mirror of
https://github.com/github/codeql.git
synced 2026-04-26 09:15:12 +02:00
Remove experimental version + qhelp fixes
This commit is contained in:
Joe Farebrother
@@ -16,10 +16,10 @@
|
||||
<sample src="examples/JinjaBad.py" />
|
||||
|
||||
<p>The following is an example of a string that could be used to cause remote code execution when interpreted as a template:</p>
|
||||
<sample src="examples/template_exploit" />
|
||||
<sample src="examples/template_exploit.txt" />
|
||||
|
||||
<p>In the following case, user input is not used to construct the template; rather is only used for as the parameters to render the template, which is safe.</p>
|
||||
<sample scr="examples/JinjaGoodParam" />
|
||||
<sample src="examples/JinjaGoodParam.py" />
|
||||
|
||||
<p>In the following case, a <code>SandboxedEnvironment</code> is used, preventing remote code execution.</p>
|
||||
<sample src="examples/JinjaGoodSandbox.py" />
|
||||
|
||||
@@ -1,19 +0,0 @@
|
||||
from django.urls import path
|
||||
from django.http import HttpResponse
|
||||
from jinja2 import Template as Jinja2_Template
|
||||
from jinja2 import Environment, DictLoader, escape
|
||||
|
||||
|
||||
def a(request):
|
||||
# Load the template
|
||||
template = request.GET['template']
|
||||
t = Jinja2_Template(template)
|
||||
name = request.GET['name']
|
||||
# Render the template with the context data
|
||||
html = t.render(name=escape(name))
|
||||
return HttpResponse(html)
|
||||
|
||||
|
||||
urlpatterns = [
|
||||
path('a', a),
|
||||
]
|
||||
@@ -1,20 +0,0 @@
|
||||
from django.urls import path
|
||||
from django.http import HttpResponse
|
||||
from jinja2 import Template as Jinja2_Template
|
||||
from jinja2 import Environment, DictLoader, escape
|
||||
|
||||
|
||||
def a(request):
|
||||
# Load the template
|
||||
template = request.GET['template']
|
||||
env = SandboxedEnvironment(undefined=StrictUndefined)
|
||||
t = env.from_string(template)
|
||||
name = request.GET['name']
|
||||
# Render the template with the context data
|
||||
html = t.render(name=escape(name))
|
||||
return HttpResponse(html)
|
||||
|
||||
|
||||
urlpatterns = [
|
||||
path('a', a),
|
||||
]
|
||||
@@ -1,165 +0,0 @@
|
||||
private import python
|
||||
private import semmle.python.dataflow.new.DataFlow
|
||||
private import semmle.python.ApiGraphs
|
||||
|
||||
/**
|
||||
* A data-flow node that constructs a template.
|
||||
*
|
||||
* Extend this class to refine existing API models. If you want to model new APIs,
|
||||
* extend `TemplateConstruction::Range` instead.
|
||||
*/
|
||||
class TemplateConstruction extends DataFlow::Node instanceof TemplateConstruction::Range {
|
||||
/** Gets the argument that specifies the template source. */
|
||||
DataFlow::Node getSourceArg() { result = super.getSourceArg() }
|
||||
}
|
||||
|
||||
/** Provides a class for modeling new system-command execution APIs. */
|
||||
module TemplateConstruction {
|
||||
/**
|
||||
* A data-flow node that constructs a template.
|
||||
*
|
||||
* Extend this class to model new APIs. If you want to refine existing API models,
|
||||
* extend `TemplateConstruction` instead.
