hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Attempt to apply TaintTracking2

Browse Source
This commit is contained in:
jorgectf
2021-03-31 18:49:41 +02:00
parent f0a50eb67a
commit 3a47a45e47
3 changed files with 24 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
python/ql/src/experimental/Security/CWE-943/NoSQLInjection.ql
View File

@@ -12,5 +12,8 @@
import python import python
import experimental.semmle.python.security.injection.NoSQLInjection import experimental.semmle.python.security.injection.NoSQLInjection
import DataFlow::PathGraph
// from, where, select statements // https://github.com/github/codeql/blob/e266cedc84cf73d01c9b2d4b0e4313e5d96755ba/python/ql/src/semmle/python/security/dataflow/PathInjection.qll#L103
from CustomPathNode source, CustomPathNode sink
where noSQLInjectionFlow(source, sink)
select source, sink

2
python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
View File

@@ -62,7 +62,7 @@ private module NoSQL {
override DataFlow::Node getQueryNode() { result = this.getArg(0) } override DataFlow::Node getQueryNode() { result = this.getArg(0) }
} }
// pending: look for more Sanitizer libs // more sanitizer libs?
private class MongoSanitizerCall extends DataFlow::CallCfgNode, NoSQLSanitizer::Range { private class MongoSanitizerCall extends DataFlow::CallCfgNode, NoSQLSanitizer::Range {
MongoSanitizerCall() { MongoSanitizerCall() {
this = this =

24
python/ql/src/experimental/semmle/python/security/injection/NoSQLInjection.qll
View File

@@ -1,13 +1,14 @@
import python import python
import experimental.semmle.python.Concepts
import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.DataFlow2
import semmle.python.dataflow.new.TaintTracking import semmle.python.dataflow.new.TaintTracking
// https://ghsecuritylab.slack.com/archives/CQJU6RN49/p1617022135088100
import semmle.python.dataflow.new.TaintTracking2 import semmle.python.dataflow.new.TaintTracking2
import experimental.semmle.python.Concepts
import semmle.python.dataflow.new.RemoteFlowSources import semmle.python.dataflow.new.RemoteFlowSources
import semmle.python.ApiGraphs import semmle.python.ApiGraphs
// temporary imports (change after query normalization)
import semmle.python.security.dataflow.ChainedConfigs12
// custom no-Concepts classes
class JsonLoadsCall extends DataFlow::CallCfgNode { class JsonLoadsCall extends DataFlow::CallCfgNode {
JsonLoadsCall() { this = API::moduleImport("json").getMember("loads").getACall() } JsonLoadsCall() { this = API::moduleImport("json").getMember("loads").getACall() }
@@ -47,9 +48,9 @@ class NoSQLInjectionConfig extends TaintTracking::Configuration {
} }
} }
// I hate the name ObjectBuilderFunctionConfig so this can be renamed // better name?
class ObjectBuilderFunctionConfig extends TaintTracking2::Configuration { class FromJSONConfig extends TaintTracking2::Configuration {
ObjectBuilderFunctionConfig() { this = "ObjectBuilderFunctionConfig" } FromJSONConfig() { this = "FromJSONConfig" }
override predicate isSource(DataFlow::Node source) { source instanceof JSONRelatedSink } override predicate isSource(DataFlow::Node source) { source instanceof JSONRelatedSink }
@@ -61,3 +62,14 @@ class ObjectBuilderFunctionConfig extends TaintTracking2::Configuration {
sanitizer = any(NoSQLSanitizer noSQLSanitizer).getSanitizerNode() sanitizer = any(NoSQLSanitizer noSQLSanitizer).getSanitizerNode()
} }
} }
predicate noSQLInjectionFlow(CustomPathNode source, CustomPathNode sink) {
exists(
FromJSONConfig config, DataFlow::PathNode mid1, DataFlow2::PathNode mid2,
NoSQLInjectionConfig config2
|
config.hasFlowPath(source.asNode1(), mid1) and
config2.hasFlowPath(mid2, sink.asNode2()) and
mid1.getNode().asCfgNode() = mid2.getNode().asCfgNode()
)
}