hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 18:25:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' of github.com:github/codeql into python-support-pathlib

Browse Source
This commit is contained in:
Rasmus Lerchedahl Petersen
2021-04-22 15:04:21 +02:00
parent b724e51cab 2b8afe55e8
commit 5a4e661e60
237 changed files with 5083 additions and 3039 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql
View File

@@ -32,21 +32,7 @@ private DataFlow::LocalSourceNode vulnerableHostnameRef(DataFlow::TypeTracker t,
result.asExpr() = allInterfacesStrConst
)
or
// Due to bad performance when using normal setup with `vulnerableHostnameRef(t2, hostname).track(t2, t)`
// we have inlined that code and forced a join
exists(DataFlow::TypeTracker t2 |
exists(DataFlow::StepSummary summary |
vulnerableHostnameRef_first_join(t2, hostname, result, summary) and
t = t2.append(summary)
)
)
}
pragma[nomagic]
private predicate vulnerableHostnameRef_first_join(
DataFlow::TypeTracker t2, string hostname, DataFlow::Node res, DataFlow::StepSummary summary
) {
DataFlow::StepSummary::step(vulnerableHostnameRef(t2, hostname), res, summary)
exists(DataFlow::TypeTracker t2 | result = vulnerableHostnameRef(t2, hostname).track(t2, t))
}
/** Gets a reference to a hostname that can be used to bind to all interfaces. */
@@ -59,21 +45,7 @@ private DataFlow::LocalSourceNode vulnerableAddressTuple(DataFlow::TypeTracker t
t.start() and
result.asExpr() = any(Tuple tup | tup.getElt(0) = vulnerableHostnameRef(hostname).asExpr())
or
// Due to bad performance when using normal setup with `vulnerableAddressTuple(t2, hostname).track(t2, t)`
// we have inlined that code and forced a join
exists(DataFlow::TypeTracker t2 |
exists(DataFlow::StepSummary summary |
vulnerableAddressTuple_first_join(t2, hostname, result, summary) and
t = t2.append(summary)
)
)
}
pragma[nomagic]
private predicate vulnerableAddressTuple_first_join(
DataFlow::TypeTracker t2, string hostname, DataFlow::Node res, DataFlow::StepSummary summary
) {
DataFlow::StepSummary::step(vulnerableAddressTuple(t2, hostname), res, summary)
exists(DataFlow::TypeTracker t2 | result = vulnerableAddressTuple(t2, hostname).track(t2, t))
}
/** Gets a reference to a tuple for which the first element is a hostname that can be used to bind to all interfaces. */

26
python/ql/src/semmle/python/ApiGraphs.qll
View File

@@ -422,9 +422,9 @@ module API {
}
/**
* Gets a data-flow node to which `nd`, which is a use of an API-graph node, flows.
* Gets a data-flow node to which `src`, which is a use of an API-graph node, flows.
*
* The flow from `nd` to that node may be inter-procedural.
* The flow from `src` to that node may be inter-procedural.
*/
private DataFlow::LocalSourceNode trackUseNode(
DataFlow::LocalSourceNode src, DataFlow::TypeTracker t
@@ -433,23 +433,19 @@ module API {
use(_, src) and
result = src
or
// Due to bad performance when using `trackUseNode(t2, attr_name).track(t2, t)`
// we have inlined that code and forced a join
exists(DataFlow::StepSummary summary |
t = trackUseNode_first_join(src, result, summary).append(summary)
)
}
pragma[nomagic]
private DataFlow::TypeTracker trackUseNode_first_join(
DataFlow::LocalSourceNode src, DataFlow::LocalSourceNode res, DataFlow::StepSummary summary
) {
DataFlow::StepSummary::step(trackUseNode(src, result), res, summary)
exists(DataFlow::TypeTracker t2 | result = trackUseNode(src, t2).track(t2, t))
}
/**
* Gets a data-flow node to which `src`, which is a use of an API-graph node, flows.
*
* The flow from `src` to that node may be inter-procedural.
*/
cached
DataFlow::LocalSourceNode trackUseNode(DataFlow::LocalSourceNode src) {
result = trackUseNode(src, DataFlow::TypeTracker::end())
result = trackUseNode(src, DataFlow::TypeTracker::end()) and
// We exclude module variable nodes, as these do not correspond to real uses.
not result instanceof DataFlow::ModuleVariableNode
}
/**

16
python/ql/src/semmle/python/Concepts.qll
View File

@@ -570,21 +570,7 @@ module Cryptography {
arg = any(KeyGeneration::Range r).getKeySizeArg() and
result = arg.getALocalSource()
or
// Due to bad performance when using normal setup with we have inlined that code and forced a join
exists(DataFlow::TypeBackTracker t2 |
exists(DataFlow::StepSummary summary |
keysizeBacktracker_first_join(t2, arg, result, summary) and
t = t2.prepend(summary)
)
)
}
pragma[nomagic]
private predicate keysizeBacktracker_first_join(
DataFlow::TypeBackTracker t2, DataFlow::Node arg, DataFlow::Node res,
DataFlow::StepSummary summary
) {
DataFlow::StepSummary::step(res, keysizeBacktracker(t2, arg), summary)
exists(DataFlow::TypeBackTracker t2 | result = keysizeBacktracker(t2, arg).backtrack(t2, t))
}
/** Gets a back-reference to the keysize argument `arg` that was used to generate a new key-pair. */

