Skip to content

Python: Fix flask request modeling#10629

Merged
RasmusWL merged 4 commits intogithub:mainfrom
RasmusWL:fix-flask-source
Oct 10, 2022
Merged

Python: Fix flask request modeling#10629
RasmusWL merged 4 commits intogithub:mainfrom
RasmusWL:fix-flask-source

Conversation

@RasmusWL
Copy link
Member

@RasmusWL RasmusWL commented Sep 29, 2022

This takes us part of the way. We still get multiple paths for the same
alert, but that will be fixed in a different PR.

@RasmusWL
Python: Fix flask request modeling
0cb8e12 
This takes us part of the way. We still get multiple paths for the same
alert, but that will be fixed in a different PR.
@RasmusWL RasmusWL requested a review from a team as a code owner September 29, 2022 15:44
tausbn
tausbn previously approved these changes Sep 29, 2022
View reviewed changes
Copy link
Contributor

@tausbn tausbn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's slightly strange to have the path start at the import, but I understand the reason for doing so.

I guess an alternative would be to not have request be a remote flow source in its own right, but only attributes thereof.

In the short term, I think this is a good fix, however. 👍

@RasmusWL
Copy link
Member Author

RasmusWL commented Sep 29, 2022

I guess an alternative would be to not have request be a remote flow source in its own right, but only attributes thereof.

I didn't consider this, but I agree it could be a solution 🤔

@yoff
Copy link
Contributor

yoff commented Sep 29, 2022

Another alternative, which may amount to the same thing, is to say that importing the request object is not a case of remote input, but reading from it is. I am not sure if attribute reads is the only way to access it.

@RasmusWL
Python: Adjust .expected after flask source change
b01a0ae 
It's really hard to audit that this is all good.. I tried my best with
`icdiff` though -- and there is a problem with
ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
that needs to be fixed in the next commit
@RasmusWL
Python: Fix experimental py/ip-address-spoofing
d7be27a 
I realized the modeling was done in a non-recommended way, so I changed
the modeling. It was very nice that I could use API graphs for the flask
part, and a little sad when I couldn't for Django/Tornado.
@RasmusWL RasmusWL requested a review from tausbn October 4, 2022 12:45
@RasmusWL
Copy link
Member Author

RasmusWL commented Oct 4, 2022

this PR turned into quite a bit of a mixed bag now 😳 but everything was connected 🤷

tausbn
tausbn approved these changes Oct 7, 2022
View reviewed changes
Copy link
Contributor

@tausbn tausbn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@RasmusWL RasmusWL merged commit 4b1f6f0 into github:main Oct 10, 2022
@RasmusWL RasmusWL deleted the fix-flask-source branch October 10, 2022 07:56
@RasmusWL RasmusWL mentioned this pull request Oct 24, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tausbn tausbn tausbn approved these changes

Assignees

No one assigned

Labels

documentation Python

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@RasmusWL @yoff @tausbn