Python: Port query and add test

2026-05-03 20:58:03 +02:00 · 2020-10-09 16:11:37 +02:00
parent b0d01cfe8d
commit 0d8bd01e10
12 changed files with 186 additions and 0 deletions
--- a/python/ql/test/experimental/meta/ConceptsTest.qll
+++ b/python/ql/test/experimental/meta/ConceptsTest.qll
@@ -32,3 +32,20 @@ class SystemCommandExecutionTest extends InlineExpectationsTest {
    )
  }
 }
+
+class DeserializationSinkTest extends InlineExpectationsTest {
+  DeserializationSinkTest() { this = "DeserializationSinkTest" }
+
+  override string getARelevantTag() { result = "getData" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(DeserializationSink ds, DataFlow::Node data |
+      exists(location.getFile().getRelativePath()) and
+      data = ds.getData() and
+      location = data.getLocation() and
+      element = data.toString() and
+      value = value_from_expr(data.asExpr()) and
+      tag = "getData"
+    )
+  }
+}
--- a/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-502/ConceptsTest.expected
+++ b/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-502/ConceptsTest.expected
@@ -0,0 +1,4 @@
+| unsafe_deserialization.py:12:28:12:45 | Comment # $getData=payload | Missing result:getData=payload |
+| unsafe_deserialization.py:13:25:13:42 | Comment # $getData=payload | Missing result:getData=payload |
+| unsafe_deserialization.py:14:29:14:46 | Comment # $getData=payload | Missing result:getData=payload |
+| unsafe_deserialization.py:16:26:16:43 | Comment # $getData=payload | Missing result:getData=payload |
--- a/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-502/ConceptsTest.ql
+++ b/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-502/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
--- a/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-502/UnsafeDeserialization.expected
+++ b/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-502/UnsafeDeserialization.expected
@@ -0,0 +1,3 @@
+edges
+nodes
+#select
--- a/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-502/UnsafeDeserialization.qlref
+++ b/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-502/UnsafeDeserialization.qlref
@@ -0,0 +1 @@
+experimental/Security-new-dataflow/CWE-502/UnsafeDeserialization.ql
--- a/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-502/options
+++ b/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-502/options
@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=2 -p ../lib
--- a/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-502/unsafe_deserialization.py
+++ b/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-502/unsafe_deserialization.py
@@ -0,0 +1,16 @@
+import flask
+import pickle
+import yaml
+import marshal
+
+from flask import Flask, request
+app = Flask(__name__)
+
+@app.route("/")
+def hello():
+    payload = request.args.get('payload')
+    pickle.loads(payload)  # $getData=payload
+    yaml.load(payload)  # $getData=payload
+    marshal.loads(payload)  # $getData=payload
+    import dill
+    dill.loads(payload)  # $getData=payload
				`@@ -0,0 +1 @@`
				`experimental/Security-new-dataflow/CWE-502/UnsafeDeserialization.ql`
				`@@ -0,0 +1 @@`
				`semmle-extractor-options: --max-import-depth=2 -p ../lib`