26
python/ql/src/semmle/python/dataflow/new/TypeTracker.qll
View File

@@ -51,8 +51,8 @@ module StepSummary {
* heap and/or inter-procedural step from `nodeFrom` to `nodeTo`.
*/
cached
predicate step(LocalSourceNode nodeFrom, Node nodeTo, StepSummary summary) {
exists(Node mid | typePreservingStep*(nodeFrom, mid) and smallstep(mid, nodeTo, summary))
predicate step(LocalSourceNode nodeFrom, LocalSourceNode nodeTo, StepSummary summary) {
exists(Node mid | nodeFrom.flowsTo(mid) and smallstep(mid, nodeTo, summary))
}
/**
@@ -63,7 +63,7 @@ module StepSummary {
* type-preserving steps.
*/
predicate smallstep(Node nodeFrom, Node nodeTo, StepSummary summary) {
typePreservingStep(nodeFrom, nodeTo) and
jumpStep(nodeFrom, nodeTo) and
summary = LevelStep()
or
callStep(nodeFrom, nodeTo) and summary = CallStep()
@@ -80,12 +80,6 @@ module StepSummary {
}
}
/** Holds if it's reasonable to expect the data flow step from `nodeFrom` to `nodeTo` to preserve types. */
private predicate typePreservingStep(Node nodeFrom, Node nodeTo) {
simpleLocalFlowStep(nodeFrom, nodeTo) or
jumpStep(nodeFrom, nodeTo)
}
/**
* Gets a callable for the call where `nodeFrom` is used as the `i`'th argument.
*
@@ -274,10 +268,10 @@ class TypeTracker extends TTypeTracker {
* heap and/or inter-procedural step from `nodeFrom` to `nodeTo`.
*/
pragma[inline]
TypeTracker step(LocalSourceNode nodeFrom, Node nodeTo) {
TypeTracker step(LocalSourceNode nodeFrom, LocalSourceNode nodeTo) {
exists(StepSummary summary |
StepSummary::step(nodeFrom, nodeTo, summary) and
result = this.append(summary)
StepSummary::step(nodeFrom, pragma[only_bind_out](nodeTo), pragma[only_bind_into](summary)) and
result = this.append(pragma[only_bind_into](summary))
)
}
@@ -312,7 +306,7 @@ class TypeTracker extends TTypeTracker {
result = this.append(summary)
)
or
typePreservingStep(nodeFrom, nodeTo) and
simpleLocalFlowStep(nodeFrom, nodeTo) and
result = this
}
}
@@ -417,8 +411,8 @@ class TypeBackTracker extends TTypeBackTracker {
pragma[inline]
TypeBackTracker step(LocalSourceNode nodeFrom, LocalSourceNode nodeTo) {
exists(StepSummary summary |
StepSummary::step(nodeFrom, nodeTo, summary) and
this = result.prepend(summary)
StepSummary::step(pragma[only_bind_out](nodeFrom), nodeTo, pragma[only_bind_into](summary)) and
this = result.prepend(pragma[only_bind_into](summary))
)
}
@@ -453,7 +447,7 @@ class TypeBackTracker extends TTypeBackTracker {
this = result.prepend(summary)
)
or
typePreservingStep(nodeFrom, nodeTo) and
simpleLocalFlowStep(nodeFrom, nodeTo) and
this = result
}
}

16
python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
View File

@@ -119,22 +119,6 @@ class Node extends TNode {
/** Gets the expression corresponding to this node, if any. */
Expr asExpr() { none() }
/**
* Gets a node that this node may flow to using one heap and/or interprocedural step.
*
* See `TypeTracker` for more details about how to use this.
*/
pragma[inline]
Node track(TypeTracker t2, TypeTracker t) { t = t2.step(this, result) }
/**
* Gets a node that may flow into this one using one heap and/or interprocedural step.
*
* See `TypeBackTracker` for more details about how to use this.
*/
pragma[inline]
LocalSourceNode backtrack(TypeBackTracker t2, TypeBackTracker t) { t2 = t.step(result, this) }
/**
* Gets a local source node from which data may flow to this node in zero or more local data-flow steps.
*/

48
python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll
View File

@@ -10,23 +10,37 @@ import python
import DataFlowPublic
private import DataFlowPrivate
private predicate comes_from_cfgnode(Node node) {
exists(CfgNode first, Node second |
simpleLocalFlowStep(first, second) and
simpleLocalFlowStep*(second, node)
)
}
/**
* A data flow node that is a source of local flow. This includes things like
* - Expressions
* - Function parameters
*
*
* Local source nodes and the `flowsTo` relation should be thought of in terms of the reference
* semantics of the underlying object. For instance, in the following snippet of code
*
* ```python
* x = []
* x.append(1)
* x.append(2)
* ```
*
* the local source node corresponding to the occurrences of `x` is the empty list that is assigned to `x`
* originally. Even though the two `append` calls modify the value of `x`, they do not change the fact that
* `x` still points to the same object. If, however, we next do `x = x + [3]`, then the expression `x + [3]`
* will be the new local source of what `x` now points to.
*/
class LocalSourceNode extends Node {
cached
LocalSourceNode() {
not comes_from_cfgnode(this) and
not this instanceof ModuleVariableNode
not simpleLocalFlowStep(_, this) and
// Currently, we create synthetic post-update nodes for
// - arguments to calls that may modify said argument
// - direct reads a writes of object attributes
// Both of these preserve the identity of the underlying pointer, and hence we exclude these as
// local source nodes.
// We do, however, allow the post-update nodes that arise from object creation (which are non-synthetic).
not this instanceof SyntheticPostUpdateNode
or
this = any(ModuleVariableNode mvn).getARead()
}
@@ -63,6 +77,22 @@ class LocalSourceNode extends Node {
* Gets a call to this node.
*/
CallCfgNode getACall() { Cached::call(this, result) }
/**
* Gets a node that this node may flow to using one heap and/or interprocedural step.
*
* See `TypeTracker` for more details about how to use this.
*/
pragma[inline]
LocalSourceNode track(TypeTracker t2, TypeTracker t) { t = t2.step(this, result) }
/**
* Gets a node that may flow into this one using one heap and/or interprocedural step.
*
* See `TypeBackTracker` for more details about how to use this.
*/
pragma[inline]
LocalSourceNode backtrack(TypeBackTracker t2, TypeBackTracker t) { t2 = t.step(result, this) }
}
cached