|
||||
*/
|
||||
abstract class Range extends DataFlow::Node {
|
||||
/** Gets the argument that specifies the template source. */
|
||||
abstract DataFlow::Node getSourceArg();
|
||||
}
|
||||
}
|
||||
|
||||
// -----------------------------------------------------------------------------
|
||||
/** A call to `airspeed.Template`. */
|
||||
class AirspeedTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
AirspeedTemplateConstruction() {
|
||||
this = API::moduleImport("airspeed").getMember("Template").getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
|
||||
/** A call to `bottle.SimpleTemplate`. */
|
||||
class BottleSimpleTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
BottleSimpleTemplateConstruction() {
|
||||
this = API::moduleImport("bottle").getMember("SimpleTemplate").getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
|
||||
/** A call to `bottle.template`. */
|
||||
class BottleTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
BottleTemplateConstruction() {
|
||||
this = API::moduleImport("bottle").getMember("template").getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
|
||||
/** A call to `chameleon.PageTemplate`. */
|
||||
class ChameleonTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
ChameleonTemplateConstruction() {
|
||||
this = API::moduleImport("chameleon").getMember("PageTemplate").getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
|
||||
/** A call to `Cheetah.Template.Template`. */
|
||||
class CheetahTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
CheetahTemplateConstruction() {
|
||||
this =
|
||||
API::moduleImport("Cheetah")
|
||||
.getMember("Template")
|
||||
.getMember("Template")
|
||||
.getASubclass*()
|
||||
.getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
|
||||
/** A call to `chevron.render`. */
|
||||
class ChevronRenderConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
ChevronRenderConstruction() { this = API::moduleImport("chevron").getMember("render").getACall() }
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
|
||||
/** A call to `django.template.Template` */
|
||||
class DjangoTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
DjangoTemplateConstruction() {
|
||||
this = API::moduleImport("django").getMember("template").getMember("Template").getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
|
||||
// TODO: support django.template.engines["django"]].from_string
|
||||
/** A call to `flask.render_template_string`. */
|
||||
class FlaskTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
FlaskTemplateConstruction() {
|
||||
this = API::moduleImport("flask").getMember("render_template_string").getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
|
||||
/** A call to `genshi.template.TextTemplate`. */
|
||||
class GenshiTextTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
GenshiTextTemplateConstruction() {
|
||||
this = API::moduleImport("genshi").getMember("template").getMember("TextTemplate").getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
|
||||
/** A call to `genshi.template.MarkupTemplate` */
|
||||
class GenshiMarkupTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
GenshiMarkupTemplateConstruction() {
|
||||
this = API::moduleImport("genshi").getMember("template").getMember("MarkupTemplate").getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
|
||||
//
|
||||
/** A call to `jinja2.Template`. */
|
||||
class Jinja2TemplateConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
Jinja2TemplateConstruction() {
|
||||
this = API::moduleImport("jinja2").getMember("Template").getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
|
||||
/** A call to `jinja2.from_string`. */
|
||||
class Jinja2FromStringConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
Jinja2FromStringConstruction() {
|
||||
this =
|
||||
API::moduleImport("jinja2")
|
||||
.getMember("Environment")
|
||||
.getReturn()
|
||||
.getMember("from_string")
|
||||
.getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
|
||||
/** A call to `mako.template.Template`. */
|
||||
class MakoTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
MakoTemplateConstruction() {
|
||||
this = API::moduleImport("mako").getMember("template").getMember("Template").getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
|
||||
/** A call to `trender.TRender`. */
|
||||
class TRenderTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
TRenderTemplateConstruction() {
|
||||
this = API::moduleImport("trender").getMember("TRender").getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
@@ -1,24 +0,0 @@
|
||||
<!DOCTYPE qhelp SYSTEM "qhelp.dtd">
|
||||
<qhelp>
|
||||
<overview>
|
||||
<p>
|
||||
Template Injection occurs when user input is embedded in a template in an unsafe manner.
|
||||
When an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side is results in Server Side Template Injection.
|
||||
</p>
|
||||
</overview>
|
||||
<recommendation>
|
||||
<p>
|
||||
To fix this, ensure that an untrusted value is not used as a template. If the application requirements do not alow this, use a sandboxed environment where access to unsafe attributes and methods is prohibited.
|
||||
</p>
|
||||
</recommendation>
|
||||
<example>
|
||||
<p>Consider the example given below, an untrusted HTTP parameter `template` is used to generate a Jinja2 template string. This can lead to remote code execution. </p>
|
||||
<sample src="JinjaBad.py" />
|
||||
|
||||
<p>Here we have fixed the problem by using the Jinja sandbox environment for evaluating untrusted code.</p>
|
||||
<sample src="JinjaGood.py" />
|
||||
</example>
|
||||
<references>
|
||||
<li>Portswigger : [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection)</li>
|
||||
</references>
|
||||
</qhelp>
|
||||
@@ -1,20 +0,0 @@
|
||||
/**
|
||||
* @name Server Side Template Injection
|
||||
* @description Using user-controlled data to create a template can cause security issues.
