diff --git a/python/ql/lib/semmle/python/security/dataflow/CleartextLogging.qll b/python/ql/lib/semmle/python/security/dataflow/CleartextLogging.qll new file mode 100644 index 00000000000..18ebcc5c26b --- /dev/null +++ b/python/ql/lib/semmle/python/security/dataflow/CleartextLogging.qll @@ -0,0 +1,22 @@ +/** + * Provides a taint-tracking configuration for "Clear-text logging of sensitive information". + * + * Note, for performance reasons: only import this file if + * `CleartextLogging::Configuration` is needed, otherwise + * `CleartextLoggingCustomizations` should be imported instead. + */ + +private import python +private import semmle.python.dataflow.new.DataFlow +private import semmle.python.dataflow.new.TaintTracking +private import semmle.python.Concepts +private import semmle.python.dataflow.new.RemoteFlowSources +private import semmle.python.dataflow.new.BarrierGuards +private import semmle.python.dataflow.new.SensitiveDataSources + +/** + * Provides a taint-tracking configuration for detecting "Clear-text logging of sensitive information". + */ +module CleartextLogging { + import CleartextLoggingQuery // ignore-query-import +} diff --git a/python/ql/lib/semmle/python/security/dataflow/CleartextStorage.qll b/python/ql/lib/semmle/python/security/dataflow/CleartextStorage.qll new file mode 100644 index 00000000000..56cbcb73d1d --- /dev/null +++ b/python/ql/lib/semmle/python/security/dataflow/CleartextStorage.qll @@ -0,0 +1,22 @@ +/** + * Provides a taint-tracking configuration for "Clear-text storage of sensitive information". + * + * Note, for performance reasons: only import this file if + * `CleartextStorage::Configuration` is needed, otherwise + * `CleartextStorageCustomizations` should be imported instead. + */ + +private import python +private import semmle.python.dataflow.new.DataFlow +private import semmle.python.dataflow.new.TaintTracking +private import semmle.python.Concepts +private import semmle.python.dataflow.new.RemoteFlowSources +private import semmle.python.dataflow.new.BarrierGuards +private import semmle.python.dataflow.new.SensitiveDataSources + +/** + * Provides a taint-tracking configuration for detecting "Clear-text storage of sensitive information". + */ +module CleartextStorage { + import CleartextStorageQuery // ignore-query-import +} diff --git a/python/ql/lib/semmle/python/security/dataflow/CodeInjection.qll b/python/ql/lib/semmle/python/security/dataflow/CodeInjection.qll new file mode 100644 index 00000000000..1b8687573f0 --- /dev/null +++ b/python/ql/lib/semmle/python/security/dataflow/CodeInjection.qll @@ -0,0 +1,25 @@ +/** + * Provides a taint-tracking configuration for detecting "code injection" vulnerabilities. + * + * Note, for performance reasons: only import this file if + * `CodeInjection::Configuration` is needed, otherwise + * `CodeInjectionCustomizations` should be imported instead. + */ + +private import python +import semmle.python.dataflow.new.DataFlow +import semmle.python.dataflow.new.TaintTracking + +/** + * Provides a taint-tracking configuration for detecting "code injection" vulnerabilities. + */ +module CodeInjection { + import CodeInjectionQuery // ignore-query-import +} + +/** + * DEPRECATED: Don't extend this class for customization, since this will lead to bad + * performance, instead use the new `CodeInjectionCustomizations.qll` file, and extend + * its' classes. + */ +deprecated class CodeInjectionConfiguration = CodeInjection::Configuration; diff --git a/python/ql/lib/semmle/python/security/dataflow/CodeInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/CodeInjectionQuery.qll index 178d68ae0fc..f1da5235a10 100644 --- a/python/ql/lib/semmle/python/security/dataflow/CodeInjectionQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/CodeInjectionQuery.qll @@ -28,10 +28,3 @@ import semmle.python.dataflow.new.TaintTracking guard instanceof SanitizerGuard } } - -/** - * DEPRECATED: Don't extend this class for customization, since this will lead to bad - * performance, instead use the new `CodeInjectionCustomizations.qll` file, and extend - * its' classes. - */ -deprecated class CodeInjectionConfiguration = CodeInjection::Configuration; diff --git a/python/ql/lib/semmle/python/security/dataflow/CommandInjection.qll b/python/ql/lib/semmle/python/security/dataflow/CommandInjection.qll