hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 01:33:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

tarball path provided using CLI argument (source)

Browse Source
This commit is contained in:
ALJI Mohamed
2022-12-09 15:54:43 +01:00
parent 9336f4f1a2
commit 545aab0e07
1 changed files with 13 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpack.ql
View File

@@ -1,8 +1,9 @@
/**
* @name Arbitrary file write during a remotely downloaded tarball extraction
* @description Extracting files from a malicious tarball using `shutil.unpack_archive()` without validating
* @name Arbitrary file write during a tarball extraction from user controlled source
* @description Extracting files from a potentially malicious tarball using `shutil.unpack_archive()` without validating
* that the destination file path is within the destination directory can cause files outside
* the destination directory to be overwritten. More precisely, if the tarball comes from a remote location.
* the destination directory to be overwritten. More precisely, if the tarball comes from a user controlled
* location either a remote one or cli argument.
* @kind path-problem
* @id py/unsafe-unpacking
* @problem.severity error
@@ -26,6 +27,14 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
override predicate isSource(DataFlow::Node source) {
// A source coming from a remote location
exists(Http::Client::Request request | source = request)
or
// A source coming from a CLI argparse module
exists(Node o, API::Node ap, MethodCallNode args |
ap = API::moduleImport("argparse").getMember("ArgumentParser").getACall().getReturn() and
args = ap.getMember("parse_args").getACall() and
args.flowsTo(o) and
source.(AttrRead).accesses(o, any(string s))
)
}
override predicate isSink(DataFlow::Node sink) {
@@ -54,7 +63,7 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
// Accessing the name
exists(AttrRead ar | ar.accesses(nodeFrom, "name") and nodeTo = ar)
or
// Considering closing use
// Considering the use of closing()
exists(API::Node closing |
closing = API::moduleImport("contextlib").getMember("closing") and
closing.getACall().flowsTo(nodeTo) and