hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 16:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #21288 from microsoft/azure_python_sanitizer_upstream2

Browse Source 
Azure python sanitizer upstream2
This commit is contained in:
Taus
2026-02-18 14:59:59 +01:00
committed by GitHub
parent df35f9f98b a1eaf42cbf
commit 6b6d8862b0
11 changed files with 921 additions and 412 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
python/ql/lib/change-notes/2026-02-09-ssrf_test_case_cleanup_and_new_ssrf_barriers.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added new full SSRF sanitization barrier from the new AntiSSRF library.

32
python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll
View File

@@ -176,4 +176,36 @@ module ServerSideRequestForgery {
strNode = [call.getArg(0), call.getArgByName("string")]
)
}
/** A validation of a URI using the `AntiSSRF` library, considered as a full-ssrf sanitizer. */
private class UriValidator extends FullUrlControlSanitizer {
UriValidator() { this = DataFlow::BarrierGuard<uri_validator/3>::getABarrierNode() }
}
import semmle.python.dataflow.new.internal.DataFlowPublic
private predicate uri_validator(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
exists(DataFlow::CallCfgNode call, string funcs |
funcs in ["in_domain", "in_azure_keyvault_domain", "in_azure_storage_domain"] and
call = API::moduleImport("AntiSSRF").getMember("URIValidator").getMember(funcs).getACall() and
call.getArg(0).asCfgNode() = node
|
// validator call directly (e.g., if URIValidator.in_domain(...) )
g = call.asCfgNode() and
branch = true
or
// validator used in a comparison
exists(Cmpop op, Node n, ControlFlowNode l |
n.getALocalSource() = call and g.(CompareNode).operands(n.asCfgNode(), op, l)
|
// validator == true or validator == false or validator is True or validator is False
(op instanceof Eq or op instanceof Is) and
branch = l.getNode().(BooleanLiteral).booleanValue()
or
// validator != false or validator != true or validator is not True or validator is not False
(op instanceof NotEq or op instanceof IsNot) and
branch = l.getNode().(BooleanLiteral).booleanValue().booleanNot()
)
)
}
}