diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-python.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-python.rst index 4bce178d41f..f8625eb9f0a 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-python.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-python.rst @@ -354,11 +354,50 @@ This data flow configuration tracks data flow from environment variables to open select fileOpen, "This call to 'os.open' uses data from $@.", environment, "call to 'os.getenv'" +Path Query Example +~~~~~~~~~~~~~~~~~~ + +Here is the first example above, converted into a path query: + +.. code-block:: ql + + /** + * @kind path-problem + * @problem.severity warning + * @id file-system-access-from-remote-input + */ + + import python + import semmle.python.dataflow.new.DataFlow + import semmle.python.dataflow.new.TaintTracking + import semmle.python.dataflow.new.RemoteFlowSources + import semmle.python.Concepts + + module RemoteToFileConfiguration implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + source instanceof RemoteFlowSource + } + + predicate isSink(DataFlow::Node sink) { + sink = any(FileSystemAccess fa).getAPathArgument() + } + } + + module RemoteToFileFlow = TaintTracking::Global; + + import RemoteToFileFlow::PathGraph + + from RemoteToFileFlow::PathNode input, RemoteToFileFlow::PathNode fileAccess + where RemoteToFileFlow::flowPath(input, fileAccess) + select fileAccess.getNode(), input, fileAccess, "This file access uses data from $@.", + input, "user-controllable input." + +For more information, see ":doc:`Creating path queries `". Further reading --------------- -- `Exploring data flow with path queries `__ in the GitHub documentation. +- `Creating path queries `__ in the GitHub documentation. .. include:: ../reusables/python-further-reading.rst