Attempt to apply TaintTracking2

2025-12-20 10:46:30 +01:00 · 2021-03-31 18:49:41 +02:00
parent f0a50eb67a
commit 3a47a45e47
3 changed files with 24 additions and 9 deletions
--- a/python/ql/src/experimental/Security/CWE-943/NoSQLInjection.ql
+++ b/python/ql/src/experimental/Security/CWE-943/NoSQLInjection.ql
@@ -12,5 +12,8 @@

 import python
 import experimental.semmle.python.security.injection.NoSQLInjection
-import DataFlow::PathGraph
-// from, where, select statements
+
+// https://github.com/github/codeql/blob/e266cedc84cf73d01c9b2d4b0e4313e5d96755ba/python/ql/src/semmle/python/security/dataflow/PathInjection.qll#L103
+from CustomPathNode source, CustomPathNode sink
+where noSQLInjectionFlow(source, sink)
+select source, sink
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -62,7 +62,7 @@ private module NoSQL {
    override DataFlow::Node getQueryNode() { result = this.getArg(0) }
  }

-  // pending: look for more Sanitizer libs
+  // more sanitizer libs?
  private class MongoSanitizerCall extends DataFlow::CallCfgNode, NoSQLSanitizer::Range {
    MongoSanitizerCall() {
      this =
--- a/python/ql/src/experimental/semmle/python/security/injection/NoSQLInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/NoSQLInjection.qll
@@ -1,13 +1,14 @@
 import python
-import experimental.semmle.python.Concepts
 import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.DataFlow2
 import semmle.python.dataflow.new.TaintTracking
-// https://ghsecuritylab.slack.com/archives/CQJU6RN49/p1617022135088100
 import semmle.python.dataflow.new.TaintTracking2
+import experimental.semmle.python.Concepts
 import semmle.python.dataflow.new.RemoteFlowSources
 import semmle.python.ApiGraphs
+// temporary imports (change after query normalization)
+import semmle.python.security.dataflow.ChainedConfigs12

-// custom no-Concepts classes
 class JsonLoadsCall extends DataFlow::CallCfgNode {
  JsonLoadsCall() { this = API::moduleImport("json").getMember("loads").getACall() }

@@ -47,9 +48,9 @@ class NoSQLInjectionConfig extends TaintTracking::Configuration {
  }
 }

-// I hate the name ObjectBuilderFunctionConfig so this can be renamed
-class ObjectBuilderFunctionConfig extends TaintTracking2::Configuration {
-  ObjectBuilderFunctionConfig() { this = "ObjectBuilderFunctionConfig" }
+// better name?
+class FromJSONConfig extends TaintTracking2::Configuration {
+  FromJSONConfig() { this = "FromJSONConfig" }

  override predicate isSource(DataFlow::Node source) { source instanceof JSONRelatedSink }

@@ -61,3 +62,14 @@ class ObjectBuilderFunctionConfig extends TaintTracking2::Configuration {
    sanitizer = any(NoSQLSanitizer noSQLSanitizer).getSanitizerNode()
  }
 }
+
+predicate noSQLInjectionFlow(CustomPathNode source, CustomPathNode sink) {
+  exists(
+    FromJSONConfig config, DataFlow::PathNode mid1, DataFlow2::PathNode mid2,
+    NoSQLInjectionConfig config2
+  |
+    config.hasFlowPath(source.asNode1(), mid1) and
+    config2.hasFlowPath(mid2, sink.asNode2()) and
+    mid1.getNode().asCfgNode() = mid2.getNode().asCfgNode()
+  )
+}