Merge branch 'master' into python-fix-django-taint-sinks
@@ -1,15 +0,0 @@
|
||||
| 19 | 0 | ControlFlowNode for w | Function f |
|
||||
| 19 | 1 | ControlFlowNode for x | Function f |
|
||||
| 19 | 2 | ControlFlowNode for y | Function f |
|
||||
| 21 | 0 | ControlFlowNode for y | Function f |
|
||||
| 21 | 1 | ControlFlowNode for w | Function f |
|
||||
| 21 | 2 | ControlFlowNode for z | Function f |
|
||||
| 23 | 0 | ControlFlowNode for c | Function f |
|
||||
| 23 | 1 | ControlFlowNode for w | Function f |
|
||||
| 23 | 2 | ControlFlowNode for z | Function f |
|
||||
| 24 | 0 | ControlFlowNode for c | Function n |
|
||||
| 24 | 1 | ControlFlowNode for x | Function n |
|
||||
| 25 | 0 | ControlFlowNode for y | Function n |
|
||||
| 25 | 1 | ControlFlowNode for z | Function n |
|
||||
| 33 | 0 | ControlFlowNode for IntegerLiteral | Function foo |
|
||||
| 34 | 0 | ControlFlowNode for IntegerLiteral | Function foo |
|
||||
@@ -1,5 +0,0 @@
|
||||
import python
|
||||
|
||||
from ControlFlowNode arg, FunctionObject func, int i
|
||||
where arg = func.getArgumentForCall(_, i)
|
||||
select arg.getLocation().getStartLine(), i, arg.toString(), func.toString()
|
||||
@@ -1,7 +0,0 @@
|
||||
| 19 | ControlFlowNode for f() | Function f |
|
||||
| 21 | ControlFlowNode for f() | Function f |
|
||||
| 23 | ControlFlowNode for Attribute() | Function f |
|
||||
| 24 | ControlFlowNode for Attribute() | Function n |
|
||||
| 25 | ControlFlowNode for Attribute() | Function n |
|
||||
| 33 | ControlFlowNode for Attribute() | Function foo |
|
||||
| 34 | ControlFlowNode for Attribute() | Function foo |
|
||||
@@ -0,0 +1,19 @@
|
||||
| 19 | ControlFlowNode for f() | Function f |
|
||||
| 21 | ControlFlowNode for f() | Function f |
|
||||
| 22 | ControlFlowNode for C() | class C |
|
||||
| 23 | ControlFlowNode for Attribute() | Method(Function f, C()) |
|
||||
| 24 | ControlFlowNode for Attribute() | Method(Function C.n, C()) |
|
||||
| 25 | ControlFlowNode for Attribute() | Function C.n |
|
||||
| 29 | ControlFlowNode for staticmethod() | builtin-class staticmethod |
|
||||
| 33 | ControlFlowNode for Attribute() | Function D.foo |
|
||||
| 34 | ControlFlowNode for Attribute() | Function D.foo |
|
||||
| 34 | ControlFlowNode for D() | class D |
|
||||
| 37 | ControlFlowNode for Attribute() | Method(builtin method append, List) |
|
||||
| 38 | ControlFlowNode for len() | Builtin-function len |
|
||||
| 40 | ControlFlowNode for f() | Function f |
|
||||
| 41 | ControlFlowNode for C() | class C |
|
||||
| 42 | ControlFlowNode for Attribute() | Method(Function C.n, C()) |
|
||||
| 45 | ControlFlowNode for open() | Builtin-function open |
|
||||
| 46 | ControlFlowNode for open() | Builtin-function open |
|
||||
| 51 | ControlFlowNode for foo() | Function foo |
|
||||
| 55 | ControlFlowNode for bar() | Function bar |
|
||||
@@ -0,0 +1,5 @@
|
||||
import python
|
||||
|
||||
from CallNode call, Value func
|
||||
where call.getFunction().pointsTo(func)
|
||||
select call.getLocation().getStartLine(), call.toString(), func.toString()
|
||||
@@ -0,0 +1,23 @@
|
||||
| 19 | ControlFlowNode for f() | Function f |
|
||||
| 21 | ControlFlowNode for f() | Function f |
|
||||
| 22 | ControlFlowNode for C() | class C |
|
||||
| 23 | ControlFlowNode for Attribute() | Function f |
|
||||
| 23 | ControlFlowNode for Attribute() | Method(Function f, C()) |
|
||||
| 24 | ControlFlowNode for Attribute() | Function C.n |
|
||||
| 24 | ControlFlowNode for Attribute() | Method(Function C.n, C()) |
|
||||
| 25 | ControlFlowNode for Attribute() | Function C.n |
|
||||
| 29 | ControlFlowNode for staticmethod() | builtin-class staticmethod |
|
||||
| 33 | ControlFlowNode for Attribute() | Function D.foo |
|
||||
| 34 | ControlFlowNode for Attribute() | Function D.foo |
|
||||
| 34 | ControlFlowNode for D() | class D |
|
||||
| 37 | ControlFlowNode for Attribute() | Method(builtin method append, List) |
|
||||
| 37 | ControlFlowNode for Attribute() | builtin method append |
|
||||
| 38 | ControlFlowNode for len() | Builtin-function len |
|
||||
| 40 | ControlFlowNode for f() | Function f |
|
||||
| 41 | ControlFlowNode for C() | class C |
|
||||
| 42 | ControlFlowNode for Attribute() | Function C.n |
|
||||
| 42 | ControlFlowNode for Attribute() | Method(Function C.n, C()) |
|
||||
| 45 | ControlFlowNode for open() | Builtin-function open |
|
||||
| 46 | ControlFlowNode for open() | Builtin-function open |
|
||||
| 51 | ControlFlowNode for foo() | Function foo |
|
||||
| 55 | ControlFlowNode for bar() | Function bar |
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
|
||||
from ControlFlowNode call, FunctionObject func
|
||||
from ControlFlowNode call, Value func
|
||||
where call = func.getACall()
|
||||
select call.getLocation().getStartLine(), call.toString(), func.toString()
|
||||
@@ -0,0 +1,34 @@
|
||||
| 19 | ControlFlowNode for f() | Function f | 0 | ControlFlowNode for w |
|
||||
| 19 | ControlFlowNode for f() | Function f | 1 | ControlFlowNode for x |
|
||||
| 19 | ControlFlowNode for f() | Function f | 2 | ControlFlowNode for y |
|
||||
| 21 | ControlFlowNode for f() | Function f | 0 | ControlFlowNode for y |
|
||||
| 21 | ControlFlowNode for f() | Function f | 1 | ControlFlowNode for w |
|
||||
| 21 | ControlFlowNode for f() | Function f | 2 | ControlFlowNode for z |
|
||||
| 23 | ControlFlowNode for Attribute() | Function f | 0 | ControlFlowNode for c |
|
||||
| 23 | ControlFlowNode for Attribute() | Function f | 1 | ControlFlowNode for w |
|
||||
| 23 | ControlFlowNode for Attribute() | Function f | 2 | ControlFlowNode for z |
|
||||
| 23 | ControlFlowNode for Attribute() | Method(Function f, C()) | 0 | ControlFlowNode for w |
|
||||
| 23 | ControlFlowNode for Attribute() | Method(Function f, C()) | 1 | ControlFlowNode for z |
|
||||
| 24 | ControlFlowNode for Attribute() | Function C.n | 0 | ControlFlowNode for c |
|
||||
| 24 | ControlFlowNode for Attribute() | Function C.n | 1 | ControlFlowNode for x |
|
||||
| 24 | ControlFlowNode for Attribute() | Method(Function C.n, C()) | 0 | ControlFlowNode for x |
|
||||
| 25 | ControlFlowNode for Attribute() | Function C.n | 0 | ControlFlowNode for y |
|
||||
| 25 | ControlFlowNode for Attribute() | Function C.n | 1 | ControlFlowNode for z |
|
||||
| 33 | ControlFlowNode for Attribute() | Function D.foo | 0 | ControlFlowNode for IntegerLiteral |
|
||||
| 34 | ControlFlowNode for Attribute() | Function D.foo | 0 | ControlFlowNode for IntegerLiteral |
|
||||
| 37 | ControlFlowNode for Attribute() | Method(builtin method append, List) | 0 | ControlFlowNode for IntegerLiteral |
|
||||
| 37 | ControlFlowNode for Attribute() | builtin method append | 0 | ControlFlowNode for l |
|
||||
| 37 | ControlFlowNode for Attribute() | builtin method append | 1 | ControlFlowNode for IntegerLiteral |
|
||||
| 38 | ControlFlowNode for len() | Builtin-function len | 0 | ControlFlowNode for l |
|
||||
| 40 | ControlFlowNode for f() | Function f | 0 | ControlFlowNode for IntegerLiteral |
|
||||
| 40 | ControlFlowNode for f() | Function f | 1 | ControlFlowNode for IntegerLiteral |
|
||||
| 40 | ControlFlowNode for f() | Function f | 2 | ControlFlowNode for IntegerLiteral |
|
||||
| 42 | ControlFlowNode for Attribute() | Function C.n | 0 | ControlFlowNode for c |
|
||||
| 42 | ControlFlowNode for Attribute() | Function C.n | 1 | ControlFlowNode for IntegerLiteral |
|
||||
| 42 | ControlFlowNode for Attribute() | Method(Function C.n, C()) | 0 | ControlFlowNode for IntegerLiteral |
|
||||
| 45 | ControlFlowNode for open() | Builtin-function open | 0 | ControlFlowNode for Str |
|
||||
| 45 | ControlFlowNode for open() | Builtin-function open | 1 | ControlFlowNode for Str |
|
||||
| 51 | ControlFlowNode for foo() | Function foo | 0 | ControlFlowNode for IntegerLiteral |
|
||||
| 51 | ControlFlowNode for foo() | Function foo | 1 | ControlFlowNode for IntegerLiteral |
|
||||
| 51 | ControlFlowNode for foo() | Function foo | 2 | ControlFlowNode for IntegerLiteral |
|
||||
| 55 | ControlFlowNode for bar() | Function bar | 0 | ControlFlowNode for IntegerLiteral |
|
||||
@@ -0,0 +1,5 @@
|
||||
import python
|
||||
|
||||
from CallNode call, CallableValue callable, int i
|
||||
select call.getLocation().getStartLine(), call.toString(), callable.toString(), i,
|
||||
callable.getArgumentForCall(call, i).toString()
|
||||
@@ -0,0 +1,31 @@
|
||||
| 19 | ControlFlowNode for f() | Function f | arg0 | ControlFlowNode for w |
|
||||
| 19 | ControlFlowNode for f() | Function f | arg1 | ControlFlowNode for x |
|
||||
| 19 | ControlFlowNode for f() | Function f | arg2 | ControlFlowNode for y |
|
||||
| 21 | ControlFlowNode for f() | Function f | arg0 | ControlFlowNode for y |
|
||||
| 21 | ControlFlowNode for f() | Function f | arg1 | ControlFlowNode for w |
|
||||
| 21 | ControlFlowNode for f() | Function f | arg2 | ControlFlowNode for z |
|
||||
| 23 | ControlFlowNode for Attribute() | Function f | arg1 | ControlFlowNode for w |
|
||||
| 23 | ControlFlowNode for Attribute() | Function f | arg2 | ControlFlowNode for z |
|
||||
| 23 | ControlFlowNode for Attribute() | Function f | self | ControlFlowNode for c |
|
||||
| 23 | ControlFlowNode for Attribute() | Method(Function f, C()) | arg1 | ControlFlowNode for w |
|
||||
| 23 | ControlFlowNode for Attribute() | Method(Function f, C()) | arg2 | ControlFlowNode for z |
|
||||
| 24 | ControlFlowNode for Attribute() | Function C.n | arg1 | ControlFlowNode for x |
|
||||
| 24 | ControlFlowNode for Attribute() | Function C.n | self | ControlFlowNode for c |
|
||||
| 24 | ControlFlowNode for Attribute() | Method(Function C.n, C()) | arg1 | ControlFlowNode for x |
|
||||
| 25 | ControlFlowNode for Attribute() | Function C.n | arg1 | ControlFlowNode for z |
|
||||
| 25 | ControlFlowNode for Attribute() | Function C.n | self | ControlFlowNode for y |
|
||||
| 33 | ControlFlowNode for Attribute() | Function D.foo | arg | ControlFlowNode for IntegerLiteral |
|
||||
| 34 | ControlFlowNode for Attribute() | Function D.foo | arg | ControlFlowNode for IntegerLiteral |
|
||||
| 37 | ControlFlowNode for Attribute() | builtin method append | self | ControlFlowNode for l |
|
||||
| 40 | ControlFlowNode for f() | Function f | arg0 | ControlFlowNode for IntegerLiteral |
|
||||
| 40 | ControlFlowNode for f() | Function f | arg1 | ControlFlowNode for IntegerLiteral |
|
||||
| 40 | ControlFlowNode for f() | Function f | arg2 | ControlFlowNode for IntegerLiteral |
|
||||
| 42 | ControlFlowNode for Attribute() | Function C.n | arg1 | ControlFlowNode for IntegerLiteral |
|
||||
| 42 | ControlFlowNode for Attribute() | Function C.n | self | ControlFlowNode for c |
|
||||
| 42 | ControlFlowNode for Attribute() | Method(Function C.n, C()) | arg1 | ControlFlowNode for IntegerLiteral |
|
||||
| 46 | ControlFlowNode for open() | Builtin-function open | file | ControlFlowNode for Str |
|
||||
| 46 | ControlFlowNode for open() | Builtin-function open | mode | ControlFlowNode for Str |
|
||||
| 51 | ControlFlowNode for foo() | Function foo | a | ControlFlowNode for IntegerLiteral |
|
||||
| 55 | ControlFlowNode for bar() | Function bar | a | ControlFlowNode for IntegerLiteral |
|
||||
| 55 | ControlFlowNode for bar() | Function bar | b | ControlFlowNode for IntegerLiteral |
|
||||
| 55 | ControlFlowNode for bar() | Function bar | c | ControlFlowNode for IntegerLiteral |
|
||||
@@ -0,0 +1,5 @@
|
||||
import python
|
||||
|
||||
from CallNode call, CallableValue callable, string name
|
||||
select call.getLocation().getStartLine(), call.toString(), callable.toString(), name,
|
||||
callable.getNamedArgumentForCall(call, name).toString()
|
||||
@@ -0,0 +1,12 @@
|
||||
| Function C.n | 0 | ControlFlowNode for self |
|
||||
| Function C.n | 1 | ControlFlowNode for arg1 |
|
||||
| Function D.foo | 0 | ControlFlowNode for arg |
|
||||
| Function bar | 0 | ControlFlowNode for a |
|
||||
| Function f | 0 | ControlFlowNode for arg0 |
|
||||
| Function f | 1 | ControlFlowNode for arg1 |
|
||||
| Function f | 2 | ControlFlowNode for arg2 |
|
||||
| Function foo | 0 | ControlFlowNode for a |
|
||||
| Method(Function C.n, C()) | 0 | ControlFlowNode for arg1 |
|
||||
| Method(Function C.n, class C) | 0 | ControlFlowNode for arg1 |
|
||||
| Method(Function f, C()) | 0 | ControlFlowNode for arg1 |
|
||||
| Method(Function f, C()) | 1 | ControlFlowNode for arg2 |
|
||||
@@ -0,0 +1,4 @@
|
||||
import python
|
||||
|
||||
from CallableValue callable, int i
|
||||
select callable.toString(), i, callable.getParameter(i).toString()
|
||||
@@ -0,0 +1,12 @@
|
||||
| Function C.n | arg1 | ControlFlowNode for arg1 |
|
||||
| Function C.n | self | ControlFlowNode for self |
|
||||
| Function D.foo | arg | ControlFlowNode for arg |
|
||||
| Function bar | a | ControlFlowNode for a |
|
||||
| Function f | arg0 | ControlFlowNode for arg0 |
|
||||
| Function f | arg1 | ControlFlowNode for arg1 |
|
||||
| Function f | arg2 | ControlFlowNode for arg2 |
|
||||
| Function foo | a | ControlFlowNode for a |
|
||||
| Method(Function C.n, C()) | arg1 | ControlFlowNode for arg1 |
|
||||
| Method(Function C.n, class C) | arg1 | ControlFlowNode for arg1 |
|
||||
| Method(Function f, C()) | arg1 | ControlFlowNode for arg1 |
|
||||
| Method(Function f, C()) | arg2 | ControlFlowNode for arg2 |
|
||||
@@ -0,0 +1,4 @@
|
||||
import python
|
||||
|
||||
from CallableValue callable, string name
|
||||
select callable.toString(), name, callable.getParameterByName(name).toString()
|
||||
@@ -32,3 +32,24 @@ class D(object):
|
||||
|
||||
D.foo(1)
|
||||
D().foo(2)
|
||||
|
||||
l = [1,2,3]
|
||||
l.append(4)
|
||||
len(l)
|
||||
|
||||
f(arg0=0, arg1=1, arg2=2)
|
||||
c = C()
|
||||
c.n(arg1=1)
|
||||
|
||||
# positional/keyword arguments for a builtin function
|
||||
open("foo.txt", "rb") # TODO: Not handled by getNamedArgumentForCall
|
||||
open(file="foo.txt", mode="rb")
|
||||
|
||||
# Testing how arguments to *args and **kwargs are handled
|
||||
def foo(a, *args):
|
||||
pass
|
||||
foo(1, 2, 3)
|
||||
|
||||
def bar(a, **kwargs):
|
||||
pass
|
||||
bar(a=1, b=2, c=3)
|
||||
|
||||
@@ -2,7 +2,7 @@ import python
|
||||
import semmle.python.pointsto.PointsTo
|
||||
import semmle.python.objects.ObjectInternal
|
||||
|
||||
predicate ssa_sanity(string clsname, string problem, string what) {
|
||||
predicate ssa_consistency(string clsname, string problem, string what) {
|
||||
/* Exactly one definition of each SSA variable */
|
||||
exists(EssaVariable var | clsname = var.getAQlClass() |
|
||||
/* Exactly one definition of each SSA variable */
|
||||
@@ -130,7 +130,7 @@ predicate ssa_sanity(string clsname, string problem, string what) {
|
||||
)
|
||||
}
|
||||
|
||||
predicate undefined_sanity(string clsname, string problem, string what) {
|
||||
predicate undefined_consistency(string clsname, string problem, string what) {
|
||||
/* Variables may be undefined, but values cannot be */
|
||||
exists(ControlFlowNode f |
|
||||
PointsToInternal::pointsTo(f, _, ObjectInternal::undefined(), _) and
|
||||
@@ -142,5 +142,5 @@ predicate undefined_sanity(string clsname, string problem, string what) {
|
||||
}
|
||||
|
||||
from string clsname, string problem, string what
|
||||
where ssa_sanity(clsname, problem, what) or undefined_sanity(clsname, problem, what)
|
||||
where ssa_consistency(clsname, problem, what) or undefined_consistency(clsname, problem, what)
|
||||
select clsname, what, problem
|
||||
@@ -57,7 +57,7 @@ def loop(seq):
|
||||
if v:
|
||||
use(v)
|
||||
|
||||
#This was causing the sanity check to fail,
|
||||
#This was causing the consistency check to fail,
|
||||
def double_attr_check(x, y):
|
||||
if x.b == 3:
|
||||
return
|
||||
|
||||
@@ -95,7 +95,7 @@ def h():
|
||||
if not x:
|
||||
pass
|
||||
|
||||
def complex_test(x): # Was failing sanity check.
|
||||
def complex_test(x): # Was failing consistency check.
|
||||
if not (foo(x) and bar(x)):
|
||||
use(x)
|
||||
pass
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
| test.py:6:5:6:22 | Function Foo.foo | test.py:9:1:9:11 | ControlFlowNode for Attribute() |
|
||||
@@ -0,0 +1,4 @@
|
||||
import python
|
||||
|
||||
from PythonFunctionValue func
|
||||
select func, func.getACall()
|
||||
@@ -0,0 +1,25 @@
|
||||
# Simple classmethod
|
||||
|
||||
class Foo(object):
|
||||
|
||||
@classmethod
|
||||
def foo(cls, arg):
|
||||
print(cls, arg)
|
||||
|
||||
Foo.foo(42)
|
||||
|
||||
|
||||
# classmethod defined by metaclass
|
||||
|
||||
class BarMeta(type):
|
||||
|
||||
def bar(cls, arg):
|
||||
print(cls, arg)
|
||||
|
||||
class Bar(metaclass=BarMeta):
|
||||
pass
|
||||
|
||||
Bar.bar(42) # TODO: No points-to
|
||||
|
||||
# If this is solved, please update python/ql/src/Variables/UndefinedExport.ql which has a
|
||||
# work-around for this behavior
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
class SimpleSource extends TaintSource {
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import Taint
|
||||
|
||||
from
|
||||
|
||||
@@ -110,7 +110,6 @@
|
||||
| ax{3,} | 5 | 6 |
|
||||
| ax{3} | 0 | 1 |
|
||||
| ax{3} | 1 | 2 |
|
||||
| ax{3} | 2 | 3 |
|
||||
| ax{3} | 3 | 4 |
|
||||
| ax{3} | 4 | 5 |
|
||||
| ax{,3} | 0 | 1 |
|
||||
|
||||
@@ -84,6 +84,8 @@
|
||||
| ax{3,} | last | 1 | 6 |
|
||||
| ax{3,} | last | 5 | 6 |
|
||||
| ax{3} | first | 0 | 1 |
|
||||
| ax{3} | last | 1 | 2 |
|
||||
| ax{3} | last | 1 | 5 |
|
||||
| ax{3} | last | 4 | 5 |
|
||||
| ax{,3} | first | 0 | 1 |
|
||||
| ax{,3} | last | 0 | 1 |
|
||||
|
||||
@@ -11,4 +11,5 @@
|
||||
| ^[A-Z_]+$(?<!not-this) | 1 | 8 | false |
|
||||
| ax{01,3} | 1 | 8 | false |
|
||||
| ax{3,} | 1 | 6 | false |
|
||||
| ax{3} | 1 | 5 | false |
|
||||
| ax{,3} | 1 | 6 | true |
|
||||
|
||||
@@ -207,9 +207,9 @@
|
||||
| ax{3,} | sequence | 0 | 6 |
|
||||
| ax{3} | char | 0 | 1 |
|
||||
| ax{3} | char | 1 | 2 |
|
||||
| ax{3} | char | 2 | 3 |
|
||||
| ax{3} | char | 3 | 4 |
|
||||
| ax{3} | char | 4 | 5 |
|
||||
| ax{3} | qualified | 1 | 5 |
|
||||
| ax{3} | sequence | 0 | 5 |
|
||||
| ax{,3} | char | 0 | 1 |
|
||||
| ax{,3} | char | 1 | 2 |
|
||||
|
||||
@@ -62,3 +62,7 @@ re.compile(r'(?:(?P<n1>^(?:|x)))')
|
||||
re.compile(r"\[(?P<txt>[^[]*)\]\((?P<uri>[^)]*)")
|
||||
|
||||
re.compile("", re.M) # ODASA-8056
|
||||
|
||||
# FP reported in https://github.com/github/codeql/issues/3712
|
||||
# This does not define a regex (but could be used by other code to do so)
|
||||
escaped = re.escape("https://www.humblebundle.com/home/library")
|
||||
|
||||
@@ -0,0 +1,24 @@
|
||||
import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
import semmle.python.security.injection.Command
|
||||
|
||||
class SimpleSource extends TaintSource {
|
||||
SimpleSource() { this.(NameNode).getId() = "TAINTED_STRING" }
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
|
||||
override string toString() { result = "taint source" }
|
||||
}
|
||||
|
||||
class FabricExecuteTestConfiguration extends TaintTracking::Configuration {
|
||||
FabricExecuteTestConfiguration() { this = "FabricExecuteTestConfiguration" }
|
||||
|
||||
override predicate isSource(TaintTracking::Source source) { source instanceof SimpleSource }
|
||||
|
||||
override predicate isSink(TaintTracking::Sink sink) { sink instanceof CommandSink }
|
||||
|
||||
override predicate isExtension(TaintTracking::Extension extension) {
|
||||
extension instanceof FabricExecuteExtension
|
||||
}
|
||||
}
|
||||
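Review bot: `FabricExecuteExtension` and `CommandSink` are used by the configuration but declared nowhere in this file, and none of the four imports names them explicitly, so a reader cannot tell which module supplies them; presumably `CommandSink` comes from `semmle.python.security.injection.Command`, but the origin of `FabricExecuteExtension` is not visible in this hunk. A QLDoc comment on the configuration would make the fixture contract explicit, e.g. `/** Taint configuration for the fabric.api.execute test: `TAINTED_STRING` names are sources, command-injection sinks are sinks, and FabricExecuteExtension is the propagation step under test. */`. A one-line QLDoc on `SimpleSource` saying it matches only the identifier `TAINTED_STRING` would likewise help anyone reusing this pattern in another test.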
@@ -0,0 +1,10 @@
|
||||
| test.py:8 | ok | unsafe | cmd | externally controlled string |
|
||||
| test.py:8 | ok | unsafe | cmd2 | externally controlled string |
|
||||
| test.py:9 | ok | unsafe | safe_arg | <NO TAINT> |
|
||||
| test.py:9 | ok | unsafe | safe_optional | <NO TAINT> |
|
||||
| test.py:16 | ok | unsafe | cmd | externally controlled string |
|
||||
| test.py:16 | ok | unsafe | cmd2 | externally controlled string |
|
||||
| test.py:17 | ok | unsafe | safe_arg | <NO TAINT> |
|
||||
| test.py:17 | ok | unsafe | safe_optional | <NO TAINT> |
|
||||
| test.py:23 | ok | some_http_handler | cmd | externally controlled string |
|
||||
| test.py:23 | ok | some_http_handler | cmd2 | externally controlled string |
|
||||
@@ -0,0 +1,34 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
import Taint
|
||||
|
||||
from
|
||||
Call call, Expr arg, boolean expected_taint, boolean has_taint, string test_res,
|
||||
string taint_string
|
||||
where
|
||||
call.getLocation().getFile().getShortName() = "test.py" and
|
||||
(
|
||||
call.getFunc().(Name).getId() = "ensure_tainted" and
|
||||
expected_taint = true
|
||||
or
|
||||
call.getFunc().(Name).getId() = "ensure_not_tainted" and
|
||||
expected_taint = false
|
||||
) and
|
||||
arg = call.getAnArg() and
|
||||
(
|
||||
not exists(TaintedNode tainted | tainted.getAstNode() = arg) and
|
||||
taint_string = "<NO TAINT>" and
|
||||
has_taint = false
|
||||
or
|
||||
exists(TaintedNode tainted | tainted.getAstNode() = arg |
|
||||
taint_string = tainted.getTaintKind().toString()
|
||||
) and
|
||||
has_taint = true
|
||||
) and
|
||||
if expected_taint = has_taint then test_res = "ok " else test_res = "fail"
|
||||
// if expected_taint = has_taint then test_res = "✓" else test_res = "✕"
|
||||
select arg.getLocation().toString(), test_res, call.getScope().(Function).getName(), arg.toString(),
|
||||
taint_string
|
||||
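Review bot: The new query at the top of this hunk imports `semmle.python.security.TaintTracking`, while every modified `.ql`/`.qll` hunk elsewhere in this commit replaces that path with `semmle.python.dataflow.TaintTracking`; if `TaintedNode` is also exported by the dataflow module, this file should use `import semmle.python.dataflow.TaintTracking` so the merge does not reintroduce the old path, and if it is not, a short comment saying why the old module is still required would save the next migration pass. The commented-out alternative `// if expected_taint = has_taint then test_res = "✓" else test_res = "✕"` near the end of the hunk is dead code and should be dropped.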
@@ -0,0 +1 @@
|
||||
semmle-extractor-options: --max-import-depth=2 -p ../../../query-tests/Security/lib/
|
||||
@@ -0,0 +1,28 @@
|
||||
"""Test that shows fabric.api.execute propagates taint"""
|
||||
|
||||
from fabric.api import run, execute
|
||||
|
||||
|
||||
def unsafe(cmd, safe_arg, cmd2=None, safe_optional=5):
|
||||
run('./venv/bin/activate && {}'.format(cmd))
|
||||
ensure_tainted(cmd, cmd2)
|
||||
ensure_not_tainted(safe_arg, safe_optional)
|
||||
|
||||
|
||||
class Foo(object):
|
||||
|
||||
def unsafe(self, cmd, safe_arg, cmd2=None, safe_optional=5):
|
||||
run('./venv/bin/activate && {}'.format(cmd))
|
||||
ensure_tainted(cmd, cmd2)
|
||||
ensure_not_tainted(safe_arg, safe_optional)
|
||||
|
||||
|
||||
def some_http_handler():
|
||||
cmd = TAINTED_STRING
|
||||
cmd2 = TAINTED_STRING
|
||||
ensure_tainted(cmd, cmd2)
|
||||
|
||||
execute(unsafe, cmd=cmd, safe_arg='safe_arg', cmd2=cmd2)
|
||||
|
||||
foo = Foo()
|
||||
execute(foo.unsafe, cmd, 'safe_arg', cmd2)
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
class SimpleSource extends TaintSource {
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import Taint
|
||||
|
||||
from TaintedNode n, TaintedNode s
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import Taint
|
||||
|
||||
from Call call, Expr arg, string taint_string
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
*/
|
||||
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import TaintLib
|
||||
import semmle.python.security.Paths
|
||||
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
*/
|
||||
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import TaintLib
|
||||
import semmle.python.security.Paths
|
||||
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
|
||||
class SimpleTest extends TaintKind {
|
||||
SimpleTest() { this = "simple.test" }
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import TaintLib
|
||||
import semmle.python.dataflow.Implementation
|
||||
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.dataflow.Implementation
|
||||
import TaintLib
|
||||
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import TaintLib
|
||||
|
||||
from TestConfig config, DataFlow::Node sink, TaintKind kind
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import TaintLib
|
||||
|
||||
from TestConfig config, DataFlow::Node source, TaintKind kind
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import TaintLib
|
||||
import semmle.python.dataflow.Implementation
|
||||
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.dataflow.Implementation
|
||||
import DilbertConfig
|
||||
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.dataflow.Implementation
|
||||
import DilbertConfig
|
||||
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
|
||||
class SimpleTest extends TaintKind {
|
||||
SimpleTest() { this = "simple.test" }
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
class FooSource extends TaintSource {
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
/* Standard library sink */
|
||||
import semmle.python.security.injection.Command
|
||||
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
|
||||
class SimpleTest extends TaintKind {
|
||||
SimpleTest() { this = "simple.test" }
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import TaintLib
|
||||
|
||||
from Sanitizer s, TaintKind taint, PyEdgeRefinement test
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import TaintLib
|
||||
|
||||
from TaintSource src, TaintSink sink, TaintKind srckind, TaintKind sinkkind
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import TaintLib
|
||||
|
||||
from TaintSource src, TaintKind kind
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import TaintLib
|
||||
|
||||
from TaintedNode n, TaintedNode s
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import TaintLib
|
||||
|
||||
from Call call, Expr arg, string taint_string
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
class SimpleSource extends TaintSource {
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import Taint
|
||||
|
||||
from Call call, Expr arg, string taint_string
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
import semmle.python.security.Exceptions
|
||||
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import Taint
|
||||
|
||||
from TaintedNode n, TaintedNode s
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import Taint
|
||||
|
||||
from Call call, Expr arg, string taint_string
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
class SimpleSource extends TaintSource {
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import Taint
|
||||
|
||||
from TaintedNode n, TaintedNode s
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import Taint
|
||||
|
||||
from Call call, Expr arg, string taint_string
|
||||
|
||||
@@ -6,3 +6,11 @@
|
||||
| test.py:41:26:41:53 | flask.response.argument | externally controlled string |
|
||||
| test.py:46:12:46:62 | flask.routed.response | externally controlled string |
|
||||
| test.py:46:26:46:61 | flask.response.argument | externally controlled string |
|
||||
| test.py:50:12:50:48 | flask.routed.response | externally controlled string |
|
||||
| test.py:50:26:50:47 | flask.response.argument | externally controlled string |
|
||||
| test.py:54:12:54:53 | flask.routed.response | externally controlled string |
|
||||
| test.py:54:26:54:52 | flask.response.argument | externally controlled string |
|
||||
| test.py:60:12:60:62 | flask.routed.response | externally controlled string |
|
||||
| test.py:60:26:60:61 | flask.response.argument | externally controlled string |
|
||||
| test.py:64:12:64:58 | flask.routed.response | externally controlled string |
|
||||
| test.py:64:26:64:57 | flask.response.argument | externally controlled string |
|
||||
|
||||
@@ -3,3 +3,7 @@
|
||||
| test.py:35:16:35:27 | Attribute | {externally controlled string} |
|
||||
| test.py:40:18:40:29 | Attribute | {externally controlled string} |
|
||||
| test.py:45:18:45:29 | Attribute | {externally controlled string} |
|
||||
| test.py:49:11:49:14 | name | externally controlled string |
|
||||
| test.py:53:9:53:15 | subpath | externally controlled string |
|
||||
| test.py:59:24:59:26 | bar | externally controlled string |
|
||||
| test.py:63:13:63:21 | lang_code | externally controlled string |
|
||||
|
||||
@@ -1,6 +1,10 @@
|
||||
| / | Function hello |
|
||||
| / | Function hello_world |
|
||||
| /complex/<string(length=2):lang_code> | Function complex |
|
||||
| /dangerous | Function dangerous |
|
||||
| /dangerous-with-cfg-split | Function dangerous2 |
|
||||
| /foo/<path:subpath> | Function foo |
|
||||
| /hello/<name> | Function hello |
|
||||
| /multiple/bar/<bar> | Function multiple |
|
||||
| /safe | Function safe |
|
||||
| /the/ | Function get |
|
||||
| /unsafe | Function unsafe |
|
||||
|
||||
@@ -15,3 +15,19 @@
|
||||
| test.py:45 | Attribute() | externally controlled string |
|
||||
| test.py:46 | first_name | externally controlled string |
|
||||
| test.py:46 | make_response() | flask.Response |
|
||||
| test.py:49 | name | externally controlled string |
|
||||
| test.py:50 | BinaryExpr | externally controlled string |
|
||||
| test.py:50 | make_response() | flask.Response |
|
||||
| test.py:50 | name | externally controlled string |
|
||||
| test.py:53 | subpath | externally controlled string |
|
||||
| test.py:54 | BinaryExpr | externally controlled string |
|
||||
| test.py:54 | make_response() | flask.Response |
|
||||
| test.py:54 | subpath | externally controlled string |
|
||||
| test.py:59 | bar | externally controlled string |
|
||||
| test.py:60 | Attribute() | externally controlled string |
|
||||
| test.py:60 | bar | externally controlled string |
|
||||
| test.py:60 | make_response() | flask.Response |
|
||||
| test.py:63 | lang_code | externally controlled string |
|
||||
| test.py:64 | Attribute() | externally controlled string |
|
||||
| test.py:64 | lang_code | externally controlled string |
|
||||
| test.py:64 | make_response() | flask.Response |
|
||||
|
||||
@@ -4,7 +4,7 @@ from flask import Flask, request, make_response
|
||||
app = Flask(__name__)
|
||||
|
||||
@app.route("/")
|
||||
def hello():
|
||||
def hello_world():
|
||||
return "Hello World!"
|
||||
|
||||
from flask.views import MethodView
|
||||
@@ -44,3 +44,24 @@ def unsafe():
|
||||
def safe():
|
||||
first_name = request.args.get('name', '')
|
||||
return make_response("Your name is " + escape(first_name))
|
||||
|
||||
@app.route('/hello/<name>')
|
||||
def hello(name):
|
||||
return make_response("Your name is " + name)
|
||||
|
||||
@app.route('/foo/<path:subpath>')
|
||||
def foo(subpath):
|
||||
return make_response("The subpath is " + subpath)
|
||||
|
||||
@app.route('/multiple/') # TODO: not recognized as route
|
||||
@app.route('/multiple/foo/<foo>') # TODO: not recognized as route
|
||||
@app.route('/multiple/bar/<bar>')
|
||||
def multiple(foo=None, bar=None):
|
||||
return make_response("foo={!r} bar={!r}".format(foo, bar))
|
||||
|
||||
@app.route('/complex/<string(length=2):lang_code>')
|
||||
def complex(lang_code):
|
||||
return make_response("lang_code {}".format(lang_code))
|
||||
|
||||
if __name__ == "__main__":
|
||||
app.run(debug=True)
|
||||
|
||||
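Review bot: `def complex(lang_code)` shadows the builtin `complex`; since the handler names feed the expected output (`Function complex` in the route results), renaming it to something like `def complex_route(lang_code)` would also require updating the `.expected` rows, so if the shadowing is deliberate for the test a short comment saying so would help. The two `/multiple/` decorators both carry `# TODO: not recognized as route`, but the expected routes list only `/multiple/bar/<bar>`; stating in the comment which form is the unhandled case (the trailing-slash route without a parameter, or stacking several route decorators on one function) would make the TODO actionable. The enclosing file continues past the end of the hunk.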
@@ -1,5 +1,5 @@
|
||||
import python
|
||||
import semmle.python.security.TaintTracking
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
|
||||