14
python/ql/src/semmle/python/frameworks/Cryptography.qll
View File

@@ -83,23 +83,11 @@ private module CryptographyModel {
result.(DataFlow::CallCfgNode).getFunction() = curveClassWithKeySize(keySize) and
origin = result
or
// Due to bad performance when using normal setup with we have inlined that code and forced a join
exists(DataFlow::TypeTracker t2 |
exists(DataFlow::StepSummary summary |
curveClassInstanceWithKeySize_first_join(t2, keySize, origin, result, summary) and
t = t2.append(summary)
)
result = curveClassInstanceWithKeySize(t2, keySize, origin).track(t2, t)
)
}
pragma[nomagic]
private predicate curveClassInstanceWithKeySize_first_join(
DataFlow::TypeTracker t2, int keySize, DataFlow::Node origin, DataFlow::Node res,
DataFlow::StepSummary summary
) {
DataFlow::StepSummary::step(curveClassInstanceWithKeySize(t2, keySize, origin), res, summary)
}
/** Gets a reference to a predefined curve class instance with a specific key size (in bits), as well as the origin of the class. */
DataFlow::Node curveClassInstanceWithKeySize(int keySize, DataFlow::Node origin) {
curveClassInstanceWithKeySize(DataFlow::TypeTracker::end(), keySize, origin).flowsTo(result)

