/**
* Provides classes for SSRF sinks modeled using Models as Data (MaD).
*/
private import python
private import semmle.python.Concepts
private import semmle.python.ApiGraphs
private import semmle.python.frameworks.data.ModelsAsData
/**
 * INTERNAL: Do not use.
 *
 * Sets up SSRF sinks as Http::Client::Request
 */
module SsrfMaDModel {
  /**
   * An HTTP client request whose URL comes from a Models-as-Data `ssrf` sink.
   *
   * The call node itself becomes the `Http::Client::Request`; the MaD sink node
   * must be one of the call's positional or keyword arguments, and that single
   * argument is the only URL part this model reports.
   */
  class SsrfSink extends Http::Client::Request::Range instanceof API::CallNode {
    // The argument of this call that a MaD row tags with the `ssrf` sink kind.
    DataFlow::Node urlArg;

    SsrfSink() {
      // The sink may be passed either positionally or by keyword; both are accepted.
      urlArg = ModelOutput::getASinkNode("ssrf").asSink() and
      urlArg = [this.getArg(_), this.getArgByName(_)]
    }

    /** The MaD-tagged argument is the only URL part known for this request. */
    override DataFlow::Node getAUrlPart() { result = urlArg }

    override string getFramework() { result = "MaD" }

    /**
     * Never holds. A request modeled only through MaD is never reported as
     * disabling certificate validation: any TLS-verification option the
     * underlying API accepts (a `verify=False`-style keyword, say) is not
     * visible here and would need a framework-specific model to be detected.
     */
    override predicate disablesCertificateValidation(
      DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
    ) {
      // NOTE: if you need to define this, you have to special case it for every possible API in MaD
      none()
    }
  }
}