merge in main

2026-05-01 03:35:13 +02:00 · 2022-06-23 09:05:32 +00:00
parent 8bf60301da
commit 140dc1a61e
4448 changed files with 340100 additions and 31408 deletions
--- a/python/ql/test/query-tests/Security/CWE-079-Jinja2WithoutEscaping/Jinja2WithoutEscaping.expected
+++ b/python/ql/test/query-tests/Security/CWE-079-Jinja2WithoutEscaping/Jinja2WithoutEscaping.expected
@@ -2,4 +2,5 @@
 | jinja2_escaping.py:41:5:41:29 | ControlFlowNode for Environment() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
 | jinja2_escaping.py:43:1:43:3 | ControlFlowNode for E() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
 | jinja2_escaping.py:44:1:44:15 | ControlFlowNode for E() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
+| jinja2_escaping.py:50:13:50:40 | ControlFlowNode for Environment() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
 | jinja2_escaping.py:53:15:53:43 | ControlFlowNode for Template() | Using jinja2 templates with autoescape=False can potentially allow XSS attacks. |
--- a/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.expected
+++ b/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.expected
@@ -0,0 +1 @@
+| pam_test.py:48:18:48:44 | ControlFlowNode for pam_authenticate() | This PAM authentication call may lead to an authorization bypass, since 'pam_acct_mgmt' is not called afterwards. |
--- a/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.qlref
+++ b/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.qlref
@@ -0,0 +1 @@
+Security/CWE-285/PamAuthorization.ql
--- a/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/pam_test.py
+++ b/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/pam_test.py
@@ -0,0 +1,63 @@
+from ctypes import CDLL, POINTER, Structure, byref
+from ctypes import c_char_p, c_int
+from ctypes.util import find_library
+
+
+class PamHandle(Structure):
+    pass
+
+
+class PamMessage(Structure):
+    pass
+
+
+class PamResponse(Structure):
+    pass
+
+
+class PamConv(Structure):
+    pass
+
+# this is normal way to do things
+libpam = CDLL(find_library("pam"))
+
+# but we also handle assignment to temp variable
+temp = find_library("pam")
+libpam = CDLL(temp)
+
+pam_start = libpam.pam_start
+pam_start.restype = c_int
+pam_start.argtypes = [c_char_p, c_char_p, POINTER(PamConv), POINTER(PamHandle)]
+
+pam_authenticate = libpam.pam_authenticate
+pam_authenticate.restype = c_int
+pam_authenticate.argtypes = [PamHandle, c_int]
+
+pam_acct_mgmt = libpam.pam_acct_mgmt
+pam_acct_mgmt.restype = c_int
+pam_acct_mgmt.argtypes = [PamHandle, c_int]
+
+
+class pam():
+
+    def authenticate_bad(self, username, service='login'):
+        handle = PamHandle()
+        conv = PamConv(None, 0)
+        retval = pam_start(service, username, byref(conv), byref(handle))
+
+        retval = pam_authenticate(handle, 0)
+        auth_success = retval == 0
+
+        return auth_success
+
+    def authenticate_good(self, username, service='login'):
+        handle = PamHandle()
+        conv = PamConv(None, 0)
+        retval = pam_start(service, username, byref(conv), byref(handle))
+
+        retval = pam_authenticate(handle, 0)
+        if retval == 0:
+            retval = pam_acct_mgmt(handle, 0)
+        auth_success = retval == 0
+
+        return auth_success
--- a/python/ql/test/query-tests/Security/CWE-295-RequestWithoutValidation/RequestWithoutValidation.expected
+++ b/python/ql/test/query-tests/Security/CWE-295-RequestWithoutValidation/RequestWithoutValidation.expected
@@ -1,5 +1,6 @@
-| make_request.py:5:1:5:48 | ControlFlowNode for Attribute() | Call to requests.get with verify=$@ | make_request.py:5:43:5:47 | ControlFlowNode for False | False |
-| make_request.py:7:1:7:49 | ControlFlowNode for Attribute() | Call to requests.post with verify=$@ | make_request.py:7:44:7:48 | ControlFlowNode for False | False |
