Merge branch 'main' into bazookamusic/cwe-1427

python/ql/src/CHANGELOG.md

@@ -1,3 +1,15 @@
+## 1.8.4
+
+No user-facing changes.
+
+## 1.8.3
+
+No user-facing changes.
+
+## 1.8.2
+
+No user-facing changes.
+
 ## 1.8.1
 
 ### Minor Analysis Improvements

python/ql/src/Security/CWE-502/UnsafeDeserialization.qhelp

@@ -5,22 +5,32 @@
 <p>
 Deserializing untrusted data using any deserialization framework that
 allows the construction of arbitrary serializable objects is easily exploitable
-and in many cases allows an attacker to execute arbitrary code.  Even before a
+and in many cases allows an attacker to execute arbitrary code. Even before a
 deserialized object is returned to the caller of a deserialization method a lot
 of code may have been executed, including static initializers, constructors,
-and finalizers.  Automatic deserialization of fields means that an attacker may
+and finalizers. Automatic deserialization of fields means that an attacker may
 craft a nested combination of objects on which the executed initialization code
 may have unforeseen effects, such as the execution of arbitrary code.
 </p>
 <p>
-There are many different serialization frameworks.  This query currently
+There are many different serialization frameworks. This query currently
 supports Pickle, Marshal and Yaml.
 </p>
+<p>
+Note that a deserialization method is only dangerous if it can instantiate
+arbitrary classes. Serialization frameworks that use a schema to instantiate
+only expected, predefined types are generally not tracked by this query. Such
+frameworks are generally safe with respect to arbitrary-class-instantiation and
+gadget-chain attacks when the schema is trusted and does not permit
+user-controlled type resolution. However, care must be taken to ensure the schema
+strictly limits the allowed types. Permitting common standard library classes
+can still leave the application vulnerable to gadget-chain attacks.
+</p>
 </overview>
 
 <recommendation>
 <p>
-Avoid deserialization of untrusted data if at all possible.  If the
+Avoid deserialization of untrusted data if at all possible. If the
 architecture permits it then use other formats instead of serialized objects,
 for example JSON.
 </p>

python/ql/src/Variables/LoopVariableCapture/LoopVariableCaptureQuery.qll

@@ -61,10 +61,11 @@ module EscapingCaptureFlowConfig implements DataFlow::ConfigSig {
   predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet cs) {
     isSink(node) and
     (
-      cs.(DataFlow::TupleElementContent).getIndex() in [0 .. 10] or
-      cs instanceof DataFlow::ListElementContent or
-      cs instanceof DataFlow::SetElementContent or
-      cs instanceof DataFlow::DictionaryElementAnyContent
+      cs.isAnyTupleOrDictionaryElement()
+      or
+      cs.getAStoreContent() instanceof DataFlow::ListElementContent
+      or
+      cs.getAStoreContent() instanceof DataFlow::SetElementContent
     )
   }
 }

python/ql/src/change-notes/released/1.8.2.md

@@ -0,0 +1,3 @@
+## 1.8.2
+
+No user-facing changes.

python/ql/src/change-notes/released/1.8.3.md

@@ -0,0 +1,3 @@
+## 1.8.3
+
+No user-facing changes.

python/ql/src/change-notes/released/1.8.4.md

@@ -0,0 +1,3 @@
+## 1.8.4
+
+No user-facing changes.

python/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.8.1
+lastReleaseVersion: 1.8.4

python/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/python-queries
-version: 1.8.2-dev
+version: 1.8.5-dev
 groups:
   - python
   - queries