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @precision high
|
||||
* @id py/template-injection
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe/cwe-074
|
||||
*/
|
||||
|
||||
import python
|
||||
import TemplateInjectionQuery
|
||||
import TemplateInjectionFlow::PathGraph
|
||||
|
||||
from TemplateInjectionFlow::PathNode source, TemplateInjectionFlow::PathNode sink
|
||||
where TemplateInjectionFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "This Template depends on $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
@@ -1,59 +0,0 @@
|
||||
/**
|
||||
* Provides default sources, sinks and sanitizers for detecting
|
||||
* "template injection"
|
||||
* vulnerabilities, as well as extension points for adding your own.
|
||||
*/
|
||||
|
||||
private import python
|
||||
private import semmle.python.dataflow.new.DataFlow
|
||||
private import semmle.python.Concepts as C
|
||||
private import semmle.python.dataflow.new.RemoteFlowSources
|
||||
private import semmle.python.dataflow.new.BarrierGuards
|
||||
private import TemplateConstructionConcept
|
||||
|
||||
/**
|
||||
* Provides default sources, sinks and sanitizers for detecting
|
||||
* "template injection"
|
||||
* vulnerabilities, as well as extension points for adding your own.
|
||||
*/
|
||||
module TemplateInjection {
|
||||
/**
|
||||
* A data flow source for "template injection" vulnerabilities.
|
||||
*/
|
||||
abstract class Source extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* A data flow sink for "template injection" vulnerabilities.
|
||||
*/
|
||||
abstract class Sink extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* A sanitizer for "template injection" vulnerabilities.
|
||||
*/
|
||||
abstract class Sanitizer extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `ActiveThreatModelSource` from Concepts instead!
|
||||
*/
|
||||
deprecated class RemoteFlowSourceAsSource = ActiveThreatModelSourceAsSource;
|
||||
|
||||
/**
|
||||
* An active threat-model source, considered as a flow source.
|
||||
*/
|
||||
private class ActiveThreatModelSourceAsSource extends Source, C::ActiveThreatModelSource { }
|
||||
|
||||
/**
|
||||
* A SQL statement of a SQL construction, considered as a flow sink.
|
||||
*/
|
||||
class TemplateConstructionAsSink extends Sink {
|
||||
TemplateConstructionAsSink() { this = any(TemplateConstruction c).getSourceArg() }
|
||||
}
|
||||
|
||||
/**
|
||||
* A comparison with a constant, considered as a sanitizer-guard.
|
||||
*/
|
||||
class ConstCompareAsSanitizerGuard extends Sanitizer, ConstCompareBarrier { }
|
||||
|
||||
/** DEPRECATED: Use ConstCompareAsSanitizerGuard instead. */
|
||||
deprecated class StringConstCompareAsSanitizerGuard = ConstCompareAsSanitizerGuard;
|
||||
}
|
||||
@@ -1,18 +0,0 @@
|
||||
/**
|
||||
* Provides a taint-tracking configuration for detecting "template injection" vulnerabilities.
