hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Python: unsafe -> mayExecuteInput

Browse Source
This commit is contained in:
Rasmus Lerchedahl Petersen
2020-10-15 12:56:29 +02:00
parent 00566f0eee
commit 172e058438
9 changed files with 16 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
python/ql/src/experimental/Security-new-dataflow/CWE-502/UnsafeDeserialization.ql
View File

@@ -25,7 +25,7 @@ class UnsafeDeserializationConfiguration extends TaintTracking::Configuration {
override predicate isSink(DataFlow::Node sink) {
exists(Decoding d |
d.unsafe() and
d.mayExecuteInput() and
sink = d.getAnInput()
)
}

8
python/ql/src/experimental/semmle/python/Concepts.qll
View File

@@ -56,8 +56,8 @@ class Decoding extends DataFlow::Node {
Decoding() { this = range }
/** Holds if this call is unsafe, e.g. if it may execute arbitrary code. */
predicate unsafe() { range.unsafe() }
/** Holds if this call may execute code embedded in its input. */
predicate mayExecuteInput() { range.mayExecuteInput() }
/** Gets an input that is decoded by this function. */
DataFlow::Node getAnInput() { result = range.getAnInput() }
@@ -83,8 +83,8 @@ module Decoding {
* extend `Decoding` instead.
*/
abstract class Range extends DataFlow::Node {
/** Holds if this call is unsafe, e.g. if it may execute arbitrary code. */
abstract predicate unsafe();
/** Holds if this call may execute code embedded in its input. */
abstract predicate mayExecuteInput();
/** Gets an input that is decoded by this function. */
abstract DataFlow::Node getAnInput();

2
python/ql/src/experimental/semmle/python/frameworks/Dill.qll
View File

@@ -46,7 +46,7 @@ private module Dill {
private class DillLoadsCall extends Decoding::Range {
DillLoadsCall() { this.asCfgNode().(CallNode).getFunction() = Dill::dill::loads().asCfgNode() }
override predicate unsafe() { any() }
override predicate mayExecuteInput() { any() }
override DataFlow::Node getAnInput() {
result.asCfgNode() = this.asCfgNode().(CallNode).getArg(0)

4
python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
View File

@@ -365,7 +365,7 @@ private module Stdlib {
MarshalLoadsCall() { node.getFunction() = marshal::loads().asCfgNode() }
override predicate unsafe() { any() }
override predicate mayExecuteInput() { any() }
override DataFlow::Node getAnInput() { result.asCfgNode() = node.getArg(0) }
@@ -416,7 +416,7 @@ private module Stdlib {
PickleLoadsCall() { node.getFunction() = pickle::loads().asCfgNode() }
override predicate unsafe() { any() }
override predicate mayExecuteInput() { any() }
override DataFlow::Node getAnInput() { result.asCfgNode() = node.getArg(0) }

2
python/ql/src/experimental/semmle/python/frameworks/Yaml.qll
View File

@@ -83,7 +83,7 @@ private class YamlLoadCall extends Decoding::Range, DataFlow::CfgNode {
* Until 6.0 is released, we will mark `yaml.load` as possibly leading to arbitrary code execution.
* See https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation for more details.
*/
override predicate unsafe() {
override predicate mayExecuteInput() {
// If the `Loader` is not set to either `SafeLoader` or `BaseLoader` or not set at all,
// then the default loader will be used, which is not safe.
not node.getArgByName("Loader") =