@@ -177,35 +177,21 @@ module ServerSideRequestForgery {
177177 )
178178 }
179179
180- /** A validation of a URI using the `AntiSSRF` library, considered as a full-ssrf sanitizer. */
181180 private class UriValidator extends FullUrlControlSanitizer {
182181 UriValidator ( ) { this = DataFlow:: BarrierGuard< uri_validator / 3 > :: getABarrierNode ( ) }
183182 }
184183
185184 import semmle.python.dataflow.new.internal.DataFlowPublic
186185
187186 private predicate uri_validator ( DataFlow:: GuardNode g , ControlFlowNode node , boolean branch ) {
188- exists ( DataFlow:: CallCfgNode call , string funcs |
189- funcs in [ "in_domain" , "in_azure_keyvault_domain" , "in_azure_storage_domain" ] and
190- call = API:: moduleImport ( "AntiSSRF" ) .getMember ( "URIValidator" ) .getMember ( funcs ) .getACall ( ) and
187+ exists ( DataFlow:: CallCfgNode call , string validator_name |
188+ validator_name in [ "in_domain" , "in_azure_keyvault_domain" , "in_azure_storage_domain" ] and
189+ call =
190+ API:: moduleImport ( "AntiSSRF" ) .getMember ( "URIValidator" ) .getMember ( validator_name ) .getACall ( ) and
191191 call .getArg ( 0 ) .asCfgNode ( ) = node
192192 |
193- // validator call directly (e.g., if URIValidator.in_domain(...) )
194193 g = call .asCfgNode ( ) and
195194 branch = true
196- or
197- // validator used in a comparison
198- exists ( Cmpop op , Node n , ControlFlowNode l |
199- n .getALocalSource ( ) = call and g .( CompareNode ) .operands ( n .asCfgNode ( ) , op , l )
200- |
201- // validator == true or validator == false or validator is True or validator is False
202- ( op instanceof Eq or op instanceof Is ) and
203- branch = l .getNode ( ) .( BooleanLiteral ) .booleanValue ( )
204- or
205- // validator != false or validator != true or validator is not True or validator is not False
206- ( op instanceof NotEq or op instanceof IsNot ) and
207- branch = l .getNode ( ) .( BooleanLiteral ) .booleanValue ( ) .booleanNot ( )
208- )
209195 )
210196 }
211197}
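Review bot: With the comparison disjunct gone, `uri_validator` holds only when the validator call is itself the guard (`g = call.asCfgNode()` with `branch = true`), so a check written as a comparison against a boolean literal is no longer recognised as a barrier, unless the shared `BarrierGuard` machinery normalises such comparisons, which this hunk does not show. That errs towards extra SSRF alerts rather than missed ones, but it is a silent change in sanitizer coverage. I would record it where the disjunct used to be, e.g. `// Only a direct truthiness test of the validator call is recognised; comparisons against boolean literals are not.`, and add a query test case that pins the new behaviour. The QLDoc on `UriValidator` is also dropped; a one-line description that the three `AntiSSRF` checks are treated as full-URL sanitizers would keep that trust assumption visible to the next reader. The enclosing module starts outside the hunk.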