Merge pull request #4735 from RasmusWL/python-untrusted-flow

Python: Untrusted data used in external APIs
This commit is contained in:
yoff
2020-12-18 00:15:08 +01:00
committed by GitHub
16 changed files with 446 additions and 18 deletions


@@ -0,0 +1 @@
| hmac.new [param 1] | 1 | 1 |


@@ -0,0 +1 @@
Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql


@@ -0,0 +1,7 @@
edges
| test.py:13:16:13:27 | ControlFlowNode for Attribute | test.py:15:36:15:39 | ControlFlowNode for data |
nodes
| test.py:13:16:13:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| test.py:15:36:15:39 | ControlFlowNode for data | semmle.label | ControlFlowNode for data |
#select
| test.py:15:36:15:39 | ControlFlowNode for data | test.py:13:16:13:27 | ControlFlowNode for Attribute | test.py:15:36:15:39 | ControlFlowNode for data | Call to hmac.new [param 1] with untrusted data from $@. | test.py:13:16:13:27 | ControlFlowNode for Attribute | ControlFlowNode for Attribute |


@@ -0,0 +1 @@
Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.ql


@@ -0,0 +1,37 @@
import hashlib
import hmac
import base64
from flask import Flask, request, make_response
app = Flask(__name__)
SECRET_KEY = b"SECRET_KEY"
@app.route("/hmac-example")
def hmac_example():
data_raw = request.args.get("data").encode('utf-8')
data = base64.decodebytes(data_raw)
my_hmac = hmac.new(SECRET_KEY, data, hashlib.sha256)
digest = my_hmac.digest()
print(digest)
return "ok"
@app.route("/unknown-lib-1")
def unknown_lib_1():
from unknown.lib import func
data = request.args.get("data")
func(data) # TODO: currently not recognized
@app.route("/unknown-lib-2")
def unknown_lib_2():
import unknown.lib
data = request.args.get("data")
unknown.lib.func(data) # TODO: currently not recognized
if __name__ == "__main__":
# http://127.0.0.1:5000/hmac-example?data=aGVsbG8gd29ybGQh
app.run(debug=True)
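Review bot: The test file carries no header stating which results the query is expected to produce, so a reader comparing it with the .expected output earlier in this commit (which lists only the `hmac.new [param 1]` flow) cannot tell whether the two unknown-lib routes are deliberate known false negatives or cases that were forgotten; a module docstring such as `"""Tests for UntrustedDataToExternalAPI: only the hmac.new call is expected to be reported; the unknown.lib routes are known false negatives (see the TODO comments)."""` would make that explicit. Separately, unknown_lib_1 and unknown_lib_2 end without a return value, which Flask rejects when a request actually reaches them; since the file is only analyzed that is harmless, but adding `return "ok"` to both keeps them consistent with hmac_example should the app ever be started through the `__main__` block. The handler bodies appear at column 0 in this rendering, which looks like a display artifact rather than part of the change.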