hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 03:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Python: Fix CWE tag for py/use-of-input

Browse Source 
So it better matches what is in `py/code-injection`. I had my doubts
about CWE-95, but after reading
https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection
I think it's fine to add CWE-95 as well 👍

Definitions are:

CWE-78: Improper Neutralization of Special Elements used in an OS
Command ('OS Command Injection')

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated
Code ('Eval Injection')
This commit is contained in:
Rasmus Wriedt Larsen
2021-06-14 14:01:19 +02:00
parent 02c017afec
commit 4eed94a262
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
python/ql/src/Expressions/UseofInput.ql
View File

@@ -4,7 +4,8 @@
* @kind problem
* @tags security
* correctness
* security/cwe/cwe-78
* security/cwe/cwe-94
* security/cwe/cwe-95
* @problem.severity error
* @security-severity 5.9
* @sub-severity high