hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-05 13:45:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Python: TarSlip sanitizer: only clear taint on false edge

Browse Source 
maybe it was on purpose, will have to investigate FPs when query is good
This commit is contained in:
Rasmus Wriedt Larsen
2020-02-20 16:10:30 +01:00
parent 2d637e1cf7
commit 3c317ed0e6
3 changed files with 19 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
python/ql/test/query-tests/Security/CWE-022/TarSlip.expected
View File

@@ -15,8 +15,22 @@ edges
| tarslip.py:34:14:34:16 | tarfile.open | tarslip.py:34:1:34:17 | tarfile.entry |
| tarslip.py:40:7:40:39 | tarfile.open | tarslip.py:41:24:41:26 | tarfile.open |
| tarslip.py:40:7:40:39 | tarfile.open | tarslip.py:41:24:41:26 | tarfile.open |
| tarslip.py:56:7:56:39 | tarfile.open | tarslip.py:57:14:57:16 | tarfile.open |
| tarslip.py:56:7:56:39 | tarfile.open | tarslip.py:57:14:57:16 | tarfile.open |
| tarslip.py:57:1:57:17 | tarfile.entry | tarslip.py:59:21:59:25 | tarfile.entry |
| tarslip.py:57:1:57:17 | tarfile.entry | tarslip.py:59:21:59:25 | tarfile.entry |
| tarslip.py:57:14:57:16 | tarfile.open | tarslip.py:57:1:57:17 | tarfile.entry |
| tarslip.py:57:14:57:16 | tarfile.open | tarslip.py:57:1:57:17 | tarfile.entry |
| tarslip.py:63:7:63:39 | tarfile.open | tarslip.py:64:14:64:16 | tarfile.open |
| tarslip.py:63:7:63:39 | tarfile.open | tarslip.py:64:14:64:16 | tarfile.open |
| tarslip.py:64:1:64:17 | tarfile.entry | tarslip.py:68:21:68:25 | tarfile.entry |
| tarslip.py:64:1:64:17 | tarfile.entry | tarslip.py:68:21:68:25 | tarfile.entry |
| tarslip.py:64:14:64:16 | tarfile.open | tarslip.py:64:1:64:17 | tarfile.entry |
| tarslip.py:64:14:64:16 | tarfile.open | tarslip.py:64:1:64:17 | tarfile.entry |
#select
| tarslip.py:13:1:13:3 | tar | tarslip.py:12:7:12:39 | tarfile.open | tarslip.py:13:1:13:3 | tarfile.open | Extraction of tarfile from $@ | tarslip.py:12:7:12:39 | Attribute() | a potentially untrusted source |
| tarslip.py:18:17:18:21 | entry | tarslip.py:16:7:16:39 | tarfile.open | tarslip.py:18:17:18:21 | tarfile.entry | Extraction of tarfile from $@ | tarslip.py:16:7:16:39 | Attribute() | a potentially untrusted source |
| tarslip.py:37:17:37:21 | entry | tarslip.py:33:7:33:39 | tarfile.open | tarslip.py:37:17:37:21 | tarfile.entry | Extraction of tarfile from $@ | tarslip.py:33:7:33:39 | Attribute() | a potentially untrusted source |
| tarslip.py:41:24:41:26 | tar | tarslip.py:40:7:40:39 | tarfile.open | tarslip.py:41:24:41:26 | tarfile.open | Extraction of tarfile from $@ | tarslip.py:40:7:40:39 | Attribute() | a potentially untrusted source |
| tarslip.py:59:21:59:25 | entry | tarslip.py:56:7:56:39 | tarfile.open | tarslip.py:59:21:59:25 | tarfile.entry | Extraction of tarfile from $@ | tarslip.py:56:7:56:39 | Attribute() | a potentially untrusted source |
| tarslip.py:68:21:68:25 | entry | tarslip.py:63:7:63:39 | tarfile.open | tarslip.py:68:21:68:25 | tarfile.entry | Extraction of tarfile from $@ | tarslip.py:63:7:63:39 | Attribute() | a potentially untrusted source |

4
python/ql/test/query-tests/Security/CWE-022/tarslip.py
View File

@@ -56,7 +56,7 @@ tar.extractall(members=safemembers(tar))
tar = tarfile.open(unsafe_filename_tar)
for entry in tar:
if os.path.isabs(entry.name) or ".." in entry.name:
tar.extract(entry, "/tmp/unpack/") # TODO: FN
tar.extract(entry, "/tmp/unpack/")
# OK Sanitized using not
@@ -65,4 +65,4 @@ for entry in tar:
# using `if not (os.path.isabs(entry.name) or ".." in entry.name):`
# would make the sanitizer work, but for the wrong reasons since out library is a bit broken.
if not os.path.isabs(entry.name):
tar.extract(entry, "/tmp/unpack/")
tar.extract(entry, "/tmp/unpack/") # TODO: FP