Add namespace models

joefarebrother · joefarebrother · commit 83eadbad605b · 2025-11-25T16:56:36.000Z
diff --git a/python/ql/lib/semmle/python/frameworks/Socketio.qll b/python/ql/lib/semmle/python/frameworks/Socketio.qll
@@ -16,57 +16,101 @@ private import semmle.python.frameworks.internal.PoorMansFunctionResolution
  * See https://python-socketio.readthedocs.io/en/stable/.
  */
 module SocketIO {
-  /** An instance of a socketio `Server` or `AsyncServer`. */
-  API::Node server() {
-    result = API::moduleImport("socketio").getMember(["Server", "AsyncServer"]).getAnInstance()
-  }
-
-  API::Node serverEventAnnotation() {
-    result = server().getMember("event")
-    or
-    result = server().getMember("on").getReturn()
-  }
+  /** Provides models for socketio `Server` and `AsyncServer` classes. */
+  module Server {
+    /** An instance of a socketio `Server` or `AsyncServer`. */
+    API::Node server() {
+      result = API::moduleImport("socketio").getMember(["Server", "AsyncServer"]).getAnInstance()
+    }
 
-  private class EventHandler extends Http::Server::RequestHandler::Range {
-    EventHandler() {
-      serverEventAnnotation().getAValueReachableFromSource().asExpr() = this.getADecorator()
+    /** A decorator that indicates a socketio event handler. */
+    private API::Node serverEventAnnotation() {
+      result = server().getMember("event")
       or
-      exists(DataFlow::CallCfgNode c, DataFlow::Node arg | c = server().getMember("on").getACall() |
-        (
-          arg = c.getArg(1)
-          or
-          arg = c.getArgByName("handler")
-        ) and
-        poorMansFunctionTracker(this) = arg
-      )
+      result = server().getMember("on").getReturn()
+    }
+
+    private class EventHandler extends Http::Server::RequestHandler::Range {
+      EventHandler() {
+        serverEventAnnotation().getAValueReachableFromSource().asExpr() = this.getADecorator()
+        or
+        exists(DataFlow::CallCfgNode c, DataFlow::Node arg |
+          c = server().getMember("on").getACall()
+        |
+          (
+            arg = c.getArg(1)
+            or
+            arg = c.getArgByName("handler")
+          ) and
+          poorMansFunctionTracker(this) = arg
+        )
+      }
+
+      override Parameter getARoutedParameter() {
+        result = this.getAnArg() and
+        not result = this.getArg(0) // First parameter is `sid`, which is not a remote flow source as it cannot be controlled by the client.
+      }
+
+      override string getFramework() { result = "socketio" }
     }
 
-    override Parameter getARoutedParameter() {
-      result = this.getAnArg() and not result = this.getArg(0)
+    private class CallbackArgument extends DataFlow::Node {
+      CallbackArgument() {
+        exists(DataFlow::CallCfgNode c |
+          c = [server(), Namespace::instance()].getMember(["emit", "send"]).getACall()
+        |
+          this = c.getArgByName("callback")
+        )
+      }
     }
 
-    override string getFramework() { result = "socketio" }
-  }
+    private class CallbackHandler extends Http::Server::RequestHandler::Range {
+      CallbackHandler() { any(CallbackArgument ca) = poorMansFunctionTracker(this) }
+
+      override Parameter getARoutedParameter() { result = this.getAnArg() }
 
-  private class CallbackArgument extends DataFlow::Node {
-    CallbackArgument() {
-      exists(DataFlow::CallCfgNode c | c = server().getMember(["emit", "send"]).getACall() |
-        this = c.getArgByName("callback")
-      )
+      override string getFramework() { result = "socketio" }
+    }
+
+    private class SocketIOCall extends RemoteFlowSource::Range {
+      SocketIOCall() { this = [server(), Namespace::instance()].getMember("call").getACall() }
+
+      override string getSourceType() { result = "socketio call" }
     }
   }
 
-  private class CallbackHandler extends Http::Server::RequestHandler::Range {
-    CallbackHandler() { any(CallbackArgument ca) = poorMansFunctionTracker(this) }
+  /** Provides modelling for socketio server Namespace/AsyncNamespace classes. */
+  module Namespace {
+    /** Gets a reference to the `socketio.Namespace` or `socketio.AsyncNamespace` classes or any subclass. */
+    API::Node subclassRef() {
+      result =
+        API::moduleImport("socketio").getMember(["Namespace", "AsyncNamespace"]).getASubclass*()
+    }
 
-    override Parameter getARoutedParameter() { result = this.getAnArg() }
+    /** Gets a reference to an instance of a subclass of `socketio.Namespace` or `socketio.AsyncNamespace`. */
+    API::Node instance() { result = subclassRef().getAnInstance() }
 
-    override string getFramework() { result = "socketio" }
-  }
+    /** A socketio Namespace class. */
+    class NamespaceClass extends Class {
+      NamespaceClass() { this.getABase() = subclassRef().asSource().asExpr() }
 
