Python: Address many review comments

still need to move concept tests
Rasmus Lerchedahl Petersen
2020-10-13 12:03:23 +02:00
parent 433a36225b
commit 4685f2d5f2
16 changed files with 285 additions and 238 deletions


@@ -33,19 +33,41 @@ class SystemCommandExecutionTest extends InlineExpectationsTest {
}
}
class DeserializationSinkTest extends InlineExpectationsTest {
DeserializationSinkTest() { this = "DeserializationSinkTest" }
class UnmarshalingFunctionTest extends InlineExpectationsTest {
UnmarshalingFunctionTest() { this = "UnmarshalingFunctionTest" }
override string getARelevantTag() { result = "getData" }
override predicate hasActualResult(Location location, string element, string tag, string value) {
exists(DeserializationSink ds, DataFlow::Node data |
exists(location.getFile().getRelativePath()) and
data = ds.getData() and
location = data.getLocation() and
element = data.toString() and
value = value_from_expr(data.asExpr()) and
tag = "getData"
exists(location.getFile().getRelativePath()) and
exists(UnmarshalingFunction ds, string unsafe |
(
ds.unsafe() and unsafe = "UNSAFE_"
or
not ds.unsafe() and unsafe = ""
) and
(
exists(DataFlow::Node data |
location = data.getLocation() and
element = data.toString() and
value = value_from_expr(data.asExpr()) and
(
data = ds.getAnInput() and
tag = unsafe + "getAnInput"
or
data = ds.getOutput() and
tag = unsafe + "getOutput"
)
)
or
exists(string format |
location = ds.getLocation() and
element = format and
value = format and
format = ds.getFormat() and
tag = unsafe + "getFormat"
)
)
)
}
}
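Review bot: The only getARelevantTag() visible in this hunk still returns `"getData"`, while the new hasActualResult emits `getAnInput`, `getOutput`, `getFormat` and their `UNSAFE_`-prefixed forms; if that line is unchanged context rather than replaced elsewhere, InlineExpectationsTest will never consider the new tags relevant and the `$UNSAFE_getAnInput=…` annotations in the Python test file go unchecked. The +/- markers are lost in this rendering, so this is inferred; if a replacement predicate exists outside the hunk, disregard. Otherwise the relevant-tag predicate should enumerate the new tags, e.g. `override string getARelevantTag() { result = ["", "UNSAFE_"] + ["getAnInput", "getOutput", "getFormat"] }`. A short comment on the `unsafe` binding, such as `// tag prefix: "UNSAFE_" when ds.unsafe() holds, empty otherwise`, would also help, since that prefix is the only thing separating the two sets of expectations. The hunk opens inside the preceding SystemCommandExecutionTest class, whose start lies outside the hunk.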


@@ -1,16 +1,16 @@
edges
| unsafe_deserialization.py:11:15:11:26 | ControlFlowNode for Attribute | unsafe_deserialization.py:12:18:12:24 | ControlFlowNode for payload |
| unsafe_deserialization.py:11:15:11:26 | ControlFlowNode for Attribute | unsafe_deserialization.py:13:15:13:21 | ControlFlowNode for payload |
| unsafe_deserialization.py:11:15:11:26 | ControlFlowNode for Attribute | unsafe_deserialization.py:14:19:14:25 | ControlFlowNode for payload |
| unsafe_deserialization.py:11:15:11:26 | ControlFlowNode for Attribute | unsafe_deserialization.py:16:16:16:22 | ControlFlowNode for payload |
| unsafe_deserialization.py:14:15:14:26 | ControlFlowNode for Attribute | unsafe_deserialization.py:15:18:15:24 | ControlFlowNode for payload |
| unsafe_deserialization.py:14:15:14:26 | ControlFlowNode for Attribute | unsafe_deserialization.py:16:15:16:21 | ControlFlowNode for payload |
| unsafe_deserialization.py:14:15:14:26 | ControlFlowNode for Attribute | unsafe_deserialization.py:18:19:18:25 | ControlFlowNode for payload |
| unsafe_deserialization.py:14:15:14:26 | ControlFlowNode for Attribute | unsafe_deserialization.py:21:16:21:22 | ControlFlowNode for payload |
nodes
| unsafe_deserialization.py:11:15:11:26 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| unsafe_deserialization.py:12:18:12:24 | ControlFlowNode for payload | semmle.label | ControlFlowNode for payload |
| unsafe_deserialization.py:13:15:13:21 | ControlFlowNode for payload | semmle.label | ControlFlowNode for payload |
| unsafe_deserialization.py:14:19:14:25 | ControlFlowNode for payload | semmle.label | ControlFlowNode for payload |
| unsafe_deserialization.py:16:16:16:22 | ControlFlowNode for payload | semmle.label | ControlFlowNode for payload |
| unsafe_deserialization.py:14:15:14:26 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| unsafe_deserialization.py:15:18:15:24 | ControlFlowNode for payload | semmle.label | ControlFlowNode for payload |
| unsafe_deserialization.py:16:15:16:21 | ControlFlowNode for payload | semmle.label | ControlFlowNode for payload |
| unsafe_deserialization.py:18:19:18:25 | ControlFlowNode for payload | semmle.label | ControlFlowNode for payload |
| unsafe_deserialization.py:21:16:21:22 | ControlFlowNode for payload | semmle.label | ControlFlowNode for payload |
#select
| unsafe_deserialization.py:12:18:12:24 | ControlFlowNode for payload | unsafe_deserialization.py:11:15:11:26 | ControlFlowNode for Attribute | unsafe_deserialization.py:12:18:12:24 | ControlFlowNode for payload | Deserializing of $@. | unsafe_deserialization.py:11:15:11:26 | ControlFlowNode for Attribute | untrusted input |
| unsafe_deserialization.py:13:15:13:21 | ControlFlowNode for payload | unsafe_deserialization.py:11:15:11:26 | ControlFlowNode for Attribute | unsafe_deserialization.py:13:15:13:21 | ControlFlowNode for payload | Deserializing of $@. | unsafe_deserialization.py:11:15:11:26 | ControlFlowNode for Attribute | untrusted input |
| unsafe_deserialization.py:14:19:14:25 | ControlFlowNode for payload | unsafe_deserialization.py:11:15:11:26 | ControlFlowNode for Attribute | unsafe_deserialization.py:14:19:14:25 | ControlFlowNode for payload | Deserializing of $@. | unsafe_deserialization.py:11:15:11:26 | ControlFlowNode for Attribute | untrusted input |
| unsafe_deserialization.py:16:16:16:22 | ControlFlowNode for payload | unsafe_deserialization.py:11:15:11:26 | ControlFlowNode for Attribute | unsafe_deserialization.py:16:16:16:22 | ControlFlowNode for payload | Deserializing of $@. | unsafe_deserialization.py:11:15:11:26 | ControlFlowNode for Attribute | untrusted input |
| unsafe_deserialization.py:15:18:15:24 | ControlFlowNode for payload | unsafe_deserialization.py:14:15:14:26 | ControlFlowNode for Attribute | unsafe_deserialization.py:15:18:15:24 | ControlFlowNode for payload | Deserializing of $@. | unsafe_deserialization.py:14:15:14:26 | ControlFlowNode for Attribute | untrusted input |
| unsafe_deserialization.py:16:15:16:21 | ControlFlowNode for payload | unsafe_deserialization.py:14:15:14:26 | ControlFlowNode for Attribute | unsafe_deserialization.py:16:15:16:21 | ControlFlowNode for payload | Deserializing of $@. | unsafe_deserialization.py:14:15:14:26 | ControlFlowNode for Attribute | untrusted input |
| unsafe_deserialization.py:18:19:18:25 | ControlFlowNode for payload | unsafe_deserialization.py:14:15:14:26 | ControlFlowNode for Attribute | unsafe_deserialization.py:18:19:18:25 | ControlFlowNode for payload | Deserializing of $@. | unsafe_deserialization.py:14:15:14:26 | ControlFlowNode for Attribute | untrusted input |
| unsafe_deserialization.py:21:16:21:22 | ControlFlowNode for payload | unsafe_deserialization.py:14:15:14:26 | ControlFlowNode for Attribute | unsafe_deserialization.py:21:16:21:22 | ControlFlowNode for payload | Deserializing of $@. | unsafe_deserialization.py:14:15:14:26 | ControlFlowNode for Attribute | untrusted input |


@@ -1 +0,0 @@
semmle-extractor-options: --max-import-depth=2 -p ../lib


@@ -3,14 +3,19 @@ import pickle
import yaml
import marshal
from yaml import SafeLoader
from flask import Flask, request
app = Flask(__name__)
@app.route("/")
def hello():
payload = request.args.get('payload')
pickle.loads(payload) # $getData=payload
yaml.load(payload) # $getData=payload
marshal.loads(payload) # $getData=payload
payload = request.args.get("payload")
pickle.loads(payload) # $UNSAFE_getAnInput=payload $UNSAFE_getOutput=Attribute()
yaml.load(payload) # $UNSAFE_getAnInput=payload $UNSAFE_getOutput=Attribute()
yaml.load(payload, Loader=SafeLoader) # $getAnInput=payload $getOutput=Attribute()
marshal.loads(payload) # $UNSAFE_getAnInput=payload $UNSAFE_getOutput=Attribute()
import dill
dill.loads(payload) # $getData=payload
dill.loads(payload) # $UNSAFE_getAnInput=payload $UNSAFE_getOutput=Attribute()
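Review bot: The only safe-loader case in the new test is `yaml.load(payload, Loader=SafeLoader)` with the loader name imported directly, so the non-`UNSAFE_` branch of the model is exercised for just that one spelling. `yaml.safe_load(payload)` and the positional form `yaml.load(payload, SafeLoader)` are the other common spellings and each deserves a line annotated `# $getAnInput=payload $getOutput=Attribute()`; whether the model already classifies them as safe cannot be seen from this hunk, and if it does not, the added expectations will surface that gap. The `$getOutput=Attribute()` values presumably come from the call node's printed form, so a one-line comment above the block, such as `# getOutput expectations name the call node, printed as Attribute()`, would make the annotations easier to read for the next maintainer.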