797
python/ql/src/semmle/python/frameworks/Django.qll
View File

File diff suppressed because it is too large Load Diff

386
python/ql/src/semmle/python/frameworks/Fabric.qll
View File

@@ -11,6 +11,7 @@ private import python
private import semmle.python.dataflow.new.DataFlow
private import semmle.python.dataflow.new.RemoteFlowSources
private import semmle.python.Concepts
private import semmle.python.ApiGraphs
/**
* Provides classes modeling security-relevant aspects of the `fabric` PyPI package, for
@@ -20,54 +21,7 @@ private import semmle.python.Concepts
*/
private module FabricV1 {
/** Gets a reference to the `fabric` module. */
private DataFlow::Node fabric(DataFlow::TypeTracker t) {
t.start() and
result = DataFlow::importNode("fabric")
or
exists(DataFlow::TypeTracker t2 | result = fabric(t2).track(t2, t))
}
/** Gets a reference to the `fabric` module. */
DataFlow::Node fabric() { result = fabric(DataFlow::TypeTracker::end()) }
/**
* Gets a reference to the attribute `attr_name` of the `fabric` module.
* WARNING: Only holds for a few predefined attributes.
*/
private DataFlow::Node fabric_attr(DataFlow::TypeTracker t, string attr_name) {
attr_name in ["api"] and
(
t.start() and
result = DataFlow::importNode("fabric" + "." + attr_name)
or
t.startInAttr(attr_name) and
result = fabric()
)
or
// Due to bad performance when using normal setup with `fabric_attr(t2, attr_name).track(t2, t)`
// we have inlined that code and forced a join
exists(DataFlow::TypeTracker t2 |
exists(DataFlow::StepSummary summary |
fabric_attr_first_join(t2, attr_name, result, summary) and
t = t2.append(summary)
)
)
}
pragma[nomagic]
private predicate fabric_attr_first_join(
DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
) {
DataFlow::StepSummary::step(fabric_attr(t2, attr_name), res, summary)
}
/**
* Gets a reference to the attribute `attr_name` of the `fabric` module.
* WARNING: Only holds for a few predefined attributes.
*/
private DataFlow::Node fabric_attr(string attr_name) {
result = fabric_attr(DataFlow::TypeTracker::end(), attr_name)
}
API::Node fabric() { result = API::moduleImport("fabric") }
/** Provides models for the `fabric` module. */
module fabric {
@@ -75,50 +29,10 @@ private module FabricV1 {
// fabric.api
// -------------------------------------------------------------------------
/** Gets a reference to the `fabric.api` module. */
DataFlow::Node api() { result = fabric_attr("api") }
API::Node api() { result = fabric().getMember("api") }
/** Provides models for the `fabric.api` module */
module api {
/**
* Gets a reference to the attribute `attr_name` of the `fabric.api` module.
* WARNING: Only holds for a few predefined attributes.
*/
private DataFlow::Node api_attr(DataFlow::TypeTracker t, string attr_name) {
attr_name in ["run", "local", "sudo"] and
(
t.start() and
result = DataFlow::importNode("fabric.api" + "." + attr_name)
or
t.startInAttr(attr_name) and
result = api()
)
or
// Due to bad performance when using normal setup with `api_attr(t2, attr_name).track(t2, t)`
// we have inlined that code and forced a join
exists(DataFlow::TypeTracker t2 |
exists(DataFlow::StepSummary summary |
api_attr_first_join(t2, attr_name, result, summary) and
t = t2.append(summary)
)
)
}
pragma[nomagic]
private predicate api_attr_first_join(
DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
DataFlow::StepSummary summary
) {
DataFlow::StepSummary::step(api_attr(t2, attr_name), res, summary)
}
/**
* Gets a reference to the attribute `attr_name` of the `fabric.api` module.
* WARNING: Only holds for a few predefined attributes.
*/
private DataFlow::Node api_attr(string attr_name) {
result = api_attr(DataFlow::TypeTracker::end(), attr_name)
}
/**
* A call to either
* - `fabric.api.local`
@@ -130,12 +44,8 @@ private module FabricV1 {
* - https://docs.fabfile.org/en/1.14/api/core/operations.html#fabric.operations.sudo
*/
private class FabricApiLocalRunSudoCall extends SystemCommandExecution::Range,
DataFlow::CfgNode {
override CallNode node;
FabricApiLocalRunSudoCall() {
node.getFunction() = api_attr(["local", "run", "sudo"]).asCfgNode()
}
DataFlow::CallCfgNode {
FabricApiLocalRunSudoCall() { this = api().getMember(["local", "run", "sudo"]).getACall() }
override DataFlow::Node getCommand() {
result.asCfgNode() = [node.getArg(0), node.getArgByName("command")]
@@ -153,61 +63,7 @@ private module FabricV1 {
*/
private module FabricV2 {
/** Gets a reference to the `fabric` module. */
private DataFlow::Node fabric(DataFlow::TypeTracker t) {
t.start() and
result = DataFlow::importNode("fabric")
or
exists(DataFlow::TypeTracker t2 | result = fabric(t2).track(t2, t))
}
/** Gets a reference to the `fabric` module. */
DataFlow::Node fabric() { result = fabric(DataFlow::TypeTracker::end()) }
/**
* Gets a reference to the attribute `attr_name` of the `fabric` module.
* WARNING: Only holds for a few predefined attributes.
*/
private DataFlow::Node fabric_attr(DataFlow::TypeTracker t, string attr_name) {
attr_name in [
// connection.py
"connection", "Connection",
// group.py
"group", "SerialGroup", "ThreadingGroup",
// tasks.py
"tasks", "task"
] and
(
t.start() and
result = DataFlow::importNode("fabric" + "." + attr_name)
or
t.startInAttr(attr_name) and
result = fabric()
)
or
// Due to bad performance when using normal setup with `fabric_attr(t2, attr_name).track(t2, t)`
// we have inlined that code and forced a join
exists(DataFlow::TypeTracker t2 |
exists(DataFlow::StepSummary summary |
fabric_attr_first_join(t2, attr_name, result, summary) and
t = t2.append(summary)
)
)
}
pragma[nomagic]
private predicate fabric_attr_first_join(
DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
) {
DataFlow::StepSummary::step(fabric_attr(t2, attr_name), res, summary)
}
/**
* Gets a reference to the attribute `attr_name` of the `fabric` module.
* WARNING: Only holds for a few predefined attributes.
*/
private DataFlow::Node fabric_attr(string attr_name) {
result = fabric_attr(DataFlow::TypeTracker::end(), attr_name)
}
API::Node fabric() { result = API::moduleImport("fabric") }
