From d54acff270c39354f5e97318df153cab5324b514 Mon Sep 17 00:00:00 2001
From: Becojo <Becojo@users.noreply.github.com>
Date: Thu, 16 May 2024 15:34:45 -0400
Subject: [PATCH 1/2] add python.twilio.security.twiml-injection

---
 python/twilio/security/twiml-injection.py  | 88 ++++++++++++++++++++++
 python/twilio/security/twiml-injection.yml | 45 +++++++++++
 2 files changed, 133 insertions(+)
 create mode 100644 python/twilio/security/twiml-injection.py
 create mode 100644 python/twilio/security/twiml-injection.yml

diff --git a/python/twilio/security/twiml-injection.py b/python/twilio/security/twiml-injection.py
new file mode 100644
index 0000000000..6bd9577e99
--- /dev/null
+++ b/python/twilio/security/twiml-injection.py
@@ -0,0 +1,88 @@
+from twilio.rest import Client
+import html
+from xml.sax.saxutils import escape
+
+client = Client("accountSid", "authToken")
+XML = "<Response><Say>{}</Say><Hangup/></Response>"
+
+
+def fstring(to: str, msg: str) -> None:
+    client.calls.create(
+        # ruleid: twiml-injection
+        twiml=f"<Response><Say>{msg}</Say><Hangup/></Response>",
+        to=to,
+        from_="555-555-5555",
+    )
+
+
+def format_const(to: str, msg: str) -> None:
+    twiml = XML.format(msg)
+    client.calls.create(
+        # ruleid: twiml-injection
+        twiml=twiml,
+        to=to,
+        from_="555-555-5555",
+    )
+
+
+def percent(to: str, msg: str) -> None:
+    client.calls.create(
+        # ruleid: twiml-injection
+        twiml="<Response><Say>%s</Say><Hangup/></Response>" % msg,
+        to=to,
+        from_="555-555-5555",
+    )
+
+
+def format(to: str, msg: str) -> None:
+    client.calls.create(
+        # ruleid: twiml-injection
+        twiml="<Response><Say>{}</Say><Hangup/></Response>".format(msg),
+        to=to,
+        from_="555-555-5555",
+    )
+
+
+def concat(to: str, msg: str) -> None:
+    client.calls.create(
+        # ruleid: twiml-injection
+        twiml="<Response><Say>" + msg + "</Say><Hangup/></Response>",
+        to=to,
+        from_="555-555-5555",
+    )
+
+
+def safe(to: str, msg: str) -> None:
+    client.calls.create(
+        # ok: twiml-injection
+        twiml="<Response><Say>nsec</Say><Hangup/></Response>",
+        to=to,
+        from_="555-555-5555",
+    )
+
+
+def also_safe(to: str, msg: str) -> None:
+    client.calls.create(
+        # ok: twiml-injection
+        twiml="<Response><Say>nsec</Say><Hangup/></Response>",
+        to=to,
+        from_=f"{1+2}34-323-1234",
+    )
+
+
+def html_escape(to: str, msg: str) -> None:
+    client.calls.create(
+        # ok: twiml-injection
+        twiml="<Response><Say>" + html.escape(msg) + "</Say><Hangup/></Response>",
+        to=to,
+        from_="555-555-5555",
+    )
+
+
+def xml_escape(to: str, msg: str) -> None:
+    client.calls.create(
+        # ok: twiml-injection
+        twiml="<Response><Say>" + escape(msg) + "</Say><Hangup/></Response>",
+        to=to,
+        from_="555-555-5555",
+    )
diff --git a/python/twilio/security/twiml-injection.yml b/python/twilio/security/twiml-injection.yml
new file mode 100644
index 0000000000..babdd6a530
--- /dev/null
+++ b/python/twilio/security/twiml-injection.yml
@@ -0,0 +1,45 @@
+rules:
+  - id: twiml-injection
+    languages: [python]
+    severity: WARNING
+    message: >-
+      Using non-constant TwiML (Twilio Markup Language) argument when creating a
+      Twilio conversation could allow the injection of additional TwiML commands
+    metadata:
+      cwe:
+      - "CWE-91: XML Injection"
+      owasp:
+      - "A03:2021 - Injection"
+      category: security
+      technology: [--no-technology--]
+      confidence: MEDIUM
+      likelihood: HIGH
+      impact: MEDIUM
+      subcategory: vuln
+      references:
+      - https://codeberg.org/fennix/funjection
+    mode: taint
+    pattern-sources:
+    - pattern: |
+        f"..."
+    - pattern: |
+        "..." % ...
+    - pattern: |
+        "...".format(...)
+
+    - patterns:
+        - pattern: $ARG
+        - pattern-inside: |
+            def $F(..., $ARG, ...):
+                ...
+
+    pattern-sanitizers:
+    - pattern: xml.sax.saxutils.escape(...)
+    - pattern: html.escape(...)
+
+    pattern-sinks:
+    - patterns:
+      - pattern: |
+          $CLIENT.calls.create(..., twiml=$SINK, ...)
+
+      - focus-metavariable: $SINK

From 880fc3f341cd6c22c4e9830e799270bcdb750bca Mon Sep 17 00:00:00 2001
From: becojo <172889+becojo@users.noreply.github.com>
Date: Mon, 27 May 2024 09:40:24 -0400
Subject: [PATCH 2/2] add technologies

---
 python/twilio/security/twiml-injection.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/python/twilio/security/twiml-injection.yml b/python/twilio/security/twiml-injection.yml
index babdd6a530..7f63099166 100644
--- a/python/twilio/security/twiml-injection.yml
+++ b/python/twilio/security/twiml-injection.yml
@@ -11,7 +11,10 @@ rules:
       owasp:
       - "A03:2021 - Injection"
       category: security
-      technology: [--no-technology--]
+      technology:
+      - python
+      - twilio
+      - twiml
       confidence: MEDIUM
       likelihood: HIGH
       impact: MEDIUM