hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Python: Account for other 'falsey' values in query.

Browse Source
This commit is contained in:
Mark Shannon
2018-11-22 18:44:15 +00:00
parent 06e5bc8359
commit 6588606739
5 changed files with 15 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
python/ql/src/Security/CWE-295/RequestWithoutValidation.qhelp
View File

@@ -21,7 +21,7 @@ Never use <code>verify=False</code> when making a request.
<example>
<p>
The example shows an unsafe call to <a href="https://semmle.com">semmle.com</a>, followed by various safe alternatives.
The example shows two unsafe calls to <a href="https://semmle.com">semmle.com</a>, followed by various safe alternatives.
</p>
<sample src="examples/make_request.py" />

12
python/ql/src/Security/CWE-295/RequestWithoutValidation.ql
View File

@@ -21,10 +21,16 @@ FunctionObject requestFunction() {
)
}
from CallNode call, FunctionObject func, ControlFlowNode false_
/** requests treats None as the default and all other "falsey" values as False */
predicate falseNotNone(Object o) {
o.booleanValue() = false and not o = theNoneObject()
}
from CallNode call, FunctionObject func, Object falsey, ControlFlowNode origin
where
func = requestFunction() and
func.getACall() = call and
call.getArgByName("verify").refersTo(theFalseObject(), false_)
falseNotNone(falsey) and
call.getArgByName("verify").refersTo(falsey, origin)
select call, "Call to $@ with verify=$@", func, "requests." + func.getName(), false_, "False"
select call, "Call to $@ with verify=$@", func, "requests." + func.getName(), origin, "False"

3
python/ql/src/Security/CWE-295/examples/make_request.py
View File

@@ -1,8 +1,9 @@
import requests
#An unsafe request
#Unsafe requests
requests.get('https://semmle.com', verify=False) # UNSAFE
requests.get('https://semmle.com', verify=0) # UNSAFE
#Various safe options

1
python/ql/test/query-tests/Security/CWE-295/RequestWithoutValidation.expected
View File

@@ -2,3 +2,4 @@
| make_request.py:7:1:7:49 | ControlFlowNode for Attribute() | Call to $@ with verify=$@ | ../lib/requests.py:11:1:11:46 | Function post | requests.post | make_request.py:7:44:7:48 | ControlFlowNode for False | False |
| make_request.py:12:1:12:39 | ControlFlowNode for put() | Call to $@ with verify=$@ | ../lib/requests.py:14:1:14:34 | Function put | requests.put | make_request.py:12:34:12:38 | ControlFlowNode for False | False |
| make_request.py:28:5:28:46 | ControlFlowNode for patch() | Call to $@ with verify=$@ | ../lib/requests.py:17:1:17:36 | Function patch | requests.patch | make_request.py:30:6:30:10 | ControlFlowNode for False | False |
| make_request.py:34:1:34:45 | ControlFlowNode for Attribute() | Call to $@ with verify=$@ | ../lib/requests.py:11:1:11:46 | Function post | requests.post | make_request.py:34:44:34:44 | ControlFlowNode for IntegerLiteral | False |

2
python/ql/test/query-tests/Security/CWE-295/make_request.py
View File

@@ -30,3 +30,5 @@ def req2(verify):
req2(False) # BAD (at line 28)
req2("/path/to/cert/") # GOOD
#Falsey value
requests.post('https://semmle.com', verify=0) # BAD