new file mode 100644 index 00000000000..e4b4aec70b4 --- /dev/null +++ b/python/ql/lib/semmle/python/security/dataflow/CommandInjection.qll @@ -0,0 +1,25 @@ +/** + * Provides a taint-tracking configuration for detecting "command injection" vulnerabilities. + * + * Note, for performance reasons: only import this file if + * `CommandInjection::Configuration` is needed, otherwise + * `CommandInjectionCustomizations` should be imported instead. + */ + +private import python +import semmle.python.dataflow.new.DataFlow +import semmle.python.dataflow.new.TaintTracking + +/** + * Provides a taint-tracking configuration for detecting "command injection" vulnerabilities. + */ +module CommandInjection { + import CommandInjectionQuery // ignore-query-import +} + +/** + * DEPRECATED: Don't extend this class for customization, since this will lead to bad + * performance, instead use the new `CommandInjectionCustomizations.qll` file, and extend + * its' classes. + */ +deprecated class CommandInjectionConfiguration = CommandInjection::Configuration; diff --git a/python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll index d58a3f36628..9ef1845f1e0 100644 --- a/python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll @@ -28,10 +28,3 @@ import semmle.python.dataflow.new.TaintTracking guard instanceof SanitizerGuard } } - -/** - * DEPRECATED: Don't extend this class for customization, since this will lead to bad - * performance, instead use the new `CommandInjectionCustomizations.qll` file, and extend - * its' classes. - */ -deprecated class CommandInjectionConfiguration = CommandInjection::Configuration; diff --git a/python/ql/lib/semmle/python/security/dataflow/LdapInjection.qll b/python/ql/lib/semmle/python/security/dataflow/LdapInjection.qll new file mode 100644 index 00000000000..d20703c3fed --- /dev/null +++ b/python/ql/lib/semmle/python/security/dataflow/LdapInjection.qll @@ -0,0 +1,24 @@ +/** + * Provides taint-tracking configurations for detecting LDAP injection vulnerabilities + * + * Note, for performance reasons: only import this file if + * `LdapInjection::Configuration` is needed, otherwise + * `LdapInjectionCustomizations` should be imported instead. + */ + +import python +import semmle.python.Concepts +import semmle.python.dataflow.new.DataFlow +import semmle.python.dataflow.new.TaintTracking +import semmle.python.dataflow.new.RemoteFlowSources + +/** + * Provides aint-tracking configurations for detecting LDAP injection vulnerabilities.class + * + * Two configurations are provided. One is for detecting LDAP injection + * via the distinguished name (DN). The other is for detecting LDAP injection + * via the filter. These require different escapings. + */ +module LdapInjection { + import LdapInjectionQuery // ignore-query-import +} diff --git a/python/ql/lib/semmle/python/security/dataflow/LogInjection.qll b/python/ql/lib/semmle/python/security/dataflow/LogInjection.qll new file mode 100644 index 00000000000..064fb2b6fa3 --- /dev/null +++ b/python/ql/lib/semmle/python/security/dataflow/LogInjection.qll @@ -0,0 +1,18 @@ +/** + * Provides a taint-tracking configuration for tracking untrusted user input used in log entries. + * + * Note, for performance reasons: only import this file if + * `LogInjection::Configuration` is needed, otherwise + * `LogInjectionCustomizations` should be imported instead. + */ + +import python +import semmle.python.dataflow.new.DataFlow +import semmle.python.dataflow.new.TaintTracking + +/** + * Provides a taint-tracking configuration for tracking untrusted user input used in log entries. + */ +module LogInjection { + import LogInjectionQuery // ignore-query-import +} diff --git a/python/ql/lib/semmle/python/security/dataflow/PathInjection.qll b/python/ql/lib/semmle/python/security/dataflow/PathInjection.qll new file mode 100644 index 00000000000..09ed02a3afa --- /dev/null +++ b/python/ql/lib/semmle/python/security/dataflow/PathInjection.qll @@ -0,0 +1,140 @@ +/** + * Provides taint-tracking configurations for detecting "path injection" vulnerabilities. + * + * Note, for performance reasons: only import this file if + * `PathInjection::Configuration` is needed, otherwise + * `PathInjectionCustomizations` should be imported instead. + */ + +private import python +private import