Merge pull request #4435 from RasmusWL/python-port-code-injection

Python: port code injection query
2025-12-20 10:46:30 +01:00 · 2020-10-14 16:41:42 +02:00
parent 5f6f85c998 5db4f906d0
commit 466c22f4a8
21 changed files with 319 additions and 3 deletions
--- a/python/ql/src/experimental/Security-new-dataflow/CWE-094/CodeInjection.ql
+++ b/python/ql/src/experimental/Security-new-dataflow/CWE-094/CodeInjection.ql
@@ -0,0 +1,35 @@
+/**
+ * @name Code injection
+ * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary
+ *              code execution.
+ * @kind path-problem
+ * @problem.severity error
+ * @sub-severity high
+ * @precision high
+ * @id py/code-injection
+ * @tags security
+ *       external/owasp/owasp-a1
+ *       external/cwe/cwe-094
+ *       external/cwe/cwe-095
+ *       external/cwe/cwe-116
+ */
+
+import python
+import experimental.dataflow.DataFlow
+import experimental.dataflow.TaintTracking
+import experimental.semmle.python.Concepts
+import experimental.dataflow.RemoteFlowSources
+import DataFlow::PathGraph
+
+class CodeInjectionConfiguration extends TaintTracking::Configuration {
+  CodeInjectionConfiguration() { this = "CodeInjectionConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink = any(CodeExecution e).getCode() }
+}
+
+from CodeInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "$@ flows to here and is interpreted as code.",
+  source.getNode(), "A user-provided value"
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -17,12 +17,12 @@ private import experimental.dataflow.RemoteFlowSources
 * extend `SystemCommandExecution::Range` instead.
 */
 class SystemCommandExecution extends DataFlow::Node {
-  SystemCommandExecution::Range self;
+  SystemCommandExecution::Range range;

-  SystemCommandExecution() { this = self }
+  SystemCommandExecution() { this = range }

  /** Gets the argument that specifies the command to be executed. */
-  DataFlow::Node getCommand() { result = self.getCommand() }
+  DataFlow::Node getCommand() { result = range.getCommand() }
 }

 /** Provides a class for modeling new system-command execution APIs. */
@@ -40,6 +40,35 @@ module SystemCommandExecution {
  }
 }

+/**
+ * A data-flow node that dynamically executes Python code.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `CodeExecution::Range` instead.
+ */
+class CodeExecution extends DataFlow::Node {
+  CodeExecution::Range range;
+
+  CodeExecution() { this = range }
+
+  /** Gets the argument that specifies the code to be executed. */
+  DataFlow::Node getCode() { result = range.getCode() }
+}
+
+/** Provides a class for modeling new dynamic code execution APIs. */
+module CodeExecution {
+  /**
+   * A data-flow node that dynamically executes Python code.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `CodeExecution` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /** Gets the argument that specifies the code to be executed. */
+    abstract DataFlow::Node getCode();
+  }
+}
+
 /** Provides classes for modeling HTTP-related APIs. */
 module HTTP {
  /** Provides classes for modeling HTTP servers. */
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -327,4 +327,115 @@ private module Stdlib {
      )
    }
  }
+
+  // ---------------------------------------------------------------------------
+  // builtins
+  // ---------------------------------------------------------------------------
+  /** Gets a reference to the `builtins` module (called `__builtin__` in Python 2). */
+  private DataFlow::Node builtins(DataFlow::TypeTracker t) {
+    t.start() and
+    result = DataFlow::importNode(["builtins", "__builtin__"])
+    or
+    exists(DataFlow::TypeTracker t2 | result = builtins(t2).track(t2, t))
+  }
+
+  /** Gets a reference to the `builtins` module. */
+  DataFlow::Node builtins() { result = builtins(DataFlow::TypeTracker::end()) }
+
+  /**
+   * Gets a reference to the attribute `attr_name` of the `builtins` module.
+   * WARNING: Only holds for a few predefined attributes.
+   */
+  private DataFlow::Node builtins_attr(DataFlow::TypeTracker t, string attr_name) {
+    attr_name in ["exec", "eval", "compile"] and
+    (
+      t.start() and
+      result = DataFlow::importNode(["builtins", "__builtin__"] + "." + attr_name)
+      or
+      t.startInAttr(attr_name) and
+      result = DataFlow::importNode(["builtins", "__builtin__"])
+      or
+      // special handling of builtins, that are in scope without any imports
+      // TODO: Take care of overrides, either `def eval: ...`, `eval = ...`, or `builtins.eval = ...`
+      t.start() and
+      exists(NameNode ref | result.asCfgNode() = ref |
+        ref.isGlobal() and
+        ref.getId() = attr_name and
+        ref.isLoad()
+      )
+    )
+    or
+    // Due to bad performance when using normal setup with `builtins_attr(t2, attr_name).track(t2, t)`
+    // we have inlined that code and forced a join
+    exists(DataFlow::TypeTracker t2 |
+      exists(DataFlow::StepSummary summary |
+        builtins_attr_first_join(t2, attr_name, result, summary) and
+        t = t2.append(summary)
+      )
+    )
+  }
+
+  pragma[nomagic]
+  private predicate builtins_attr_first_join(
+    DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
+  ) {
+    DataFlow::StepSummary::step(builtins_attr(t2, attr_name), res, summary)
+  }
+
+  /**
+   * Gets a reference to the attribute `attr_name` of the `builtins` module.
+   * WARNING: Only holds for a few predefined attributes.
+   */
+  private DataFlow::Node builtins_attr(string attr_name) {
+    result = builtins_attr(DataFlow::TypeTracker::end(), attr_name)
+  }
+
+  /**
+   * A call to the builtin `exec` function.
+   * See https://docs.python.org/3/library/functions.html#exec
+   */
+  private class BuiltinsExecCall extends CodeExecution::Range, DataFlow::CfgNode {
+    override CallNode node;
+
+    BuiltinsExecCall() { node.getFunction() = builtins_attr("exec").asCfgNode() }
+
+    override DataFlow::Node getCode() { result.asCfgNode() = node.getArg(0) }
+  }
+
+  /**
+   * A call to the builtin `eval` function.
+   * See https://docs.python.org/3/library/functions.html#eval
+   */
+  private class BuiltinsEvalCall extends CodeExecution::Range, DataFlow::CfgNode {
+    override CallNode node;
+
+    BuiltinsEvalCall() { node.getFunction() = builtins_attr("eval").asCfgNode() }
+
+    override DataFlow::Node getCode() { result.asCfgNode() = node.getArg(0) }
+  }
+
+  /** An additional taint step for calls to the builtin function `compile` */
+  private class BuiltinsCompileCallAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
+    override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+      exists(CallNode call |
+        nodeTo.asCfgNode() = call and
+        call.getFunction() = builtins_attr("compile").asCfgNode() and
+        nodeFrom.asCfgNode() in [call.getArg(0), call.getArgByName("source")]
+      )
+    }
+  }
+}
+
+/**
+ * An exec statement (only Python 2).
+ * Se ehttps://docs.python.org/2/reference/simple_stmts.html#the-exec-statement.
+ */
+private class ExecStatement extends CodeExecution::Range {
+  ExecStatement() {
+    // since there are no DataFlow::Nodes for a Statement, we can't do anything like
+    // `this = any(Exec exec)`
+    this.asExpr() = any(Exec exec).getBody()
+  }
+
+  override DataFlow::Node getCode() { result = this }
 }