Merge pull request #13781 from maikypedia/maikypedia/python-unsafe-deserialization

Python: Add unsafe deserialization sinks (CWE-502)

python/ql/test/library-tests/frameworks/joblib/ConceptsTest.expected

@@ -0,0 +1,2 @@
+failures
+testFailures

python/ql/test/library-tests/frameworks/joblib/ConceptsTest.ql

@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest

python/ql/test/library-tests/frameworks/joblib/Decoding.py

@@ -0,0 +1,4 @@
+import joblib
+
+joblib.load(file_)  # $ decodeInput=file_ decodeOutput=joblib.load(..) decodeFormat=joblib decodeMayExecuteInput
+joblib.load(filename=file_)  # $ decodeInput=file_ decodeOutput=joblib.load(..) decodeFormat=joblib decodeMayExecuteInput

python/ql/test/library-tests/frameworks/numpy/ConceptsTest.expected

@@ -0,0 +1,2 @@
+failures
+testFailures

python/ql/test/library-tests/frameworks/numpy/ConceptsTest.ql

@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest

python/ql/test/library-tests/frameworks/numpy/Decoding.py

@@ -0,0 +1,6 @@
+import numpy
+
+numpy.load(file_)  # $ decodeInput=file_ decodeOutput=numpy.load(..) decodeFormat=numpy
+numpy.load(filename=file_)  # $ decodeInput=file_ decodeOutput=numpy.load(..) decodeFormat=numpy
+numpy.load(file_, allow_pickle=True)  # $ decodeInput=file_ decodeOutput=numpy.load(..) decodeFormat=numpy decodeFormat=pickle decodeMayExecuteInput
+numpy.load(file_, None, True)  # $ decodeInput=file_ decodeOutput=numpy.load(..) decodeFormat=numpy decodeFormat=pickle decodeMayExecuteInput

python/ql/test/library-tests/frameworks/pandas/ConceptsTest.expected

@@ -0,0 +1,2 @@
+failures
+testFailures

python/ql/test/library-tests/frameworks/pandas/ConceptsTest.ql

@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest

python/ql/test/library-tests/frameworks/pandas/Decoding.py

@@ -0,0 +1,4 @@
+import pandas
+
+pandas.read_pickle(file_)  # $ decodeInput=file_ decodeOutput=pandas.read_pickle(..) decodeFormat=pickle decodeMayExecuteInput
+pandas.read_pickle(filepath_or_buffer=file_)  # $ decodeInput=file_ decodeOutput=pandas.read_pickle(..) decodeFormat=pickle decodeMayExecuteInput

python/ql/test/query-tests/Security/CWE-502-UnsafeDeserialization/UnsafeDeserialization.expected

@@ -5,6 +5,7 @@ edges
 | unsafe_deserialization.py:14:5:14:11 | SSA variable payload | unsafe_deserialization.py:16:15:16:21 | ControlFlowNode for payload |
 | unsafe_deserialization.py:14:5:14:11 | SSA variable payload | unsafe_deserialization.py:18:19:18:25 | ControlFlowNode for payload |
 | unsafe_deserialization.py:14:5:14:11 | SSA variable payload | unsafe_deserialization.py:21:16:21:22 | ControlFlowNode for payload |
+| unsafe_deserialization.py:14:5:14:11 | SSA variable payload | unsafe_deserialization.py:24:24:24:30 | ControlFlowNode for payload |
 | unsafe_deserialization.py:14:15:14:21 | ControlFlowNode for request | unsafe_deserialization.py:14:15:14:26 | ControlFlowNode for Attribute |
 | unsafe_deserialization.py:14:15:14:26 | ControlFlowNode for Attribute | unsafe_deserialization.py:14:15:14:41 | ControlFlowNode for Attribute() |
 | unsafe_deserialization.py:14:15:14:41 | ControlFlowNode for Attribute() | unsafe_deserialization.py:14:5:14:11 | SSA variable payload |
@@ -19,9 +20,11 @@ nodes
 | unsafe_deserialization.py:16:15:16:21 | ControlFlowNode for payload | semmle.label | ControlFlowNode for payload |
 | unsafe_deserialization.py:18:19:18:25 | ControlFlowNode for payload | semmle.label | ControlFlowNode for payload |
 | unsafe_deserialization.py:21:16:21:22 | ControlFlowNode for payload | semmle.label | ControlFlowNode for payload |
+| unsafe_deserialization.py:24:24:24:30 | ControlFlowNode for payload | semmle.label | ControlFlowNode for payload |
 subpaths
 #select
 | unsafe_deserialization.py:15:18:15:24 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:15:18:15:24 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value |
 | unsafe_deserialization.py:16:15:16:21 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:16:15:16:21 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value |
 | unsafe_deserialization.py:18:19:18:25 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:18:19:18:25 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value |
 | unsafe_deserialization.py:21:16:21:22 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:21:16:21:22 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value |
+| unsafe_deserialization.py:24:24:24:30 | ControlFlowNode for payload | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | unsafe_deserialization.py:24:24:24:30 | ControlFlowNode for payload | Unsafe deserialization depends on a $@. | unsafe_deserialization.py:8:26:8:32 | ControlFlowNode for ImportMember | user-provided value |

python/ql/test/query-tests/Security/CWE-502-UnsafeDeserialization/unsafe_deserialization.py

@@ -19,3 +19,6 @@ def hello():
 
     import dill
     dill.loads(payload) # NOT OK
+
+    import pandas
+    pandas.read_pickle(payload) # NOT OK