semmle.python.Concepts +import semmle.python.dataflow.new.DataFlow +import semmle.python.dataflow.new.TaintTracking + +/** + * Provides a taint-tracking configuration for detecting "path injection" vulnerabilities. + */ +module PathInjection { + import PathInjectionQuery // ignore-query-import +} + + +// --------------------------------------------------------------------------- +// Old, deprecated code +// --------------------------------------------------------------------------- +private import semmle.python.dataflow.new.DataFlow2 +private import semmle.python.dataflow.new.TaintTracking2 +private import ChainedConfigs12 +import PathInjectionCustomizations::PathInjection + +// --------------------------------------------------------------------------- +// Case 1. The path is never normalized. +// --------------------------------------------------------------------------- +/** + * DEPRECATED: Use `PathInjection::Configuration` instead + * + * Configuration to find paths from sources to sinks that contain no normalization. + */ +deprecated class PathNotNormalizedConfiguration extends TaintTracking::Configuration { + PathNotNormalizedConfiguration() { this = "PathNotNormalizedConfiguration" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { + node instanceof Sanitizer + or + node instanceof Path::PathNormalization + } + + override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { + guard instanceof SanitizerGuard + } +} + +/** + * DEPRECATED: Use `PathInjection::Configuration` instead + * + * Holds if there is a path injection from source to sink, where the (python) path is + * not normalized. + */ +deprecated predicate pathNotNormalized(CustomPathNode source, CustomPathNode sink) { + any(PathNotNormalizedConfiguration config).hasFlowPath(source.asNode1(), sink.asNode1()) +} + +// --------------------------------------------------------------------------- +// Case 2. The path is normalized at least once, but never checked afterwards. +// --------------------------------------------------------------------------- +/** + * DEPRECATED: Use `PathInjection::Configuration` instead + * + * Configuration to find paths from sources to normalizations that contain no prior normalizations. + */ +deprecated class FirstNormalizationConfiguration extends TaintTracking::Configuration { + FirstNormalizationConfiguration() { this = "FirstNormalizationConfiguration" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Path::PathNormalization } + + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } + + override predicate isSanitizerOut(DataFlow::Node node) { node instanceof Path::PathNormalization } + + override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { + guard instanceof SanitizerGuard + } +} + +/** + * DEPRECATED: Use `PathInjection::Configuration` instead + * + * Configuration to find paths from normalizations to sinks that do not go through a check. + */ +deprecated class NormalizedPathNotCheckedConfiguration extends TaintTracking2::Configuration { + NormalizedPathNotCheckedConfiguration() { this = "NormalizedPathNotCheckedConfiguration" } + + override predicate isSource(DataFlow::Node source) { source instanceof Path::PathNormalization } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } + + override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { + guard instanceof Path::SafeAccessCheck + or + guard instanceof SanitizerGuard + } +} + +/** + * DEPRECATED: Use `PathInjection::Configuration` instead + * + * Holds if there is a path injection from source to sink, where the (python) path is + * normalized at least once, but never checked afterwards. + */ +deprecated predicate pathNotCheckedAfterNormalization(CustomPathNode source, CustomPathNode sink) { + exists( + FirstNormalizationConfiguration config, DataFlow::PathNode mid1, DataFlow2::PathNode mid2, + NormalizedPathNotCheckedConfiguration config2 + | + config.hasFlowPath(source.asNode1(), mid1) and + config2.hasFlowPath(mid2, sink.asNode2()) and + mid1.getNode().asCfgNode() = mid2.getNode().asCfgNode() + ) +} + +// --------------------------------------------------------------------------- +// Query: Either case 1 or case 2. +// --------------------------------------------------------------------------- +/** + * DEPRECATED: Use `PathInjection::Configuration` instead + * + * Holds if there is a path injection from source to sink + */ +deprecated predicate pathInjection(CustomPathNode source, CustomPathNode sink) { + pathNotNormalized(source, sink) + or + pathNotCheckedAfterNormalization(source, sink) +} diff --git a/python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll index ee812a2b59f..d9f7349c183 100644 --- a/python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll @@ -75,124 +75,3 @@ import semmle.python.dataflow.new.TaintTracking class NormalizedUnchecked extends DataFlow::FlowState { NormalizedUnchecked() { this = "NormalizedUnchecked" } } - - -// --------------------------------------------------------------------------- -// Old, deprecated code -// --------------------------------------------------------------------------- -private import semmle.python.dataflow.new.DataFlow2 -private import semmle.python.dataflow.new.TaintTracking2 -private import ChainedConfigs12 -import PathInjectionCustomizations::PathInjection - -// --------------------------------------------------------------------------- -// Case 1. The path is never normalized. -// --------------------------------------------------------------------------- -/** - * DEPRECATED: Use `PathInjection::Configuration` instead - * - * Configuration to find paths from sources to sinks that contain no normalization. - */ -deprecated class PathNotNormalizedConfiguration extends TaintTracking::Configuration { - PathNotNormalizedConfiguration() { this = "PathNotNormalizedConfiguration" } - - override predicate isSource(DataFlow::Node source) { source instanceof Source } - - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - - override predicate isSanitizer(DataFlow::Node node) { - node instanceof Sanitizer - or - node instanceof Path::PathNormalization - } - - override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { - guard instanceof SanitizerGuard - } -} - -/** - * DEPRECATED: Use `PathInjection::Configuration` instead - * - * Holds if there is a path injection from source to sink, where the (python) path is - * not normalized. - */ -deprecated predicate pathNotNormalized(CustomPathNode source, CustomPathNode sink) { - any(PathNotNormalizedConfiguration config).hasFlowPath(source.asNode1(), sink.asNode1()) -} - -// --------------------------------------------------------------------------- -// Case 2. The path is normalized at least once, but never checked afterwards. -// --------------------------------------------------------------------------- -/** - * DEPRECATED: Use `PathInjection::Configuration` instead - * - * Configuration to find paths from sources to normalizations that contain no prior normalizations. - */ -deprecated class FirstNormalizationConfiguration extends TaintTracking::Configuration { - FirstNormalizationConfiguration() { this = "FirstNormalizationConfiguration" } - - override predicate isSource(DataFlow::Node source) { source instanceof Source } - - override predicate isSink(DataFlow::Node sink) { sink instanceof Path::PathNormalization } - - override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - - override predicate isSanitizerOut(DataFlow::Node node) { node instanceof Path::PathNormalization } - - override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { - guard instanceof SanitizerGuard - } -} - -/** - * DEPRECATED: Use `PathInjection::Configuration` instead - * - * Configuration to find paths from normalizations to sinks that do not go through a check. - */ -deprecated class NormalizedPathNotCheckedConfiguration extends TaintTracking2::Configuration { - NormalizedPathNotCheckedConfiguration() { this = "NormalizedPathNotCheckedConfiguration" } - - override predicate isSource(DataFlow::Node source) { source instanceof Path::PathNormalization } - - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - - override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - - override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { - guard instanceof Path::SafeAccessCheck - or - guard instanceof SanitizerGuard - } -} - -/** - * DEPRECATED: Use `PathInjection::Configuration` instead - * - * Holds if there is a path injection from source to sink, where the (python) path is - * normalized at least once, but never checked afterwards. - */ -deprecated predicate pathNotCheckedAfterNormalization(CustomPathNode