hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 01:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add change note

Browse Source
This commit is contained in:
Sylwia Budzynska
2024-04-05 14:56:06 +02:00
parent 84d69566c9
commit 112992585a
2 changed files with 97 additions and 80 deletions
Download Patch File Download Diff File Expand all files Collapse all files

173
python/ql/lib/semmle/python/frameworks/Gradio.qll
View File

@@ -16,36 +16,37 @@ module Gradio {
/**
* The event handlers in Gradio, which take untrusted data.
*/
class GradioInput extends API::CallNode {
GradioInput() { this = API::moduleImport("gradio")
.getMember([
"Button", "Textbox", "UploadButton", "Slider",
"JSON", "HTML", "Markdown", "File",
"AnnotatedImage", "Audio", "BarPlot", "Chatbot", "Checkbox",
"CheckboxGroup", "ClearButton", "Code", "ColorPicker", "Dataframe",
"Dataset", "DownloadButton", "Dropdown", "DuplicateButton", "FileExplorer",
"Gallery", "HighlightedText", "Image", "ImageEditor", "Label", "LinePlot",
"LoginButton", "LogoutButton", "Model3D", "Number", "ParamViewer",
"Plot", "Radio", "ScatterPlot", "SimpleImage", "State", "Video"])
.getReturn()
.getMember([
"change", "input", "click", "submit",
"edit", "clear", "play", "pause", "stop", "end", "start_recording",
"pause_recording", "stop_recording", "focus", "blur",
"upload", "release", "select", "stream", "like", "load",
"like", "key_up",])
.getACall()
}
GradioInput() {
this =
API::moduleImport("gradio")
.getMember([
"Button", "Textbox", "UploadButton", "Slider", "JSON", "HTML", "Markdown", "File",
"AnnotatedImage", "Audio", "BarPlot", "Chatbot", "Checkbox", "CheckboxGroup",
"ClearButton", "Code", "ColorPicker", "Dataframe", "Dataset", "DownloadButton",
"Dropdown", "DuplicateButton", "FileExplorer", "Gallery", "HighlightedText",
"Image", "ImageEditor", "Label", "LinePlot", "LoginButton", "LogoutButton",
"Model3D", "Number", "ParamViewer", "Plot", "Radio", "ScatterPlot", "SimpleImage",
"State", "Video"
])
.getReturn()
.getMember([
"change", "input", "click", "submit", "edit", "clear", "play", "pause", "stop",
"end", "start_recording", "pause_recording", "stop_recording", "focus", "blur",
"upload", "release", "select", "stream", "like", "load", "like", "key_up",
])
.getACall()
}
}
/**
* The high-level gradio.Interface and gradio.ChatInterface classes, which take untrusted data.
*/
class GradioInterface extends API::CallNode {
GradioInterface() { this = API::moduleImport("gradio").getMember(["Interface", "ChatInterface"]).getACall() }
/**
* The high-level gradio.Interface and gradio.ChatInterface classes, which take untrusted data.
*/
class GradioInterface extends API::CallNode {
GradioInterface() {
this = API::moduleImport("gradio").getMember(["Interface", "ChatInterface"]).getACall()
}
}
/**
* The `inputs` parameters in Gradio event handlers, that are lists and are sources of untrusted data.
@@ -53,24 +54,29 @@ module Gradio {
*/
class GradioInputList extends RemoteFlowSource::Range {
GradioInputList() {
exists(API::CallNode call |
(call instanceof GradioInput
or
call instanceof GradioInterface)
and
exists(API::CallNode call |
(
call instanceof GradioInput
or
call instanceof GradioInterface
) and
// limit only to lists of parameters given to `inputs`.
((call.getKeywordParameter("inputs").asSink().asCfgNode() instanceof ListNode
(
(
call.getKeywordParameter("inputs").asSink().asCfgNode() instanceof ListNode
or
call.getParameter(1).asSink().asCfgNode() instanceof ListNode)
and
(this = call.getKeywordParameter("inputs").getASuccessor().getAValueReachingSink()
or
this = call.getParameter(1).getASuccessor().getAValueReachingSink()))
)
call.getParameter(1).asSink().asCfgNode() instanceof ListNode
