hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-22 03:36:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add Unicode Bypass Validation query tests and help

Browse Source
This commit is contained in:
Sim4n6
2023-05-02 15:09:16 +01:00
parent 2e5a04854e
commit 1fa1a4e268
9 changed files with 225 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
python/ql/lib/semmle/python/security/dataflow/UnicodeBypassValidationCustomizations.qll Normal file
View File

@@ -0,0 +1,30 @@
/**
* Provides default sources, sinks and sanitizers for detecting
* "Unicode transformation"
* vulnerabilities, as well as extension points for adding your own.
*/
private import python
private import semmle.python.dataflow.new.DataFlow
/**
* Provides default sources, sinks and sanitizers for detecting
* "Unicode transformation"
* vulnerabilities, as well as extension points for adding your own.
*/
module UnicodeBypassValidation {
/**
* A data flow source for "Unicode transformation" vulnerabilities.
*/
abstract class Source extends DataFlow::Node { }
/**
* A data flow sink for "Unicode transformation" vulnerabilities.
*/
abstract class Sink extends DataFlow::Node { }
/**
* A sanitizer for "Unicode transformation" vulnerabilities.
*/
abstract class Sanitizer extends DataFlow::Node { }
}

62
python/ql/lib/semmle/python/security/dataflow/UnicodeBypassValidationQuery.qll Normal file
View File

@@ -0,0 +1,62 @@
/**
* Provides a taint-tracking configuration for detecting "Unicode transformation mishandling" vulnerabilities.
*/
private import python
import semmle.python.ApiGraphs
import semmle.python.Concepts
import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.internal.DataFlowPublic
import semmle.python.dataflow.new.TaintTracking
import semmle.python.dataflow.new.internal.TaintTrackingPrivate
import semmle.python.dataflow.new.RemoteFlowSources
import UnicodeBypassValidationCustomizations::UnicodeBypassValidation
/** A state signifying that a logical validation has not been performed. */
class PreValidation extends DataFlow::FlowState {
PreValidation() { this = "PreValidation" }
}
/** A state signifying that a logical validation has been performed. */
class PostValidation extends DataFlow::FlowState {
PostValidation() { this = "PostValidation" }
}
/**
* A taint-tracking configuration for detecting "Unicode transformation mishandling" vulnerabilities.
*
* This configuration uses two flow states, `PreValidation` and `PostValidation`,
* to track the requirement that a logical validation has been performed before the Unicode Transformation.
*/
class Configuration extends TaintTracking::Configuration {
Configuration() { this = "UnicodeBypassValidation" }
override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
source instanceof RemoteFlowSource and state instanceof PreValidation
}
override predicate isAdditionalTaintStep(
DataFlow::Node nodeFrom, DataFlow::FlowState stateFrom, DataFlow::Node nodeTo,
DataFlow::FlowState stateTo
) {
(
exists(Escaping escaping | nodeFrom = escaping.getAnInput() and nodeTo = escaping.getOutput())
or
exists(RegexExecution re | nodeFrom = re.getString() and nodeTo = re)
or
stringManipulation(nodeFrom, nodeTo)
) and
stateFrom instanceof PreValidation and
stateTo instanceof PostValidation
}
/* A Unicode Tranformation (Unicode tranformation) is considered a sink when the algorithm used is either NFC or NFKC. */
override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
exists(API::CallNode cn |
cn = API::moduleImport("unicodedata").getMember("normalize").getACall() and
cn.getArg(0).asExpr().(Str).getS() = ["NFC", "NFKC"] and
sink = cn.getArg(1) and
state instanceof PostValidation
)
}
}

36
python/ql/src/experimental/Security/CWE-176/UnicodeBypassValidation.qhelp Normal file
View File

@@ -0,0 +1,36 @@
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
<qhelp>
<overview>
<p>Security checks bypass due to a Unicode transformation</p>
<p>
If ever a unicode tranformation is performed after some security checks or logical
validation, the
latter could be bypassed due to a potential Unicode characters collision.
The validation of concern are any character escaping, any regex validation or any string
verification.
</p>
<img src="./vulnerability-flow.png" alt="Security checks bypassed" />
</overview>
<recommendation>
<p> Perform a Unicode normalization before the logical validation. </p>
</recommendation>
<example>
<p> The following example showcases the bypass of all checks performed by <code>
flask.escape()</code> due to a post-unicode normalization.</p>
<p>For instance: the character U+FE64 (<code>﹤</code>) is not filtered-out by the flask
escape function. But due to the Unicode normalization, the character is transformed and
would become U+003C (<code> &lt; </code> ).</p>
<sample src="escape-bypass.py" />
</example>
<references>
<li> Research study: <a
href="https://gosecure.github.io/presentations/2021-02-unicode-owasp-toronto/philippe_arteau_owasp_unicode_v4.pdf">
Unicode vulnerabilities that could bYte you
</a> and <a
href="https://gosecure.github.io/unicode-pentester-cheatsheet/">Unicode pentest
cheatsheet</a>. </li>
</references>
</qhelp>

24
python/ql/src/experimental/Security/CWE-176/UnicodeBypassValidation.ql Normal file
View File

@@ -0,0 +1,24 @@
/**
* @name Bypass Logical Validation Using Unicode Characters
* @description A Unicode transformation is using a remote user-controlled data. The transformation is a Unicode normalization using the algorithms "NFC" or "NFKC". In all cases, the security measures implemented or the logical validation performed to escape any injection characters, to validate using regex patterns or to perform string-based checks, before the Unicode transformation are **bypassable** by special Unicode characters.
* @kind path-problem
* @id py/unicode-bypass-validation
* @precision high
* @problem.severity error
* @tags security
* experimental
* external/cwe/cwe-176
* external/cwe/cwe-179
* external/cwe/cwe-180
*/
import python
import semmle.python.security.dataflow.UnicodeBypassValidationQuery
import DataFlow::PathGraph
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
"This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters.",
sink.getNode(), "Unicode transformation (Unicode normalization)", source.getNode(),
"remote user-controlled data"