source, CustomPathNode sink) { - exists( - FirstNormalizationConfiguration config, DataFlow::PathNode mid1, DataFlow2::PathNode mid2, - NormalizedPathNotCheckedConfiguration config2 - | - config.hasFlowPath(source.asNode1(), mid1) and - config2.hasFlowPath(mid2, sink.asNode2()) and - mid1.getNode().asCfgNode() = mid2.getNode().asCfgNode() - ) -} - -// --------------------------------------------------------------------------- -// Query: Either case 1 or case 2. -// --------------------------------------------------------------------------- -/** - * DEPRECATED: Use `PathInjection::Configuration` instead - * - * Holds if there is a path injection from source to sink - */ -deprecated predicate pathInjection(CustomPathNode source, CustomPathNode sink) { - pathNotNormalized(source, sink) - or - pathNotCheckedAfterNormalization(source, sink) -} diff --git a/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoS.qll b/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoS.qll new file mode 100644 index 00000000000..161e0a2702d --- /dev/null +++ b/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoS.qll @@ -0,0 +1,18 @@ +/** + * Provides a taint-tracking configuration for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities. + * + * Note, for performance reasons: only import this file if + * `PolynomialReDoS::Configuration` is needed, otherwise + * `PolynomialReDoSCustomizations` should be imported instead. + */ + +private import python +import semmle.python.dataflow.new.DataFlow +import semmle.python.dataflow.new.TaintTracking + +/** + * Provides a taint-tracking configuration for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities. + */ +module PolynomialReDoS { + import PolynomialReDoSQuery // ignore-query-import +} diff --git a/python/ql/lib/semmle/python/security/dataflow/ReflectedXSS.qll b/python/ql/lib/semmle/python/security/dataflow/ReflectedXSS.qll new file mode 100644 index 00000000000..08a504725ec --- /dev/null +++ b/python/ql/lib/semmle/python/security/dataflow/ReflectedXSS.qll @@ -0,0 +1,28 @@ +/** + * Provides a taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities. + * + * Note, for performance reasons: only import this file if + * `ReflectedXSS::Configuration` is needed, otherwise + * `ReflectedXSSCustomizations` should be imported instead. + */ + +private import python +import semmle.python.dataflow.new.DataFlow +import semmle.python.dataflow.new.TaintTracking + +/** + * Provides a taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities. + */ +module ReflectedXss { + import ReflectedXSSQuery // ignore-query-import +} + +/** DEPRECATED: Alias for ReflectedXss */ +deprecated module ReflectedXSS = ReflectedXss; + +/** + * DEPRECATED: Don't extend this class for customization, since this will lead to bad + * performance, instead use the new `ReflectedXSSCustomizations.qll` file, and extend + * its' classes. + */ +deprecated class ReflectedXssConfiguration = ReflectedXss::Configuration; diff --git a/python/ql/lib/semmle/python/security/dataflow/ReflectedXSSQuery.qll b/python/ql/lib/semmle/python/security/dataflow/ReflectedXSSQuery.qll index 14706a5fff5..6e473bfe907 100644 --- a/python/ql/lib/semmle/python/security/dataflow/ReflectedXSSQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/ReflectedXSSQuery.qll @@ -28,13 +28,3 @@ import semmle.python.dataflow.new.TaintTracking guard instanceof SanitizerGuard } } - -/** DEPRECATED: Alias for ReflectedXss */ -deprecated module ReflectedXSS = ReflectedXss; - -/** - * DEPRECATED: Don't extend this class for customization, since this will lead to bad - * performance, instead use the new `ReflectedXSSCustomizations.qll` file, and extend - * its' classes. - */ -deprecated class ReflectedXssConfiguration = ReflectedXss::Configuration; diff --git a/python/ql/lib/semmle/python/security/dataflow/RegexInjection.qll b/python/ql/lib/semmle/python/security/dataflow/RegexInjection.qll new file mode 100644 index 00000000000..147c2b6ea84 --- /dev/null +++ b/python/ql/lib/semmle/python/security/dataflow/RegexInjection.qll @@ -0,0 +1,20 @@ +/** + * Provides a taint-tracking configuration for detecting regular expression injection + * vulnerabilities. + * + * Note, for performance reasons: only import this file if + * `RegexInjection::Configuration` is