Split into customizations file

Joe Farebrother
2024-03-27 13:41:55 +00:00
parent 6021d9238c
commit 25ffcb2fde
2 changed files with 54 additions and 8 deletions


@@ -0,0 +1,49 @@
/**
* Provides default sources, sinks, and sanitizers for detecting
* "HTTP Header injection" vulnerabilities, as well as extension
* points for adding your own.
*/
import python
private import semmle.python.Concepts
private import semmle.python.dataflow.new.DataFlow
private import semmle.python.dataflow.new.TaintTracking
private import semmle.python.dataflow.new.RemoteFlowSources
/**
* Provides default sources, sinks, and sanitizers for detecting
* "HTTP Header injection" vulnerabilities, as well as extension
* points for adding your own.
*/
module HttpHeaderInjection {
/**
* A data flow source for "HTTP Header injection" vulnerabilities.
*/
abstract class Source extends DataFlow::Node { }
/**
* A data flow sink for "HTTP Header injection" vulnerabilities.
*/
abstract class Sink extends DataFlow::Node { }
/**
* A data flow sanitizer for "HTTP Header injection" vulnerabilities.
*/
abstract class Sanitizer extends DataFlow::Node { }
/**
* A source of remote user input, considered as a flow source.
*/
class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
/**
* A HTTP header write, considered as a flow sink.
*/
class HeaderWriteAsSink extends Sink {
HeaderWriteAsSink() {
exists(Http::Server::ResponseHeaderWrite headerDeclaration |
this in [headerDeclaration.getNameArg(), headerDeclaration.getValueArg()]
)
}
}
}
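Review bot: `Sanitizer` is added as an abstract extension point with no concrete subclass in this file, so the `isBarrier` predicate wired up in the query configuration blocks nothing until someone adds a customization. Meanwhile `HeaderWriteAsSink` treats both `getNameArg()` and `getValueArg()` of every `Http::Server::ResponseHeaderWrite` as sinks. That presumably includes writes through framework APIs that already reject line breaks, which would surface as false positives. If this is deliberate for a split-only commit, record it in the QLDoc on `Sanitizer`, for example `* No sanitizers are modeled by default; subclass this to mark values that cannot carry CR/LF into a header.` A similar sentence on `HeaderWriteAsSink` stating that the sink does not distinguish newline-safe header APIs would tell triagers where to look first.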


@@ -3,22 +3,19 @@
*/ */
import python import python
private import semmle.python.Concepts
private import semmle.python.dataflow.new.DataFlow private import semmle.python.dataflow.new.DataFlow
private import semmle.python.dataflow.new.TaintTracking private import semmle.python.dataflow.new.TaintTracking
private import semmle.python.dataflow.new.RemoteFlowSources private import HttpHeaderInjectionCustomizations
/** /**
* A taint-tracking configuration for detecting HTTP Header injection vulnerabilities. * A taint-tracking configuration for detecting HTTP Header injection vulnerabilities.
*/ */
private module HeaderInjectionConfig implements DataFlow::ConfigSig { private module HeaderInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } predicate isSource(DataFlow::Node node) { node instanceof HttpHeaderInjection::Source }
predicate isSink(DataFlow::Node sink) { predicate isSink(DataFlow::Node node) { node instanceof HttpHeaderInjection::Sink }
exists(Http::Server::ResponseHeaderWrite headerDeclaration |
sink in [headerDeclaration.getNameArg(), headerDeclaration.getValueArg()] predicate isBarrier(DataFlow::Node node) { node instanceof HttpHeaderInjection::Sanitizer }
)
}
} }
/** Global taint-tracking for detecting "HTTP Header injection" vulnerabilities. */ /** Global taint-tracking for detecting "HTTP Header injection" vulnerabilities. */