11
python/ql/src/experimental/Security/CWE-176/escape-bypass.py Normal file
View File

@@ -0,0 +1,11 @@
import unicodedata
from flask import Flask, request, escape, render_template
app = Flask(__name__)
@app.route("/unsafe1")
def unsafe1():
user_input = escape(request.args.get("ui"))
normalized_user_input = unicodedata.normalize("NFKC", user_input)
return render_template("result.html", normalized_user_input=normalized_user_input)

BIN
python/ql/src/experimental/Security/CWE-176/vulnerability-flow.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 37 KiB

31
python/ql/test/experimental/query-tests/Security/CWE-176/UnicodeBypassValidation.expected Normal file
View File

@@ -0,0 +1,31 @@
edges
| samples.py:0:0:0:0 | ModuleVariableNode for samples.request | samples.py:9:25:9:31 | ControlFlowNode for request |
| samples.py:0:0:0:0 | ModuleVariableNode for samples.request | samples.py:16:25:16:31 | ControlFlowNode for request |
| samples.py:2:26:2:32 | ControlFlowNode for ImportMember | samples.py:2:26:2:32 | GSSA Variable request |
| samples.py:2:26:2:32 | GSSA Variable request | samples.py:0:0:0:0 | ModuleVariableNode for samples.request |
| samples.py:9:18:9:47 | ControlFlowNode for escape() | samples.py:10:59:10:68 | ControlFlowNode for user_input |
| samples.py:9:25:9:31 | ControlFlowNode for request | samples.py:9:25:9:36 | ControlFlowNode for Attribute |
| samples.py:9:25:9:36 | ControlFlowNode for Attribute | samples.py:9:25:9:46 | ControlFlowNode for Attribute() |
| samples.py:9:25:9:46 | ControlFlowNode for Attribute() | samples.py:9:18:9:47 | ControlFlowNode for escape() |
| samples.py:16:18:16:47 | ControlFlowNode for escape() | samples.py:20:62:20:71 | ControlFlowNode for user_input |
| samples.py:16:25:16:31 | ControlFlowNode for request | samples.py:16:25:16:36 | ControlFlowNode for Attribute |
| samples.py:16:25:16:36 | ControlFlowNode for Attribute | samples.py:16:25:16:46 | ControlFlowNode for Attribute() |
| samples.py:16:25:16:46 | ControlFlowNode for Attribute() | samples.py:16:18:16:47 | ControlFlowNode for escape() |
nodes
| samples.py:0:0:0:0 | ModuleVariableNode for samples.request | semmle.label | ModuleVariableNode for samples.request |
| samples.py:2:26:2:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
| samples.py:2:26:2:32 | GSSA Variable request | semmle.label | GSSA Variable request |
| samples.py:9:18:9:47 | ControlFlowNode for escape() | semmle.label | ControlFlowNode for escape() |
| samples.py:9:25:9:31 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| samples.py:9:25:9:36 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| samples.py:9:25:9:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| samples.py:10:59:10:68 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input |
| samples.py:16:18:16:47 | ControlFlowNode for escape() | semmle.label | ControlFlowNode for escape() |
| samples.py:16:25:16:31 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| samples.py:16:25:16:36 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| samples.py:16:25:16:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| samples.py:20:62:20:71 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input |
subpaths
#select
| samples.py:10:59:10:68 | ControlFlowNode for user_input | samples.py:2:26:2:32 | ControlFlowNode for ImportMember | samples.py:10:59:10:68 | ControlFlowNode for user_input | This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters. | samples.py:10:59:10:68 | ControlFlowNode for user_input | Unicode transformation (Unicode normalization) | samples.py:2:26:2:32 | ControlFlowNode for ImportMember | remote user-controlled data |
| samples.py:20:62:20:71 | ControlFlowNode for user_input | samples.py:2:26:2:32 | ControlFlowNode for ImportMember | samples.py:20:62:20:71 | ControlFlowNode for user_input | This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters. | samples.py:20:62:20:71 | ControlFlowNode for user_input | Unicode transformation (Unicode normalization) | samples.py:2:26:2:32 | ControlFlowNode for ImportMember | remote user-controlled data |

1
python/ql/test/experimental/query-tests/Security/CWE-176/UnicodeBypassValidation.qlref Normal file
View File

@@ -0,0 +1 @@
experimental/Security/CWE-176/UnicodeBypassValidation.ql

30
python/ql/test/experimental/query-tests/Security/CWE-176/samples.py Normal file
View File

@@ -0,0 +1,30 @@
import unicodedata
from flask import Flask, request, escape, render_template
app = Flask(__name__)
@app.route("/unsafe1")
def unsafe1():
user_input = escape(request.args.get("ui"))
normalized_user_input = unicodedata.normalize("NFKC", user_input) # $result=BAD
return render_template("result.html", normalized_user_input=normalized_user_input)
@app.route("/unsafe2")
def unsafe1bis():
user_input = escape(request.args.get("ui"))
if user_input.isascii():
normalized_user_input = user_input
else:
normalized_user_input = unicodedata.normalize("NFC", user_input) # $result=BAD
return render_template("result.html", normalized_user_input=normalized_user_input)
@app.route("/safe1")
def safe1():
normalized_user_input = unicodedata.normalize(
"NFKC", request.args.get("ui")
) # $result=OK
user_input = escape(normalized_user_input)
return render_template("result.html", normalized_user_input=user_input)