Merge pull request #19432 from yoff/python/model-http-server-header-write

python: model `send_header` from `http.server`

Author: yoff

python/ql/lib/change-notes/2025-04-30-model-send-header.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added header write model for `send_header` in `http.server`.

python/ql/lib/semmle/python/frameworks/Stdlib.qll

@@ -1963,6 +1963,21 @@ module StdlibPrivate {
     /** Gets a reference to an instance of the `BaseHttpRequestHandler` class or any subclass. */
     DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
 
+    /** A call to a method that writes to a response header. */
+    private class HeaderWriteCall extends Http::Server::ResponseHeaderWrite::Range,
+      DataFlow::MethodCallNode
+    {
+      HeaderWriteCall() { this.calls(instance(), "send_header") }
+
+      override DataFlow::Node getNameArg() { result = this.getArg(0) }
+
+      override DataFlow::Node getValueArg() { result = this.getArg(1) }
+
+      override predicate nameAllowsNewline() { any() }
+
+      override predicate valueAllowsNewline() { any() }
+    }
+
     private class AdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
       override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
         nodeFrom = instance() and

python/ql/test/library-tests/frameworks/stdlib/http_server.py

@@ -83,7 +83,7 @@ def taint_sources(self):
     def do_GET(self): # $ requestHandler
         # send_response will log a line to stderr
         self.send_response(200)
-        self.send_header("Content-type", "text/plain; charset=utf-8")
+        self.send_header("Content-type", "text/plain; charset=utf-8") # $ headerWriteNameUnsanitized="Content-type" headerWriteValueUnsanitized="text/plain; charset=utf-8"
         self.end_headers()
         self.wfile.write(b"Hello BaseHTTPRequestHandler\n")
         self.wfile.writelines([b"1\n", b"2\n", b"3\n"])