/** Provides models for the `fabric` module. */
module fabric {
@@ -215,50 +71,10 @@ private module FabricV2 {
// fabric.connection
// -------------------------------------------------------------------------
/** Gets a reference to the `fabric.connection` module. */
DataFlow::Node connection() { result = fabric_attr("connection") }
API::Node connection() { result = fabric().getMember("connection") }
/** Provides models for the `fabric.connection` module */
module connection {
/**
* Gets a reference to the attribute `attr_name` of the `fabric.connection` module.
* WARNING: Only holds for a few predefined attributes.
*/
private DataFlow::Node connection_attr(DataFlow::TypeTracker t, string attr_name) {
attr_name in ["Connection"] and
(
t.start() and
result = DataFlow::importNode("fabric.connection" + "." + attr_name)
or
t.startInAttr(attr_name) and
result = connection()
)
or
// Due to bad performance when using normal setup with `connection_attr(t2, attr_name).track(t2, t)`
// we have inlined that code and forced a join
exists(DataFlow::TypeTracker t2 |
exists(DataFlow::StepSummary summary |
connection_attr_first_join(t2, attr_name, result, summary) and
t = t2.append(summary)
)
)
}
pragma[nomagic]
private predicate connection_attr_first_join(
DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
DataFlow::StepSummary summary
) {
DataFlow::StepSummary::step(connection_attr(t2, attr_name), res, summary)
}
/**
* Gets a reference to the attribute `attr_name` of the `fabric.connection` module.
* WARNING: Only holds for a few predefined attributes.
*/
private DataFlow::Node connection_attr(string attr_name) {
result = connection_attr(DataFlow::TypeTracker::end(), attr_name)
}
/**
* Provides models for the `fabric.connection.Connection` class
*
@@ -266,20 +82,12 @@ private module FabricV2 {
*/
module Connection {
/** Gets a reference to the `fabric.connection.Connection` class. */
private DataFlow::Node classRef(DataFlow::TypeTracker t) {
t.start() and
result = connection_attr("Connection")
API::Node classRef() {
result = fabric().getMember("Connection")
or
// handle `fabric.Connection` alias
t.start() and
result = fabric_attr("Connection")
or
exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
result = connection().getMember("Connection")
}
/** Gets a reference to the `fabric.connection.Connection` class. */
DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
/**
* A source of instances of `fabric.connection.Connection`, extend this class to model new instances.
*
@@ -289,16 +97,14 @@ private module FabricV2 {
*
* Use the predicate `Connection::instance()` to get references to instances of `fabric.connection.Connection`.
*/
abstract class InstanceSource extends DataFlow::Node { }
abstract class InstanceSource extends DataFlow::LocalSourceNode { }
private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
override CallNode node;
ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
ClassInstantiation() { this = classRef().getACall() }
}
/** Gets a reference to an instance of `fabric.connection.Connection`. */
private DataFlow::Node instance(DataFlow::TypeTracker t) {
private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
t.start() and
result instanceof InstanceSource
or
@@ -306,7 +112,7 @@ private module FabricV2 {
}
/** Gets a reference to an instance of `fabric.connection.Connection`. */
DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
/**
* Gets a reference to either `run`, `sudo`, or `local` method on a
@@ -317,7 +123,7 @@ private module FabricV2 {
* - https://docs.fabfile.org/en/2.5/api/connection.html#fabric.connection.Connection.sudo
* - https://docs.fabfile.org/en/2.5/api/connection.html#fabric.connection.Connection.local
*/
private DataFlow::Node instanceRunMethods(DataFlow::TypeTracker t) {
private DataFlow::LocalSourceNode instanceRunMethods(DataFlow::TypeTracker t) {
t.startInAttr(["run", "sudo", "local"]) and
result = instance()
or
@@ -334,7 +140,7 @@ private module FabricV2 {
* - https://docs.fabfile.org/en/2.5/api/connection.html#fabric.connection.Connection.local
*/
DataFlow::Node instanceRunMethods() {
result = instanceRunMethods(DataFlow::TypeTracker::end())
instanceRunMethods(DataFlow::TypeTracker::end()).flowsTo(result)
}
}
}
@@ -347,11 +153,9 @@ private module FabricV2 {
* - https://docs.fabfile.org/en/2.5/api/connection.html#fabric.connection.Connection.local
*/
private class FabricConnectionRunSudoLocalCall extends SystemCommandExecution::Range,
DataFlow::CfgNode {
override CallNode node;
DataFlow::CallCfgNode {
FabricConnectionRunSudoLocalCall() {
node.getFunction() = fabric::connection::Connection::instanceRunMethods().asCfgNode()
this.getFunction() = fabric::connection::Connection::instanceRunMethods()
}
override DataFlow::Node getCommand() {
@@ -363,34 +167,19 @@ private module FabricV2 {
// fabric.tasks
// -------------------------------------------------------------------------
/** Gets a reference to the `fabric.tasks` module. */
DataFlow::Node tasks() { result = fabric_attr("tasks") }
API::Node tasks() { result = fabric().getMember("tasks") }
/** Provides models for the `fabric.tasks` module */
module tasks {
/** Gets a reference to the `fabric.tasks.task` decorator. */
private DataFlow::Node task(DataFlow::TypeTracker t) {
t.start() and
result = DataFlow::importNode("fabric.tasks.task")
or
t.startInAttr("task") and
result = tasks()
or
// Handle `fabric.task` alias
t.startInAttr("task") and
result = fabric()
or
exists(DataFlow::TypeTracker t2 | result = task(t2).track(t2, t))
}
/** Gets a reference to the `fabric.tasks.task` decorator. */
DataFlow::Node task() { result = task(DataFlow::TypeTracker::end()) }
API::Node task() { result in [tasks().getMember("task"), fabric().getMember("task")] }
}
class FabricTaskFirstParamConnectionInstance extends fabric::connection::Connection::InstanceSource,
DataFlow::ParameterNode {
FabricTaskFirstParamConnectionInstance() {
exists(Function func |
func.getADecorator() = fabric::tasks::task().asExpr() and
