Python: Add meta-query for "interesting" taint sinks

python/ql/src/meta/alerts/InterestingTaintSinks.ql

@@ -0,0 +1,87 @@
+/**
+ * @name Interesting taint sinks
+ * @description Interesting sinks from TaintTracking queries.
+ * @kind problem
+ * @problem.severity recommendation
+ * @id py/meta/alerts/interesting-taint-sinks
+ * @tags meta
+ * @precision very-low
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import meta.MetaMetrics
+import semmle.python.security.dataflow.CleartextLoggingCustomizations
+import semmle.python.security.dataflow.CleartextStorageCustomizations
+import semmle.python.security.dataflow.CodeInjectionCustomizations
+import semmle.python.security.dataflow.CommandInjectionCustomizations
+import semmle.python.security.dataflow.LdapInjectionCustomizations
+import semmle.python.security.dataflow.LogInjectionCustomizations
+import semmle.python.security.dataflow.PathInjectionCustomizations
+import semmle.python.security.dataflow.PolynomialReDoSCustomizations
+import semmle.python.security.dataflow.ReflectedXSSCustomizations
+import semmle.python.security.dataflow.RegexInjectionCustomizations
+import semmle.python.security.dataflow.ServerSideRequestForgeryCustomizations
+import semmle.python.security.dataflow.SqlInjectionCustomizations
+import semmle.python.security.dataflow.StackTraceExposureCustomizations
+import semmle.python.security.dataflow.TarSlipCustomizations
+import semmle.python.security.dataflow.UnsafeDeserializationCustomizations
+import semmle.python.security.dataflow.UrlRedirectCustomizations
+import semmle.python.security.dataflow.WeakSensitiveDataHashingCustomizations
+import semmle.python.security.dataflow.XmlBombCustomizations
+import semmle.python.security.dataflow.XpathInjectionCustomizations
+import semmle.python.security.dataflow.XxeCustomizations
+
+/**
+ * Gets a node corresponding to a taint sink of the specified `kind`. Excludes sinks that are too
+ * noisy (at the time of writing this was the various logging-related taint sinks).
+ */
+DataFlow::Node relevantTaintSink(string kind) {
+  not result.getLocation().getFile() instanceof IgnoredFile and
+  (
+    kind = "CleartextStorage" and result instanceof CleartextStorage::Sink
+    or
+    kind = "CodeInjection" and result instanceof CodeInjection::Sink
+    or
+    kind = "CommandInjection" and result instanceof CommandInjection::Sink
+    or
+    kind = "LdapInjection (DN)" and result instanceof LdapInjection::DnSink
+    or
+    kind = "LdapInjection (Filter)" and result instanceof LdapInjection::FilterSink
+    or
+    kind = "PathInjection" and result instanceof PathInjection::Sink
+    or
+    kind = "PolynomialReDoS" and result instanceof PolynomialReDoS::Sink
+    or
+    kind = "ReflectedXss" and result instanceof ReflectedXss::Sink
+    or
+    kind = "RegexInjection" and result instanceof RegexInjection::Sink
+    or
+    kind = "ServerSideRequestForgery" and result instanceof ServerSideRequestForgery::Sink
+    or
+    kind = "SqlInjection" and result instanceof SqlInjection::Sink
+    or
+    kind = "StackTraceExposure" and result instanceof StackTraceExposure::Sink
+    or
+    kind = "TarSlip" and result instanceof TarSlip::Sink
+    or
+    kind = "UnsafeDeserialization" and result instanceof UnsafeDeserialization::Sink
+    or
+    kind = "UrlRedirect" and result instanceof UrlRedirect::Sink
+    or
+    kind = "WeakSensitiveDataHashing (NormalHashFunction)" and
+    result instanceof NormalHashFunction::Sink
+    or
+    kind = "WeakSensitiveDataHashing (ComputationallyExpensiveHashFunction)" and
+    result instanceof ComputationallyExpensiveHashFunction::Sink
+    or
+    kind = "XmlBomb" and result instanceof XmlBomb::Sink
+    or
+    kind = "XpathInjection" and result instanceof XpathInjection::Sink
+    or
+    kind = "Xxe" and result instanceof Xxe::Sink
+  )
+}
+
+from string kind
+select relevantTaintSink(kind), kind + " sink"