hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Python: Suppress None.json.dumps from ExternalAPI queries

Browse Source
This commit is contained in:
Rasmus Wriedt Larsen
2022-08-16 15:16:59 +02:00
parent 0bdc808a7a
commit 70cc986d5f
3 changed files with 8 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll
View File

@@ -43,7 +43,12 @@ private class DefaultSafeExternalApi extends SafeExternalApi {
}
}
/** Gets a human readable representation of `node`. */
/**
* Gets a human readable representation of `node`.
*
* Note that this is only defined for API nodes that are allowed as external APIs,
* so `None.json.dumps` will for example not be allowed.
*/
string apiNodeToStringRepr(API::Node node) {
node = API::builtin(result)
or
@@ -51,7 +56,8 @@ string apiNodeToStringRepr(API::Node node) {
or
exists(API::Node base, string basename |
base.getDepth() < node.getDepth() and
basename = apiNodeToStringRepr(base)
basename = apiNodeToStringRepr(base) and
not base = API::builtin("None")
|
exists(string m | node = base.getMember(m) | result = basename + "." + m)
or

2
python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.expected
View File

@@ -1,5 +1,3 @@
| None.json.dumps [position 0] | 1 | 1 |
| builtins.None.json.dumps [position 0] | 1 | 1 |
| hmac.new [keyword msg] | 1 | 1 |
| hmac.new [position 1] | 1 | 1 |
| unknown.lib.func [keyword kw] | 2 | 1 |

2
python/ql/test/query-tests/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.expected
View File

@@ -51,5 +51,3 @@ subpaths
| test.py:36:13:36:16 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:36:13:36:16 | ControlFlowNode for data | Call to unknown.lib.func [keyword kw] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember |
| test.py:43:22:43:25 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:43:22:43:25 | ControlFlowNode for data | Call to unknown.lib.func [position 0] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember |
| test.py:44:25:44:28 | ControlFlowNode for data | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:44:25:44:28 | ControlFlowNode for data | Call to unknown.lib.func [keyword kw] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember |
| test.py:50:32:50:34 | ControlFlowNode for arg | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:50:32:50:34 | ControlFlowNode for arg | Call to None.json.dumps [position 0] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember |
| test.py:50:32:50:34 | ControlFlowNode for arg | test.py:5:26:5:32 | ControlFlowNode for ImportMember | test.py:50:32:50:34 | ControlFlowNode for arg | Call to builtins.None.json.dumps [position 0] with untrusted data from $@. | test.py:5:26:5:32 | ControlFlowNode for ImportMember | ControlFlowNode for ImportMember |