Merge branch 'main' into python/port-tarslip

2026-04-28 02:05:14 +02:00 · 2022-06-28 22:17:28 +02:00
parent ac0c8d238f f97cc9e37c
commit 1105cd569b
202 changed files with 1233 additions and 518 deletions
--- a/python/ql/src/CHANGELOG.md
+++ b/python/ql/src/CHANGELOG.md
@@ -1,3 +1,13 @@
+## 0.2.0
+
+### Major Analysis Improvements
+
+* Improved library modeling for the query "Request without certificate validation" (`py/request-without-cert-validation`), so it now also covers `httpx`, `aiohttp.client`, and `urllib3`.
+
+### Minor Analysis Improvements
+
+* The query "Use of a broken or weak cryptographic algorithm" (`py/weak-cryptographic-algorithm`) now reports if a cryptographic operation is potentially insecure due to use of a weak block mode.
+
 ## 0.1.4

 ## 0.1.3
--- a/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
+++ b/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
@@ -42,7 +42,7 @@ where
    not exists(call.getArgByName("autoescape"))
    or
    call.getKeywordParameter("autoescape")
-        .getAValueReachingRhs()
+        .getAValueReachingSink()
        .asExpr()
        .(ImmutableLiteral)
        .booleanValue() = false
--- a/python/ql/src/Security/CWE-285/PamAuthorization.ql
+++ b/python/ql/src/Security/CWE-285/PamAuthorization.ql
@@ -18,9 +18,9 @@ import semmle.python.dataflow.new.TaintTracking
 API::Node libPam() {
  exists(API::CallNode findLibCall, API::CallNode cdllCall |
    findLibCall = API::moduleImport("ctypes").getMember("util").getMember("find_library").getACall() and
-    findLibCall.getParameter(0).getAValueReachingRhs().asExpr().(StrConst).getText() = "pam" and
+    findLibCall.getParameter(0).getAValueReachingSink().asExpr().(StrConst).getText() = "pam" and
    cdllCall = API::moduleImport("ctypes").getMember("CDLL").getACall() and
-    cdllCall.getParameter(0).getAValueReachingRhs() = findLibCall
+    cdllCall.getParameter(0).getAValueReachingSink() = findLibCall
  |
    result = cdllCall.getReturn()
  )
--- a/python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql
+++ b/python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql
@@ -29,7 +29,7 @@ where
  call = paramikoSSHClientInstance().getMember("set_missing_host_key_policy").getACall() and
  arg in [call.getArg(0), call.getArgByName("policy")] and
  (
-    arg = unsafe_paramiko_policy(name).getAUse() or
-    arg = unsafe_paramiko_policy(name).getReturn().getAUse()
+    arg = unsafe_paramiko_policy(name).getAValueReachableFromSource() or
+    arg = unsafe_paramiko_policy(name).getReturn().getAValueReachableFromSource()
  )
 select call, "Setting missing host key policy to " + name + " may be unsafe."
--- a/python/ql/src/Security/CWE-327/PyOpenSSL.qll
+++ b/python/ql/src/Security/CWE-327/PyOpenSSL.qll
@@ -17,7 +17,8 @@ class PyOpenSSLContextCreation extends ContextCreation, DataFlow::CallCfgNode {
      protocolArg in [this.getArg(0), this.getArgByName("method")]
    |
      protocolArg in [
-          pyo.specific_version(result).getAUse(), pyo.unspecific_version(result).getAUse()
+          pyo.specific_version(result).getAValueReachableFromSource(),
+          pyo.unspecific_version(result).getAValueReachableFromSource()
        ]
    )
  }
@@ -43,9 +44,10 @@ class SetOptionsCall extends ProtocolRestriction, DataFlow::CallCfgNode {
  }

  override ProtocolVersion getRestriction() {
-    API::moduleImport("OpenSSL").getMember("SSL").getMember("OP_NO_" + result).getAUse() in [
-        this.getArg(0), this.getArgByName("options")
-      ]
+    API::moduleImport("OpenSSL")
+          .getMember("SSL")
+          .getMember("OP_NO_" + result)
+          .getAValueReachableFromSource() in [this.getArg(0), this.getArgByName("options")]
  }
 }

