Added support for new URIValidator in AntiSSRF library. Updated test caes to use postprocessing results. Currently results for partial ssrf still need work, it is flagging cases where the URL is fully controlled, but is sanitized. I'm not sure if this should be flagged yet.

Author: bdrodes

python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll

@@ -176,4 +176,49 @@ module ServerSideRequestForgery {
       strNode = [call.getArg(0), call.getArgByName("string")]
     )
   }
+
+  /** A validation that a string does not contain certain characters, considered as a sanitizer. */
+  private class UriValidator extends FullUrlControlSanitizer {
+    UriValidator() { this = DataFlow::BarrierGuard<uri_validator/3>::getABarrierNode() }
+  }
+
+  import semmle.python.dataflow.new.internal.DataFlowPublic
+
+  private predicate uri_validator(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
+    exists(DataFlow::CallCfgNode call, Node n, string funcs |
+      funcs in ["in_domain", "in_azure_keyvault_domain", "in_azure_storage_domain"]
+    |
+      call = API::moduleImport("AntiSSRF").getMember("URIValidator").getMember(funcs).getACall() and
+      call.getArg(0).asCfgNode() = node and
+      n.getALocalSource() = call and
+      (
+        // validator used in a comparison
+        exists(CompareNode cn, Cmpop op | cn = g |
+          (
+            // validator == true or validator == false or validator is True or validator is False
+            (op instanceof Eq or op instanceof Is) and
+            exists(ControlFlowNode l, boolean bool |
+              l.getNode().(BooleanLiteral).booleanValue() = bool and
+              bool in [true, false] and
+              branch = bool and
+              cn.operands(n.asCfgNode(), op, l)
+            )
+            or
+            // validator != false or validator != true or validator is not True or validator is not False
+            (op instanceof NotEq or op instanceof IsNot) and
+            exists(ControlFlowNode l, boolean bool |
+              l.getNode().(BooleanLiteral).booleanValue() = bool and
+              bool in [true, false] and
+              branch = bool.booleanNot() and
+              cn.operands(n.asCfgNode(), op, l)
+            )
+          )
+        )
+        or
+        // validator call directly (e.g., if URIValidator.in_domain(...) )
+        g = call.asCfgNode() and
+        branch = true
+      )
+    )
+  }
 }

python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.expected

@@ -1 +1,2 @@
-Security/CWE-918/FullServerSideRequestForgery.ql
+query: Security/CWE-918/FullServerSideRequestForgery.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.qlref

@@ -1 +1,2 @@
-Security/CWE-918/PartialServerSideRequestForgery.ql
+query: Security/CWE-918/PartialServerSideRequestForgery.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected

@@ -1,26 +1,30 @@
-from flask import request
+from flask import request # $ Source
 
-import requests
+import requests 
 import re
 
 def full_ssrf():
     user_input = request.args['untrusted_input']
     query_val = request.args['query_val']
 
-    requests.get(user_input) # NOT OK -- user has full control
+    # NOT OK -- user has full control
+    requests.get(user_input) # $ Alert[py/full-ssrf]
 
     url = "https://" + user_input
-    requests.get(url) # NOT OK -- user has full control
+    # NOT OK -- user has full control
+    requests.get(url) # $ Alert[py/full-ssrf] 
 
     # although the path `/foo` is added here, this can be circumvented such that the
     # final URL is `https://evil.com/#/foo" -- since the fragment (#) is not sent to the
     # server.
     url = "https://" + user_input + "/foo"
-    requests.get(url) # NOT OK -- user has full control
+    # NOT OK -- user has full control
+    requests.get(url) # $ Alert[py/full-ssrf] 
 
     # this might seem like a dummy test, but it serves to check how our sanitizers work.
     url = "https://" + user_input + "/foo?key=" + query_val
-    requests.get(url) # NOT OK -- user has full control
+    # NOT OK -- user has full control
+    requests.get(url) # $ Alert[py/full-ssrf]
 
 # taint-steps are added as `fromNode -> toNode`, but when adding a sanitizer it's
 # currently only possible to so on either `fromNode` or `toNode` (either all edges in
@@ -39,72 +43,87 @@ def full_ssrf_format():
 
     # using .format
     url = "https://{}".format(user_input)
-    requests.get(url) # NOT OK -- user has full control
+    # NOT OK -- user has full control
+    requests.get(url) # $ Alert[py/full-ssrf]
 
     url = "https://{}/foo".format(user_input)
-    requests.get(url) # NOT OK -- user has full control
+    # NOT OK -- user has full control
+    requests.get(url) # $ Alert[py/full-ssrf]
 
     url = "https://{}/foo?key={}".format(user_input, query_val)
-    requests.get(url) # NOT OK -- user has full control
+    # NOT OK -- user has full control
+    requests.get(url) # $ Alert[py/full-ssrf]
 
     url = "https://{x}".format(x=user_input)
-    requests.get(url) # NOT OK -- user has full control
+    # NOT OK -- user has full control
+    requests.get(url) # $ Alert[py/full-ssrf]
 
     url = "https://{1}".format(0, user_input)
-    requests.get(url) # NOT OK -- user has full control
+    # NOT OK -- user has full control
+    requests.get(url) # $ Alert[py/full-ssrf]
 
 def full_ssrf_percent_format():
     user_input = request.args['untrusted_input']
     query_val = request.args['query_val']
 
