python: move log injection out of experimental

- move from custom concept `LogOutput` to standard concept `Logging` - remove `Log.qll` from experimental frameworks - fold models into standard models (naively for now) - stdlib: - make Logger module public - broaden definition of instance - add `extra` keyword as possible source - flak: add app.logger as logger instance - django: `add django.utils.log.request_logger` as logger instance (should we add the rest?) - remove LogOutput from experimental concepts
2025-12-21 19:26:31 +01:00 · 2022-01-25 10:15:15 +01:00
parent bb2feda8fb
commit 20d54543fd
16 changed files with 66 additions and 178 deletions
--- a/python/ql/lib/semmle/python/security/dataflow/LogInjection.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/LogInjection.qll
@@ -0,0 +1,24 @@
+import python
+import semmle.python.Concepts
+import semmle.python.Concepts
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import semmle.python.dataflow.new.RemoteFlowSources
+
+/**
+ * A taint-tracking configuration for tracking untrusted user input used in log entries.
+ */
+class LogInjectionFlowConfig extends TaintTracking::Configuration {
+  LogInjectionFlowConfig() { this = "LogInjectionFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink = any(Logging write).getAnInput() }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    exists(CallNode call |
+      node.asCfgNode() = call.getFunction().(AttrNode).getObject("replace") and
+      call.getArg(0).getNode().(StrConst).getText() in ["\r\n", "\n"]
+    )
+  }
+}