Constrain the object & the call

2025-12-17 17:23:36 +01:00 · 2023-01-27 15:07:20 +01:00
parent 18d8bbc9a4
commit 207ed3da9c
1 changed files with 11 additions and 28 deletions
--- a/python/ql/src/experimental/Security/UnsafeUnpackQuery.qll
+++ b/python/ql/src/experimental/Security/UnsafeUnpackQuery.qll
@@ -61,13 +61,6 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
  }

  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    // Reading the response
-    exists(MethodCallNode mc |
-      nodeFrom = mc.getObject() and
-      mc.getMethodName() = "read" and
-      nodeTo = mc
-    )
-    or
    // Open for access
    exists(MethodCallNode cn |
      nodeTo = cn.getObject() and
@@ -77,21 +70,20 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
    or
    // Write for access
    exists(MethodCallNode cn |
-      nodeFrom = cn.getObject() and
-      cn.getMethodName() = "write" and
+      cn.calls(nodeFrom, "write") and
      nodeTo = cn.getArg(0)
    )
    or
    // Retrieve Django uploaded files
-    // see HttpRequest.FILES.getlist(): https://docs.djangoproject.com/en/4.1/ref/request-response/#django.http.QueryDict.getlist
-    exists(MethodCallNode mc |
-      nodeFrom = mc.getObject() and
-      mc.getMethodName() = ["getlist", "get"] and
-      nodeTo = mc
-    )
+    // see getlist(): https://docs.djangoproject.com/en/4.1/ref/request-response/#django.http.QueryDict.getlist
+    // see chunks(): https://docs.djangoproject.com/en/4.1/ref/files/uploads/#django.core.files.uploadedfile.UploadedFile.chunks
+    nodeTo.(MethodCallNode).calls(nodeFrom, ["getlist", "get", "chunks"])
+    or
+    // Reading the response
+    nodeTo.(MethodCallNode).calls(nodeFrom, "read")
    or
    // Accessing the name or raw content
-    exists(AttrRead ar | ar.accesses(nodeFrom, ["name", "raw"]) and ar.flowsTo(nodeTo))
+    nodeTo.(AttrRead).accesses(nodeFrom, ["name", "raw"])
    or
    // Considering the use of "fs"
    exists(API::CallNode fs, MethodCallNode mcn |
@@ -109,21 +101,12 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
    )
    or
    //Use of join of filename
-    exists(API::CallNode mcn |
-      mcn = API::moduleImport("os").getMember("path").getMember("join").getACall() and
-      nodeFrom = mcn.getArg(1) and
-      mcn.flowsTo(nodeTo)
-    )
-    or
-    // Read by chunks
-    exists(MethodCallNode mc |
-      nodeFrom = mc.getObject() and mc.getMethodName() = "chunks" and mc.flowsTo(nodeTo)
-    )
+    nodeTo = API::moduleImport("os").getMember("path").getMember("join").getACall() and
+    nodeFrom = nodeTo.(API::CallNode).getArg(1)
    or
    // Write access
    exists(MethodCallNode cn |
-      nodeTo = cn.getObject() and
-      cn.getMethodName() = "write" and
+      cn.calls(nodeTo, "write") and
      nodeFrom = cn.getArg(0)
    )
    or