func.getADecorator() = fabric::tasks::task().getAUse().asExpr() and
this.getParameter() = func.getArg(0)
)
}
@@ -400,50 +189,10 @@ private module FabricV2 {
// fabric.group
// -------------------------------------------------------------------------
/** Gets a reference to the `fabric.group` module. */
DataFlow::Node group() { result = fabric_attr("group") }
API::Node group() { result = fabric().getMember("group") }
/** Provides models for the `fabric.group` module */
module group {
/**
* Gets a reference to the attribute `attr_name` of the `fabric.group` module.
* WARNING: Only holds for a few predefined attributes.
*/
private DataFlow::Node group_attr(DataFlow::TypeTracker t, string attr_name) {
attr_name in ["SerialGroup", "ThreadingGroup"] and
(
t.start() and
result = DataFlow::importNode("fabric.group" + "." + attr_name)
or
t.startInAttr(attr_name) and
result = group()
)
or
// Due to bad performance when using normal setup with `group_attr(t2, attr_name).track(t2, t)`
// we have inlined that code and forced a join
exists(DataFlow::TypeTracker t2 |
exists(DataFlow::StepSummary summary |
group_attr_first_join(t2, attr_name, result, summary) and
t = t2.append(summary)
)
)
}
pragma[nomagic]
private predicate group_attr_first_join(
DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
DataFlow::StepSummary summary
) {
DataFlow::StepSummary::step(group_attr(t2, attr_name), res, summary)
}
/**
* Gets a reference to the attribute `attr_name` of the `fabric.group` module.
* WARNING: Only holds for a few predefined attributes.
*/
private DataFlow::Node group_attr(string attr_name) {
result = group_attr(DataFlow::TypeTracker::end(), attr_name)
}
/**
* Provides models for the `fabric.group.Group` class and its subclasses.
*
@@ -465,41 +214,20 @@ private module FabricV2 {
*
* Use `Group::subclassInstance()` predicate to get references to an instance of a subclass of `fabric.group.Group`.
*/
abstract class SubclassInstanceSource extends DataFlow::Node { }
/** Gets a reference to an instance of a subclass of `fabric.group.Group`. */
private DataFlow::Node subclassInstance(DataFlow::TypeTracker t) {
t.start() and
result instanceof SubclassInstanceSource
or
exists(DataFlow::TypeTracker t2 | result = subclassInstance(t2).track(t2, t))
abstract class ModeledSubclass extends API::Node {
/** Gets a string representation of this element. */
override string toString() { result = this.(API::Node).toString() }
}
/** Gets a reference to an instance of a subclass of `fabric.group.Group`. */
DataFlow::Node subclassInstance() {
result = subclassInstance(DataFlow::TypeTracker::end())
}
API::Node subclassInstance() { result = any(ModeledSubclass m).getASubclass*().getReturn() }
/**
* Gets a reference to the `run` method on an instance of a subclass of `fabric.group.Group`.
*
* See https://docs.fabfile.org/en/2.5/api/group.html#fabric.group.Group.run
*/
private DataFlow::Node subclassInstanceRunMethod(DataFlow::TypeTracker t) {
t.startInAttr("run") and
result = subclassInstance()
or
exists(DataFlow::TypeTracker t2 | result = subclassInstanceRunMethod(t2).track(t2, t))
}
/**
* Gets a reference to the `run` method on an instance of a subclass of `fabric.group.Group`.
*
* See https://docs.fabfile.org/en/2.5/api/group.html#fabric.group.Group.run
*/
DataFlow::Node subclassInstanceRunMethod() {
result = subclassInstanceRunMethod(DataFlow::TypeTracker::end())
}
API::Node subclassInstanceRunMethod() { result = subclassInstance().getMember("run") }
}
/**
@@ -507,12 +235,8 @@ private module FabricV2 {
*
* See https://docs.fabfile.org/en/2.5/api/group.html#fabric.group.Group.run
*/
private class FabricGroupRunCall extends SystemCommandExecution::Range, DataFlow::CfgNode {
override CallNode node;
FabricGroupRunCall() {
node.getFunction() = fabric::group::Group::subclassInstanceRunMethod().asCfgNode()
}
private class FabricGroupRunCall extends SystemCommandExecution::Range, DataFlow::CallCfgNode {
FabricGroupRunCall() { this = fabric::group::Group::subclassInstanceRunMethod().getACall() }
override DataFlow::Node getCommand() {
result.asCfgNode() = [node.getArg(0), node.getArgByName("command")]
@@ -525,25 +249,12 @@ private module FabricV2 {
* See https://docs.fabfile.org/en/2.5/api/group.html#fabric.group.SerialGroup.
*/
module SerialGroup {
/** Gets a reference to the `fabric.group.SerialGroup` class. */
private DataFlow::Node classRef(DataFlow::TypeTracker t) {
t.start() and
result = group_attr("SerialGroup")
or
// Handle `fabric.SerialGroup` alias
t.start() and
result = fabric_attr("SerialGroup")
or
exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
}
/** Gets a reference to the `fabric.group.SerialGroup` class. */
private DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
private class ClassInstantiation extends Group::SubclassInstanceSource, DataFlow::CfgNode {
override CallNode node;
ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
private class ClassInstantiation extends Group::ModeledSubclass {
ClassInstantiation() {
this = group().getMember("SerialGroup")
or
this = fabric().getMember("SerialGroup")
}
}
}
@@ -553,25 +264,12 @@ private module FabricV2 {
* See https://docs.fabfile.org/en/2.5/api/group.html#fabric.group.ThreadingGroup.
*/
module ThreadingGroup {
/** Gets a reference to the `fabric.group.ThreadingGroup` class. */
private DataFlow::Node classRef(DataFlow::TypeTracker t) {
t.start() and
result = group_attr("ThreadingGroup")
or
// Handle `fabric.ThreadingGroup` alias
t.start() and
result = fabric_attr("ThreadingGroup")
or
exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
}
/** Gets a reference to the `fabric.group.ThreadingGroup` class. */
DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
private class ClassInstantiation extends Group::SubclassInstanceSource, DataFlow::CfgNode {
override CallNode node;
ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
private class ClassInstantiation extends Group::ModeledSubclass {
ClassInstantiation() {
this = group().getMember("ThreadingGroup")
or
this = fabric().getMember("ThreadingGroup")
}
}
}
}