--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -15,7 +15,10 @@ class SSLContextCreation extends ContextCreation, DataFlow::CallCfgNode {
      protocolArg in [this.getArg(0), this.getArgByName("protocol")]
    |
      protocolArg =
-        [ssl.specific_version(result).getAUse(), ssl.unspecific_version(result).getAUse()]
+        [
+          ssl.specific_version(result).getAValueReachableFromSource(),
+          ssl.unspecific_version(result).getAValueReachableFromSource()
+        ]
    )
    or
    not exists(this.getArg(_)) and
@@ -54,7 +57,11 @@ class OptionsAugOr extends ProtocolRestriction, DataFlow::CfgNode {
      aa.getTarget() = attr.getNode() and
      attr.getName() = "options" and
      attr.getObject() = node and
-      flag = API::moduleImport("ssl").getMember("OP_NO_" + restriction).getAUse().asExpr() and
+      flag =
+        API::moduleImport("ssl")
+            .getMember("OP_NO_" + restriction)
+            .getAValueReachableFromSource()
+            .asExpr() and
      (
        aa.getValue() = flag
        or
@@ -79,7 +86,11 @@ class OptionsAugAndNot extends ProtocolUnrestriction, DataFlow::CfgNode {
      attr.getObject() = node and
      notFlag.getOp() instanceof Invert and
      notFlag.getOperand() = flag and
-      flag = API::moduleImport("ssl").getMember("OP_NO_" + restriction).getAUse().asExpr() and
+      flag =
+        API::moduleImport("ssl")
+            .getMember("OP_NO_" + restriction)
+            .getAValueReachableFromSource()
+            .asExpr() and
      (
        aa.getValue() = notFlag
        or
@@ -134,7 +145,10 @@ class ContextSetVersion extends ProtocolRestriction, ProtocolUnrestriction, Data
      this = aw.getObject() and
      aw.getAttributeName() = "minimum_version" and
      aw.getValue() =
-        API::moduleImport("ssl").getMember("TLSVersion").getMember(restriction).getAUse()
+        API::moduleImport("ssl")
+            .getMember("TLSVersion")
+            .getMember(restriction)
+            .getAValueReachableFromSource()
    )
  }

@@ -188,7 +202,8 @@ class Ssl extends TlsLibrary {

  override DataFlow::CallCfgNode insecure_connection_creation(ProtocolVersion version) {
    result = API::moduleImport("ssl").getMember("wrap_socket").getACall() and
-    this.specific_version(version).getAUse() = result.getArgByName("ssl_version") and
+    this.specific_version(version).getAValueReachableFromSource() =
+      result.getArgByName("ssl_version") and
    version.isInsecure()
  }

--- a/python/ql/src/Security/CWE-732/WeakFilePermissions.ql
+++ b/python/ql/src/Security/CWE-732/WeakFilePermissions.ql
@@ -36,13 +36,13 @@ string permissive_permission(int p) {

 predicate chmod_call(API::CallNode call, string name, int mode) {
  call = API::moduleImport("os").getMember("chmod").getACall() and
-  mode = call.getParameter(1, "mode").getAValueReachingRhs().asExpr().(IntegerLiteral).getValue() and
+  mode = call.getParameter(1, "mode").getAValueReachingSink().asExpr().(IntegerLiteral).getValue() and
  name = "chmod"
 }

 predicate open_call(API::CallNode call, string name, int mode) {
  call = API::moduleImport("os").getMember("open").getACall() and
-  mode = call.getParameter(2, "mode").getAValueReachingRhs().asExpr().(IntegerLiteral).getValue() and
+  mode = call.getParameter(2, "mode").getAValueReachingSink().asExpr().(IntegerLiteral).getValue() and
  name = "open"
 }

