diff --git a/python/ql/src/Security/CWE-209/StackTraceExposure.ql b/python/ql/src/Security/CWE-209/StackTraceExposure.ql
index 4a1452655ed9..3b0c2203c6e4 100644
--- a/python/ql/src/Security/CWE-209/StackTraceExposure.ql
+++ b/python/ql/src/Security/CWE-209/StackTraceExposure.ql
@@ -19,5 +19,5 @@ import semmle.python.security.Exceptions
 import semmle.python.web.HttpResponse
 from TaintedPathSource src, TaintedPathSink sink
-where src.flowsTo(sink)
+where src.flowsTo(sink) and src.getSource() instanceof ErrorInfoSource
 select sink.getSink(), src, sink, "$@ may be exposed to an external user", src.getSource(), "Error information"
diff --git a/python/ql/src/semmle/python/security/Exceptions.qll b/python/ql/src/semmle/python/security/Exceptions.qll
index 0e7487b31aec..86a74a1da2f0 100644
--- a/python/ql/src/semmle/python/security/Exceptions.qll
+++ b/python/ql/src/semmle/python/security/Exceptions.qll
@@ -31,6 +31,10 @@ class ExceptionInfo extends StringKind {
 }
+/** A class representing sources of information about
+ * execution state exposed in tracebacks and the like.
+ */
+abstract class ErrorInfoSource extends TaintSource {}
 /**
  * This kind represents exceptions themselves.
@@ -56,7 +60,7 @@ class ExceptionKind extends TaintKind {
  * A source of exception objects, either explicitly created, or captured by an
  * `except` statement.
  */
-class ExceptionSource extends TaintSource {
+class ExceptionSource extends ErrorInfoSource {
     ExceptionSource() {
         exists(ClassObject cls |
@@ -91,7 +95,7 @@ class ExceptionInfoSequence extends SequenceKind {
  * Represents calls to functions in the `traceback` module that return
  * sequences of exception information.
  */
-class CallToTracebackFunction extends TaintSource {
+class CallToTracebackFunction extends ErrorInfoSource {
     CallToTracebackFunction() {
         exists(string name |
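Review bot: The added `and src.getSource() instanceof ErrorInfoSource` conjunct in the `where` clause narrows the results by filtering already-computed flows, but nothing in the query records why, and the `select` message `"Error information"` is now the only hint that other tainted data reaching an HTTP response is deliberately out of scope. A comment above the `from` line would make the intent explicit: `// Only report flows that originate from exception or traceback data; other tainted data reaching a response (e.g. reflected request input) is a different issue and is reported by other queries.` Since `ErrorInfoSource` appears to be an abstract class, a source added in another library is silently excluded from this query unless it extends `ErrorInfoSource`, which is worth stating in the query's QLDoc header (outside this hunk).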
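Review bot: The QLDoc on the new `abstract class ErrorInfoSource` puts its first sentence on the `/**` line, unlike the other doc comments visible in this file, which open `/**` on its own line, and it does not tell a library author what extending the class does. Because the class is abstract, its extent is exactly the union of its subclasses, so extending it is the mechanism by which a taint source becomes reportable by the stack-trace exposure query; the comment should say so, e.g. `/** A `TaintSource` of execution-state information such as exception objects and formatted tracebacks. A source must extend this class to be reported by the stack-trace exposure query. */`. The `ExceptionInfo` class whose closing brace precedes the insertion starts outside the hunk.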
@@ -120,7 +124,7 @@ class CallToTracebackFunction extends TaintSource {
  * Represents calls to functions in the `traceback` module that return a single
  * string of information about an exception.
  */
-class FormattedTracebackSource extends TaintSource {
+class FormattedTracebackSource extends ErrorInfoSource {
     FormattedTracebackSource() {
         this = traceback_function("format_exc").getACall()
diff --git a/python/ql/test/query-tests/Security/CWE-209/test.py b/python/ql/test/query-tests/Security/CWE-209/test.py
index 6e96cba15c57..1ccdfb95de75 100644
--- a/python/ql/test/query-tests/Security/CWE-209/test.py
+++ b/python/ql/test/query-tests/Security/CWE-209/test.py
@@ -1,4 +1,4 @@
-from flask import Flask
+from flask import Flask, request, make_response
 app = Flask(__name__)
@@ -35,3 +35,8 @@ def server_bad_flow():
 def format_error(msg):
     return "[ERROR] " + msg
+
+#Unrelated error
+@app.route('/maybe_xss')
+def maybe_xss():
+    return make_response(request.args.get('name', ''))
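Review bot: The comment `#Unrelated error` above `maybe_xss` does not state what the test case asserts, and it lacks the space after `#` that PEP 8 expects. The route reflects `request.args.get('name', '')` straight into the response, so it is a negative case for this query: the data is request input, not error information, and the `ErrorInfoSource` restriction added to `StackTraceExposure.ql` should produce no result here. Suggest `# Negative test: reflected request input is not error information, so the CWE-209 query must not report it (it is an XSS-class issue covered by other queries).` The query's `.expected` file is not part of this diff, so I cannot confirm it records no result for this route.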