2 changes: 1 addition & 1 deletion python/ql/src/Security/CWE-209/StackTraceExposure.ql
Expand Up @@ -19,5 +19,5 @@ import semmle.python.security.Exceptions
import semmle.python.web.HttpResponse

from TaintedPathSource src, TaintedPathSink sink
where src.flowsTo(sink)
where src.flowsTo(sink) and src.getSource() instanceof ErrorInfoSource
select sink.getSink(), src, sink, "$@ may be exposed to an external user", src.getSource(), "Error information"
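Review bot: The added `instanceof ErrorInfoSource` conjunct on the `where` line silently drops any taint source that is not declared as a subclass of `ErrorInfoSource`, and nothing in the query says so; someone adding a new traceback source as a plain `TaintSource` would get no result and no hint why. A comment above the `from`/`where` block stating the contract would make it visible, e.g. `// Only sources of error information (subclasses of ErrorInfoSource in semmle.python.security.Exceptions) are reported here.` The query header above the hunk's first line is outside the hunk, so the QLDoc there may already need a matching sentence.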
10 changes: 7 additions & 3 deletions python/ql/src/semmle/python/security/Exceptions.qll
Expand Up @@ -31,6 +31,10 @@ class ExceptionInfo extends StringKind {

}

/** A class representing sources of information about
* execution state exposed in tracebacks and the like.
*/
abstract class ErrorInfoSource extends TaintSource {}

/**
* This kind represents exceptions themselves.
Expand All @@ -56,7 +60,7 @@ class ExceptionKind extends TaintKind {
* A source of exception objects, either explicitly created, or captured by an
* `except` statement.
*/
class ExceptionSource extends TaintSource {
class ExceptionSource extends ErrorInfoSource {

ExceptionSource() {
exists(ClassObject cls |
Expand Down Expand Up @@ -91,7 +95,7 @@ class ExceptionInfoSequence extends SequenceKind {
* Represents calls to functions in the `traceback` module that return
* sequences of exception information.
*/
class CallToTracebackFunction extends TaintSource {
class CallToTracebackFunction extends ErrorInfoSource {

CallToTracebackFunction() {
exists(string name |
Expand Down Expand Up @@ -120,7 +124,7 @@ class CallToTracebackFunction extends TaintSource {
* Represents calls to functions in the `traceback` module that return a single
* string of information about an exception.
*/
class FormattedTracebackSource extends TaintSource {
class FormattedTracebackSource extends ErrorInfoSource {

FormattedTracebackSource() {
this = traceback_function("format_exc").getACall()
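Review bot: The QLDoc on `ErrorInfoSource` describes what it models but not its contract: it is the extension point that `StackTraceExposure.ql` filters on, so a traceback-information source that extends `TaintSource` directly is no longer reported by that query. I would extend the comment with a sentence such as `Extend this class rather than TaintSource for any new source of exception or traceback information; StackTraceExposure.ql only reports sources that are ErrorInfoSource instances.` The three `extends ErrorInfoSource` changes further down in this file are consistent with that; whether any other error-information source in the file was left on `TaintSource` cannot be checked from the hunks shown, since each class body continues outside its hunk.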
7 changes: 6 additions & 1 deletion python/ql/test/query-tests/Security/CWE-209/test.py
@@ -1,4 +1,4 @@
from flask import Flask
from flask import Flask, request, make_response
app = Flask(__name__)


Expand Down Expand Up @@ -35,3 +35,8 @@ def server_bad_flow():

def format_error(msg):
return "[ERROR] " + msg

#Unrelated error
@app.route('/maybe_xss')
def maybe_xss():
return make_response(request.args.get('name', ''))
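Review bot: The new `maybe_xss` route is a negative case (a response built from request data rather than from error information), but the comment `#Unrelated error` does not say what is being asserted and reads as if it were another error-exposure case. `# Negative case: reflected request data is not error information, so CWE-209 should not report it` states the intent, and the test's expected-results file (not part of this diff) should presumably record no result for this route. The lines between the import change and `format_error` are outside the hunk.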