Merge pull request #16529 from joefarebrother/python-flask-session-interface

Python: Model Flask SessionInterface request parameter

Author: joefarebrother

python/ql/lib/change-notes/2024-05-20-flask-session-interface.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `request` parameter of Flask `SessionInterface.open_session` method is now modeled as a remote flow source.

python/ql/lib/semmle/python/frameworks/Flask.qll

@@ -101,6 +101,19 @@ module Flask {
   /** Gets a reference to the `flask.request` object. */
   API::Node request() {
     result = API::moduleImport(["flask", "flask_restful"]).getMember("request")
+    or
+    result = sessionInterfaceRequestParam()
+  }
+
+  /** Gets a `request` parameter of an implementation of `open_session` in a subclass of `flask.sessions.SessionInterface` */
+  private API::Node sessionInterfaceRequestParam() {
+    result =
+      API::moduleImport("flask")
+          .getMember("sessions")
+          .getMember("SessionInterface")
+          .getASubclass+()
+          .getMember("open_session")
+          .getParameter(1)
   }
 
   /**

python/ql/test/library-tests/frameworks/flask/session_interface.py

@@ -0,0 +1,5 @@
+import flask 
+
+class MySessionInterface(flask.sessions.SessionInterface):
+    def open_session(self, app, request):
+        ensure_tainted(request) # $tainted