Python: Move experimental UnsafeUnpack to new dataflow API

This commit is contained in:
Rasmus Wriedt Larsen
2023-08-25 17:23:50 +02:00
parent 3edb9d1011
commit 3cdd875e9f
3 changed files with 117 additions and 28 deletions


@@ -16,9 +16,9 @@
import python
import experimental.Security.UnsafeUnpackQuery
import DataFlow::PathGraph
import UnsafeUnpackFlow::PathGraph
from UnsafeUnpackingConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
from UnsafeUnpackFlow::PathNode source, UnsafeUnpackFlow::PathNode sink
where UnsafeUnpackFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
"Unsafe extraction from a malicious tarball retrieved from a remote location."
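Review bot: The `select` in the migrated query still emits a fixed message with no link back to the source, so the path alert does not tell the reader which remote input reached the extraction call; since the commit already rewrites the `select` inputs, this is the natural place to thread the source through, e.g. `select sink.getNode(), source, sink, "Unsafe extraction from a malicious archive retrieved from $@.", source.getNode(), "a remote location"`. The wording "tarball" is also narrower than the sinks the library tracks (the `shutil.unpack_archive` sink visible in the library hunk is not tar-specific), so "archive" would be more accurate. The query metadata header (`@kind path-problem` and friends) lies before line 16 and is outside the hunk, so it was not checked here.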


@@ -39,10 +39,8 @@ class AllTarfileOpens extends API::CallNode {
}
}
class UnsafeUnpackingConfig extends TaintTracking::Configuration {
UnsafeUnpackingConfig() { this = "UnsafeUnpackingConfig" }
override predicate isSource(DataFlow::Node source) {
private module UnsafeUnpackConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
// A source coming from a remote location
source instanceof RemoteFlowSource
or
@@ -92,7 +90,7 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
source.(AttrRead).getAttributeName() = "FILES"
}
override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
(
// A sink capturing method calls to `unpack_archive`.
sink = API::moduleImport("shutil").getMember("unpack_archive").getACall().getArg(0)
@@ -136,7 +134,7 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
not sink.getScope().getLocation().getFile().inStdlib()
}
override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
// Reading the response
nodeTo.(MethodCallNode).calls(nodeFrom, "read")
or
@@ -211,3 +209,6 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
)
}
}
/** Global taint-tracking for detecting "UnsafeUnpacking" vulnerabilities. */
module UnsafeUnpackFlow = TaintTracking::Global<UnsafeUnpackConfig>;
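Review bot: The new `UnsafeUnpackConfig` module at line 32 has no QLDoc, while the exported `UnsafeUnpackFlow` alias below it does; a one-line comment on the module would make the library read consistently, e.g. `/** Configuration tracking remote input into archive-extraction calls; see `isSource`, `isSink` and `isAdditionalFlowStep`. */`. Note that the old `UnsafeUnpackingConfig` class was public and its replacement is `private` under a different name, so any other query that instantiated the class directly will stop compiling — presumably intended for an experimental query, but worth a sentence in the commit message. The module body spans lines outside the hunks shown, so the remaining sink and step definitions between the hunks were not reviewed.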