[mrthankyou] smtplib partial modeling.
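--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,90 @@
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import experimental.semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+module SmtpLib {
+private API::Node smtpLib() { result = API::moduleImport("smtplib") }
+
+private API::Node smtpConnectionInstance() { result = smtpLib().getMember("SMTP_SSL") }
+
+API::Node smtpMimeMultipartInstance() {
+result = API::moduleImport("email.mime.multipart").getMember("MIMEMultipart")
+}
+
+API::Node smtpMimeTextInstance() {
+result = API::moduleImport("email.mime.text").getMember("MIMEText")
+}
+
+DataFlow::Node smtpMimeTextHTMLInstance() {
+// select SmtpLib::smtpMimeTextInstance().getAUse().getALocalSource().getACall()
+exists(API::Node mimeTextInstance, DataFlow::CallCfgNode callNode |
+mimeTextInstance = smtpMimeTextInstance().getReturn() and
+callNode = mimeTextInstance.getACall() and
+callNode.getArg(1).asExpr().(Unicode).getText() = "html" and
+result = callNode
+)
+}
+
+class SmtpLibSendMail extends DataFlow::CallCfgNode, EmailSender {
+SmtpLibSendMail() { this = smtpConnectionInstance().getMember("sendmail").getACall() }
+
+override DataFlow::Node getPlainTextBody() {
+result in [this.getArg(1), this.getArgByName("message")]
+}
+
+override DataFlow::Node getHtmlBody() {
+result in [this.getArg(8), this.getArgByName("html_message")]
+}
+
+override DataFlow::Node getTo() {
+result in [this.getArg(3), this.getArgByName("recipient_list")]
+}
+
+override DataFlow::Node getFrom() {
+result in [this.getArg(2), this.getArgByName("from_email")]
+}
+
+override DataFlow::Node getSubject() {
+result in [this.getArg(0), this.getArgByName("subject")]
+}
+}
+}
+
+// MIMEMultipart has two ways it can add tainted data:
+// MIMEMultipart(_subparts=(part1, part2))
+// or
+// message = MIMEMultipart("alternative")
+// message.attach(part1)
+//
+//
+// select SmtpLib::smtpMimeTextHTMLInstance()
+// select API::moduleImport("email.mime.multipart")
+// .getMember("MIMEMultipart")
+// .getACall()
+// .getArgByName("_subparts")
+//
+// from DataFlow::Node arg1
+// where
+// arg1 =
+// API::moduleImport("email.mime.multipart")
+// .getMember("MIMEMultipart")
+// .getReturn()
+// .getMember("attach")
+// .getACall()
+// .getArg(0)
+//
+// select SmtpLib::smtpMimeTextHTMLInstance() //.getReturn()
+//
+//.getArg(1) //.getAUse()
+//
+// Work on the smtpMimeTextHTMLInstance function
+from DataFlow::CallCfgNode result1
+where
+exists(API::Node mimeTextInstance, DataFlow::CallCfgNode callNode |
+mimeTextInstance = SmtpLib::smtpMimeTextInstance().getReturn() and
+callNode = mimeTextInstance.getACall() and
+callNode.getArg(1).asExpr().(Unicode).getText() = "html" and
+result1 = callNode
+)
+select result1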
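Review bot: The argument positions and keyword names in the SmtpLibSendMail overrides (getArg(1)/"message", getArg(8)/"html_message", getArg(3)/"recipient_list", getArg(2)/"from_email", getArg(0)/"subject") do not match smtplib's `SMTP.sendmail(from_addr, to_addrs, msg, mail_options=(), rcpt_options=())`, so none of them will select the real sender, recipients or body of an smtplib call; they look carried over from Django's `send_mail` signature. The characteristic predicate also uses `smtpConnectionInstance().getMember("sendmail")`, an attribute of the `SMTP_SSL` class node, whereas the MIMEText modeling above reaches instances through `getReturn()` — `server = smtplib.SMTP_SSL(...); server.sendmail(...)` is presumably the shape that should match, so `.getReturn()` appears to be missing. Because `sendmail` takes one pre-built message, the subject and HTML body are not separate arguments; the rewrite below leaves those two overrides empty until the MIME helpers are wired in. Only `SMTP_SSL` is modeled and plain `smtplib.SMTP` is not, which may be intentional given the "partial" in the title. The trailing `from … where … select` and the commented-out scratch queries after the module read as debugging leftovers and would normally be dropped before merge.

```ql
class SmtpLibSendMail extends DataFlow::CallCfgNode, EmailSender {
  SmtpLibSendMail() {
    // sendmail is a method on an SMTP_SSL instance, so go through getReturn()
    this = smtpConnectionInstance().getReturn().getMember("sendmail").getACall()
  }

  // sendmail(from_addr, to_addrs, msg, ...): the body is the single pre-built `msg`
  override DataFlow::Node getPlainTextBody() { result in [this.getArg(2), this.getArgByName("msg")] }

  // Subject and HTML part live inside `msg`; mapping them to the MIME helpers is still TODO
  override DataFlow::Node getHtmlBody() { none() }

  override DataFlow::Node getTo() { result in [this.getArg(1), this.getArgByName("to_addrs")] }

  override DataFlow::Node getFrom() { result in [this.getArg(0), this.getArgByName("from_addr")] }

  override DataFlow::Node getSubject() { none() }
}
```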