-  private class SocketIOCall extends RemoteFlowSource::Range {
-    SocketIOCall() { this = server().getMember("call").getACall() }
+      /** Gets a handler for socketio events. */
+      Function getAnEventHandler() {
+        result = this.getAMethod() and
+        result.getName().matches("on_%")
+      }
+    }
+
+    private class NamespaceEventHandler extends Http::Server::RequestHandler::Range {
+      NamespaceEventHandler() { this = any(NamespaceClass nc).getAnEventHandler() }
 
-    override string getSourceType() { result = "socketio call" }
+      override Parameter getARoutedParameter() {
+        result = this.getAnArg() and
+        not result = this.getArg(0) and
+        not result = this.getArg(1) // First 2 parameters are `self` and `sid`.
+      }
+
+      override string getFramework() { result = "socketio" }
+    }
   }
 }
diff --git a/python/ql/test/library-tests/frameworks/socketio/taint_test.py b/python/ql/test/library-tests/frameworks/socketio/taint_test.py
@@ -11,29 +11,40 @@ def ensure_not_tainted(*args):
 sio = socketio.Server()
 
 @sio.event
-def connect(sid, environ, auth): # $ requestHandler routedParameter=sid routedParameter=environ routedParameter=auth
+def connect(sid, environ, auth): # $ requestHandler routedParameter=environ routedParameter=auth
     ensure_not_tainted(sid)
     ensure_tainted(environ,  # $ tainted
                    auth)     # $ tainted
 
 @sio.event
-def event1(sid, data): # $ requestHandler routedParameter=sid routedParameter=data
+def event1(sid, data): # $ requestHandler routedParameter=data
     ensure_not_tainted(sid)
     ensure_tainted(data)  # $ tainted
     res = sio.call("e1", sid=sid)
     ensure_tainted(res)  # $ tainted
     sio.emit("e2", "hi", to=sid, callback=lambda x: ensure_tainted(x))   # $ tainted
     sio.send("hi", to=sid, callback=lambda x: ensure_tainted(x))   # $ tainted
 
+class MyNamespace(socketio.Namespace):
+    def on_event2(self, sid, data):  # $ requestHandler routedParameter=data
+        ensure_not_tainted(self, sid)
+        ensure_tainted(data)
+        res = self.call("e1", sid=sid) 
+        ensure_tainted(res)  # $ tainted
+        self.emit("e2", "hi", to=sid, callback=lambda x: ensure_tainted(x))   # $ tainted
+        self.send("hi", to=sid, callback=lambda x: ensure_tainted(x))   # $ tainted
+
+sio.register_namespace(MyNamespace("/ns"))
+
 asio = socketio.AsyncServer(async_mode='asgi')
 
 @asio.event
-async def event2(sid, data): # $ requestHandler routedParameter=sid routedParameter=data
+async def event3(sid, data): # $ requestHandler routedParameter=sid routedParameter=data
     ensure_not_tainted(sid)
     ensure_tainted(data)  # $ tainted
-    res = await asio.call("e2", sid=sid)
+    res = await asio.call("e1", sid=sid)
     ensure_tainted(res)  # $ tainted
-    await asio.emit("e3", "hi", to=sid, callback=lambda x: ensure_tainted(x))   # $ tainted
+    await asio.emit("e2", "hi", to=sid, callback=lambda x: ensure_tainted(x))   # $ tainted
     await asio.send("hi", to=sid, callback=lambda x: ensure_tainted(x))   # $ tainted
 
 if __name__ == "__main__":
diff --git a/python/ql/test/library-tests/frameworks/socketio/test.py b/python/ql/test/library-tests/frameworks/socketio/test.py
@@ -3,23 +3,23 @@
 sio = socketio.Server()
 
 @sio.on("connect")
-def connect(sid, environ, auth): # $ requestHandler routedParameter=sid routedParameter=environ routedParameter=auth
+def connect(sid, environ, auth): # $ requestHandler routedParameter=environ routedParameter=auth
     print("connect", sid, environ, auth)
 
 @sio.on("event1")
-def handle(sid, data): # $ requestHandler routedParameter=sid routedParameter=data
+def handle(sid, data): # $ requestHandler routedParameter=data
     print("e1", sid, data)
 
 @sio.event
-def event2(sid, data): # $ requestHandler routedParameter=sid routedParameter=data
+def event2(sid, data): # $ requestHandler routedParameter=data
     print("e2", sid, data)
 
-def event3(sid, data): # $ requestHandler routedParameter=sid routedParameter=data
+def event3(sid, data): # $ requestHandler routedParameter=data
     print("e3", sid, data)
 
 sio.on("event3", handler=event3)
 
-sio.on("event4", lambda sid,data: print("e4", sid, data)) # $ requestHandler routedParameter=sid routedParameter=data
+sio.on("event4", lambda sid,data: print("e4", sid, data)) # $ requestHandler routedParameter=data
 
 
 