|
||||
*/
|
||||
|
||||
private import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
import TemplateInjectionCustomizations::TemplateInjection
|
||||
|
||||
module TemplateInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node node) { node instanceof Source }
|
||||
|
||||
predicate isSink(DataFlow::Node node) { node instanceof Sink }
|
||||
|
||||
predicate isBarrierIn(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
}
|
||||
|
||||
module TemplateInjectionFlow = TaintTracking::Global<TemplateInjectionConfig>;
|
||||
@@ -1,11 +0,0 @@
|
||||
import airspeed
|
||||
from flask import Flask, request
|
||||
|
||||
|
||||
app = Flask(__name__)
|
||||
|
||||
|
||||
@route('/other')
|
||||
def a():
|
||||
template = request.args.get('template')
|
||||
return airspeed.Template(template)
|
||||
@@ -1,20 +0,0 @@
|
||||
from bottle import Bottle, route, request, redirect, response, SimpleTemplate
|
||||
from bottle import template as temp
|
||||
|
||||
|
||||
app = Bottle()
|
||||
|
||||
|
||||
@route('/other')
|
||||
def a():
|
||||
template = request.query.template
|
||||
tpl = SimpleTemplate(template)
|
||||
tpl.render(name='World')
|
||||
return tmp
|
||||
|
||||
|
||||
@route('/other2')
|
||||
def b():
|
||||
template = request.query.template
|
||||
temp(template, name='World')
|
||||
return tmp
|
||||
@@ -1,10 +0,0 @@
|
||||
from chameleon import PageTemplate
|
||||
from django.urls import path
|
||||
from django.http import HttpResponse
|
||||
|
||||
|
||||
def chameleon(request):
|
||||
template = request.GET['template']
|
||||
tmpl = PageTemplate(template)
|
||||
return HttpResponse(tmpl)
|
||||
|
||||
@@ -1,22 +0,0 @@
|
||||
from flask import Flask, request
|
||||
from Cheetah.Template import Template
|
||||
|
||||
|
||||
app = Flask(__name__)
|
||||
|
||||
|
||||
@app.route('/other')
|
||||
def a():
|
||||
template = request.args.get('template')
|
||||
return Template(template)
|
||||
|
||||
|
||||
class Template3(Template):
|
||||
title = 'Hello World Example!'
|
||||
contents = 'Hello World!'
|
||||
|
||||
|
||||
@app.route('/other2')
|
||||
def b():
|
||||
template = request.args.get('template')
|
||||
t3 = Template3(template)
|
||||
@@ -1,24 +0,0 @@
|
||||
from flask import Flask, request
|
||||
import chevron
|
||||
|
||||
|
||||
app = Flask(__name__)
|
||||
|
||||
|
||||
@app.route('/other')
|
||||
def a():
|
||||
template = request.args.get('template')
|
||||
return chevron.render(template, {"key": "value"})
|
||||
|
||||
|
||||
@app.route('/other2')
|
||||
def b():
|
||||
template = request.args.get('template')
|
||||
args = {
|
||||
'template': template,
|
||||
|
||||
'data': {
|
||||
'key': 'value'
|
||||
}
|
||||
}
|
||||
return chevron.render(**args)
|
||||
@@ -1,41 +0,0 @@
|
||||
from django.urls import path
|
||||
from django.http import HttpResponse
|
||||
from django.template import Template, Context, Engine, engines
|
||||
|
||||
|
||||
def dj(request):
|
||||
# Load the template
|
||||
template = request.GET['template']
|
||||
t = Template(template)
|
||||
ctx = Context(locals())
|
||||
html = t.render(ctx)
|
||||
return HttpResponse(html)
|
||||
|
||||
|
||||
def djEngine(request):
|
||||
# Load the template
|
||||
template = request.GET['template']
|
||||
|
||||
django_engine = engines['django']
|
||||
t = django_engine.from_string(template)
|
||||
ctx = Context(locals())
|
||||
html = t.render(ctx)
|
||||
return HttpResponse(html)
|
||||
|
||||
|
||||
def djEngineJinja(request):
|
||||
# Load the template
|
||||
template = request.GET['template']
|
||||
|
||||
django_engine = engines['jinja']
|
||||
t = django_engine.from_string(template)
|
||||
ctx = Context(locals())
|
||||
html = t.render(ctx)
|
||||
return HttpResponse(html)
|
||||
|
||||
|
||||
urlpatterns = [
|
||||
path('', dj),
|
||||
path('', djEngine),
|
||||
path('', djEngineJinja),
|
||||
]
|
||||
@@ -1,22 +0,0 @@
|
||||
from flask import Flask, request
|
||||
|
||||
|
||||
app = Flask(__name__)
|
||||
|
||||
|
||||
@app.route("/")
|
||||
def home():
|
||||
from flask import render_template_string