--- a/python/ql/src/change-notes/2022-05-16-broken-crypto-block-mode.md
+++ b/python/ql/src/change-notes/2022-05-16-broken-crypto-block-mode.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The query "Use of a broken or weak cryptographic algorithm" (`py/weak-cryptographic-algorithm`) now report if a cryptographic operation is potentially insecure due to use of a weak block mode.
--- a/python/ql/src/change-notes/2022-06-08-request-without-certificate-validation-modeling.md
+++ b/python/ql/src/change-notes/2022-06-08-request-without-certificate-validation-modeling.md
@@ -1,4 +0,0 @@
---
-category: majorAnalysis
---
-* Improved library modeling for the query "Request without certificate validation" (`py/request-without-cert-validation`), so it now also covers `httpx`, `aiohttp.client`, and `urllib3`.
--- a/python/ql/src/change-notes/released/0.2.0.md
+++ b/python/ql/src/change-notes/released/0.2.0.md
@@ -0,0 +1,9 @@
+## 0.2.0
+
+### Major Analysis Improvements
+
+* Improved library modeling for the query "Request without certificate validation" (`py/request-without-cert-validation`), so it now also covers `httpx`, `aiohttp.client`, and `urllib3`.
+
+### Minor Analysis Improvements
+
+* The query "Use of a broken or weak cryptographic algorithm" (`py/weak-cryptographic-algorithm`) now reports if a cryptographic operation is potentially insecure due to use of a weak block mode.
--- a/python/ql/src/codeql-pack.release.yml
+++ b/python/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.1.4
+lastReleaseVersion: 0.2.0
--- a/python/ql/src/experimental/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Django.qll
@@ -86,11 +86,13 @@ private module ExperimentalPrivateDjango {
            t.start() and
            (
              exists(SubscriptNode subscript |
-                subscript.getObject() = baseClassRef().getReturn().getAUse().asCfgNode() and
+                subscript.getObject() =
+                  baseClassRef().getReturn().getAValueReachableFromSource().asCfgNode() and
                result.asCfgNode() = subscript
              )
              or
-              result.(DataFlow::AttrRead).getObject() = baseClassRef().getReturn().getAUse()
+              result.(DataFlow::AttrRead).getObject() =
+                baseClassRef().getReturn().getAValueReachableFromSource()
            )
            or
            exists(DataFlow::TypeTracker t2 | result = headerInstance(t2).track(t2, t))
--- a/python/ql/src/experimental/semmle/python/frameworks/Flask.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Flask.qll
@@ -29,7 +29,11 @@ module ExperimentalFlask {

  /** Gets a reference to a header instance. */
  private DataFlow::LocalSourceNode headerInstance() {
-    result = [Flask::Response::classRef(), flaskMakeResponse()].getReturn().getAMember().getAUse()
+    result =
+      [Flask::Response::classRef(), flaskMakeResponse()]
+          .getReturn()
+          .getAMember()
+          .getAValueReachableFromSource()
  }

  /** Gets a reference to a header instance call/subscript */
--- a/python/ql/src/experimental/semmle/python/frameworks/LDAP.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/LDAP.qll
@@ -90,7 +90,9 @@ private module LDAP {

    /**List of SSL-demanding options */
    private class LDAPSSLOptions extends DataFlow::Node {
-      LDAPSSLOptions() { this = ldap().getMember("OPT_X_TLS_" + ["DEMAND", "HARD"]).getAUse() }
+      LDAPSSLOptions() {
+        this = ldap().getMember("OPT_X_TLS_" + ["DEMAND", "HARD"]).getAValueReachableFromSource()
+      }
    }

    /**
--- a/python/ql/src/experimental/semmle/python/frameworks/NoSQL.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/NoSQL.qll
@@ -50,11 +50,11 @@ private module NoSql {
    t.start() and
    (
      exists(SubscriptNode subscript |
-        subscript.getObject() = mongoClientInstance().getAUse().asCfgNode() and
+        subscript.getObject() = mongoClientInstance().getAValueReachableFromSource().asCfgNode() and
        result.asCfgNode() = subscript
      )
      or
-      result.(DataFlow::AttrRead).getObject() = mongoClientInstance().getAUse()
+      result.(DataFlow::AttrRead).getObject() = mongoClientInstance().getAValueReachableFromSource()
      or
      result = mongoEngine().getMember(["get_db", "connect"]).getACall()
      or
--- a/python/ql/src/qlpack.yml
+++ b/python/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-queries
-version: 0.2.0-dev
+version: 0.2.1-dev
 groups: 
  - python
  - queries