Promote jinja sinks

joefarebrother · joefarebrother · commit 2ec513c73a29 · 2024-11-06T09:09:42.000Z
diff --git a/python/ql/lib/semmle/python/frameworks/Jinja2.qll b/python/ql/lib/semmle/python/frameworks/Jinja2.qll
@@ -0,0 +1,49 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `jinja2` PyPI package.
+ * See https://jinja.palletsprojects.com.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.ApiGraphs
+private import semmle.python.Concepts
+private import semmle.python.frameworks.data.ModelsAsData
+
+module Jinja2 {
+  /** A call to `jinja2.Template`. */
+  class Jinja2TemplateConstruction extends TemplateConstruction::Range, API::CallNode {
+    Jinja2TemplateConstruction() {
+      this = API::moduleImport("jinja2").getMember("Template").getACall()
+    }
+
+    override DataFlow::Node getSourceArg() { result = this.getArg(0) }
+  }
+
+  module EnvironmentClass {
+    /** Gets a reference to the `jinja2.Environment` class. */
+    API::Node classRef() {
+      result = API::moduleImport("jinja2").getMember("Environment")
+      or
+      result = ModelOutput::getATypeNode("jinja.Environment~Subclass").getASubclass*()
+    }
+
+    /** Gets a reference to an instance of `jinja2.Environment`. */
+    private DataFlow::TypeTrackingNode instance(DataFlow::TypeTracker t) {
+      t.start() and
+      result = EnvironmentClass::classRef().getACall()
+      or
+      exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))
+    }
+
+    /** Gets a reference to an instance of `jinja2.Environment`. */
+    DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
+
+    /** A call to `jinja2.Environment.from_string`. */
+    class Jinja2FromStringConstruction extends TemplateConstruction::Range, DataFlow::MethodCallNode
+    {
+      Jinja2FromStringConstruction() { this.calls(EnvironmentClass::instance(), "from_string") }
+
+      override DataFlow::Node getSourceArg() { result = this.getArg(0) }
+    }
+  }
+}
diff --git a/python/ql/src/experimental/Security/CWE-074/TemplateConstructionConcept.qll b/python/ql/src/experimental/Security/CWE-074/TemplateConstructionConcept.qll
@@ -122,6 +122,7 @@ class GenshiMarkupTemplateConstruction extends TemplateConstruction::Range, API:
   override DataFlow::Node getSourceArg() { result = this.getArg(0) }
 }
 
+//
 /** A call to `jinja2.Template`. */
 class Jinja2TemplateConstruction extends TemplateConstruction::Range, API::CallNode {
   Jinja2TemplateConstruction() {

Original file line number	Diff line number	Diff line change
`@@ -122,6 +122,7 @@ class GenshiMarkupTemplateConstruction extends TemplateConstruction::Range, API:`
`122`	`122`	`override DataFlow::Node getSourceArg() { result = this.getArg(0) }`
`123`	`123`	`}`
`124`	`124`
	`125`	`+//`
`125`	`126`	/** A call to `jinja2.Template`. */
`126`	`127`	`class Jinja2TemplateConstruction extends TemplateConstruction::Range, API::CallNode {`
`127`	`128`	`Jinja2TemplateConstruction() {`