needed, otherwise + * `RegexInjectionCustomizations` should be imported instead. + */ + +private import python +import semmle.python.dataflow.new.DataFlow +import semmle.python.dataflow.new.TaintTracking + +/** + * Provides a taint-tracking configuration for detecting regular expression injection + * vulnerabilities. + */ +module RegexInjection { + import RegexInjectionQuery // ignore-query-import +} diff --git a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgery.qll b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgery.qll new file mode 100644 index 00000000000..49469a4869a --- /dev/null +++ b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgery.qll @@ -0,0 +1,45 @@ +/** + * Provides a taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities. + * + * Note, for performance reasons: only import this file if + * `ServerSideRequestForgery::Configuration` is needed, otherwise + * `ServerSideRequestForgeryCustomizations` should be imported instead. + */ + +private import python +import semmle.python.dataflow.new.DataFlow +import semmle.python.dataflow.new.TaintTracking +import semmle.python.Concepts +import ServerSideRequestForgeryQuery as ServerSideRequestForgeryQuery // ignore-query-import + +/** + * Provides a taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities. + * + * This configuration has a sanitizer to limit results to cases where attacker has full control of URL. + * See `PartialServerSideRequestForgery` for a variant without this requirement. + * + * You should use the `partOfFullyControlledRequest` to only select results where all + * URL parts are fully controlled. + */ +module FullServerSideRequestForgery { + import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery + + class Configuration = ServerSideRequestForgeryQuery::FullServerSideRequestForgeryConfiguration; +} + +/** + * Holds if all URL parts of `request` is fully user controlled. + */ +predicate fullyControlledRequest = ServerSideRequestForgeryQuery::fullyControlledRequest/1; + +/** + * Provides a taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities. + * + * This configuration has results, even when the attacker does not have full control over the URL. + * See `FullServerSideRequestForgery` for variant that has this requirement. + */ +module PartialServerSideRequestForgery { + import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery + + class Configuration = ServerSideRequestForgeryQuery::PartialServerSideRequestForgeryConfiguration; +} diff --git a/python/ql/lib/semmle/python/security/dataflow/SqlInjection.qll b/python/ql/lib/semmle/python/security/dataflow/SqlInjection.qll new file mode 100644 index 00000000000..ec22a55992c --- /dev/null +++ b/python/ql/lib/semmle/python/security/dataflow/SqlInjection.qll @@ -0,0 +1,28 @@ +/** + * Provides a taint-tracking configuration for detecting "SQL injection" vulnerabilities. + * + * Note, for performance reasons: only import this file if + * `SqlInjection::Configuration` is needed, otherwise + * `SqlInjectionCustomizations` should be imported instead. + */ + +private import python +import semmle.python.dataflow.new.DataFlow +import semmle.python.dataflow.new.TaintTracking + +/** + * Provides a taint-tracking configuration for detecting "SQL injection" vulnerabilities. + */ +module SqlInjection { + import SqlInjectionQuery // ignore-query-import +} + +/** + * DEPRECATED: Don't extend this class for customization, since this will lead to bad + * performance, instead use the new `SqlInjectionCustomizations.qll` file, and extend + * its' classes. + */ +deprecated class SqlInjectionConfiguration = SqlInjection::Configuration; + +/** DEPRECATED: Alias for SqlInjectionConfiguration */ +deprecated class SQLInjectionConfiguration = SqlInjectionConfiguration; diff --git a/python/ql/lib/semmle/python/security/dataflow/SqlInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/SqlInjectionQuery.qll index f21cf752971..3d15c9a7e62 100644 --- a/python/ql/lib/semmle/python/security/dataflow/SqlInjectionQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/SqlInjectionQuery.qll @@ -28,13 +28,3 @@ import semmle.python.dataflow.new.TaintTracking guard instanceof SanitizerGuard } } - -/** - * DEPRECATED: Don't extend this class for customization, since this will lead to bad - * performance, instead