Python: Use Value API for sensitive data analysis.

2026-05-01 11:45:14 +02:00 · 2019-08-22 11:19:43 +01:00
parent 81c65cd37c
commit 6cd0087d9d
5 changed files with 42 additions and 6 deletions
--- a/python/ql/src/semmle/python/objects/Modules.qll
+++ b/python/ql/src/semmle/python/objects/Modules.qll
@@ -398,8 +398,11 @@ class AbsentModuleAttributeObjectInternal extends ObjectInternal, TAbsentModuleA

    override predicate subscriptUnknown() { any() }

-    /* We know what this is called, but not its innate name */
-    override string getName() { none() }
+    /* We know what this is called, but not its innate name.
+     * However, if we are looking for things by name, this is a reasonable approximation */
+    override string getName() {
+        this = TAbsentModuleAttribute(_, result)
+    }

    override predicate contextSensitiveCallee() { none() }

--- a/python/ql/src/semmle/python/security/SensitiveData.qll
+++ b/python/ql/src/semmle/python/security/SensitiveData.qll
@@ -110,12 +110,12 @@ module SensitiveData {
        override string repr() { result = "a certificate or key" }
    }

-    private SensitiveData fromFunction(FunctionObject f) {
-        result = HeuristicNames::getSensitiveDataForName(f.getName())
+    private SensitiveData fromFunction(Value func) {
+        result = HeuristicNames::getSensitiveDataForName(func.getName())
        or
        // This is particularly to pick up methods with an argument like "password", which
        // may indicate a lookup.
-        exists(string name | name = f.getFunction().getAnArg().asName().getId() |
+        exists(string name | name = func.(PythonFunctionValue).getScope().getAnArg().asName().getId() |
            result = HeuristicNames::getSensitiveDataForName(name)
        )
    }
@@ -131,7 +131,7 @@ module SensitiveData {
        SensitiveData data;

        SensitiveCallSource() {
-            exists(FunctionObject callee |
+            exists(Value callee |
                callee.getACall() = this |
                data = fromFunction(callee)
            )
--- a/python/ql/test/library-tests/security/sensitive/Sources.expected
+++ b/python/ql/test/library-tests/security/sensitive/Sources.expected
@@ -0,0 +1,5 @@
+| test.py:16:1:16:14 | test.py:16 | a call returning a password |
+| test.py:17:1:17:12 | test.py:17 | a call returning a password |
+| test.py:18:1:18:12 | test.py:18 | a call returning a secret |
+| test.py:19:1:19:19 | test.py:19 | a call returning a certificate or key |
+| test.py:20:1:20:12 | test.py:20 | a call returning an ID |
--- a/python/ql/test/library-tests/security/sensitive/Sources.ql
+++ b/python/ql/test/library-tests/security/sensitive/Sources.ql
@@ -0,0 +1,7 @@
+
+import python
+
+import semmle.python.security.SensitiveData
+
+from SensitiveData::Source src
+select src.getLocation(), src.repr()
--- a/python/ql/test/library-tests/security/sensitive/test.py
+++ b/python/ql/test/library-tests/security/sensitive/test.py
@@ -0,0 +1,21 @@
+
+from not_found import get_passwd, account_id
+
+def get_password():
+    pass
+
+def get_secret():
+    pass
+
+def fetch_certificate():
+    pass
+
+def encrypt_password(pwd):
+    pass
+
+get_password()
+get_passwd()
+get_secret()
+fetch_certificate()
+account_id()
+safe_to_store = encrypt_password(pwd)