Python: Fix untrusted data to external API example

The hmac.digest function was only added in Python 3.7, so it obviously does not work
on Python 2.
This commit is contained in:
Rasmus Wriedt Larsen
2020-11-30 10:42:30 +01:00
parent cbfcfdf883
commit 4ab3fff973
3 changed files with 7 additions and 5 deletions


@@ -1 +1 @@
| hmac.digest [param 1] | 1 | 1 |
| hmac.new [param 1] | 1 | 1 |


@@ -1,7 +1,7 @@
edges
| test.py:13:16:13:27 | ControlFlowNode for Attribute | test.py:15:38:15:41 | ControlFlowNode for data |
| test.py:13:16:13:27 | ControlFlowNode for Attribute | test.py:15:36:15:39 | ControlFlowNode for data |
nodes
| test.py:13:16:13:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| test.py:15:38:15:41 | ControlFlowNode for data | semmle.label | ControlFlowNode for data |
| test.py:15:36:15:39 | ControlFlowNode for data | semmle.label | ControlFlowNode for data |
#select
| test.py:15:38:15:41 | ControlFlowNode for data | test.py:13:16:13:27 | ControlFlowNode for Attribute | test.py:15:38:15:41 | ControlFlowNode for data | Call to hmac.digest [param 1] with untrusted data from $@. | test.py:13:16:13:27 | ControlFlowNode for Attribute | ControlFlowNode for Attribute |
| test.py:15:36:15:39 | ControlFlowNode for data | test.py:13:16:13:27 | ControlFlowNode for Attribute | test.py:15:36:15:39 | ControlFlowNode for data | Call to hmac.new [param 1] with untrusted data from $@. | test.py:13:16:13:27 | ControlFlowNode for Attribute | ControlFlowNode for Attribute |


@@ -12,7 +12,8 @@ SECRET_KEY = b"SECRET_KEY"
def hmac_example():
data_raw = request.args.get("data").encode('utf-8')
data = base64.decodebytes(data_raw)
digest = hmac.digest(SECRET_KEY, data, hashlib.sha256)
my_hmac = hmac.new(SECRET_KEY, data, hashlib.sha256)
digest = my_hmac.digest()
print(digest)
return "ok"
@@ -32,4 +33,5 @@ def unknown_lib_2():
if __name__ == "__main__":
# http://127.0.0.1:5000/hmac-example?data=aGVsbG8gd29ybGQh
app.run(debug=True)
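Review bot: The example still will not run on Python 2 after this hunk, because `base64.decodebytes` on the line just above the new `hmac.new` call was itself only added in Python 3.1 (Python 2 has `decodestring` and `b64decode`), so the stated goal of the commit is not fully met. Changing that line to `data = base64.b64decode(data_raw)` works on both major versions and returns bytes either way. That edit touches only line 14 of test.py, so the `test.py:13:...` source and `test.py:15:36:15:39` sink locations recorded in the two `.expected` files remain valid. The surrounding module (the `request` import and `SECRET_KEY` definition) is outside the hunk, and the blank lines implied by the hunk counts are not shown on this page.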