Python: Improve API and representation of taint tracking nodes. Update queries and tests accordingly.
@@ -26,8 +26,6 @@ import semmle.python.web.HttpRequest
|
|||||||
import semmle.python.security.injection.Path
|
import semmle.python.security.injection.Path
|
||||||
|
|
||||||
|
|
||||||
|
from TaintedPathSource src, TaintedPathSink sink
|
||||||
from TaintedNode srcnode, TaintedNode sinknode, TaintSource src, TaintSink sink
|
where src.flowsTo(sink)
|
||||||
where src.flowsToSink(sink) and srcnode.getNode() = src and sinknode.getNode() = sink
|
select sink.getSink(), src, sink, "This path depends on $@.", src.getSource(), "a user-provided value"
|
||||||
|
|
||||||
select sink, srcnode, sinknode, "This path depends on $@.", src, "a user-provided value"
|
|
||||||
@@ -23,7 +23,6 @@ import semmle.python.web.HttpRequest
|
|||||||
/* Sinks */
|
/* Sinks */
|
||||||
import semmle.python.security.injection.Command
|
import semmle.python.security.injection.Command
|
||||||
|
|
||||||
from TaintedNode srcnode, TaintedNode sinknode, TaintSource src, TaintSink sink
|
from TaintedPathSource src, TaintedPathSink sink
|
||||||
where src.flowsToSink(sink) and srcnode.getNode() = src and sinknode.getNode() = sink
|
where src.flowsTo(sink)
|
||||||
|
select sink.getSink(), src, sink, "This command depends on $@.", src.getSource(), "a user-provided value"
|
||||||
select sink, srcnode, sinknode, "This command depends on $@.", src, "a user-provided value"
|
|
||||||
|
|||||||
@@ -25,9 +25,6 @@ import semmle.python.web.HttpResponse
|
|||||||
/* Flow */
|
/* Flow */
|
||||||
import semmle.python.security.strings.Untrusted
|
import semmle.python.security.strings.Untrusted
|
||||||
|
|
||||||
from TaintedNode srcnode, TaintedNode sinknode, TaintSource src, TaintSink sink
|
from TaintedPathSource src, TaintedPathSink sink
|
||||||
where src.flowsToSink(sink) and srcnode.getNode() = src and sinknode.getNode() = sink
|
where src.flowsTo(sink)
|
||||||
|
select sink.getSink(), src, sink, "Cross-site scripting vulnerability due to $@.", src.getSource(), "user-provided value"
|
||||||
select sink, srcnode, sinknode, "Cross-site scripting vulnerability due to $@.",
|
|
||||||
src, "user-provided value"
|
|
||||||
|
|
||||||
|
|||||||
@@ -23,7 +23,6 @@ import semmle.python.web.django.Db
|
|||||||
import semmle.python.web.django.Model
|
import semmle.python.web.django.Model
|
||||||
|
|
||||||
|
|
||||||
from TaintedNode srcnode, TaintedNode sinknode, TaintSource src, TaintSink sink
|
from TaintedPathSource src, TaintedPathSink sink
|
||||||
where src.flowsToSink(sink) and srcnode.getNode() = src and sinknode.getNode() = sink
|
where src.flowsTo(sink)
|
||||||
|
select sink.getSink(), src, sink, "This SQL query depends on $@.", src.getSource(), "a user-provided value"
|
||||||
select sink, srcnode, sinknode, "This SQL query depends on $@.", src, "a user-provided value"
|
|
||||||
|
|||||||
@@ -24,7 +24,6 @@ import semmle.python.web.HttpRequest
|
|||||||
import semmle.python.security.injection.Exec
|
import semmle.python.security.injection.Exec
|
||||||
|
|
||||||
|
|
||||||
from TaintedNode srcnode, TaintedNode sinknode, TaintSource src, TaintSink sink
|
from TaintedPathSource src, TaintedPathSink sink
|
||||||
where src.flowsToSink(sink) and srcnode.getNode() = src and sinknode.getNode() = sink
|
where src.flowsTo(sink)
|
||||||
|
select sink.getSink(), src, sink, "$@ flows to here and is interpreted as code.", src.getSource(), "User-provided value"
|
||||||
select sink, srcnode, sinknode, "$@ flows to here and is interpreted as code.", src, "User-provided value"
|
|
||||||
|
|||||||
@@ -18,6 +18,6 @@ import semmle.python.security.Paths
|
|||||||
import semmle.python.security.Exceptions
|
import semmle.python.security.Exceptions
|
||||||
import semmle.python.web.HttpResponse
|
import semmle.python.web.HttpResponse
|
||||||
|
|
||||||
from TaintedNode srcnode, TaintedNode sinknode, TaintSource src, TaintSink sink
|
from TaintedPathSource src, TaintedPathSink sink
|
||||||
where src.flowsToSink(sink) and srcnode.getNode() = src and sinknode.getNode() = sink
|
where src.flowsTo(sink)
|
||||||
select sink, srcnode, sinknode, "$@ may be exposed to an external user", src, "Error information"
|
select sink.getSink(), src, sink, "$@ may be exposed to an external user", src.getSource(), "Error information"
|
||||||
|
|||||||
@@ -25,7 +25,6 @@ import semmle.python.security.injection.Marshal
|
|||||||
import semmle.python.security.injection.Yaml
|
import semmle.python.security.injection.Yaml
|
||||||
|
|
||||||
|
|
||||||
from TaintedNode srcnode, TaintedNode sinknode, TaintSource src, TaintSink sink
|
from TaintedPathSource src, TaintedPathSink sink
|
||||||
where src.flowsToSink(sink) and srcnode.getNode() = src and sinknode.getNode() = sink
|
where src.flowsTo(sink)
|
||||||
|
select sink.getSink(), src, sink, "Deserializing of $@.", src.getSource(), "untrusted input"
|
||||||
select sink, srcnode, sinknode, "Deserializing of $@.", src, "untrusted input"
|
|
||||||
|
|||||||
@@ -28,8 +28,7 @@ class UntrustedPrefixStringKind extends UntrustedStringKind {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
from TaintedNode srcnode, TaintedNode sinknode, TaintSource src, TaintSink sink
|
from TaintedPathSource src, TaintedPathSink sink
|
||||||
where src.flowsToSink(sink) and srcnode.getNode() = src and sinknode.getNode() = sink
|
where src.flowsTo(sink)
|
||||||
|
select sink.getSink(), src, sink, "Untrusted URL redirection due to $@.", src.getSource(), "a user-provided value"
|
||||||
select sink, srcnode, sinknode, "Untrusted URL redirection due to $@.", src, "a user-provided value"
|
|
||||||
|
|
||||||
|
|||||||
@@ -24,6 +24,11 @@ class ExceptionInfo extends StringKind {
|
|||||||
ExceptionInfo() {
|
ExceptionInfo() {
|
||||||
this = "exception.info"
|
this = "exception.info"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
override string repr() {
|
||||||
|
result = "exception info"
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@@ -36,6 +41,10 @@ class ExceptionKind extends TaintKind {
|
|||||||
this = "exception.kind"
|
this = "exception.kind"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
override string repr() {
|
||||||
|
result = "exception"
|
||||||
|
}
|
||||||
|
|
||||||
override TaintKind getTaintOfAttribute(string name) {
|
override TaintKind getTaintOfAttribute(string name) {
|
||||||
name = "args" and result instanceof ExceptionInfoSequence
|
name = "args" and result instanceof ExceptionInfoSequence
|
||||||
or
|
or
|
||||||
|
|||||||
@@ -148,6 +148,8 @@ abstract class TaintKind extends string {
|
|||||||
none()
|
none()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
string repr() { result = this }
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Taint kinds representing collections of other taint kind.
|
/** Taint kinds representing collections of other taint kind.
|
||||||
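Review bot: `string repr() { result = this }` is added to `TaintKind` without QLDoc, even though it now appears to decide what text a path-explanation node shows (the page's `TaintedNode.toString()` and `TrackedTaint.repr()` both delegate to it), so subclass authors are not told when to override it. Suggest `/** Gets a human-readable name for this taint kind, shown in path-problem node labels. Defaults to the raw kind string; override to give a friendlier description. */` above the predicate. The `TaintKind` class starts before this hunk.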
@@ -208,6 +210,10 @@ class SequenceKind extends CollectionKind {
|
|||||||
name = "pop" and result = this.getItem()
|
name = "pop" and result = this.getItem()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
override string repr() {
|
||||||
|
result = "sequence of " + itemKind
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Helper for getTaintForStep() */
|
/* Helper for getTaintForStep() */
|
||||||
@@ -281,6 +287,10 @@ class DictKind extends CollectionKind {
|
|||||||
name = "itervalues" and result.(SequenceKind).getItem() = valueKind
|
name = "itervalues" and result.(SequenceKind).getItem() = valueKind
|
||||||
}
|
}
|
||||||
|
|
||||||
|
override string repr() {
|
||||||
|
result = "dict of " + valueKind
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@@ -603,7 +613,9 @@ private predicate user_tainted_def(TaintedDefinition def, TaintFlowImplementatio
|
|||||||
*/
|
*/
|
||||||
class TaintedNode extends TTaintedNode {
|
class TaintedNode extends TTaintedNode {
|
||||||
|
|
||||||
string toString() { result = this.getTrackedValue().toString() + " at " + this.getLocation() }
|
string toString() { result = this.getTrackedValue().repr() }
|
||||||
|
|
||||||
|
string debug() { result = this.getTrackedValue().toString() + " at " + this.getNode().getLocation() }
|
||||||
|
|
||||||
TaintedNode getASuccessor() {
|
TaintedNode getASuccessor() {
|
||||||
exists(TaintFlowImplementation::TrackedValue tokind, CallContext tocontext, ControlFlowNode tonode |
|
exists(TaintFlowImplementation::TrackedValue tokind, CallContext tocontext, ControlFlowNode tonode |
|
||||||
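Review bot: `toString()` now omits the location, so two nodes carrying the same kind at different program points print identically; that is acceptable for path-problem output, where the location is a separate column, but the new `debug()` predicate that keeps the location is undocumented and its purpose is only guessable from its name. Suggest `/** Gets the user-facing label for this node: the tracked value's representation only. */` on `toString()` and `/** Gets a verbose label including the node's location; intended for debugging, not for query output. */` on `debug()`. Note also that `debug()` uses `this.getNode().getLocation()` while the old `toString()` used `this.getLocation()`; if the two can differ, the doc should say which one is meant. `TaintedNode` starts before this hunk and continues after it.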
@@ -675,25 +687,33 @@ class TaintedNode extends TTaintedNode {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
class TaintedNodeSource extends TaintedNode {
|
class TaintedPathSource extends TaintedNode {
|
||||||
|
|
||||||
TaintedNodeSource() {
|
TaintedPathSource() {
|
||||||
this.getNode().(TaintSource).isSourceOf(this.getTaintKind(), this.getContext())
|
this.getNode().(TaintSource).isSourceOf(this.getTaintKind(), this.getContext())
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Holds if taint can flow from this source to sink `sink` */
|
/** Holds if taint can flow from this source to sink `sink` */
|
||||||
final predicate flowsTo(TaintedNodeSink sink) {
|
final predicate flowsTo(TaintedPathSink sink) {
|
||||||
this.getASuccessor*() = sink
|
this.getASuccessor*() = sink
|
||||||
}
|
}
|
||||||
|
|
||||||
|
TaintSource getSource() {
|
||||||
|
result = this.getNode()
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
class TaintedNodeSink extends TaintedNode {
|
class TaintedPathSink extends TaintedNode {
|
||||||
|
|
||||||
TaintedNodeSink() {
|
TaintedPathSink() {
|
||||||
this.getNode().(TaintSink).sinks(this.getTaintKind())
|
this.getNode().(TaintSink).sinks(this.getTaintKind())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
TaintSink getSink() {
|
||||||
|
result = this.getNode()
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/** This module contains the implementation of taint-flow.
|
/** This module contains the implementation of taint-flow.
|
||||||
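Review bot: Renaming `TaintedNodeSource`/`TaintedNodeSink` to `TaintedPathSource`/`TaintedPathSink` removes the old names outright, so any custom query written against the previous API stops compiling with no migration hint. Unless those names were never public, consider keeping deprecated aliases for one release, `deprecated class TaintedNodeSource = TaintedPathSource;` and `deprecated class TaintedNodeSink = TaintedPathSink;`. The new `getSource()` and `getSink()` predicates also lack QLDoc; `/** Gets the `TaintSource` underlying this node. */` and `/** Gets the `TaintSink` underlying this node. */` would match the existing comment on `flowsTo`.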
@@ -739,12 +759,18 @@ library module TaintFlowImplementation {
|
|||||||
|
|
||||||
abstract string toString();
|
abstract string toString();
|
||||||
|
|
||||||
|
abstract string repr();
|
||||||
|
|
||||||
abstract TrackedValue toKind(TaintKind kind);
|
abstract TrackedValue toKind(TaintKind kind);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
class TrackedTaint extends TrackedValue, TTrackedTaint {
|
class TrackedTaint extends TrackedValue, TTrackedTaint {
|
||||||
|
|
||||||
|
override string repr() {
|
||||||
|
result = this.getKind().repr()
|
||||||
|
}
|
||||||
|
|
||||||
override string toString() {
|
override string toString() {
|
||||||
result = "Taint " + this.getKind()
|
result = "Taint " + this.getKind()
|
||||||
}
|
}
|
||||||
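Review bot: `abstract string repr();` is added to `TrackedValue` without QLDoc, and because it is abstract every subclass author must implement it without being told how it differs from the neighbouring `abstract string toString();`. A comment such as `/** Gets a concise, user-facing representation of this value, used in path-problem node labels; `toString()` remains the verbose form. */` would settle that. The `TrackedValue` class starts before this hunk.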
@@ -761,6 +787,13 @@ library module TaintFlowImplementation {
|
|||||||
|
|
||||||
class TrackedAttribute extends TrackedValue, TTrackedAttribute {
|
class TrackedAttribute extends TrackedValue, TTrackedAttribute {
|
||||||
|
|
||||||
|
override string repr() {
|
||||||
|
exists(string name, TaintKind kind |
|
||||||
|
this = TTrackedAttribute(name, kind) and
|
||||||
|
result = "." + name + "=" + kind.repr()
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
override string toString() {
|
override string toString() {
|
||||||
exists(string name, TaintKind kind |
|
exists(string name, TaintKind kind |
|
||||||
this = TTrackedAttribute(name, kind) and
|
this = TTrackedAttribute(name, kind) and
|
||||||
|
|||||||
@@ -36,6 +36,9 @@ class FirstElementKind extends TaintKind {
|
|||||||
this = "sequence[" + any(ExternalStringKind key) + "][0]"
|
this = "sequence[" + any(ExternalStringKind key) + "][0]"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
override string repr() {
|
||||||
|
result = "first item in sequence of " + this.getItem().repr()
|
||||||
|
}
|
||||||
|
|
||||||
/** Gets the taint kind for item in this sequence. */
|
/** Gets the taint kind for item in this sequence. */
|
||||||
ExternalStringKind getItem() {
|
ExternalStringKind getItem() {
|
||||||
|
|||||||
@@ -36,6 +36,10 @@ class NormalizedPath extends TaintKind {
|
|||||||
this = "normalized.path.injection"
|
this = "normalized.path.injection"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
override string repr() {
|
||||||
|
result = "normalized path"
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private predicate abspath_call(CallNode call, ControlFlowNode arg) {
|
private predicate abspath_call(CallNode call, ControlFlowNode arg) {
|
||||||
|
|||||||
@@ -1,34 +1,34 @@
|
|||||||
edges
|
edges
|
||||||
| ../lib/os/path.py:4:14:4:14 | Taint externally controlled string at ../lib/os/path.py:4 | ../lib/os/path.py:5:12:5:12 | Taint externally controlled string at ../lib/os/path.py:5 |
|
| ../lib/os/path.py:4:14:4:14 | externally controlled string | ../lib/os/path.py:5:12:5:12 | externally controlled string |
|
||||||
| ../lib/os/path.py:4:14:4:14 | Taint externally controlled string at ../lib/os/path.py:4 | ../lib/os/path.py:5:12:5:12 | Taint externally controlled string at ../lib/os/path.py:5 |
|
| ../lib/os/path.py:4:14:4:14 | externally controlled string | ../lib/os/path.py:5:12:5:12 | externally controlled string |
|
||||||
| ../lib/os/path.py:4:14:4:14 | Taint externally controlled string at ../lib/os/path.py:4 | ../lib/os/path.py:5:12:5:12 | Taint externally controlled string at ../lib/os/path.py:5 |
|
| ../lib/os/path.py:4:14:4:14 | externally controlled string | ../lib/os/path.py:5:12:5:12 | externally controlled string |
|
||||||
| path_injection.py:9:12:9:23 | Taint {externally controlled string} at path_injection.py:9 | path_injection.py:9:12:9:39 | Taint externally controlled string at path_injection.py:9 |
|
| path_injection.py:9:12:9:23 | dict of externally controlled string | path_injection.py:9:12:9:39 | externally controlled string |
|
||||||
| path_injection.py:9:12:9:39 | Taint externally controlled string at path_injection.py:9 | path_injection.py:10:40:10:43 | Taint externally controlled string at path_injection.py:10 |
|
| path_injection.py:9:12:9:39 | externally controlled string | path_injection.py:10:40:10:43 | externally controlled string |
|
||||||
| path_injection.py:10:40:10:43 | Taint externally controlled string at path_injection.py:10 | path_injection.py:10:14:10:44 | Taint externally controlled string at path_injection.py:10 |
|
| path_injection.py:10:40:10:43 | externally controlled string | path_injection.py:10:14:10:44 | externally controlled string |
|
||||||
| path_injection.py:15:12:15:23 | Taint {externally controlled string} at path_injection.py:15 | path_injection.py:15:12:15:39 | Taint externally controlled string at path_injection.py:15 |
|
| path_injection.py:15:12:15:23 | dict of externally controlled string | path_injection.py:15:12:15:39 | externally controlled string |
|
||||||
| path_injection.py:15:12:15:39 | Taint externally controlled string at path_injection.py:15 | path_injection.py:16:56:16:59 | Taint externally controlled string at path_injection.py:16 |
|
| path_injection.py:15:12:15:39 | externally controlled string | path_injection.py:16:56:16:59 | externally controlled string |
|
||||||
| path_injection.py:16:13:16:61 | Taint normalized.path.injection at path_injection.py:16 | path_injection.py:17:14:17:18 | Taint normalized.path.injection at path_injection.py:17 |
|
| path_injection.py:16:13:16:61 | normalized path | path_injection.py:17:14:17:18 | normalized path |
|
||||||
| path_injection.py:16:30:16:60 | Taint externally controlled string at path_injection.py:16 | ../lib/os/path.py:4:14:4:14 | Taint externally controlled string at ../lib/os/path.py:4 |
|
| path_injection.py:16:30:16:60 | externally controlled string | ../lib/os/path.py:4:14:4:14 | externally controlled string |
|
||||||
| path_injection.py:16:30:16:60 | Taint externally controlled string at path_injection.py:16 | path_injection.py:16:13:16:61 | Taint normalized.path.injection at path_injection.py:16 |
|
| path_injection.py:16:30:16:60 | externally controlled string | path_injection.py:16:13:16:61 | normalized path |
|
||||||
| path_injection.py:16:56:16:59 | Taint externally controlled string at path_injection.py:16 | path_injection.py:16:30:16:60 | Taint externally controlled string at path_injection.py:16 |
|
| path_injection.py:16:56:16:59 | externally controlled string | path_injection.py:16:30:16:60 | externally controlled string |
|
||||||
| path_injection.py:24:12:24:23 | Taint {externally controlled string} at path_injection.py:24 | path_injection.py:24:12:24:39 | Taint externally controlled string at path_injection.py:24 |
|
| path_injection.py:24:12:24:23 | dict of externally controlled string | path_injection.py:24:12:24:39 | externally controlled string |
|
||||||
| path_injection.py:24:12:24:39 | Taint externally controlled string at path_injection.py:24 | path_injection.py:25:56:25:59 | Taint externally controlled string at path_injection.py:25 |
|
| path_injection.py:24:12:24:39 | externally controlled string | path_injection.py:25:56:25:59 | externally controlled string |
|
||||||
| path_injection.py:25:13:25:61 | Taint normalized.path.injection at path_injection.py:25 | path_injection.py:26:8:26:12 | Taint normalized.path.injection at path_injection.py:26 |
|
| path_injection.py:25:13:25:61 | normalized path | path_injection.py:26:8:26:12 | normalized path |
|
||||||
| path_injection.py:25:13:25:61 | Taint normalized.path.injection at path_injection.py:25 | path_injection.py:28:14:28:18 | Taint normalized.path.injection at path_injection.py:28 |
|
| path_injection.py:25:13:25:61 | normalized path | path_injection.py:28:14:28:18 | normalized path |
|
||||||
| path_injection.py:25:30:25:60 | Taint externally controlled string at path_injection.py:25 | ../lib/os/path.py:4:14:4:14 | Taint externally controlled string at ../lib/os/path.py:4 |
|
| path_injection.py:25:30:25:60 | externally controlled string | ../lib/os/path.py:4:14:4:14 | externally controlled string |
|
||||||
| path_injection.py:25:30:25:60 | Taint externally controlled string at path_injection.py:25 | path_injection.py:25:13:25:61 | Taint normalized.path.injection at path_injection.py:25 |
|
| path_injection.py:25:30:25:60 | externally controlled string | path_injection.py:25:13:25:61 | normalized path |
|
||||||
| path_injection.py:25:56:25:59 | Taint externally controlled string at path_injection.py:25 | path_injection.py:25:30:25:60 | Taint externally controlled string at path_injection.py:25 |
|
| path_injection.py:25:56:25:59 | externally controlled string | path_injection.py:25:30:25:60 | externally controlled string |
|
||||||
| path_injection.py:33:12:33:23 | Taint {externally controlled string} at path_injection.py:33 | path_injection.py:33:12:33:39 | Taint externally controlled string at path_injection.py:33 |
|
| path_injection.py:33:12:33:23 | dict of externally controlled string | path_injection.py:33:12:33:39 | externally controlled string |
|
||||||
| path_injection.py:33:12:33:39 | Taint externally controlled string at path_injection.py:33 | path_injection.py:34:56:34:59 | Taint externally controlled string at path_injection.py:34 |
|
| path_injection.py:33:12:33:39 | externally controlled string | path_injection.py:34:56:34:59 | externally controlled string |
|
||||||
| path_injection.py:34:13:34:61 | Taint normalized.path.injection at path_injection.py:34 | path_injection.py:35:8:35:12 | Taint normalized.path.injection at path_injection.py:35 |
|
| path_injection.py:34:13:34:61 | normalized path | path_injection.py:35:8:35:12 | normalized path |
|
||||||
| path_injection.py:34:30:34:60 | Taint externally controlled string at path_injection.py:34 | ../lib/os/path.py:4:14:4:14 | Taint externally controlled string at ../lib/os/path.py:4 |
|
| path_injection.py:34:30:34:60 | externally controlled string | ../lib/os/path.py:4:14:4:14 | externally controlled string |
|
||||||
| path_injection.py:34:30:34:60 | Taint externally controlled string at path_injection.py:34 | path_injection.py:34:13:34:61 | Taint normalized.path.injection at path_injection.py:34 |
|
| path_injection.py:34:30:34:60 | externally controlled string | path_injection.py:34:13:34:61 | normalized path |
|
||||||
| path_injection.py:34:56:34:59 | Taint externally controlled string at path_injection.py:34 | path_injection.py:34:30:34:60 | Taint externally controlled string at path_injection.py:34 |
|
| path_injection.py:34:56:34:59 | externally controlled string | path_injection.py:34:30:34:60 | externally controlled string |
|
||||||
parents
|
parents
|
||||||
| ../lib/os/path.py:4:14:4:14 | Taint externally controlled string at ../lib/os/path.py:4 | path_injection.py:16:30:16:60 | Taint externally controlled string at path_injection.py:16 |
|
| ../lib/os/path.py:4:14:4:14 | externally controlled string | path_injection.py:16:30:16:60 | externally controlled string |
|
||||||
| ../lib/os/path.py:4:14:4:14 | Taint externally controlled string at ../lib/os/path.py:4 | path_injection.py:25:30:25:60 | Taint externally controlled string at path_injection.py:25 |
|
| ../lib/os/path.py:4:14:4:14 | externally controlled string | path_injection.py:25:30:25:60 | externally controlled string |
|
||||||
| ../lib/os/path.py:4:14:4:14 | Taint externally controlled string at ../lib/os/path.py:4 | path_injection.py:34:30:34:60 | Taint externally controlled string at path_injection.py:34 |
|
| ../lib/os/path.py:4:14:4:14 | externally controlled string | path_injection.py:34:30:34:60 | externally controlled string |
|
||||||
#select
|
#select
|
||||||
| path_injection.py:10:14:10:44 | argument to open() | path_injection.py:9:12:9:23 | Taint {externally controlled string} at path_injection.py:9 | path_injection.py:10:14:10:44 | Taint externally controlled string at path_injection.py:10 | This path depends on $@. | path_injection.py:9:12:9:23 | flask.request.args | a user-provided value |
|
| path_injection.py:10:14:10:44 | argument to open() | path_injection.py:9:12:9:23 | dict of externally controlled string | path_injection.py:10:14:10:44 | externally controlled string | This path depends on $@. | path_injection.py:9:12:9:23 | flask.request.args | a user-provided value |
|
||||||
| path_injection.py:17:14:17:18 | argument to open() | path_injection.py:15:12:15:23 | Taint {externally controlled string} at path_injection.py:15 | path_injection.py:17:14:17:18 | Taint normalized.path.injection at path_injection.py:17 | This path depends on $@. | path_injection.py:15:12:15:23 | flask.request.args | a user-provided value |
|
| path_injection.py:17:14:17:18 | argument to open() | path_injection.py:15:12:15:23 | dict of externally controlled string | path_injection.py:17:14:17:18 | normalized path | This path depends on $@. | path_injection.py:15:12:15:23 | flask.request.args | a user-provided value |
|
||||||
| path_injection.py:28:14:28:18 | argument to open() | path_injection.py:24:12:24:23 | Taint {externally controlled string} at path_injection.py:24 | path_injection.py:28:14:28:18 | Taint normalized.path.injection at path_injection.py:28 | This path depends on $@. | path_injection.py:24:12:24:23 | flask.request.args | a user-provided value |
|
| path_injection.py:28:14:28:18 | argument to open() | path_injection.py:24:12:24:23 | dict of externally controlled string | path_injection.py:28:14:28:18 | normalized path | This path depends on $@. | path_injection.py:24:12:24:23 | flask.request.args | a user-provided value |
|
||||||
|
|||||||
@@ -1,19 +1,18 @@
|
|||||||
edges
|
edges
|
||||||
| command_injection.py:10:13:10:24 | Taint {externally controlled string} at command_injection.py:10 | command_injection.py:10:13:10:41 | Taint externally controlled string at command_injection.py:10 |
|
| command_injection.py:10:13:10:24 | dict of externally controlled string | command_injection.py:10:13:10:41 | externally controlled string |
|
||||||
| command_injection.py:10:13:10:41 | Taint externally controlled string at command_injection.py:10 | command_injection.py:12:23:12:27 | Taint externally controlled string at command_injection.py:12 |
|
| command_injection.py:10:13:10:41 | externally controlled string | command_injection.py:12:23:12:27 | externally controlled string |
|
||||||
| command_injection.py:12:15:12:27 | Taint externally controlled string at command_injection.py:12 | ../lib/os/__init__.py:1:12:1:14 | Taint externally controlled string at ../lib/os/__init__.py:1 |
|
| command_injection.py:12:15:12:27 | externally controlled string | ../lib/os/__init__.py:1:12:1:14 | externally controlled string |
|
||||||
| command_injection.py:12:23:12:27 | Taint externally controlled string at command_injection.py:12 | command_injection.py:12:15:12:27 | Taint externally controlled string at command_injection.py:12 |
|
| command_injection.py:12:23:12:27 | externally controlled string | command_injection.py:12:15:12:27 | externally controlled string |
|
||||||
| command_injection.py:17:13:17:24 | Taint {externally controlled string} at command_injection.py:17 | command_injection.py:17:13:17:41 | Taint externally controlled string at command_injection.py:17 |
|
| command_injection.py:17:13:17:24 | dict of externally controlled string | command_injection.py:17:13:17:41 | externally controlled string |
|
||||||
| command_injection.py:17:13:17:41 | Taint externally controlled string at command_injection.py:17 | command_injection.py:19:29:19:33 | Taint externally controlled string at command_injection.py:19 |
|
| command_injection.py:17:13:17:41 | externally controlled string | command_injection.py:19:29:19:33 | externally controlled string |
|
||||||
| command_injection.py:19:29:19:33 | Taint externally controlled string at command_injection.py:19 | command_injection.py:19:22:19:34 | Taint [externally controlled string] at command_injection.py:19 |
|
| command_injection.py:19:29:19:33 | externally controlled string | command_injection.py:19:22:19:34 | sequence of externally controlled string |
|
||||||
| command_injection.py:24:11:24:22 | Taint {externally controlled string} at command_injection.py:24 | command_injection.py:24:11:24:37 | Taint externally controlled string at command_injection.py:24 |
|
| command_injection.py:24:11:24:22 | dict of externally controlled string | command_injection.py:24:11:24:37 | externally controlled string |
|
||||||
| command_injection.py:24:11:24:37 | Taint externally controlled string at command_injection.py:24 | command_injection.py:25:23:25:25 | Taint externally controlled string at command_injection.py:25 |
|
| command_injection.py:24:11:24:37 | externally controlled string | command_injection.py:25:23:25:25 | externally controlled string |
|
||||||
| command_injection.py:25:23:25:25 | Taint externally controlled string at command_injection.py:25 | command_injection.py:25:22:25:36 | Taint [externally controlled string] at command_injection.py:25 |
|
| command_injection.py:25:23:25:25 | externally controlled string | command_injection.py:25:22:25:36 | first item in sequence of externally controlled string |
|
||||||
| command_injection.py:25:23:25:25 | Taint externally controlled string at command_injection.py:25 | command_injection.py:25:22:25:36 | Taint sequence[externally controlled string][0] at command_injection.py:25 |
|
| command_injection.py:25:23:25:25 | externally controlled string | command_injection.py:25:22:25:36 | sequence of externally controlled string |
|
||||||
parents
|
parents
|
||||||
| ../lib/os/__init__.py:1:12:1:14 | Taint externally controlled string at ../lib/os/__init__.py:1 | command_injection.py:12:15:12:27 | Taint externally controlled string at command_injection.py:12 |
|
| ../lib/os/__init__.py:1:12:1:14 | externally controlled string | command_injection.py:12:15:12:27 | externally controlled string |
|
||||||
#select
|
#select
|
||||||
| command_injection.py:12:15:12:27 | shell command | command_injection.py:10:13:10:24 | Taint {externally controlled string} at command_injection.py:10 | command_injection.py:12:15:12:27 | Taint externally controlled string at command_injection.py:12 | This command depends on $@. | command_injection.py:10:13:10:24 | flask.request.args | a user-provided value |
|
| command_injection.py:12:15:12:27 | shell command | command_injection.py:10:13:10:24 | dict of externally controlled string | command_injection.py:12:15:12:27 | externally controlled string | This command depends on $@. | command_injection.py:10:13:10:24 | flask.request.args | a user-provided value |
|
||||||
| command_injection.py:19:22:19:34 | shell command | command_injection.py:17:13:17:24 | Taint {externally controlled string} at command_injection.py:17 | command_injection.py:19:22:19:34 | Taint [externally controlled string] at command_injection.py:19 | This command depends on $@. | command_injection.py:17:13:17:24 | flask.request.args | a user-provided value |
|
| command_injection.py:19:22:19:34 | shell command | command_injection.py:17:13:17:24 | dict of externally controlled string | command_injection.py:19:22:19:34 | sequence of externally controlled string | This command depends on $@. | command_injection.py:17:13:17:24 | flask.request.args | a user-provided value |
|
||||||
| command_injection.py:25:22:25:36 | OS command first argument | command_injection.py:24:11:24:22 | Taint {externally controlled string} at command_injection.py:24 | command_injection.py:25:22:25:36 | Taint [externally controlled string] at command_injection.py:25 | This command depends on $@. | command_injection.py:24:11:24:22 | flask.request.args | a user-provided value |
|
| command_injection.py:25:22:25:36 | OS command first argument | command_injection.py:24:11:24:22 | dict of externally controlled string | command_injection.py:25:22:25:36 | first item in sequence of externally controlled string | This command depends on $@. | command_injection.py:24:11:24:22 | flask.request.args | a user-provided value |
|
||||||
| command_injection.py:25:22:25:36 | OS command first argument | command_injection.py:24:11:24:22 | Taint {externally controlled string} at command_injection.py:24 | command_injection.py:25:22:25:36 | Taint sequence[externally controlled string][0] at command_injection.py:25 | This command depends on $@. | command_injection.py:24:11:24:22 | flask.request.args | a user-provided value |
|
|
||||||
|
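Review bot: The `#select` section for `command_injection.py:25:22:25:36` drops from two rows to one while both edges into that node are still present (`first item in sequence of externally controlled string` and `sequence of externally controlled string`), and the commit message does not say this change in results is intended. If the `sequence of ...` node is no longer a sink for `OS command first argument`, that is a behavioural change worth a sentence in the description; if it is an artefact of the new representation, the expectation should not be regenerated blindly. Worth confirming against the query before accepting this file.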
|||||||
@@ -1,13 +1,13 @@
|
|||||||
edges
|
edges
|
||||||
| ../lib/flask/__init__.py:14:19:14:20 | Taint externally controlled string at ../lib/flask/__init__.py:14 | ../lib/flask/__init__.py:15:19:15:20 | Taint externally controlled string at ../lib/flask/__init__.py:15 |
|
| ../lib/flask/__init__.py:14:19:14:20 | externally controlled string | ../lib/flask/__init__.py:15:19:15:20 | externally controlled string |
|
||||||
| ../lib/flask/__init__.py:14:19:14:20 | Taint externally controlled string at ../lib/flask/__init__.py:14 | ../lib/flask/__init__.py:16:25:16:26 | Taint externally controlled string at ../lib/flask/__init__.py:16 |
|
| ../lib/flask/__init__.py:14:19:14:20 | externally controlled string | ../lib/flask/__init__.py:16:25:16:26 | externally controlled string |
|
||||||
| reflected_xss.py:7:18:7:29 | Taint {externally controlled string} at reflected_xss.py:7 | reflected_xss.py:7:18:7:45 | Taint externally controlled string at reflected_xss.py:7 |
|
| reflected_xss.py:7:18:7:29 | dict of externally controlled string | reflected_xss.py:7:18:7:45 | externally controlled string |
|
||||||
| reflected_xss.py:7:18:7:45 | Taint externally controlled string at reflected_xss.py:7 | reflected_xss.py:8:44:8:53 | Taint externally controlled string at reflected_xss.py:8 |
|
| reflected_xss.py:7:18:7:45 | externally controlled string | reflected_xss.py:8:44:8:53 | externally controlled string |
|
||||||
| reflected_xss.py:8:26:8:53 | Taint externally controlled string at reflected_xss.py:8 | ../lib/flask/__init__.py:14:19:14:20 | Taint externally controlled string at ../lib/flask/__init__.py:14 |
|
| reflected_xss.py:8:26:8:53 | externally controlled string | ../lib/flask/__init__.py:14:19:14:20 | externally controlled string |
|
||||||
| reflected_xss.py:8:44:8:53 | Taint externally controlled string at reflected_xss.py:8 | reflected_xss.py:8:26:8:53 | Taint externally controlled string at reflected_xss.py:8 |
|
| reflected_xss.py:8:44:8:53 | externally controlled string | reflected_xss.py:8:26:8:53 | externally controlled string |
|
||||||
| reflected_xss.py:12:18:12:29 | Taint {externally controlled string} at reflected_xss.py:12 | reflected_xss.py:12:18:12:45 | Taint externally controlled string at reflected_xss.py:12 |
|
| reflected_xss.py:12:18:12:29 | dict of externally controlled string | reflected_xss.py:12:18:12:45 | externally controlled string |
|
||||||
| reflected_xss.py:12:18:12:45 | Taint externally controlled string at reflected_xss.py:12 | reflected_xss.py:13:51:13:60 | Taint externally controlled string at reflected_xss.py:13 |
|
| reflected_xss.py:12:18:12:45 | externally controlled string | reflected_xss.py:13:51:13:60 | externally controlled string |
|
||||||
parents
|
parents
|
||||||
| ../lib/flask/__init__.py:14:19:14:20 | Taint externally controlled string at ../lib/flask/__init__.py:14 | reflected_xss.py:8:26:8:53 | Taint externally controlled string at reflected_xss.py:8 |
|
| ../lib/flask/__init__.py:14:19:14:20 | externally controlled string | reflected_xss.py:8:26:8:53 | externally controlled string |
|
||||||
#select
|
#select
|
||||||
| ../lib/flask/__init__.py:16:25:16:26 | flask.response.argument | reflected_xss.py:7:18:7:29 | Taint {externally controlled string} at reflected_xss.py:7 | ../lib/flask/__init__.py:16:25:16:26 | Taint externally controlled string at ../lib/flask/__init__.py:16 | Cross-site scripting vulnerability due to $@. | reflected_xss.py:7:18:7:29 | flask.request.args | user-provided value |
|
| ../lib/flask/__init__.py:16:25:16:26 | flask.response.argument | reflected_xss.py:7:18:7:29 | dict of externally controlled string | ../lib/flask/__init__.py:16:25:16:26 | externally controlled string | Cross-site scripting vulnerability due to $@. | reflected_xss.py:7:18:7:29 | flask.request.args | user-provided value |
|
||||||
@@ -1,25 +1,25 @@
|
|||||||
edges
|
edges
|
||||||
| sql_injection.py:9:15:9:21 | Taint django.request.HttpRequest at sql_injection.py:9 | sql_injection.py:11:8:11:14 | Taint django.request.HttpRequest at sql_injection.py:11 |
|
| sql_injection.py:9:15:9:21 | django.request.HttpRequest | sql_injection.py:11:8:11:14 | django.request.HttpRequest |
|
||||||
| sql_injection.py:9:15:9:21 | Taint django.request.HttpRequest at sql_injection.py:9 | sql_injection.py:12:16:12:22 | Taint django.request.HttpRequest at sql_injection.py:12 |
|
| sql_injection.py:9:15:9:21 | django.request.HttpRequest | sql_injection.py:12:16:12:22 | django.request.HttpRequest |
|
||||||
| sql_injection.py:12:16:12:22 | Taint django.request.HttpRequest at sql_injection.py:12 | sql_injection.py:12:16:12:27 | Taint django.http.request.QueryDict at sql_injection.py:12 |
|
| sql_injection.py:12:16:12:22 | django.request.HttpRequest | sql_injection.py:12:16:12:27 | django.http.request.QueryDict |
|
||||||
| sql_injection.py:12:16:12:27 | Taint django.http.request.QueryDict at sql_injection.py:12 | sql_injection.py:12:16:12:39 | Taint externally controlled string at sql_injection.py:12 |
|
| sql_injection.py:12:16:12:27 | django.http.request.QueryDict | sql_injection.py:12:16:12:39 | externally controlled string |
|
||||||
| sql_injection.py:12:16:12:39 | Taint externally controlled string at sql_injection.py:12 | sql_injection.py:16:62:16:65 | Taint externally controlled string at sql_injection.py:16 |
|
| sql_injection.py:12:16:12:39 | externally controlled string | sql_injection.py:16:62:16:65 | externally controlled string |
|
||||||
| sql_injection.py:12:16:12:39 | Taint externally controlled string at sql_injection.py:12 | sql_injection.py:19:63:19:66 | Taint externally controlled string at sql_injection.py:19 |
|
| sql_injection.py:12:16:12:39 | externally controlled string | sql_injection.py:19:63:19:66 | externally controlled string |
|
||||||
| sql_injection.py:12:16:12:39 | Taint externally controlled string at sql_injection.py:12 | sql_injection.py:22:88:22:91 | Taint externally controlled string at sql_injection.py:22 |
|
| sql_injection.py:12:16:12:39 | externally controlled string | sql_injection.py:22:88:22:91 | externally controlled string |
|
||||||
| sql_injection.py:12:16:12:39 | Taint externally controlled string at sql_injection.py:12 | sql_injection.py:23:76:23:79 | Taint externally controlled string at sql_injection.py:23 |
|
| sql_injection.py:12:16:12:39 | externally controlled string | sql_injection.py:23:76:23:79 | externally controlled string |
|
||||||
| sql_injection.py:12:16:12:39 | Taint externally controlled string at sql_injection.py:12 | sql_injection.py:24:78:24:81 | Taint externally controlled string at sql_injection.py:24 |
|
| sql_injection.py:12:16:12:39 | externally controlled string | sql_injection.py:24:78:24:81 | externally controlled string |
|
||||||
| sql_injection.py:13:16:13:34 | Taint django.db.connection.cursor at sql_injection.py:13 | sql_injection.py:15:9:15:12 | Taint django.db.connection.cursor at sql_injection.py:15 |
|
| sql_injection.py:13:16:13:34 | django.db.connection.cursor | sql_injection.py:15:9:15:12 | django.db.connection.cursor |
|
||||||
| sql_injection.py:13:16:13:34 | Taint django.db.connection.cursor at sql_injection.py:13 | sql_injection.py:18:9:18:12 | Taint django.db.connection.cursor at sql_injection.py:18 |
|
| sql_injection.py:13:16:13:34 | django.db.connection.cursor | sql_injection.py:18:9:18:12 | django.db.connection.cursor |
|
||||||
| sql_injection.py:19:63:19:66 | Taint externally controlled string at sql_injection.py:19 | sql_injection.py:19:13:19:66 | Taint externally controlled string at sql_injection.py:19 |
|
| sql_injection.py:19:63:19:66 | externally controlled string | sql_injection.py:19:13:19:66 | externally controlled string |
|
||||||
| sql_injection.py:22:9:22:20 | Taint django.db.models.Model.objects at sql_injection.py:22 | sql_injection.py:22:9:22:93 | Taint django.db.models.Model.objects at sql_injection.py:22 |
|
| sql_injection.py:22:9:22:20 | django.db.models.Model.objects | sql_injection.py:22:9:22:93 | django.db.models.Model.objects |
|
||||||
| sql_injection.py:22:88:22:91 | Taint externally controlled string at sql_injection.py:22 | sql_injection.py:22:38:22:91 | Taint externally controlled string at sql_injection.py:22 |
|
| sql_injection.py:22:88:22:91 | externally controlled string | sql_injection.py:22:38:22:91 | externally controlled string |
|
||||||
| sql_injection.py:23:9:23:20 | Taint django.db.models.Model.objects at sql_injection.py:23 | sql_injection.py:23:9:23:80 | Taint django.db.models.Model.objects at sql_injection.py:23 |
|
| sql_injection.py:23:9:23:20 | django.db.models.Model.objects | sql_injection.py:23:9:23:80 | django.db.models.Model.objects |
|
||||||
| sql_injection.py:23:76:23:79 | Taint externally controlled string at sql_injection.py:23 | sql_injection.py:23:26:23:79 | Taint externally controlled string at sql_injection.py:23 |
|
| sql_injection.py:23:76:23:79 | externally controlled string | sql_injection.py:23:26:23:79 | externally controlled string |
|
||||||
| sql_injection.py:24:9:24:20 | Taint django.db.models.Model.objects at sql_injection.py:24 | sql_injection.py:24:9:24:82 | Taint django.db.models.Model.objects at sql_injection.py:24 |
|
| sql_injection.py:24:9:24:20 | django.db.models.Model.objects | sql_injection.py:24:9:24:82 | django.db.models.Model.objects |
|
||||||
| sql_injection.py:24:78:24:81 | Taint externally controlled string at sql_injection.py:24 | sql_injection.py:24:28:24:81 | Taint externally controlled string at sql_injection.py:24 |
|
| sql_injection.py:24:78:24:81 | externally controlled string | sql_injection.py:24:28:24:81 | externally controlled string |
|
||||||
parents
|
parents
|
||||||
#select
|
#select
|
||||||
| sql_injection.py:19:13:19:66 | db.connection.execute | sql_injection.py:9:15:9:21 | Taint django.request.HttpRequest at sql_injection.py:9 | sql_injection.py:19:13:19:66 | Taint externally controlled string at sql_injection.py:19 | This SQL query depends on $@. | sql_injection.py:9:15:9:21 | Django request source | a user-provided value |
|
| sql_injection.py:19:13:19:66 | db.connection.execute | sql_injection.py:9:15:9:21 | django.request.HttpRequest | sql_injection.py:19:13:19:66 | externally controlled string | This SQL query depends on $@. | sql_injection.py:9:15:9:21 | Django request source | a user-provided value |
|
||||||
| sql_injection.py:22:38:22:91 | django.db.models.expressions.RawSQL(sink,...) | sql_injection.py:9:15:9:21 | Taint django.request.HttpRequest at sql_injection.py:9 | sql_injection.py:22:38:22:91 | Taint externally controlled string at sql_injection.py:22 | This SQL query depends on $@. | sql_injection.py:9:15:9:21 | Django request source | a user-provided value |
|
| sql_injection.py:22:38:22:91 | django.db.models.expressions.RawSQL(sink,...) | sql_injection.py:9:15:9:21 | django.request.HttpRequest | sql_injection.py:22:38:22:91 | externally controlled string | This SQL query depends on $@. | sql_injection.py:9:15:9:21 | Django request source | a user-provided value |
|
||||||
| sql_injection.py:23:26:23:79 | django.models.QuerySet.raw(sink,...) | sql_injection.py:9:15:9:21 | Taint django.request.HttpRequest at sql_injection.py:9 | sql_injection.py:23:26:23:79 | Taint externally controlled string at sql_injection.py:23 | This SQL query depends on $@. | sql_injection.py:9:15:9:21 | Django request source | a user-provided value |
|
| sql_injection.py:23:26:23:79 | django.models.QuerySet.raw(sink,...) | sql_injection.py:9:15:9:21 | django.request.HttpRequest | sql_injection.py:23:26:23:79 | externally controlled string | This SQL query depends on $@. | sql_injection.py:9:15:9:21 | Django request source | a user-provided value |
|
||||||
| sql_injection.py:24:28:24:81 | django.models.QuerySet.extra(sink,...) | sql_injection.py:9:15:9:21 | Taint django.request.HttpRequest at sql_injection.py:9 | sql_injection.py:24:28:24:81 | Taint externally controlled string at sql_injection.py:24 | This SQL query depends on $@. | sql_injection.py:9:15:9:21 | Django request source | a user-provided value |
|
| sql_injection.py:24:28:24:81 | django.models.QuerySet.extra(sink,...) | sql_injection.py:9:15:9:21 | django.request.HttpRequest | sql_injection.py:24:28:24:81 | externally controlled string | This SQL query depends on $@. | sql_injection.py:9:15:9:21 | Django request source | a user-provided value |
|
||||||
@@ -1,12 +1,12 @@
|
|||||||
edges
|
edges
|
||||||
| code_injection.py:4:20:4:26 | Taint django.request.HttpRequest at code_injection.py:4 | code_injection.py:5:8:5:14 | Taint django.request.HttpRequest at code_injection.py:5 |
|
| code_injection.py:4:20:4:26 | django.request.HttpRequest | code_injection.py:5:8:5:14 | django.request.HttpRequest |
|
||||||
| code_injection.py:4:20:4:26 | Taint django.request.HttpRequest at code_injection.py:4 | code_injection.py:6:22:6:28 | Taint django.request.HttpRequest at code_injection.py:6 |
|
| code_injection.py:4:20:4:26 | django.request.HttpRequest | code_injection.py:6:22:6:28 | django.request.HttpRequest |
|
||||||
| code_injection.py:6:22:6:28 | Taint django.request.HttpRequest at code_injection.py:6 | code_injection.py:6:22:6:33 | Taint django.http.request.QueryDict at code_injection.py:6 |
|
| code_injection.py:6:22:6:28 | django.request.HttpRequest | code_injection.py:6:22:6:33 | django.http.request.QueryDict |
|
||||||
| code_injection.py:6:22:6:33 | Taint django.http.request.QueryDict at code_injection.py:6 | code_injection.py:6:22:6:55 | Taint externally controlled string at code_injection.py:6 |
|
| code_injection.py:6:22:6:33 | django.http.request.QueryDict | code_injection.py:6:22:6:55 | externally controlled string |
|
||||||
| code_injection.py:6:22:6:55 | Taint externally controlled string at code_injection.py:6 | code_injection.py:7:34:7:43 | Taint externally controlled string at code_injection.py:7 |
|
| code_injection.py:6:22:6:55 | externally controlled string | code_injection.py:7:34:7:43 | externally controlled string |
|
||||||
| code_injection.py:7:34:7:43 | Taint externally controlled string at code_injection.py:7 | ../lib/base64.py:1:18:1:18 | Taint externally controlled string at ../lib/base64.py:1 |
|
| code_injection.py:7:34:7:43 | externally controlled string | ../lib/base64.py:1:18:1:18 | externally controlled string |
|
||||||
| code_injection.py:7:34:7:43 | Taint externally controlled string at code_injection.py:7 | code_injection.py:7:14:7:44 | Taint externally controlled string at code_injection.py:7 |
|
| code_injection.py:7:34:7:43 | externally controlled string | code_injection.py:7:14:7:44 | externally controlled string |
|
||||||
parents
|
parents
|
||||||
| ../lib/base64.py:1:18:1:18 | Taint externally controlled string at ../lib/base64.py:1 | code_injection.py:7:34:7:43 | Taint externally controlled string at code_injection.py:7 |
|
| ../lib/base64.py:1:18:1:18 | externally controlled string | code_injection.py:7:34:7:43 | externally controlled string |
|
||||||
#select
|
#select
|
||||||
| code_injection.py:7:14:7:44 | exec or eval | code_injection.py:4:20:4:26 | Taint django.request.HttpRequest at code_injection.py:4 | code_injection.py:7:14:7:44 | Taint externally controlled string at code_injection.py:7 | $@ flows to here and is interpreted as code. | code_injection.py:4:20:4:26 | Django request source | User-provided value |
|
| code_injection.py:7:14:7:44 | exec or eval | code_injection.py:4:20:4:26 | django.request.HttpRequest | code_injection.py:7:14:7:44 | externally controlled string | $@ flows to here and is interpreted as code. | code_injection.py:4:20:4:26 | Django request source | User-provided value |
|
||||||
@@ -1,11 +1,11 @@
|
|||||||
edges
|
edges
|
||||||
| test.py:33:15:33:36 | Taint exception.info at test.py:33 | test.py:34:29:34:31 | Taint exception.info at test.py:34 |
|
| test.py:33:15:33:36 | exception info | test.py:34:29:34:31 | exception info |
|
||||||
| test.py:34:29:34:31 | Taint exception.info at test.py:34 | test.py:36:18:36:20 | Taint exception.info at test.py:36 |
|
| test.py:34:29:34:31 | exception info | test.py:36:18:36:20 | exception info |
|
||||||
| test.py:36:18:36:20 | Taint exception.info at test.py:36 | test.py:37:25:37:27 | Taint exception.info at test.py:37 |
|
| test.py:36:18:36:20 | exception info | test.py:37:25:37:27 | exception info |
|
||||||
| test.py:37:12:37:27 | Taint exception.info at test.py:37 | test.py:34:16:34:32 | Taint exception.info at test.py:34 |
|
| test.py:37:12:37:27 | exception info | test.py:34:16:34:32 | exception info |
|
||||||
| test.py:37:25:37:27 | Taint exception.info at test.py:37 | test.py:37:12:37:27 | Taint exception.info at test.py:37 |
|
| test.py:37:25:37:27 | exception info | test.py:37:12:37:27 | exception info |
|
||||||
parents
|
parents
|
||||||
| test.py:36:18:36:20 | Taint exception.info at test.py:36 | test.py:34:29:34:31 | Taint exception.info at test.py:34 |
|
| test.py:36:18:36:20 | exception info | test.py:34:29:34:31 | exception info |
|
||||||
#select
|
#select
|
||||||
| test.py:16:16:16:37 | flask.routed.response | test.py:16:16:16:37 | Taint exception.info at test.py:16 | test.py:16:16:16:37 | Taint exception.info at test.py:16 | $@ may be exposed to an external user | test.py:16:16:16:37 | exception.info.source | Error information |
|
| test.py:16:16:16:37 | flask.routed.response | test.py:16:16:16:37 | exception info | test.py:16:16:16:37 | exception info | $@ may be exposed to an external user | test.py:16:16:16:37 | exception.info.source | Error information |
|
||||||
| test.py:34:16:34:32 | flask.routed.response | test.py:33:15:33:36 | Taint exception.info at test.py:33 | test.py:34:16:34:32 | Taint exception.info at test.py:34 | $@ may be exposed to an external user | test.py:33:15:33:36 | exception.info.source | Error information |
|
| test.py:34:16:34:32 | flask.routed.response | test.py:33:15:33:36 | exception info | test.py:34:16:34:32 | exception info | $@ may be exposed to an external user | test.py:33:15:33:36 | exception.info.source | Error information |
|
||||||
@@ -1,12 +1,12 @@
|
|||||||
edges
|
edges
|
||||||
| test.py:11:15:11:26 | Taint {externally controlled string} at test.py:11 | test.py:11:15:11:41 | Taint externally controlled string at test.py:11 |
|
| test.py:11:15:11:26 | dict of externally controlled string | test.py:11:15:11:41 | externally controlled string |
|
||||||
| test.py:11:15:11:41 | Taint externally controlled string at test.py:11 | test.py:12:18:12:24 | Taint externally controlled string at test.py:12 |
|
| test.py:11:15:11:41 | externally controlled string | test.py:12:18:12:24 | externally controlled string |
|
||||||
| test.py:11:15:11:41 | Taint externally controlled string at test.py:11 | test.py:13:15:13:21 | Taint externally controlled string at test.py:13 |
|
| test.py:11:15:11:41 | externally controlled string | test.py:13:15:13:21 | externally controlled string |
|
||||||
| test.py:11:15:11:41 | Taint externally controlled string at test.py:11 | test.py:14:19:14:25 | Taint externally controlled string at test.py:14 |
|
| test.py:11:15:11:41 | externally controlled string | test.py:14:19:14:25 | externally controlled string |
|
||||||
| test.py:13:15:13:21 | Taint externally controlled string at test.py:13 | ../lib/yaml.py:1:10:1:10 | Taint externally controlled string at ../lib/yaml.py:1 |
|
| test.py:13:15:13:21 | externally controlled string | ../lib/yaml.py:1:10:1:10 | externally controlled string |
|
||||||
parents
|
parents
|
||||||
| ../lib/yaml.py:1:10:1:10 | Taint externally controlled string at ../lib/yaml.py:1 | test.py:13:15:13:21 | Taint externally controlled string at test.py:13 |
|
| ../lib/yaml.py:1:10:1:10 | externally controlled string | test.py:13:15:13:21 | externally controlled string |
|
||||||
#select
|
#select
|
||||||
| test.py:12:18:12:24 | unpickling untrusted data | test.py:11:15:11:26 | Taint {externally controlled string} at test.py:11 | test.py:12:18:12:24 | Taint externally controlled string at test.py:12 | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input |
|
| test.py:12:18:12:24 | unpickling untrusted data | test.py:11:15:11:26 | dict of externally controlled string | test.py:12:18:12:24 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input |
|
||||||
| test.py:13:15:13:21 | yaml.load vulnerability | test.py:11:15:11:26 | Taint {externally controlled string} at test.py:11 | test.py:13:15:13:21 | Taint externally controlled string at test.py:13 | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input |
|
| test.py:13:15:13:21 | yaml.load vulnerability | test.py:11:15:11:26 | dict of externally controlled string | test.py:13:15:13:21 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input |
|
||||||
| test.py:14:19:14:25 | unmarshaling vulnerability | test.py:11:15:11:26 | Taint {externally controlled string} at test.py:11 | test.py:14:19:14:25 | Taint externally controlled string at test.py:14 | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input |
|
| test.py:14:19:14:25 | unmarshaling vulnerability | test.py:11:15:11:26 | dict of externally controlled string | test.py:14:19:14:25 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input |
|
||||||
@@ -1,10 +1,10 @@
|
|||||||
edges
|
edges
|
||||||
| test.py:7:22:7:33 | Taint {externally controlled string} at test.py:7 | test.py:7:22:7:51 | Taint externally controlled string at test.py:7 |
|
| test.py:7:22:7:33 | dict of externally controlled string | test.py:7:22:7:51 | externally controlled string |
|
||||||
| test.py:7:22:7:51 | Taint externally controlled string at test.py:7 | test.py:8:21:8:26 | Taint externally controlled string at test.py:8 |
|
| test.py:7:22:7:51 | externally controlled string | test.py:8:21:8:26 | externally controlled string |
|
||||||
| test.py:8:21:8:26 | Taint externally controlled string at test.py:8 | ../lib/flask/__init__.py:11:14:11:21 | Taint externally controlled string at ../lib/flask/__init__.py:11 |
|
| test.py:8:21:8:26 | externally controlled string | ../lib/flask/__init__.py:11:14:11:21 | externally controlled string |
|
||||||
| test.py:15:17:15:28 | Taint {externally controlled string} at test.py:15 | test.py:15:17:15:42 | Taint externally controlled string at test.py:15 |
|
| test.py:15:17:15:28 | dict of externally controlled string | test.py:15:17:15:42 | externally controlled string |
|
||||||
| test.py:15:17:15:42 | Taint externally controlled string at test.py:15 | test.py:17:13:17:21 | Taint externally controlled string at test.py:17 |
|
| test.py:15:17:15:42 | externally controlled string | test.py:17:13:17:21 | externally controlled string |
|
||||||
parents
|
parents
|
||||||
| ../lib/flask/__init__.py:11:14:11:21 | Taint externally controlled string at ../lib/flask/__init__.py:11 | test.py:8:21:8:26 | Taint externally controlled string at test.py:8 |
|
| ../lib/flask/__init__.py:11:14:11:21 | externally controlled string | test.py:8:21:8:26 | externally controlled string |
|
||||||
#select
|
#select
|
||||||
| test.py:8:21:8:26 | flask.redirect | test.py:7:22:7:33 | Taint {externally controlled string} at test.py:7 | test.py:8:21:8:26 | Taint externally controlled string at test.py:8 | Untrusted URL redirection due to $@. | test.py:7:22:7:33 | flask.request.args | a user-provided value |
|
| test.py:8:21:8:26 | flask.redirect | test.py:7:22:7:33 | dict of externally controlled string | test.py:8:21:8:26 | externally controlled string | Untrusted URL redirection due to $@. | test.py:7:22:7:33 | flask.request.args | a user-provided value |
|
||||||