) and
(
this = call.getKeywordParameter("inputs").getASuccessor().getAValueReachingSink()
or
this = call.getParameter(1).getASuccessor().getAValueReachingSink()
)
)
)
}
override string getSourceType() { result = "Gradio untrusted input" }
}
/**
@@ -78,39 +84,39 @@ module Gradio {
*/
class GradioInputParameter extends RemoteFlowSource::Range {
GradioInputParameter() {
exists(API::CallNode call |
(call instanceof GradioInput
or
call instanceof GradioInterface)
and
(this = call.getKeywordParameter("fn").getParameter(_).asSource()
or
this = call.getParameter(0).getParameter(_).asSource())
and
// exclude lists of parameters given to `inputs`
not call.getKeywordParameter("inputs").asSink().asCfgNode() instanceof ListNode
and
not call.getParameter(1).asSink().asCfgNode() instanceof ListNode
exists(API::CallNode call |
(
call instanceof GradioInput
or
call instanceof GradioInterface
) and
(
this = call.getKeywordParameter("fn").getParameter(_).asSource()
or
this = call.getParameter(0).getParameter(_).asSource()
) and
// exclude lists of parameters given to `inputs`
not call.getKeywordParameter("inputs").asSink().asCfgNode() instanceof ListNode and
not call.getParameter(1).asSink().asCfgNode() instanceof ListNode
)
}
override string getSourceType() { result = "Gradio untrusted input" }
}
override string getSourceType() { result = "Gradio untrusted input" }
}
/**
* The `inputs` parameters in Gradio decorators to event handlers, that are sources of untrusted data.
*/
class GradioInputDecorator extends RemoteFlowSource::Range {
class GradioInputDecorator extends RemoteFlowSource::Range {
GradioInputDecorator() {
exists(API::CallNode call |
(call instanceof GradioInput or call instanceof GradioInterface)
and
(call instanceof GradioInput or call instanceof GradioInterface) and
this = call.getReturn().getACall().getParameter(0).getParameter(_).asSource()
)
}
override string getSourceType() { result = "Gradio untrusted input" }
}
override string getSourceType() { result = "Gradio untrusted input" }
}
/**
* Extra taint propagation for tracking `inputs` parameters in Gradio event handlers, that are lists.
@@ -118,27 +124,34 @@ module Gradio {
private class ListTaintStep extends TaintTracking::AdditionalTaintStep {
override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
exists(API::CallNode node |
(node instanceof GradioInput
or
node instanceof GradioInterface)
and
(
node instanceof GradioInput
or
node instanceof GradioInterface
) and
// handle cases where there are multiple arguments passed as a list to `inputs`
((
(node.getKeywordParameter("inputs").asSink().asCfgNode() instanceof ListNode
or
node.getParameter(1).asSink().asCfgNode() instanceof ListNode)
and
exists(int i |
(nodeTo = node.getParameter(0).getParameter(i).asSource()
or
nodeTo = node.getKeywordParameter("fn").getParameter(i).asSource())
and
(nodeFrom.asCfgNode() = node.getKeywordParameter("inputs").asSink().asCfgNode().(ListNode).getElement(i)
or
nodeFrom.asCfgNode() = node.getParameter(1).asSink().asCfgNode().(ListNode).getElement(i))))
(
(
node.getKeywordParameter("inputs").asSink().asCfgNode() instanceof ListNode
or
node.getParameter(1).asSink().asCfgNode() instanceof ListNode
) and
exists(int i |
(
nodeTo = node.getParameter(0).getParameter(i).asSource()
or
nodeTo = node.getKeywordParameter("fn").getParameter(i).asSource()
) and
(
nodeFrom.asCfgNode() =
node.getKeywordParameter("inputs").asSink().asCfgNode().(ListNode).getElement(i)
or
nodeFrom.asCfgNode() =
node.getParameter(1).asSink().asCfgNode().(ListNode).getElement(i)
)
)
)
)
}
}
}

4
python/ql/src/change-notes/2024-04-05-gradio-models.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added models of `gradio` PyPI package.