Flask is a popular open-source web framework written in Python. Pysa already has some models for Flask (see flask_sources_sinks.pysa), but we are missing some coverage.
A view function in Flask is code that responds to an application, which can take in user-controlled data and return a response. Flask also supports class-based views as an alternate way of defining views.
It looks like some functions on the View classes such as (but not limited to) get/post/other verbs as well as dispatch_request can accept user-controlled data and return data to users. We should taint all the function parameters as being sources of UserControlled data and the functions as being returning data to users. Consider also looking into the as_view function and how we might model that.
We use the following linters internally, so to save everyone's time, please make sure you run the following linters locally and fix errors related to the files you modified before submitting a PR:
black && usort format . && flake8
To install the linters, you can run the following command:
Flask is a popular open-source web framework written in Python. Pysa already has some models for Flask (see flask_sources_sinks.pysa), but we are missing some coverage.
A view function in Flask is code that responds to an application, which can take in user-controlled data and return a response. Flask also supports class-based views as an alternate way of defining views.
It looks like some functions on the
Viewclasses such as (but not limited to)get/post/other verbs as well asdispatch_requestcan accept user-controlled data and return data to users. We should taint all the function parameters as being sources ofUserControlleddata and the functions as being returning data to users. Consider also looking into theas_viewfunction and how we might model that.The Pysa DSL might be useful for doing this.
Submitting a PR
We use the following linters internally, so to save everyone's time, please make sure you run the following linters locally and fix errors related to the files you modified before submitting a PR:
To install the linters, you can run the following command: