Python: Fix results outside DB for StackTraceExposure

2026-04-25 16:55:19 +02:00 · 2022-11-02 09:55:59 +01:00
parent 972cfa5cf6
commit 6646e98d20
2 changed files with 25 additions and 111 deletions
--- a/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureCustomizations.qll
@@ -42,7 +42,31 @@ module StackTraceExposure {
   * A source of exception info, considered as a flow source.
   */
  class ExceptionInfoAsSource extends Source {
-    ExceptionInfoAsSource() { this instanceof ExceptionInfo }
+    ExceptionInfoAsSource() {
+      this instanceof ExceptionInfo and
+      // since `traceback.format_exc()` in Python 2 is internally implemented as
+      // ```py
+      // def format_exc(limit=None):
+      //     """Like print_exc() but return a string."""
+      //     try:
+      //         etype, value, tb = sys.exc_info()
+      //         return ''.join(format_exception(etype, value, tb, limit))
+      //     finally:
+      //         etype = value = tb = None
+      // ```
+      // any time we would report flow to such from a call to format_exc, we can ALSO report
+      // the flow from the `sys.exc_info()` source -- obviously we don't want that.
+      //
+      //
+      // To avoid this, we use the same approach as for sinks in the command injection
+      // query (and others).
+      not exists(Module traceback |
+        traceback.getName() = "traceback" and
+        this.getScope().getEnclosingModule() = traceback and
+        // do allow this call if we're analyzing traceback.py as part of CPython though
+        not exists(traceback.getFile().getRelativePath())
+      )
+    }
  }

  /**