hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 11:16:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Python: slightly improve tarslip logic

Browse Source
This commit is contained in:
Rasmus Lerchedahl Petersen
2023-12-08 17:18:25 +01:00
parent 1087087acb
commit 2539e2ec1a
1 changed files with 4 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
python/ql/lib/semmle/python/security/dataflow/TarSlipCustomizations.qll
View File

@@ -84,26 +84,19 @@ module TarSlip {
* A sink capturing method calls to `extractall`. * A sink capturing method calls to `extractall`.
* *
* For a call to `file.extractall`, `file` is considered a sink if * For a call to `file.extractall`, `file` is considered a sink if
* * there is no `members` argument and the extraction filter is unsafe.
* - there are no other arguments, or
* - there are other arguments (except `members`), and the extraction filter is unsafe.
*/ */
class ExtractAllSink extends Sink { class ExtractAllSink extends Sink {
ExtractAllSink() { ExtractAllSink() {
exists(DataFlow::CallCfgNode call | exists(API::CallNode call |
call = call =
API::moduleImport("tarfile") API::moduleImport("tarfile")
.getMember("open") .getMember("open")
.getReturn() .getReturn()
.getMember("extractall") .getMember("extractall")
.getACall() and .getACall() and
( hasUnsafeFilter(call) and
not exists(call.getArg(_)) and not exists(call.getParameter(2, "members")) and
not exists(call.getArgByName(_))
or
hasUnsafeFilter(call)
) and
not exists(call.getArgByName("members")) and
this = call.(DataFlow::MethodCallNode).getObject() this = call.(DataFlow::MethodCallNode).getObject()
) )
} }