add jsonpickle and pexpect libs in case of unsafe decoding and secondary command execution, add proper test cases

2026-04-27 09:45:15 +02:00 · 2024-02-25 17:15:35 +04:00
parent 7e93102097
commit 0a765cc94a
13 changed files with 169 additions and 2 deletions
--- a/python/ql/test/experimental/query-tests/Security/CWE-074-SecondaryServerCmdInjection/Pexpect.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-074-SecondaryServerCmdInjection/Pexpect.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+
+from fastapi import FastAPI
+from pexpect import pxssh
+
+ssh = pxssh.pxssh()
+hostname = "localhost"
+username = "username"
+password = "password"
+ssh.login(hostname, username, password)
+
+app = FastAPI()
+
+@app.get("/bad1")
+async def bad1(cmd: str):
+    ssh.send(cmd)  # $ result=BAD getSecondaryCommand=cmd
+    ssh.prompt()
+    ssh.sendline(cmd)  # $ result=BAD getSecondaryCommand=cmd
+    ssh.prompt()
+    ssh.logout()
+    return {"success": stdout}
--- a/python/ql/test/library-tests/frameworks/jsonpickle/ConceptsTest.expected
+++ b/python/ql/test/library-tests/frameworks/jsonpickle/ConceptsTest.expected
@@ -0,0 +1,2 @@
+testFailures
+failures
--- a/python/ql/test/library-tests/frameworks/jsonpickle/ConceptsTest.ql
+++ b/python/ql/test/library-tests/frameworks/jsonpickle/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
--- a/python/ql/test/library-tests/frameworks/jsonpickle/Decode.py
+++ b/python/ql/test/library-tests/frameworks/jsonpickle/Decode.py
@@ -0,0 +1,15 @@
+import os
+
+import jsonpickle
+
+
+class Thing(object):
+    def __reduce__(self):
+        return os.system, ("curl 127.0.0.1:1234",)
+
+
+obj = Thing()
+
+pickledObj = jsonpickle.encode(obj)
+objUnPickled = jsonpickle.decode(pickledObj, safe=True)  # $ decodeInput=pickledObj decodeOutput=jsonpickle.decode(..) decodeFormat=pickle decodeMayExecuteInput
+print(objUnPickled.name)
--- a/python/ql/test/library-tests/frameworks/pexpect/ConceptsTest.expected
+++ b/python/ql/test/library-tests/frameworks/pexpect/ConceptsTest.expected
@@ -0,0 +1,2 @@
+testFailures
+failures
--- a/python/ql/test/library-tests/frameworks/pexpect/ConceptsTest.ql
+++ b/python/ql/test/library-tests/frameworks/pexpect/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
--- a/python/ql/test/library-tests/frameworks/pexpect/ExecCmd.py
+++ b/python/ql/test/library-tests/frameworks/pexpect/ExecCmd.py
@@ -0,0 +1,9 @@
+import pexpect
+from pexpect import popen_spawn
+
+cmd = "ls -la"
+result = pexpect.run(cmd) # $ getCommand=cmd
+result = pexpect.runu(cmd) # $ getCommand=cmd
+result = pexpect.spawn(cmd) # $ getCommand=cmd
+result = pexpect.spawnu(cmd) # $ getCommand=cmd
+result = popen_spawn.PopenSpawn(cmd) # $ getCommand=cmd