-| make_request.py:12:1:12:39 | ControlFlowNode for put() | Call to requests.put with verify=$@ | make_request.py:12:34:12:38 | ControlFlowNode for False | False |
-| make_request.py:28:5:28:46 | ControlFlowNode for patch() | Call to requests.patch with verify=$@ | make_request.py:30:6:30:10 | ControlFlowNode for False | False |
-| make_request.py:34:1:34:45 | ControlFlowNode for Attribute() | Call to requests.post with verify=$@ | make_request.py:34:44:34:44 | ControlFlowNode for IntegerLiteral | False |
+| make_request.py:5:1:5:48 | ControlFlowNode for Attribute() | This request may run without certificate validation because it is $@. | make_request.py:5:43:5:47 | ControlFlowNode for False | disabled here | make_request.py:5:43:5:47 | ControlFlowNode for False | here |
+| make_request.py:7:1:7:49 | ControlFlowNode for Attribute() | This request may run without certificate validation because it is $@. | make_request.py:7:44:7:48 | ControlFlowNode for False | disabled here | make_request.py:7:44:7:48 | ControlFlowNode for False | here |
+| make_request.py:12:1:12:39 | ControlFlowNode for put() | This request may run without certificate validation because it is $@. | make_request.py:12:34:12:38 | ControlFlowNode for False | disabled here | make_request.py:12:34:12:38 | ControlFlowNode for False | here |
+| make_request.py:28:5:28:46 | ControlFlowNode for patch() | This request may run without certificate validation because it is $@ by the value from $@. | make_request.py:28:40:28:45 | ControlFlowNode for verify | disabled here | make_request.py:30:6:30:10 | ControlFlowNode for False | here |
+| make_request.py:34:1:34:45 | ControlFlowNode for Attribute() | This request may run without certificate validation because it is $@. | make_request.py:34:44:34:44 | ControlFlowNode for IntegerLiteral | disabled here | make_request.py:34:44:34:44 | ControlFlowNode for IntegerLiteral | here |
+| make_request.py:41:1:41:26 | ControlFlowNode for Attribute() | This request may run without certificate validation because it is $@. | make_request.py:41:21:41:25 | ControlFlowNode for False | disabled here | make_request.py:41:21:41:25 | ControlFlowNode for False | here |
--- a/python/ql/test/query-tests/Security/CWE-295-RequestWithoutValidation/make_request.py
+++ b/python/ql/test/query-tests/Security/CWE-295-RequestWithoutValidation/make_request.py
@@ -36,3 +36,6 @@ requests.post('https://semmle.com', verify=0) # BAD
 # requests treat `None` as default value, which means it is turned on
 requests.get('https://semmle.com') # OK
 requests.get('https://semmle.com', verify=None) # OK
+
+s = requests.Session()
+s.get("url", verify=False) # BAD
--- a/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/BrokenCryptoAlgorithm.expected
+++ b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/BrokenCryptoAlgorithm.expected
@@ -1,2 +1,4 @@
 | test_cryptodome.py:11:13:11:42 | ControlFlowNode for Attribute() | The cryptographic algorithm ARC4 is broken or weak, and should not be used. |
+| test_cryptodome.py:16:13:16:42 | ControlFlowNode for Attribute() | The block mode ECB is broken or weak, and should not be used. |
 | test_cryptography.py:13:13:13:44 | ControlFlowNode for Attribute() | The cryptographic algorithm ARC4 is broken or weak, and should not be used. |
+| test_cryptography.py:22:13:22:58 | ControlFlowNode for Attribute() | The block mode ECB is broken or weak, and should not be used. |
--- a/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_cryptodome.py
+++ b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_cryptodome.py
@@ -1,5 +1,5 @@
 # snippet from python/ql/test/experimental/library-tests/frameworks/cryptodome/test_rc4.py
-from Cryptodome.Cipher import ARC4
+from Cryptodome.Cipher import ARC4, AES

