hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 11:16:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Python: slightly improve tarslip logic

Browse Source
This commit is contained in:
Rasmus Lerchedahl Petersen
2023-12-08 17:18:25 +01:00
parent 1087087acb
commit 2539e2ec1a
1 changed files with 4 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
python/ql/lib/semmle/python/security/dataflow/TarSlipCustomizations.qll
View File

@@ -84,26 +84,19 @@ module TarSlip {
* A sink capturing method calls to `extractall`.
*
* For a call to `file.extractall`, `file` is considered a sink if
*
* - there are no other arguments, or
* - there are other arguments (except `members`), and the extraction filter is unsafe.
* there is no `members` argument and the extraction filter is unsafe.
*/
class ExtractAllSink extends Sink {
ExtractAllSink() {
exists(DataFlow::CallCfgNode call |
exists(API::CallNode call |
call =
API::moduleImport("tarfile")
.getMember("open")
.getReturn()
.getMember("extractall")
.getACall() and
(
not exists(call.getArg(_)) and
not exists(call.getArgByName(_))
or
hasUnsafeFilter(call)
) and
not exists(call.getArgByName("members")) and
hasUnsafeFilter(call) and
not exists(call.getParameter(2, "members")) and
this = call.(DataFlow::MethodCallNode).getObject()
)
}