hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-05 05:35:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Python: Model pickle.Unpickler

Browse Source
This commit is contained in:
Rasmus Wriedt Larsen
2021-10-08 11:51:43 +02:00
parent 75b06d8a25
commit 5e6f042f6e
2 changed files with 24 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
python/ql/test/library-tests/frameworks/stdlib/Decoding.py
View File

@@ -9,6 +9,14 @@ pickle.loads(payload) # $ decodeInput=payload decodeOutput=pickle.loads(..) dec
# using this keyword argument is disallowed from Python 3.9
pickle.loads(data=payload) # $ decodeInput=payload decodeOutput=pickle.loads(..) decodeFormat=pickle decodeMayExecuteInput
# We don't really have a good way to model a decode happening over multiple statements
# like this. Since the important bit for `py/unsafe-deserialization` is the input, that
# is the main focus. We do a best effort to model the output though (but that will only
# work in local scope).
unpickler = pickle.Unpickler(file_) # $ decodeInput=file_ decodeFormat=pickle decodeMayExecuteInput
unpickler.load() # $ decodeOutput=unpickler.load()
unpickler = pickle.Unpickler(file=file_) # $ decodeInput=file_ decodeFormat=pickle decodeMayExecuteInput
marshal.load(file_) # $ decodeInput=file_ decodeOutput=marshal.load(..) decodeFormat=marshal decodeMayExecuteInput
marshal.loads(payload) # $ decodeInput=payload decodeOutput=marshal.loads(..) decodeFormat=marshal decodeMayExecuteInput