hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 01:35:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Python: Move experimental TokenBuiltFromUUID to new dataflow API

Browse Source
This commit is contained in:
Rasmus Wriedt Larsen
2023-08-25 17:14:21 +02:00
parent acde1920e7
commit 3edb9d1011
1 changed files with 11 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
python/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql
View File

@@ -16,7 +16,6 @@ import python
import semmle.python.dataflow.new.DataFlow
import semmle.python.ApiGraphs
import semmle.python.dataflow.new.TaintTracking
import DataFlow::PathGraph
class PredictableResultSource extends DataFlow::Node {
PredictableResultSource() {
@@ -40,14 +39,12 @@ class TokenAssignmentValueSink extends DataFlow::Node {
}
}
class TokenBuiltFromUuidConfig extends TaintTracking::Configuration {
TokenBuiltFromUuidConfig() { this = "TokenBuiltFromUuidConfig" }
private module TokenBuiltFromUUIDConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof PredictableResultSource }
override predicate isSource(DataFlow::Node source) { source instanceof PredictableResultSource }
predicate isSink(DataFlow::Node sink) { sink instanceof TokenAssignmentValueSink }
override predicate isSink(DataFlow::Node sink) { sink instanceof TokenAssignmentValueSink }
override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
exists(DataFlow::CallCfgNode call |
call = API::builtin("str").getACall() and
nodeFrom = call.getArg(0) and
@@ -56,6 +53,11 @@ class TokenBuiltFromUuidConfig extends TaintTracking::Configuration {
}
}
from DataFlow::PathNode source, DataFlow::PathNode sink, TokenBuiltFromUuidConfig config
where config.hasFlowPath(source, sink)
/** Global taint-tracking for detecting "TokenBuiltFromUUID" vulnerabilities. */
module TokenBuiltFromUUIDFlow = TaintTracking::Global<TokenBuiltFromUUIDConfig>;
import TokenBuiltFromUUIDFlow::PathGraph
from TokenBuiltFromUUIDFlow::PathNode source, TokenBuiltFromUUIDFlow::PathNode sink
where TokenBuiltFromUUIDFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "Token built from $@.", source.getNode(), "predictable value"