102
python/ql/src/semmle/python/frameworks/Invoke.qll
View File

@@ -6,6 +6,7 @@
private import python
private import semmle.python.dataflow.new.DataFlow
private import semmle.python.Concepts
private import semmle.python.ApiGraphs
/**
* Provides models for the `invoke` PyPI package.
@@ -16,102 +17,44 @@ private module Invoke {
// invoke
// ---------------------------------------------------------------------------
/** Gets a reference to the `invoke` module. */
private DataFlow::Node invoke(DataFlow::TypeTracker t) {
t.start() and
result = DataFlow::importNode("invoke")
or
exists(DataFlow::TypeTracker t2 | result = invoke(t2).track(t2, t))
}
/** Gets a reference to the `invoke` module. */
DataFlow::Node invoke() { result = invoke(DataFlow::TypeTracker::end()) }
/**
* Gets a reference to the attribute `attr_name` of the `invoke` module.
* WARNING: Only holds for a few predefined attributes.
*/
private DataFlow::Node invoke_attr(DataFlow::TypeTracker t, string attr_name) {
attr_name in ["run", "sudo", "context", "Context", "task"] and
(
t.start() and
result = DataFlow::importNode("invoke." + attr_name)
or
t.startInAttr(attr_name) and
result = DataFlow::importNode("invoke")
)
or
// Due to bad performance when using normal setup with `invoke_attr(t2, attr_name).track(t2, t)`
// we have inlined that code and forced a join
exists(DataFlow::TypeTracker t2 |
exists(DataFlow::StepSummary summary |
invoke_attr_first_join(t2, attr_name, result, summary) and
t = t2.append(summary)
)
)
}
pragma[nomagic]
private predicate invoke_attr_first_join(
DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
) {
DataFlow::StepSummary::step(invoke_attr(t2, attr_name), res, summary)
}
/**
* Gets a reference to the attribute `attr_name` of the `invoke` module.
* WARNING: Only holds for a few predefined attributes.
*/
private DataFlow::Node invoke_attr(string attr_name) {
result = invoke_attr(DataFlow::TypeTracker::end(), attr_name)
}
API::Node invoke() { result = API::moduleImport("invoke") }
/** Provides models for the `invoke` module. */
module invoke {
/** Gets a reference to the `invoke.context` module. */
DataFlow::Node context() { result = invoke_attr("context") }
API::Node context() { result = invoke().getMember("context") }
/** Provides models for the `invoke.context` module */
module context {
/** Provides models for the `invoke.context.Context` class */
module Context {
/** Gets a reference to the `invoke.context.Context` class. */
private DataFlow::Node classRef(DataFlow::TypeTracker t) {
t.start() and
result = DataFlow::importNode("invoke.context.Context")
API::Node classRef() {
result = API::moduleImport("invoke").getMember("context").getMember("Context")
or
t.startInAttr("Context") and
result = invoke::context()
or
// handle invoke.Context alias
t.start() and
result = invoke_attr("Context")
or
exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
result = API::moduleImport("invoke").getMember("Context")
}
/** Gets a reference to the `invoke.context.Context` class. */
DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
/** Gets a reference to an instance of `invoke.context.Context`. */
private DataFlow::Node instance(DataFlow::TypeTracker t) {
private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
t.start() and
result.asCfgNode().(CallNode).getFunction() =
invoke::context::Context::classRef().asCfgNode()
or
t.start() and
exists(Function func |
func.getADecorator() = invoke_attr("task").asExpr() and
result.(DataFlow::ParameterNode).getParameter() = func.getArg(0)
(
result = invoke::context::Context::classRef().getACall()
or
exists(Function func |
func.getADecorator() = invoke().getMember("task").getAUse().asExpr() and
result.(DataFlow::ParameterNode).getParameter() = func.getArg(0)
)
)
or
exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))
}
/** Gets a reference to an instance of `invoke.context.Context`. */
DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
/** Gets a reference to the `run` or `sudo` methods on a `invoke.context.Context` instance. */
private DataFlow::Node instanceRunMethods(DataFlow::TypeTracker t) {
private DataFlow::LocalSourceNode instanceRunMethods(DataFlow::TypeTracker t) {
t.startInAttr(["run", "sudo"]) and
result = invoke::context::Context::instance()
or
@@ -120,7 +63,7 @@ private module Invoke {
/** Gets a reference to the `run` or `sudo` methods on a `invoke.context.Context` instance. */
DataFlow::Node instanceRunMethods() {
result = instanceRunMethods(DataFlow::TypeTracker::end())
instanceRunMethods(DataFlow::TypeTracker::end()).flowsTo(result)
}
}
}
@@ -131,15 +74,10 @@ private module Invoke {
* - `invoke.run` or `invoke.sudo` functions (http://docs.pyinvoke.org/en/stable/api/__init__.html)
* - `run` or `sudo` methods on a `invoke.context.Context` instance (http://docs.pyinvoke.org/en/stable/api/context.html#invoke.context.Context.run)
*/
private class InvokeRunCommandCall extends SystemCommandExecution::Range, DataFlow::CfgNode {
override CallNode node;
private class InvokeRunCommandCall extends SystemCommandExecution::Range, DataFlow::CallCfgNode {
InvokeRunCommandCall() {
exists(DataFlow::Node callFunction | node.getFunction() = callFunction.asCfgNode() |
callFunction = invoke_attr(["run", "sudo"])
or
callFunction = invoke::context::Context::instanceRunMethods()
)
this = invoke().getMember(["run", "sudo"]).getACall() or
this.getFunction() = invoke::context::Context::instanceRunMethods()
}
override DataFlow::Node getCommand() {

