hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 11:16:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

cherrypy framework file system access Sinks are added

Browse Source
This commit is contained in:
amammad
2023-10-21 19:42:50 +02:00
parent ad2631202d
commit 1fe565a46f
2 changed files with 56 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
python/ql/lib/semmle/python/frameworks/Cherrypy.qll Normal file
View File

@@ -0,0 +1,48 @@
/**
* Provides classes modeling security-relevant aspects of the `cherrypy` PyPI package.
*/
private import python
private import semmle.python.dataflow.new.DataFlow
private import semmle.python.dataflow.new.RemoteFlowSources
private import semmle.python.dataflow.new.TaintTracking
private import semmle.python.Concepts
private import semmle.python.ApiGraphs
/**
* Provides models for the `cherrypy` PyPI package.
* See https://cherrypy.dev/.
*/
private module Cherrypy {
/**
* Holds for an instance of `cherrypy.lib.static`
*/
API::Node libStatic() {
result = API::moduleImport("cherrypy").getMember("lib").getMember("static")
}
/**
* A call to the `serve_file` or `serve_download`or `staticfile` functions of `cherrypy.lib.static` as a sink for Filesystem access.
*/
class FileResponseCall extends FileSystemAccess::Range, API::CallNode {
string funcName;
FileResponseCall() {
this = libStatic().getMember("staticfile").getACall() and
funcName = "staticfile"
or
this = libStatic().getMember("serve_file").getACall() and
funcName = "serve_file"
or
this = libStatic().getMember("serve_download").getACall() and
funcName = "serve_download"
}
override DataFlow::Node getAPathArgument() {
result = this.getParameter(0, "path").asSink() and funcName = ["serve_download", "serve_file"]
or
result = this.getParameter(0, "filename").asSink() and
funcName = "staticfile"
}
}
}

8
python/ql/test/library-tests/frameworks/FileSystemAccess/cherrypy.py Normal file
View File

@@ -0,0 +1,8 @@
import cherrypy
from cherrypy.lib.static import serve_file, serve_download, staticfile
serve_file("file") # $ getAPathArgument="file"
serve_download("file") # $ getAPathArgument="file"
staticfile("file") # $ getAPathArgument="file"
# root won't make this safe
staticfile("file", root="/path/to/safe/dir") # $ getAPathArgument="file"