hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-21 01:13:43 +01:00
Code Issues Packages Projects Releases Wiki Activity

convert paramiko query to SecondaryServerCmdInjection query, Add inline tests

Browse Source
This commit is contained in:
amammad
2024-02-24 18:09:43 +04:00
parent d234a53c50
commit 70282f9ebe
10 changed files with 52 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
python/ql/src/experimental/Security/CWE-074/paramiko/paramiko.qhelp → python/ql/src/experimental/Security/CWE-074/secondaryCommandInjection/SecondaryServerCmdInjection.qhelp
View File

21
python/ql/src/experimental/Security/CWE-074/secondaryCommandInjection/SecondaryServerCmdInjection.ql Normal file
View File

@@ -0,0 +1,21 @@
/**
* @name RCE with user provided command with paramiko ssh client
* @description user provided command can lead to execute code on a external server that can be belong to other users or admins
* @kind path-problem
* @problem.severity error
* @security-severity 9.3
* @precision high
* @id py/paramiko-command-injection
* @tags security
* experimental
* external/cwe/cwe-074
*/
import python
import experimental.semmle.python.security.SecondaryServerCmdInjection
import ParamikoFlow::PathGraph
from ParamikoFlow::PathNode source, ParamikoFlow::PathNode sink
where ParamikoFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "This code execution depends on a $@.", source.getNode(),
"a user-provided value"

0
python/ql/src/experimental/Security/CWE-074/paramiko/paramikoBad.py → python/ql/src/experimental/Security/CWE-074/secondaryCommandInjection/paramikoBad.py
View File

42
python/ql/src/experimental/Security/CWE-074/paramiko/paramiko.ql → python/ql/src/experimental/semmle/python/security/SecondaryServerCmdInjection.qll
View File

@@ -1,27 +1,32 @@
/**
* @name RCE with user provided command with paramiko ssh client
* @description user provided command can lead to execute code on a external server that can be belong to other users or admins
* @kind path-problem
* @problem.severity error
* @security-severity 9.3
* @precision high
* @id py/paramiko-command-injection
* @tags security
* experimental
* external/cwe/cwe-074
*/
import python
import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking
import semmle.python.dataflow.new.RemoteFlowSources
import semmle.python.ApiGraphs
import semmle.python.dataflow.new.internal.DataFlowPublic
import codeql.util.Unit
module SecondaryCommandInjection {
/**
* The additional taint steps that need for creating taint tracking or dataflow.
*/
class AdditionalTaintStep extends Unit {
/**
* Holds if there is a additional taint step between pred and succ.
*/
abstract predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ);
}
/**
* A abstract class responsible for extending new decompression sinks
*/
abstract class Sink extends DataFlow::Node { }
}
private API::Node paramikoClient() {
result = API::moduleImport("paramiko").getMember("SSHClient").getReturn()
}
private module ParamikoConfig implements DataFlow::ConfigSig {
module ParamikoConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
/**
@@ -50,10 +55,3 @@ private module ParamikoConfig implements DataFlow::ConfigSig {
/** Global taint-tracking for detecting "paramiko command injection" vulnerabilities. */
module ParamikoFlow = TaintTracking::Global<ParamikoConfig>;
import ParamikoFlow::PathGraph
from ParamikoFlow::PathNode source, ParamikoFlow::PathNode sink
where ParamikoFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "This code execution depends on a $@.", source.getNode(),
"a user-provided value"

3
python/ql/test/experimental/query-tests/Security/CWE-074-SecondaryServerCmdInjection/DataflowQueryTest.expected Normal file
View File

@@ -0,0 +1,3 @@
missingAnnotationOnSink
testFailures
failures

4
python/ql/test/experimental/query-tests/Security/CWE-074-SecondaryServerCmdInjection/DataflowQueryTest.ql Normal file
View File

@@ -0,0 +1,4 @@
import python
import experimental.dataflow.TestUtil.DataflowQueryTest
import experimental.semmle.python.security.SecondaryServerCmdInjection
import FromTaintTrackingConfig<ParamikoConfig>

0
python/ql/test/experimental/query-tests/Security/CWE-074-paramiko/paramiko.expected → python/ql/test/experimental/query-tests/Security/CWE-074-SecondaryServerCmdInjection/SecondaryServerCmdInjection.expected
View File

1
python/ql/test/experimental/query-tests/Security/CWE-074-SecondaryServerCmdInjection/SecondaryServerCmdInjection.qlref Normal file
View File

@@ -0,0 +1 @@
experimental/Security/CWE-074/secondaryCommandInjection/SecondaryServerCmdInjection.ql

6
python/ql/test/experimental/query-tests/Security/CWE-074-paramiko/paramiko.py → python/ql/test/experimental/query-tests/Security/CWE-074-SecondaryServerCmdInjection/paramiko.py
View File

@@ -13,15 +13,15 @@ app = FastAPI()
@app.get("/bad1")
async def read_item(cmd: str):
stdin, stdout, stderr = paramiko_ssh_client.exec_command(cmd)
stdin, stdout, stderr = paramiko_ssh_client.exec_command(cmd) # $ result=BAD
return {"success": stdout}
@app.get("/bad2")
async def read_item(cmd: str):
stdin, stdout, stderr = paramiko_ssh_client.exec_command(command=cmd)
stdin, stdout, stderr = paramiko_ssh_client.exec_command(command=cmd) # $ result=BAD
return {"success": "OK"}
@app.get("/bad3")
async def read_item(cmd: str):
stdin, stdout, stderr = paramiko_ssh_client.connect('hostname', username='user',password='yourpassword',sock=paramiko.ProxyCommand(cmd))
stdin, stdout, stderr = paramiko_ssh_client.connect('hostname', username='user',password='yourpassword',sock=paramiko.ProxyCommand(cmd)) # $ result=BAD
return {"success": "OK"}

1
python/ql/test/experimental/query-tests/Security/CWE-074-paramiko/paramiko.qlref
View File

@@ -1 +0,0 @@
experimental/Security/CWE-074/paramiko/paramiko.ql