hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-05 13:45:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add Unicode Bypass Validation query tests and help

Browse Source
This commit is contained in:
Sim4n6
2023-05-02 15:09:16 +01:00
parent 2e5a04854e
commit 1fa1a4e268
9 changed files with 225 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
python/ql/test/experimental/query-tests/Security/CWE-176/UnicodeBypassValidation.expected Normal file
View File

@@ -0,0 +1,31 @@
edges
| samples.py:0:0:0:0 | ModuleVariableNode for samples.request | samples.py:9:25:9:31 | ControlFlowNode for request |
| samples.py:0:0:0:0 | ModuleVariableNode for samples.request | samples.py:16:25:16:31 | ControlFlowNode for request |
| samples.py:2:26:2:32 | ControlFlowNode for ImportMember | samples.py:2:26:2:32 | GSSA Variable request |
| samples.py:2:26:2:32 | GSSA Variable request | samples.py:0:0:0:0 | ModuleVariableNode for samples.request |
| samples.py:9:18:9:47 | ControlFlowNode for escape() | samples.py:10:59:10:68 | ControlFlowNode for user_input |
| samples.py:9:25:9:31 | ControlFlowNode for request | samples.py:9:25:9:36 | ControlFlowNode for Attribute |
| samples.py:9:25:9:36 | ControlFlowNode for Attribute | samples.py:9:25:9:46 | ControlFlowNode for Attribute() |
| samples.py:9:25:9:46 | ControlFlowNode for Attribute() | samples.py:9:18:9:47 | ControlFlowNode for escape() |
| samples.py:16:18:16:47 | ControlFlowNode for escape() | samples.py:20:62:20:71 | ControlFlowNode for user_input |
| samples.py:16:25:16:31 | ControlFlowNode for request | samples.py:16:25:16:36 | ControlFlowNode for Attribute |
| samples.py:16:25:16:36 | ControlFlowNode for Attribute | samples.py:16:25:16:46 | ControlFlowNode for Attribute() |
| samples.py:16:25:16:46 | ControlFlowNode for Attribute() | samples.py:16:18:16:47 | ControlFlowNode for escape() |
nodes
| samples.py:0:0:0:0 | ModuleVariableNode for samples.request | semmle.label | ModuleVariableNode for samples.request |
| samples.py:2:26:2:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
| samples.py:2:26:2:32 | GSSA Variable request | semmle.label | GSSA Variable request |
| samples.py:9:18:9:47 | ControlFlowNode for escape() | semmle.label | ControlFlowNode for escape() |
| samples.py:9:25:9:31 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| samples.py:9:25:9:36 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| samples.py:9:25:9:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| samples.py:10:59:10:68 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input |
| samples.py:16:18:16:47 | ControlFlowNode for escape() | semmle.label | ControlFlowNode for escape() |
| samples.py:16:25:16:31 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| samples.py:16:25:16:36 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| samples.py:16:25:16:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| samples.py:20:62:20:71 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input |
subpaths
#select
| samples.py:10:59:10:68 | ControlFlowNode for user_input | samples.py:2:26:2:32 | ControlFlowNode for ImportMember | samples.py:10:59:10:68 | ControlFlowNode for user_input | This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters. | samples.py:10:59:10:68 | ControlFlowNode for user_input | Unicode transformation (Unicode normalization) | samples.py:2:26:2:32 | ControlFlowNode for ImportMember | remote user-controlled data |
| samples.py:20:62:20:71 | ControlFlowNode for user_input | samples.py:2:26:2:32 | ControlFlowNode for ImportMember | samples.py:20:62:20:71 | ControlFlowNode for user_input | This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters. | samples.py:20:62:20:71 | ControlFlowNode for user_input | Unicode transformation (Unicode normalization) | samples.py:2:26:2:32 | ControlFlowNode for ImportMember | remote user-controlled data |

1
python/ql/test/experimental/query-tests/Security/CWE-176/UnicodeBypassValidation.qlref Normal file
View File

@@ -0,0 +1 @@
experimental/Security/CWE-176/UnicodeBypassValidation.ql

30
python/ql/test/experimental/query-tests/Security/CWE-176/samples.py Normal file
View File

@@ -0,0 +1,30 @@
import unicodedata
from flask import Flask, request, escape, render_template
app = Flask(__name__)
@app.route("/unsafe1")
def unsafe1():
user_input = escape(request.args.get("ui"))
normalized_user_input = unicodedata.normalize("NFKC", user_input) # $result=BAD
return render_template("result.html", normalized_user_input=normalized_user_input)
@app.route("/unsafe2")
def unsafe1bis():
user_input = escape(request.args.get("ui"))
if user_input.isascii():
normalized_user_input = user_input
else:
normalized_user_input = unicodedata.normalize("NFC", user_input) # $result=BAD
return render_template("result.html", normalized_user_input=normalized_user_input)
@app.route("/safe1")
def safe1():
normalized_user_input = unicodedata.normalize(
"NFKC", request.args.get("ui")
) # $result=OK
user_input = escape(normalized_user_input)
return render_template("result.html", normalized_user_input=user_input)