|
||||
if request.args.get('template'):
|
||||
return render_template_string(request.args.get('template'))
|
||||
|
||||
|
||||
@app.route("/a")
|
||||
def a():
|
||||
import flask
|
||||
return flask.render_template_string(request.args.get('template'))
|
||||
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
app.run(debug=True)
|
||||
@@ -1,18 +0,0 @@
|
||||
from django.urls import path
|
||||
from django.http import HttpResponse
|
||||
from genshi.template import TextTemplate,MarkupTemplate
|
||||
|
||||
def genshi1():
|
||||
template = request.GET['template']
|
||||
tmpl = MarkupTemplate(template)
|
||||
return HttpResponse(tmpl)
|
||||
|
||||
def genshi2():
|
||||
template = request.GET['template']
|
||||
tmpl = TextTemplate(template)
|
||||
return HttpResponse(tmpl)
|
||||
|
||||
urlpatterns = [
|
||||
path('', genshi1),
|
||||
path('', genshi2)
|
||||
]
|
||||
@@ -1,30 +0,0 @@
|
||||
from django.urls import path
|
||||
from django.http import HttpResponse
|
||||
from jinja2 import Template as Jinja2_Template
|
||||
from jinja2 import Environment, DictLoader, escape
|
||||
|
||||
|
||||
def a(request):
|
||||
# Load the template
|
||||
template = request.GET['template']
|
||||
t = Jinja2_Template(template)
|
||||
name = request.GET['name']
|
||||
# Render the template with the context data
|
||||
html = t.render(name=escape(name))
|
||||
return HttpResponse(html)
|
||||
|
||||
def b(request):
|
||||
import jinja2
|
||||
# Load the template
|
||||
template = request.GET['template']
|
||||
t = jinja2.from_string(template)
|
||||
name = request.GET['name']
|
||||
# Render the template with the context data
|
||||
html = t.render(name=escape(name))
|
||||
return HttpResponse(html)
|
||||
|
||||
|
||||
urlpatterns = [
|
||||
path('a', a),
|
||||
path('b', b)
|
||||
]
|
||||
@@ -1,15 +0,0 @@
|
||||
from django.urls import path
|
||||
from django.http import HttpResponse
|
||||
from mako.template import Template
|
||||
|
||||
|
||||
def mako(request):
|
||||
# Load the template
|
||||
template = request.GET['template']
|
||||
mytemplate = Template(template)
|
||||
return HttpResponse(mytemplate)
|
||||
|
||||
|
||||
urlpatterns = [
|
||||
path('', mako)
|
||||
]
|
||||
@@ -1,12 +0,0 @@
|
||||
from django.urls import path
|
||||
from django.http import HttpResponse
|
||||
from trender import TRender
|
||||
|
||||
def trender(request):
|
||||
template = request.GET['template']
|
||||
compiled = TRender(template)
|
||||
return HttpResponse(compiled)
|
||||
|
||||
urlpatterns = [
|
||||
path('', trender)
|
||||
]
|
||||
@@ -1,107 +0,0 @@
|
||||
edges
|
||||
| AirspeedSsti.py:2:26:2:32 | ControlFlowNode for ImportMember | AirspeedSsti.py:2:26:2:32 | ControlFlowNode for request | provenance | |
|
||||
| AirspeedSsti.py:2:26:2:32 | ControlFlowNode for request | AirspeedSsti.py:10:16:10:22 | ControlFlowNode for request | provenance | |
|
||||
| AirspeedSsti.py:10:5:10:12 | ControlFlowNode for template | AirspeedSsti.py:11:30:11:37 | ControlFlowNode for template | provenance | |
|
||||
| AirspeedSsti.py:10:16:10:22 | ControlFlowNode for request | AirspeedSsti.py:10:16:10:27 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
|
||||
| AirspeedSsti.py:10:16:10:27 | ControlFlowNode for Attribute | AirspeedSsti.py:10:16:10:43 | ControlFlowNode for Attribute() | provenance | dict.get |
|
||||
| AirspeedSsti.py:10:16:10:43 | ControlFlowNode for Attribute() | AirspeedSsti.py:10:5:10:12 | ControlFlowNode for template | provenance | |
|
||||
| CheetahSinks.py:1:26:1:32 | ControlFlowNode for ImportMember | CheetahSinks.py:1:26:1:32 | ControlFlowNode for request | provenance | |
|
||||
| CheetahSinks.py:1:26:1:32 | ControlFlowNode for request | CheetahSinks.py:10:16:10:22 | ControlFlowNode for request | provenance | |
|
||||
| CheetahSinks.py:1:26:1:32 | ControlFlowNode for request | CheetahSinks.py:21:16:21:22 | ControlFlowNode for request | provenance | |
|
||||
| CheetahSinks.py:10:5:10:12 | ControlFlowNode for template | CheetahSinks.py:11:21:11:28 | ControlFlowNode for template | provenance | |
