hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-05 05:35:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Python: Expand tests for os.exec*, os.spawn*, and os.posix_spawn*

Browse Source
This commit is contained in:
Rasmus Wriedt Larsen
2021-11-29 11:35:09 +01:00
parent 50d3592ad3
commit 14590436f9
2 changed files with 40 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
python/ql/test/library-tests/frameworks/stdlib/FileSystemAccess.py
View File

@@ -206,14 +206,8 @@ os.setxattr(path="path", attribute="attribute", value="value") # $ MISSING: getA
os.add_dll_directory("path") # $ MISSING: getAPathArgument="path"
os.add_dll_directory(path="path") # $ MISSING: getAPathArgument="path"
# TODO: os.exec* calls all take a path as first argument
# TODO: os.spawn* calls all take a path as second argument
# TODO: os.posix_spawn calls
# TODO: Maybe these should not be considered a command injection sink?
# since `os.execlp("bash -c 'echo hello'", "bash")`
# raises exception: `FileNotFoundError: [Errno 2] No such file or directory`
# and you're not able to execute arbitrary commands, but change what file is being run.
# for `os.exec*`, `os.spawn*`, and `os.posix_spawn*` functions, see the
# `SystemCommandExecution.py` file.
# Windows only
os.startfile("path") # $ MISSING: getAPathArgument="path"

57
python/ql/test/library-tests/frameworks/stdlib/SystemCommandExecution.py
View File

@@ -34,33 +34,52 @@ def os_members():
# VS Code extension will ignore rest of program if encountering one of these, which we
# don't want. We could use `if False`, but just to be 100% sure we don't do anything too
# clever in our analysis that discards that code, I used `if UNKNOWN` instead
#
# below, `path` is an relative/absolute path, for the `p` variants this could also be
# the name of a executable, which will be looked up in the PATH environment variable,
# which we call `file` to highlight this difference.
#
# These are also modeled as FileSystemAccess, although they are not super relevant for
# the path-injection query -- a user being able to control which program is executed
# doesn't sound safe even if that is restricted to be within a certain directory.
if UNKNOWN:
env = {"FOO": "foo"}
os.execl("executable", "<progname>", "arg0") # $getCommand="executable"
os.execle("executable", "<progname>", "arg0", env) # $getCommand="executable"
os.execlp("executable", "<progname>", "arg0") # $getCommand="executable"
os.execlpe("executable", "<progname>", "arg0", env) # $getCommand="executable"
os.execv("executable", ["<progname>", "arg0"]) # $getCommand="executable"
os.execve("executable", ["<progname>", "arg0"], env) # $getCommand="executable"
os.execvp("executable", ["<progname>", "arg0"]) # $getCommand="executable"
os.execvpe("executable", ["<progname>", "arg0"], env) # $getCommand="executable"
os.execl("path", "<progname>", "arg0") # $ getCommand="path" MISSING: getAPathArgument="path"
os.execle("path", "<progname>", "arg0", env) # $ getCommand="path" MISSING: getAPathArgument="path"
os.execlp("file", "<progname>", "arg0") # $ getCommand="file" MISSING: getAPathArgument="file"
os.execlpe("file", "<progname>", "arg0", env) # $ getCommand="file" MISSING: getAPathArgument="file"
os.execv("path", ["<progname>", "arg0"]) # $ getCommand="path" MISSING: getAPathArgument="path"
os.execve("path", ["<progname>", "arg0"], env) # $ getCommand="path" MISSING: getAPathArgument="path"
os.execvp("file", ["<progname>", "arg0"]) # $ getCommand="file" MISSING: getAPathArgument="file"
os.execvpe("file", ["<progname>", "arg0"], env) # $ getCommand="file" MISSING: getAPathArgument="file"
########################################
# https://docs.python.org/3.8/library/os.html#os.spawnl
env = {"FOO": "foo"}
os.spawnl(os.P_WAIT, "executable", "<progname>", "arg0") # $getCommand="executable"
os.spawnle(os.P_WAIT, "executable", "<progname>", "arg0", env) # $getCommand="executable"
os.spawnlp(os.P_WAIT, "executable", "<progname>", "arg0") # $getCommand="executable"
os.spawnlpe(os.P_WAIT, "executable", "<progname>", "arg0", env) # $getCommand="executable"
os.spawnv(os.P_WAIT, "executable", ["<progname>", "arg0"]) # $getCommand="executable"
os.spawnve(os.P_WAIT, "executable", ["<progname>", "arg0"], env) # $getCommand="executable"
os.spawnvp(os.P_WAIT, "executable", ["<progname>", "arg0"]) # $getCommand="executable"
os.spawnvpe(os.P_WAIT, "executable", ["<progname>", "arg0"], env) # $getCommand="executable"
os.spawnl(os.P_WAIT, "path", "<progname>", "arg0") # $ getCommand="path" MISSING: getAPathArgument="path"
os.spawnle(os.P_WAIT, "path", "<progname>", "arg0", env) # $ getCommand="path" MISSING: getAPathArgument="path"
os.spawnlp(os.P_WAIT, "file", "<progname>", "arg0") # $ getCommand="file" MISSING: getAPathArgument="file"
os.spawnlpe(os.P_WAIT, "file", "<progname>", "arg0", env) # $ getCommand="file" MISSING: getAPathArgument="file"
os.spawnv(os.P_WAIT, "path", ["<progname>", "arg0"]) # $ getCommand="path" MISSING: getAPathArgument="path"
os.spawnve(os.P_WAIT, "path", ["<progname>", "arg0"], env) # $ getCommand="path" MISSING: getAPathArgument="path"
os.spawnvp(os.P_WAIT, "file", ["<progname>", "arg0"]) # $ getCommand="file" MISSING: getAPathArgument="file"
os.spawnvpe(os.P_WAIT, "file", ["<progname>", "arg0"], env) # $ getCommand="file" MISSING: getAPathArgument="file"
# Added in Python 3.8
os.posix_spawn("executable", ["<progname>", "arg0"], env) # $getCommand="executable"
os.posix_spawnp("executable", ["<progname>", "arg0"], env) # $getCommand="executable"
# unlike os.exec*, some os.spawn* functions is usable with keyword arguments. However,
# despite the docs using both `file` and `path` as the parameter name, you actually need
# to use `file` in all cases.
os.spawnv(mode=os.P_WAIT, file="path", args=["<progname>", "arg0"]) # $ MISSING: getCommand="path" getAPathArgument="path"
os.spawnve(mode=os.P_WAIT, file="path", args=["<progname>", "arg0"], env=env) # $ MISSING: getCommand="path" getAPathArgument="path"
os.spawnvp(mode=os.P_WAIT, file="file", args=["<progname>", "arg0"]) # $ MISSING: getCommand="file" getAPathArgument="file"
os.spawnvpe(mode=os.P_WAIT, file="file", args=["<progname>", "arg0"], env=env) # $ MISSING: getCommand="file" getAPathArgument="file"
# `posix_spawn` Added in Python 3.8
os.posix_spawn("path", ["<progname>", "arg0"], env) # $ getCommand="path" MISSING: getAPathArgument="path"
os.posix_spawn(path="path", argv=["<progname>", "arg0"], env=env) # $ MISSING: getCommand="path" getAPathArgument="path"
os.posix_spawnp("path", ["<progname>", "arg0"], env) # $ getCommand="path" MISSING: getAPathArgument="path"
os.posix_spawnp(path="path", argv=["<progname>", "arg0"], env=env) # $ MISSING: getCommand="path" getAPathArgument="path"
########################################