 import os

@@ -11,3 +11,8 @@ cipher = ARC4.new(key)
 encrypted = cipher.encrypt(secret_message) # NOT OK

 print(secret_message, encrypted)
+
+cipher = AES.new(key, AES.MODE_ECB)
+encrypted = cipher.encrypt(secret_message) # NOT OK
+
+print(secret_message, encrypted)
--- a/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_cryptography.py
+++ b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_cryptography.py
@@ -1,5 +1,5 @@
 # snippet from python/ql/test/experimental/library-tests/frameworks/cryptography/test_rc4.py
-from cryptography.hazmat.primitives.ciphers import algorithms, Cipher
+from cryptography.hazmat.primitives.ciphers import algorithms, modes, Cipher
 import os

 key = os.urandom(256//8)
@@ -14,3 +14,12 @@ encrypted = encryptor.update(secret_message) # NOT OK
 encrypted += encryptor.finalize()

 print(secret_message, encrypted)
+
+algorithm = algorithms.AES(key)
+cipher = Cipher(algorithm, mode=modes.ECB())
+
+encryptor = cipher.encryptor()
+encrypted = encryptor.update(secret_message + b'\x80\x00') # NOT OK
+encrypted += encryptor.finalize()
+
+print(secret_message, encrypted)
--- a/python/ql/test/query-tests/Security/CWE-732-WeakFilePermissions/WeakFilePermissions.expected
+++ b/python/ql/test/query-tests/Security/CWE-732-WeakFilePermissions/WeakFilePermissions.expected
@@ -2,6 +2,5 @@
 | test.py:8:1:8:20 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to world writable. |
 | test.py:9:1:9:21 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to world writable. |
 | test.py:11:1:11:21 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to group readable. |
-| test.py:13:1:13:28 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to group writable. |
 | test.py:14:1:14:19 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to group writable. |
 | test.py:16:1:16:25 | ControlFlowNode for Attribute() | Overly permissive mask in open sets file to world readable. |
--- a/python/ql/test/query-tests/Security/CWE-732-WeakFilePermissions/options
+++ b/python/ql/test/query-tests/Security/CWE-732-WeakFilePermissions/options
@@ -1 +1 @@
-semmle-extractor-options: --max-import-depth=2 -p ../lib
+semmle-extractor-options: --max-import-depth=2 -p ../lib --lang=3
--- a/python/ql/test/query-tests/Statements/asserts/assert.py
+++ b/python/ql/test/query-tests/Statements/asserts/assert.py
@@ -61,8 +61,8 @@ def ok_assert_false(x):
    if x:
        assert 0==1, "Ok"

-class TestCase:
-    pass
+from unittest import TestCase
+

 class MyTest(TestCase):
    def test_ok_assert_in_test(self, x):
--- a/python/ql/test/query-tests/analysis/suppression/AlertSuppression.expected
+++ b/python/ql/test/query-tests/analysis/suppression/AlertSuppression.expected
@@ -21,6 +21,7 @@
 | test.py:36:21:36:33 | Comment # lgtm method |  lgtm method | lgtm | test.py:36:1:36:33 | suppression range |
 | test.py:39:4:39:8 | Comment #noqa | noqa | lgtm | test.py:39:1:39:8 | suppression range |
 | test.py:40:4:40:9 | Comment # noqa |  noqa | lgtm | test.py:40:1:40:9 | suppression range |
+| test.py:45:4:45:31 | Comment # noqa -- Some extra detail. |  noqa -- Some extra detail. | lgtm | test.py:45:1:45:31 | suppression range |
 | test.py:50:34:50:117 | Comment # noqa: E501; (line too long) pylint: disable=invalid-name; lgtm [py/missing-equals] |  noqa: E501; (line too long) pylint: disable=invalid-name; lgtm [py/missing-equals] | lgtm [py/missing-equals] | test.py:50:1:50:117 | suppression range |
 | test.py:52:4:52:67 | Comment # noqa: E501; (line too long) pylint: disable=invalid-name; lgtm |  noqa: E501; (line too long) pylint: disable=invalid-name; lgtm | lgtm | test.py:52:1:52:67 | suppression range |
 | test.py:53:4:53:78 | Comment # random nonsense lgtm [py/missing-equals] and then some more commentary... |  random nonsense lgtm [py/missing-equals] and then some more commentary... | lgtm [py/missing-equals] | test.py:53:1:53:78 | suppression range |
				`@@ -0,0 +1 @@`
				`\| pam_test.py:48:18:48:44 \| ControlFlowNode for pam_authenticate() \| This PAM authentication call may lead to an authorization bypass, since 'pam_acct_mgmt' is not called afterwards. \|`