Python: Move experimental ZipSlip to new dataflow API

Rasmus Wriedt Larsen
2023-08-25 17:23:50 +02:00
parent 67cc3a3935
commit 5d8329d9c8
2 changed files with 9 additions and 8 deletions


@@ -15,10 +15,10 @@
import python
import experimental.semmle.python.security.ZipSlip
import DataFlow::PathGraph
import ZipSlipFlow::PathGraph
from ZipSlipConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
from ZipSlipFlow::PathNode source, ZipSlipFlow::PathNode sink
where ZipSlipFlow::flowPath(source, sink)
select source.getNode(), source, sink,
"This unsanitized archive entry, which may contain '..', is used in a $@.", sink.getNode(),
"file system operation"


@@ -4,10 +4,8 @@ import semmle.python.dataflow.new.DataFlow
import semmle.python.ApiGraphs
import semmle.python.dataflow.new.TaintTracking
class ZipSlipConfig extends TaintTracking::Configuration {
ZipSlipConfig() { this = "ZipSlipConfig" }
override predicate isSource(DataFlow::Node source) {
private module ZipSlipConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
(
source =
API::moduleImport("zipfile").getMember("ZipFile").getReturn().getMember("open").getACall() or
@@ -29,7 +27,7 @@ class ZipSlipConfig extends TaintTracking::Configuration {
not source.getScope().getLocation().getFile().inStdlib()
}
override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
(
sink = any(CopyFile copyfile).getAPathArgument() or
sink = any(CopyFile copyfile).getfsrcArgument()
@@ -37,3 +35,6 @@ class ZipSlipConfig extends TaintTracking::Configuration {
not sink.getScope().getLocation().getFile().inStdlib()
}
}
/** Global taint-tracking for detecting "zip slip" vulnerabilities. */
module ZipSlipFlow = TaintTracking::Global<ZipSlipConfig>;
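Review bot: The new `ZipSlipConfig` module declares only `isSource` and `isSink` in the lines shown, with no `isBarrier`, so the query's "unsanitized archive entry" wording is not backed by any sanitizer modelling. Code that normalises the entry path and checks that it stays under the extraction directory before the copy would presumably still be reported, assuming the part of `isSource` that falls between the hunks adds no barrier either. Consider adding an `isBarrier` predicate for such containment guards, or at least stating the gap on the module, e.g. `/** Taint-tracking configuration for zip slip; path-containment checks are not yet modelled as barriers. */`. The body of `isSource` continues outside the hunks, so the full source list is not visible here.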