use the new `SqlInjectionCustomizations.qll` file, and extend - * its' classes. - */ -deprecated class SqlInjectionConfiguration = SqlInjection::Configuration; - -/** DEPRECATED: Alias for SqlInjectionConfiguration */ -deprecated class SQLInjectionConfiguration = SqlInjectionConfiguration; diff --git a/python/ql/lib/semmle/python/security/dataflow/StackTraceExposure.qll b/python/ql/lib/semmle/python/security/dataflow/StackTraceExposure.qll new file mode 100644 index 00000000000..e138e2b8eaa --- /dev/null +++ b/python/ql/lib/semmle/python/security/dataflow/StackTraceExposure.qll @@ -0,0 +1,25 @@ +/** + * Provides a taint-tracking configuration for detecting "stack trace exposure" vulnerabilities. + * + * Note, for performance reasons: only import this file if + * `StackTraceExposure::Configuration` is needed, otherwise + * `StackTraceExposureCustomizations` should be imported instead. + */ + +private import python +import semmle.python.dataflow.new.DataFlow +import semmle.python.dataflow.new.TaintTracking + +/** + * Provides a taint-tracking configuration for detecting "stack trace exposure" vulnerabilities. + */ +module StackTraceExposure { + import StackTraceExposureQuery // ignore-query-import +} + +/** + * DEPRECATED: Don't extend this class for customization, since this will lead to bad + * performance, instead use the new `StackTraceExposureCustomizations.qll` file, and extend + * its' classes. + */ +deprecated class StackTraceExposureConfiguration = StackTraceExposure::Configuration; diff --git a/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureQuery.qll b/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureQuery.qll index 4089a8fc170..8d86802d605 100644 --- a/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureQuery.qll @@ -37,10 +37,3 @@ import semmle.python.dataflow.new.TaintTracking ) } } - -/** - * DEPRECATED: Don't extend this class for customization, since this will lead to bad - * performance, instead use the new `StackTraceExposureCustomizations.qll` file, and extend - * its' classes. - */ -deprecated class StackTraceExposureConfiguration = StackTraceExposure::Configuration; diff --git a/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserialization.qll b/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserialization.qll new file mode 100644 index 00000000000..d9bdb9501ce --- /dev/null +++ b/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserialization.qll @@ -0,0 +1,25 @@ +/** + * Provides a taint-tracking configuration for detecting "code execution from deserialization" vulnerabilities. + * + * Note, for performance reasons: only import this file if + * `UnsafeDeserialization::Configuration` is needed, otherwise + * `UnsafeDeserializationCustomizations` should be imported instead. + */ + +private import python +import semmle.python.dataflow.new.DataFlow +import semmle.python.dataflow.new.TaintTracking + +/** + * Provides a taint-tracking configuration for detecting "code execution from deserialization" vulnerabilities. + */ +module UnsafeDeserialization { + import UnsafeDeserializationQuery // ignore-query-import +} + +/** + * DEPRECATED: Don't extend this class for customization, since this will lead to bad + * performance, instead use the new `UnsafeDeserializationCustomizations.qll` file, and extend + * its' classes. + */ +deprecated class UnsafeDeserializationConfiguration = UnsafeDeserialization::Configuration; diff --git a/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationQuery.qll b/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationQuery.qll index ba86b98e0e7..f0a815a9eea 100644 --- a/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationQuery.qll @@ -28,10 +28,3 @@ import semmle.python.dataflow.new.TaintTracking guard instanceof SanitizerGuard } } - -/** - * DEPRECATED: Don't extend this class for customization, since this will lead to bad - * performance, instead use the new `UnsafeDeserializationCustomizations.qll` file, and extend - * its' classes. - */ -deprecated class UnsafeDeserializationConfiguration = UnsafeDeserialization::Configuration; diff --git a/python/ql/lib/semmle/python/security/dataflow/UrlRedirect.qll b/python/ql/lib/semmle/python/security/dataflow/UrlRedirect.qll new file mode 100644 index 00000000000..ac3c1abd96c --- /dev/null +++ b/python/ql/lib/semmle/python/security/dataflow/UrlRedirect.qll @@ -0,0 +1,25 @@ +/** + * Provides a taint-tracking configuration for detecting "URL redirection" vulnerabilities. + * + * Note, for performance reasons: only import this file if + * `UrlRedirect::Configuration` is needed, otherwise + * `UrlRedirectCustomizations` should be imported instead. + */ + +private import python +import semmle.python.dataflow.new.DataFlow +import semmle.python.dataflow.new.TaintTracking + +/** + * Provides a taint-tracking configuration for detecting "URL redirection" vulnerabilities. + */ +module UrlRedirect { + import UrlRedirectQuery // ignore-query-import +} + +/** + * DEPRECATED: Don't extend this class for customization, since this will lead to bad + * performance, instead use the new `UrlRedirectCustomizations.qll` file, and extend + * its' classes. + */ +deprecated class UrlRedirectConfiguration = UrlRedirect::Configuration; diff --git a/python/ql/lib/semmle/python/security/dataflow/UrlRedirectQuery.qll b/python/ql/lib/semmle/python/security/dataflow/UrlRedirectQuery.qll index 23b6ed0850f..cbff7620949 100644 --- a/python/ql/lib/semmle/python/security/dataflow/UrlRedirectQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/UrlRedirectQuery.qll @@ -28,10 +28,3 @@ import semmle.python.dataflow.new.TaintTracking guard instanceof SanitizerGuard } } - -/** - * DEPRECATED: Don't extend this class for customization, since this will lead to bad - * performance, instead use the new `UrlRedirectCustomizations.qll` file, and extend - * its' classes. - */ -deprecated class UrlRedirectConfiguration = UrlRedirect::Configuration; diff --git a/python/ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashing.qll b/python/ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashing.qll new file mode 100644 index 00000000000..0e732c089f1 --- /dev/null +++ b/python/ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashing.qll @@ -0,0 +1,36 @@ +/** + * Provides a taint-tracking configuration for detecting use of a broken or weak + * cryptographic hashing algorithm on sensitive data. + * + * Note, for performance reasons: only import this file if + * `WeakSensitiveDataHashing::Configuration` is needed, otherwise + * `WeakSensitiveDataHashingCustomizations` should be imported instead. + */ + +private import python +private import semmle.python.dataflow.new.DataFlow +private import semmle.python.dataflow.new.TaintTracking +private import semmle.python.Concepts +private import semmle.python.dataflow.new.RemoteFlowSources +private import semmle.python.dataflow.new.BarrierGuards +private import semmle.python.dataflow.new.SensitiveDataSources + +/** + * Provides a taint-tracking configuration for detecting use of a broken or weak + * cryptographic hash function on sensitive data, that does NOT require a + * computationally expensive hash function. + */ +module NormalHashFunction { + import WeakSensitiveDataHashingQuery::NormalHashFunction // ignore-query-import +} + +/** + * Provides a taint-tracking configuration for detecting use of a broken or weak + * cryptographic hashing algorithm on passwords. + * + * Passwords has stricter requirements on the hashing algorithm used (must be + * computationally expensive to prevent brute-force attacks). + */ +module ComputationallyExpensiveHashFunction { + import WeakSensitiveDataHashingQuery::ComputationallyExpensiveHashFunction // ignore-query-import +} diff --git a/python/ql/lib/semmle/python/security/dataflow/XpathInjection.qll b/python/ql/lib/semmle/python/security/dataflow/XpathInjection.qll new file mode 100644 index 00000000000..13252710f9f --- /dev/null +++ b/python/ql/lib/semmle/python/security/dataflow/XpathInjection.qll @@ -0,0 +1,18 @@ +/** + * Provides a taint-tracking configuration for detecting "Xpath Injection" vulnerabilities. + * + * Note, for performance reasons: only import this file if + * `XpathInjection::Configuration` is needed, otherwise + * `XpathInjectionCustomizations` should be imported instead. + */ + +private import python +import semmle.python.dataflow.new.DataFlow +import semmle.python.dataflow.new.TaintTracking + +/** + * Provides a taint-tracking configuration for detecting "Xpath Injection" vulnerabilities. + */ +module XpathInjection { + import XpathInjectionQuery // ignore-query-import +}