Python: Check os.open as well as os.chmod for weak file permissions.

2026-04-30 19:26:02 +02:00 · 2019-01-28 14:26:16 +00:00
parent a3b5769c2c
commit 6d553ae2be
4 changed files with 21 additions and 4 deletions
--- a/python/ql/src/Security/CWE-732/WeakFilePermissions.ql
+++ b/python/ql/src/Security/CWE-732/WeakFilePermissions.ql
@@ -34,9 +34,20 @@ string permissive_permission(int p) {
    world_permission(p) = 0 and result = "group " + access(group_permission(p))
 }

-from FunctionObject chmod, CallNode call, NumericObject num, string permission
-where
+predicate chmod_call(CallNode call, FunctionObject chmod, NumericObject num) {
    any(ModuleObject os | os.getName() = "os").getAttribute("chmod") = chmod and
-    chmod.getACall() = call and call.getArg(1).refersTo(num) and
+    chmod.getACall() = call and call.getArg(1).refersTo(num)
+}
+
+predicate open_call(CallNode call, FunctionObject open, NumericObject num) {
+    any(ModuleObject os | os.getName() = "os").getAttribute("open") = open and
+    open.getACall() = call and call.getArg(2).refersTo(num)
+}
+
+
+from CallNode call, FunctionObject func, NumericObject num, string permission
+where
+    (chmod_call(call, func, num) or open_call(call, func, num))
+    and
    permission = permissive_permission(num.intValue())
-select call, "Overly permissive mask in chmod sets file to " + permission + "."
+select call, "Overly permissive mask in " + func.getName() + " sets file to " + permission + "."
--- a/python/ql/test/query-tests/Security/CWE-732/WeakFilePermissions.expected
+++ b/python/ql/test/query-tests/Security/CWE-732/WeakFilePermissions.expected
@@ -4,3 +4,4 @@
 | test.py:11:1:11:21 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to group readable. |
 | test.py:13:1:13:28 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to group writable. |
 | test.py:14:1:14:19 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to group writable. |
+| test.py:16:1:16:25 | ControlFlowNode for Attribute() | Overly permissive mask in open sets file to world readable. |
--- a/python/ql/test/query-tests/Security/CWE-732/test.py
+++ b/python/ql/test/query-tests/Security/CWE-732/test.py
@@ -12,3 +12,5 @@ os.chmod(file, 0o550) # BAD
 os.chmod(file, stat.S_IRWXU) # GOOD
 os.chmod(file, stat.S_IWGRP) # BAD
 os.chmod(file, 400) # BAD -- Decimal format.
+
+os.open(file, 'w', 0o704) # BAD
--- a/python/ql/test/query-tests/Security/lib/os/init.py
+++ b/python/ql/test/query-tests/Security/lib/os/init.py
@@ -6,3 +6,6 @@ def popen(cmd, *args, **kwargs):

 def chmod(path, mode):
    pass
+
+def open(path, flags, mode):
+    pass