|
||||
| CheetahSinks.py:10:16:10:22 | ControlFlowNode for request | CheetahSinks.py:10:16:10:27 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
|
||||
| CheetahSinks.py:10:16:10:27 | ControlFlowNode for Attribute | CheetahSinks.py:10:16:10:43 | ControlFlowNode for Attribute() | provenance | dict.get |
|
||||
| CheetahSinks.py:10:16:10:43 | ControlFlowNode for Attribute() | CheetahSinks.py:10:5:10:12 | ControlFlowNode for template | provenance | |
|
||||
| CheetahSinks.py:21:5:21:12 | ControlFlowNode for template | CheetahSinks.py:22:20:22:27 | ControlFlowNode for template | provenance | |
|
||||
| CheetahSinks.py:21:16:21:22 | ControlFlowNode for request | CheetahSinks.py:21:16:21:27 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
|
||||
| CheetahSinks.py:21:16:21:27 | ControlFlowNode for Attribute | CheetahSinks.py:21:16:21:43 | ControlFlowNode for Attribute() | provenance | dict.get |
|
||||
| CheetahSinks.py:21:16:21:43 | ControlFlowNode for Attribute() | CheetahSinks.py:21:5:21:12 | ControlFlowNode for template | provenance | |
|
||||
| ChevronSsti.py:1:26:1:32 | ControlFlowNode for ImportMember | ChevronSsti.py:1:26:1:32 | ControlFlowNode for request | provenance | |
|
||||
| ChevronSsti.py:1:26:1:32 | ControlFlowNode for request | ChevronSsti.py:10:16:10:22 | ControlFlowNode for request | provenance | |
|
||||
| ChevronSsti.py:10:5:10:12 | ControlFlowNode for template | ChevronSsti.py:11:27:11:34 | ControlFlowNode for template | provenance | |
|
||||
| ChevronSsti.py:10:16:10:22 | ControlFlowNode for request | ChevronSsti.py:10:16:10:27 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
|
||||
| ChevronSsti.py:10:16:10:27 | ControlFlowNode for Attribute | ChevronSsti.py:10:16:10:43 | ControlFlowNode for Attribute() | provenance | dict.get |
|
||||
| ChevronSsti.py:10:16:10:43 | ControlFlowNode for Attribute() | ChevronSsti.py:10:5:10:12 | ControlFlowNode for template | provenance | |
|
||||
| DjangoTemplates.py:6:8:6:14 | ControlFlowNode for request | DjangoTemplates.py:8:5:8:12 | ControlFlowNode for template | provenance | AdditionalTaintStep |
|
||||
| DjangoTemplates.py:8:5:8:12 | ControlFlowNode for template | DjangoTemplates.py:9:18:9:25 | ControlFlowNode for template | provenance | |
|
||||
| FlaskTemplate.py:1:26:1:32 | ControlFlowNode for ImportMember | FlaskTemplate.py:1:26:1:32 | ControlFlowNode for request | provenance | |
|
||||
| FlaskTemplate.py:1:26:1:32 | ControlFlowNode for request | FlaskTemplate.py:10:8:10:14 | ControlFlowNode for request | provenance | |
|
||||
| FlaskTemplate.py:1:26:1:32 | ControlFlowNode for request | FlaskTemplate.py:11:39:11:45 | ControlFlowNode for request | provenance | |
|
||||
| FlaskTemplate.py:1:26:1:32 | ControlFlowNode for request | FlaskTemplate.py:17:41:17:47 | ControlFlowNode for request | provenance | |
|
||||
| FlaskTemplate.py:10:8:10:14 | ControlFlowNode for request | FlaskTemplate.py:11:39:11:50 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
|
||||
| FlaskTemplate.py:11:39:11:45 | ControlFlowNode for request | FlaskTemplate.py:11:39:11:50 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
|
||||
| FlaskTemplate.py:11:39:11:50 | ControlFlowNode for Attribute | FlaskTemplate.py:11:39:11:66 | ControlFlowNode for Attribute() | provenance | dict.get |
|
||||
| FlaskTemplate.py:17:41:17:47 | ControlFlowNode for request | FlaskTemplate.py:17:41:17:52 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep |
|
||||
| FlaskTemplate.py:17:41:17:52 | ControlFlowNode for Attribute | FlaskTemplate.py:17:41:17:68 | ControlFlowNode for Attribute() | provenance | dict.get |
|
||||
| JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | JinjaSsti.py:9:5:9:12 | ControlFlowNode for template | provenance | AdditionalTaintStep |
|
||||
| JinjaSsti.py:9:5:9:12 | ControlFlowNode for template | JinjaSsti.py:10:25:10:32 | ControlFlowNode for template | provenance | |
|
||||
| JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | JinjaSsti.py:19:5:19:12 | ControlFlowNode for template | provenance | AdditionalTaintStep |
