Python: Move isNetworkBind check into isSink

Taus
2026-03-27 22:44:39 +00:00
parent 4f74d421b9
commit 187f7c7bcf
2 changed files with 6 additions and 15 deletions


@@ -34,7 +34,11 @@ private module BindToAllInterfacesConfig implements DataFlow::ConfigSig {
}
predicate isSink(DataFlow::Node sink) {
ModelOutput::sinkNode(sink, "bind-socket-all-interfaces")
ModelOutput::sinkNode(sink, "bind-socket-all-interfaces") and
// Network socket addresses are tuples like (host, port), so we require
// the bind() argument to originate from a tuple expression. This excludes
// AF_UNIX sockets, which pass a plain string path to bind().
any(DataFlow::LocalSourceNode n | n.asExpr() instanceof Tuple).flowsTo(sink)
}
}
@@ -42,20 +46,8 @@ private module BindToAllInterfacesFlow = TaintTracking::Global<BindToAllInterfac
private import BindToAllInterfacesFlow
/**
* Holds if `sink` is the address argument of a `bind()` call on a
* network socket (AF_INET or AF_INET6), as opposed to a Unix domain
* socket (AF_UNIX) which takes a plain string path.
*
* Network socket addresses are tuples like `(host, port)`, so we check
* that the sink argument is a tuple, by looking for flow from a tuple expression.
*/
private predicate isNetworkBind(DataFlow::Node sink) {
any(DataFlow::LocalSourceNode n | n.asExpr() instanceof Tuple).flowsTo(sink)
}
from PathNode source, PathNode sink
where flowPath(source, sink) and isNetworkBind(sink.getNode())
where flowPath(source, sink)
select sink.getNode(), source, sink,
"Binding a socket to all interfaces (using $@) is a security risk.", source.getNode(),
"'" + source.getNode().asExpr().(StringLiteral).getText() + "'"
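Review bot: The tuple requirement now in `isSink` relies on `LocalSourceNode.flowsTo`, which follows local flow only, so a `bind()` call is kept as a sink only when the address tuple is written in the same scope as the call. An address defined elsewhere, for example a module-level `ADDR = ("0.0.0.0", 8080)` that a function later passes to `bind(ADDR)`, or a tuple received as a parameter, would presumably no longer count as a sink, and the query would stay silent on a real all-interfaces bind. The commit carries this limit over from the removed `isNetworkBind` rather than introducing it, but the new comment reads as if any tuple origin is enough. I would add a line such as `// Note: this is local flow only; a tuple built in another scope is not recognised (possible false negatives).` and a test case that pins the module-level-constant behaviour. The configuration module starts above the hunk, so `isSource` was not visible for this review.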


@@ -60,5 +60,4 @@ nodes
| BindToAllInterfaces_test.py:53:10:53:25 | ControlFlowNode for Tuple | semmle.label | ControlFlowNode for Tuple |
| BindToAllInterfaces_test.py:58:10:58:18 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral |
| BindToAllInterfaces_test.py:58:10:58:25 | ControlFlowNode for Tuple | semmle.label | ControlFlowNode for Tuple |
| BindToAllInterfaces_test.py:62:9:62:10 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral |
subpaths