hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 01:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add some comments and docs

Browse Source
This commit is contained in:
Sim4n6
2024-02-13 04:31:07 +01:00
committed by yoff
parent 5cc9170249
commit 1f767b887e
1 changed files with 8 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql
View File

@@ -17,6 +17,8 @@ import semmle.python.dataflow.new.TaintTracking
import semmle.python.dataflow.new.internal.DataFlowPublic
import semmle.python.dataflow.new.RemoteFlowSources
// The Unicode compatibility normalization calls from unicodedata, unidecode, pyunormalize
// and textnorm modules. The use of argIdx is to constraint the argument being normalized.
class UnicodeCompatibilityNormalize extends API::CallNode {
int argIdx;
@@ -66,10 +68,12 @@ predicate underAValue(DataFlow::GuardNode g, ControlFlowNode node, boolean branc
exists(API::CallNode lenCall, Cmpop op_gt, Cmpop op_lt, Node n |
lenCall = n.getALocalSource() and
(
// arg <= LIMIT OR arg < LIMIT
(op_lt = any(LtE lte) or op_lt = any(Lt lt)) and
branch = true and
cn.operands(n.asCfgNode(), op_lt, _)
or
// LIMIT >= arg OR LIMIT > arg
(op_gt = any(GtE gte) or op_gt = any(Gt gt)) and
branch = true and
cn.operands(_, op_gt, n.asCfgNode())
@@ -88,12 +92,16 @@ class Configuration extends TaintTracking::Configuration {
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSanitizer(DataFlow::Node sanitizer) {
// underAValue is a check to ensure that the length of the user-provided value is limited to a certain amount
sanitizer = DataFlow::BarrierGuard<underAValue/3>::getABarrierNode()
}
override predicate isSink(DataFlow::Node sink) {
// Any call to the Unicode compatibility normalization is a costly operation
sink = any(UnicodeCompatibilityNormalize ucn).getPathArg()
or
// The call to secure_filename() from pallets/werkzeug uses the Unicode compatibility normalization
// under the hood, https://github.com/pallets/werkzeug/blob/d3dd65a27388fbd39d146caacf2563639ba622f0/src/werkzeug/utils.py#L218
sink = API::moduleImport("werkzeug").getMember("secure_filename").getACall().getArg(_)
or
sink =
@@ -102,7 +110,6 @@ class Configuration extends TaintTracking::Configuration {
.getMember("secure_filename")
.getACall()
.getArg(_)
}
}