     # using %-formatting
     url = "https://%s" % user_input
-    requests.get(url) # NOT OK -- user has full control
+    # NOT OK -- user has full control
+    requests.get(url) # $ Alert[py/full-ssrf]
 
     url = "https://%s/foo" % user_input
-    requests.get(url) # NOT OK -- user has full control
+    # NOT OK -- user has full control
+    requests.get(url) # $ Alert[py/full-ssrf]
 
     url = "https://%s/foo/key=%s" % (user_input, query_val)
-    requests.get(url) # NOT OK -- user has full control
+    # NOT OK -- user has full and partial control
+    requests.get(url) # $ Alert[py/partial-ssrf] $ MISSING: Alert[py/full-ssrf] 
 
 def full_ssrf_f_strings():
     user_input = request.args['untrusted_input']
     query_val = request.args['query_val']
 
     # using f-strings
     url = f"https://{user_input}"
-    requests.get(url) # NOT OK -- user has full control
+    # NOT OK -- user has full control
+    requests.get(url) # $ Alert[py/full-ssrf]
 
     url = f"https://{user_input}/foo"
-    requests.get(url) # NOT OK -- user has full control
+    # NOT OK -- user has full control
+    requests.get(url) # $ Alert[py/full-ssrf]
 
     url = f"https://{user_input}/foo?key={query_val}"
-    requests.get(url) # NOT OK -- user has full control
+    # NOT OK -- user has full control
+    requests.get(url) # $ Alert[py/full-ssrf]
 
 
 def partial_ssrf_1():
     user_input = request.args['untrusted_input']
 
     url = "https://example.com/foo?" + user_input
-    requests.get(url) # NOT OK -- user controls query parameters
+    # NOT OK -- user controls query parameters
+    requests.get(url) # $ Alert[py/partial-ssrf]
 
 def partial_ssrf_2():
     user_input = request.args['untrusted_input']
 
     url = "https://example.com/" + user_input
-    requests.get(url) # NOT OK -- user controls path
+    # NOT OK -- user controls path
+    requests.get(url) # $ Alert[py/partial-ssrf]
 
 def partial_ssrf_3():
     user_input = request.args['untrusted_input']
 
     url = "https://example.com/" + user_input
-    requests.get(url) # NOT OK -- user controls path
+    # NOT OK -- user controls path
+    requests.get(url) # $ Alert[py/partial-ssrf]
 
 def partial_ssrf_4():
     user_input = request.args['untrusted_input']
 
     url = "https://example.com/foo#{}".format(user_input)
-    requests.get(url) # NOT OK -- user contollred fragment
+    # NOT OK -- user contollred fragment
+    requests.get(url)  # $ Alert[py/partial-ssrf]
 
 def partial_ssrf_5():
     user_input = request.args['untrusted_input']
@@ -113,20 +132,22 @@ def partial_ssrf_5():
     # controlled
 
     url = "https://example.com/foo#%s" % user_input
-    requests.get(url) # NOT OK -- user contollred fragment
+    # NOT OK -- user contollred fragment
+    requests.get(url)  # $ Alert[py/partial-ssrf]
 
 def partial_ssrf_6():
     user_input = request.args['untrusted_input']
 
     url = f"https://example.com/foo#{user_input}"
-    requests.get(url) # NOT OK -- user only controlled fragment
+    # NOT OK -- user only controlled fragment
+    requests.get(url) # $ Alert[py/partial-ssrf]
 
 def partial_ssrf_7():
     user_input = request.args['untrusted_input']
 
     if user_input.isalnum():
         url = f"https://example.com/foo#{user_input}"
-        requests.get(url) # OK - user input can only contain alphanumerical characters 
+        requests.get(url)  # OK - user input can only contain alphanumerical characters 
 
     if user_input.isalpha():
         url = f"https://example.com/foo#{user_input}"
@@ -154,7 +175,8 @@ def partial_ssrf_7():
 
     if re.fullmatch(r'.*[a-zA-Z0-9]+.*', user_input):
         url = f"https://example.com/foo#{user_input}"
-        requests.get(url) # NOT OK, but NOT FOUND - user input can contain arbitrary characters 
+        # NOT OK, but NOT FOUND - user input can contain arbitrary characters 
+        requests.get(url) # $ MISSING: Alert[py/partial-ssrf] 
 
 
     if re.match(r'^[a-zA-Z0-9]+$', user_input):
@@ -163,7 +185,8 @@ def partial_ssrf_7():
 
     if re.match(r'[a-zA-Z0-9]+', user_input):
         url = f"https://example.com/foo#{user_input}"
-        requests.get(url) # NOT OK, but NOT FOUND - user input can contain arbitrary character as a suffix.
+        # NOT OK, but NOT FOUND - user input can contain arbitrary character as a suffix.
+        requests.get(url) # $ MISSING: Alert[py/partial-ssrf] 
 
     reg = re.compile(r'^[a-zA-Z0-9]+$')