16
python/ql/src/semmle/python/frameworks/PEP249.qll
View File

@@ -54,7 +54,7 @@ module Connection {
}
/** Gets a reference to an instance of `db.Connection`. */
private DataFlow::Node instance(DataFlow::TypeTracker t) {
private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
t.start() and
result instanceof InstanceSource
or
@@ -62,7 +62,7 @@ module Connection {
}
/** Gets a reference to an instance of `db.Connection`. */
DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
}
/**
@@ -71,7 +71,7 @@ module Connection {
*/
module cursor {
/** Gets a reference to the `cursor` method on a connection. */
private DataFlow::Node methodRef(DataFlow::TypeTracker t) {
private DataFlow::LocalSourceNode methodRef(DataFlow::TypeTracker t) {
t.startInAttr("cursor") and
result = Connection::instance()
or
@@ -79,10 +79,10 @@ module cursor {
}
/** Gets a reference to the `cursor` method on a connection. */
DataFlow::Node methodRef() { result = methodRef(DataFlow::TypeTracker::end()) }
DataFlow::Node methodRef() { methodRef(DataFlow::TypeTracker::end()).flowsTo(result) }
/** Gets a reference to a result of calling the `cursor` method on a connection. */
private DataFlow::Node methodResult(DataFlow::TypeTracker t) {
private DataFlow::LocalSourceNode methodResult(DataFlow::TypeTracker t) {
t.start() and
result.asCfgNode().(CallNode).getFunction() = methodRef().asCfgNode()
or
@@ -90,7 +90,7 @@ module cursor {
}
/** Gets a reference to a result of calling the `cursor` method on a connection. */
DataFlow::Node methodResult() { result = methodResult(DataFlow::TypeTracker::end()) }
DataFlow::Node methodResult() { methodResult(DataFlow::TypeTracker::end()).flowsTo(result) }
}
/**
@@ -101,7 +101,7 @@ module cursor {
*
* See https://www.python.org/dev/peps/pep-0249/#id15.
*/
private DataFlow::Node execute(DataFlow::TypeTracker t) {
private DataFlow::LocalSourceNode execute(DataFlow::TypeTracker t) {
t.startInAttr("execute") and
result in [cursor::methodResult(), Connection::instance()]
or
@@ -116,7 +116,7 @@ private DataFlow::Node execute(DataFlow::TypeTracker t) {
*
* See https://www.python.org/dev/peps/pep-0249/#id15.
*/
DataFlow::Node execute() { result = execute(DataFlow::TypeTracker::end()) }
DataFlow::Node execute() { execute(DataFlow::TypeTracker::end()).flowsTo(result) }
/** A call to the `execute` method on a cursor (or on a connection). */
private class ExecuteCall extends SqlExecution::Range, DataFlow::CallCfgNode {

14
python/ql/src/semmle/python/pointsto/PointsTo.qll
View File

@@ -1853,8 +1853,10 @@ module Expressions {
private boolean isinstanceEvaluatesTo(
CallNode call, PointsToContext context, ControlFlowNode use, ObjectInternal val
) {
exists(ObjectInternal cls | isinstance_call(call, use, context, val, cls) |
result = Types::improperSubclass(val.getClass(), cls)
exists(ObjectInternal cls, ObjectInternal val_cls |
isinstance_call(call, use, context, val, val_cls, cls)
|
result = Types::improperSubclass(val_cls, cls)
or
val = ObjectInternal::unknown() and result = maybe()
or
@@ -1866,12 +1868,13 @@ module Expressions {
private predicate isinstance_call(
CallNode call, ControlFlowNode use, PointsToContext context, ObjectInternal val,
ObjectInternal cls
ObjectInternal val_cls, ObjectInternal cls
) {
exists(ControlFlowNode func, ControlFlowNode arg1 |
call2(call, func, use, arg1) and
points_to_isinstance(func, context) and
PointsToInternal::pointsTo(use, context, val, _) and
val_cls = val.getClass() and
PointsToInternal::pointsTo(arg1, context, cls, _)
)
}
@@ -1993,10 +1996,7 @@ module Expressions {
exists(ObjectInternal sup_or_tuple |
issubclass_call(_, _, _, sub, sup_or_tuple) and sub.isClass() = true
or
exists(ObjectInternal val |
isinstance_call(_, _, _, val, sup_or_tuple) and
sub = val.getClass()
)
exists(ObjectInternal val | isinstance_call(_, _, _, val, sub, sup_or_tuple))
|
sup = sup_or_tuple
or

8
python/ql/src/semmle/python/pointsto/PointsToContext.qll
View File

@@ -100,10 +100,14 @@ private int total_call_cost(CallNode call) {
if call_to_init_or_del(call) then result = 1 else result = call_cost(call) + splay_cost(call)
}
pragma[nomagic]
private int relevant_call_cost(PointsToContext ctx, CallNode call) {
ctx.appliesTo(call) and result = total_call_cost(call)
}
pragma[noinline]
private int total_cost(CallNode call, PointsToContext ctx) {
ctx.appliesTo(call) and
result = total_call_cost(call) + context_cost(ctx)
result = relevant_call_cost(ctx, call) + context_cost(ctx)
}
cached

16
python/ql/src/semmle/python/regex.qll
View File

@@ -82,21 +82,7 @@ private DataFlow::LocalSourceNode re_flag_tracker(string flag_name, DataFlow::Ty
result.asCfgNode() = binop
)
or
// Due to bad performance when using normal setup with `re_flag_tracker(t2, attr_name).track(t2, t)`
// we have inlined that code and forced a join
exists(DataFlow::TypeTracker t2 |
exists(DataFlow::StepSummary summary |
re_flag_tracker_first_join(t2, flag_name, result, summary) and
t = t2.append(summary)
)
)
}
pragma[nomagic]
private predicate re_flag_tracker_first_join(
DataFlow::TypeTracker t2, string flag_name, DataFlow::Node res, DataFlow::StepSummary summary
) {
DataFlow::StepSummary::step(re_flag_tracker(flag_name, t2), res, summary)
exists(DataFlow::TypeTracker t2 | result = re_flag_tracker(flag_name, t2).track(t2, t))
}
/**