|
||||
| JinjaSsti.py:19:5:19:12 | ControlFlowNode for template | JinjaSsti.py:20:28:20:35 | ControlFlowNode for template | provenance | |
|
||||
| MakoSsti.py:6:10:6:16 | ControlFlowNode for request | MakoSsti.py:8:5:8:12 | ControlFlowNode for template | provenance | AdditionalTaintStep |
|
||||
| MakoSsti.py:8:5:8:12 | ControlFlowNode for template | MakoSsti.py:9:27:9:34 | ControlFlowNode for template | provenance | |
|
||||
| TRender.py:5:13:5:19 | ControlFlowNode for request | TRender.py:6:5:6:12 | ControlFlowNode for template | provenance | AdditionalTaintStep |
|
||||
| TRender.py:6:5:6:12 | ControlFlowNode for template | TRender.py:7:24:7:31 | ControlFlowNode for template | provenance | |
|
||||
nodes
|
||||
| AirspeedSsti.py:2:26:2:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
|
||||
| AirspeedSsti.py:2:26:2:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| AirspeedSsti.py:10:5:10:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
| AirspeedSsti.py:10:16:10:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| AirspeedSsti.py:10:16:10:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||
| AirspeedSsti.py:10:16:10:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||
| AirspeedSsti.py:11:30:11:37 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
| CheetahSinks.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
|
||||
| CheetahSinks.py:1:26:1:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| CheetahSinks.py:10:5:10:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
| CheetahSinks.py:10:16:10:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| CheetahSinks.py:10:16:10:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||
| CheetahSinks.py:10:16:10:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||
| CheetahSinks.py:11:21:11:28 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
| CheetahSinks.py:21:5:21:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
| CheetahSinks.py:21:16:21:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| CheetahSinks.py:21:16:21:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||
| CheetahSinks.py:21:16:21:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||
| CheetahSinks.py:22:20:22:27 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
| ChevronSsti.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
|
||||
| ChevronSsti.py:1:26:1:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| ChevronSsti.py:10:5:10:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
| ChevronSsti.py:10:16:10:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| ChevronSsti.py:10:16:10:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||
| ChevronSsti.py:10:16:10:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||
| ChevronSsti.py:11:27:11:34 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
| DjangoTemplates.py:6:8:6:14 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| DjangoTemplates.py:8:5:8:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
| DjangoTemplates.py:9:18:9:25 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
| FlaskTemplate.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
|
||||
| FlaskTemplate.py:1:26:1:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| FlaskTemplate.py:10:8:10:14 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| FlaskTemplate.py:11:39:11:45 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| FlaskTemplate.py:11:39:11:50 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||
| FlaskTemplate.py:11:39:11:66 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||
| FlaskTemplate.py:17:41:17:47 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| FlaskTemplate.py:17:41:17:52 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||
| FlaskTemplate.py:17:41:17:68 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||
| JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| JinjaSsti.py:9:5:9:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
| JinjaSsti.py:10:25:10:32 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
| JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| JinjaSsti.py:19:5:19:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
| JinjaSsti.py:20:28:20:35 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
| MakoSsti.py:6:10:6:16 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| MakoSsti.py:8:5:8:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
| MakoSsti.py:9:27:9:34 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
| TRender.py:5:13:5:19 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| TRender.py:6:5:6:12 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
| TRender.py:7:24:7:31 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
subpaths
|
||||
#select
|
||||
| AirspeedSsti.py:11:30:11:37 | ControlFlowNode for template | AirspeedSsti.py:2:26:2:32 | ControlFlowNode for ImportMember | AirspeedSsti.py:11:30:11:37 | ControlFlowNode for template | This Template depends on $@. | AirspeedSsti.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
|
||||
| CheetahSinks.py:11:21:11:28 | ControlFlowNode for template | CheetahSinks.py:1:26:1:32 | ControlFlowNode for ImportMember | CheetahSinks.py:11:21:11:28 | ControlFlowNode for template | This Template depends on $@. | CheetahSinks.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
|
||||
| CheetahSinks.py:22:20:22:27 | ControlFlowNode for template | CheetahSinks.py:1:26:1:32 | ControlFlowNode for ImportMember | CheetahSinks.py:22:20:22:27 | ControlFlowNode for template | This Template depends on $@. | CheetahSinks.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
|
||||
| ChevronSsti.py:11:27:11:34 | ControlFlowNode for template | ChevronSsti.py:1:26:1:32 | ControlFlowNode for ImportMember | ChevronSsti.py:11:27:11:34 | ControlFlowNode for template | This Template depends on $@. | ChevronSsti.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
|
||||
| DjangoTemplates.py:9:18:9:25 | ControlFlowNode for template | DjangoTemplates.py:6:8:6:14 | ControlFlowNode for request | DjangoTemplates.py:9:18:9:25 | ControlFlowNode for template | This Template depends on $@. | DjangoTemplates.py:6:8:6:14 | ControlFlowNode for request | user-provided value |
|
||||
| FlaskTemplate.py:11:39:11:66 | ControlFlowNode for Attribute() | FlaskTemplate.py:1:26:1:32 | ControlFlowNode for ImportMember | FlaskTemplate.py:11:39:11:66 | ControlFlowNode for Attribute() | This Template depends on $@. | FlaskTemplate.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
|
||||
| FlaskTemplate.py:17:41:17:68 | ControlFlowNode for Attribute() | FlaskTemplate.py:1:26:1:32 | ControlFlowNode for ImportMember | FlaskTemplate.py:17:41:17:68 | ControlFlowNode for Attribute() | This Template depends on $@. | FlaskTemplate.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
|
||||
| JinjaSsti.py:10:25:10:32 | ControlFlowNode for template | JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | JinjaSsti.py:10:25:10:32 | ControlFlowNode for template | This Template depends on $@. | JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | user-provided value |
|
||||
| JinjaSsti.py:20:28:20:35 | ControlFlowNode for template | JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | JinjaSsti.py:20:28:20:35 | ControlFlowNode for template | This Template depends on $@. | JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | user-provided value |
|
||||
| MakoSsti.py:9:27:9:34 | ControlFlowNode for template | MakoSsti.py:6:10:6:16 | ControlFlowNode for request | MakoSsti.py:9:27:9:34 | ControlFlowNode for template | This Template depends on $@. | MakoSsti.py:6:10:6:16 | ControlFlowNode for request | user-provided value |
|
||||
| TRender.py:7:24:7:31 | ControlFlowNode for template | TRender.py:5:13:5:19 | ControlFlowNode for request | TRender.py:7:24:7:31 | ControlFlowNode for template | This Template depends on $@. | TRender.py:5:13:5:19 | ControlFlowNode for request | user-provided value |
|
||||
@@ -1 +0,0 @@
|
||||
experimental/Security/CWE-074/TemplateInjection.ql
|
||||
Reference in New Issue
Block a user