@tausbn tausbn commented Aug 25, 2025

The `flask.request` global object is commonly used in request handlers to access data in the active request. In our modelling, we handled this by treating the initial (module-local) definition of `request` as a source of remote flow. In practice this meant a lot of alerts would act as if `from flask import request` was the ultimate "source" of remote flow, and to find the actual request-handler-local instance of `request` one would have to inspect the data-flow path between source and sink.

To improve this state of affairs, I have made the following changes to the definition of `FlaskRequestSource`:

- We no longer consider `from flask import request` to be a source.
- Instead, we look at all places where that `request` value can flow, and include only the ones that are `LocalSourceNode`s (so that inside a request handler, the first occurrence of the `request` object is the source).

In practice, this leads to alerts that are much easier to decipher.

tausbn added 2 commits August 28, 2025 13:23

As it turns out, referring to the request object using `flask.request`
is not uncommon, and this meant restricting to `Name` nodes was too
strong. With the changes in this commit, we now include those
occurrences as well.

Really starting to regret our widespread use of `flask.request` as _the_
example of a remote flow source.
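To make the effect of the refined source definition concrete (both the description's "first occurrence inside a handler" rule and the follow-up commit's `flask.request` attribute case), here is an added illustration that is not part of the pull request or the CodeQL library: a purely syntactic `ast` walk over a constructed Flask module that reports, per function, the line of the first reference to the request object, and never reports the module-level import. CodeQL's real model tracks data flow rather than syntax, so this is only an approximation of where the new source lands; the sample module and function names are constructed.

```python
import ast

# Constructed sample module: one module-level import, two handlers that read
# the request (one via the bare name, one via `flask.request`), and one that
# does not touch the request at all.
SAMPLE = '''
import flask
from flask import request

@app.route("/a")
def handler_a():
    name = request.args.get("name")
    other = request.form.get("x")
    return name

@app.route("/b")
def handler_b():
    return flask.request.args.get("q")

@app.route("/c")
def handler_c():
    return "static"
'''


def is_request_ref(node: ast.AST) -> bool:
    """True for the bare name `request` or the attribute `flask.request`.
    Matching the attribute form mirrors the follow-up commit, which found
    that restricting to `Name` nodes alone was too strong."""
    if isinstance(node, ast.Name) and node.id == "request":
        return True
    return (isinstance(node, ast.Attribute) and node.attr == "request"
            and isinstance(node.value, ast.Name) and node.value.id == "flask")


def first_request_use_per_function(source: str) -> dict:
    """Map each function name to the line of its first request reference.
    Only function bodies are inspected, so the `from flask import request`
    line at module level is never reported, matching the PR's change of
    source location. Functions that never touch the request are omitted."""
    tree = ast.parse(source)
    result = {}
    for func in ast.walk(tree):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        uses = [n for n in ast.walk(func) if is_request_ref(n)]
        if uses:
            result[func.name] = min(n.lineno for n in uses)
    return result


if __name__ == "__main__":
    print(first_request_use_per_function(SAMPLE))
```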
@tausbn tausbn force-pushed the tausbn/python-refine-location-of-flask-request-sources branch from a842023 to 0f4f909 on August 29, 2025 12:01