Upgrade taint-tracking security queries to path-problem queries.

Mark Shannon
2018-02-23 16:19:39 +00:00
committed by Mark Shannon
parent 24bf2922e0
commit 722d89fc75
10 changed files with 87 additions and 33 deletions


@@ -1,7 +1,7 @@
/**
* @name Uncontrolled data used in path expression
* @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
* @kind problem
* @kind path-problem
* @problem.severity error
* @sub-severity high
* @precision high
@@ -17,6 +17,7 @@
*/
import python
import semmle.python.security.Paths
/* Sources */
import semmle.python.web.HttpRequest
@@ -25,7 +26,8 @@ import semmle.python.web.HttpRequest
import semmle.python.security.injection.Path
from TaintSource src, TaintSink sink
where src.flowsToSink(sink)
select sink, "This path depends on $@.", src, "a user-provided value"
from TaintedNode srcnode, TaintedNode sinknode, TaintSource src, TaintSink sink
where src.flowsToSink(sink) and srcnode.getNode() = src and sinknode.getNode() = sink
select sink, srcnode, sinknode, "This path depends on $@.", src, "a user-provided value"
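Review bot: The new `where` clause in the last hunk ties `srcnode` and `sinknode` to `src` and `sink` only through `getNode()`, so every `TaintedNode` that wraps those nodes (whatever its taint kind or context) is paired, and the pair itself is never required to be connected by taint flow; the result can be a source/sink node pair with no path in the path-problem edges, plus one duplicate row per extra taint kind. The `TaintedNodeSource.flowsTo(TaintedNodeSink)` predicate this same commit adds to the taint-tracking library states the intended condition directly: `from TaintedNodeSource srcnode, TaintedNodeSink sinknode` / `where srcnode.flowsTo(sinknode)` / `select sinknode.getNode(), srcnode, sinknode, "This path depends on $@.", srcnode.getNode(), "a user-provided value"`. Whether `flowsToSink` and `flowsTo` select the same source/sink pairs cannot be confirmed from this page, so the result sets should be compared on the test suite before switching. The same pattern is repeated in the uncontrolled command line, reflected cross-site scripting, SQL injection, code injection, stack-trace exposure, unsafe deserialization and URL redirection queries below.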


@@ -2,7 +2,7 @@
* @name Uncontrolled command line
* @description Using externally controlled strings in a command line may allow a malicious
* user to change the meaning of the command.
* @kind problem
* @kind path-problem
* @problem.severity error
* @sub-severity high
* @precision high
@@ -15,6 +15,7 @@
*/
import python
import semmle.python.security.Paths
/* Sources */
import semmle.python.web.HttpRequest
@@ -22,7 +23,7 @@ import semmle.python.web.HttpRequest
/* Sinks */
import semmle.python.security.injection.Command
from TaintSource src, TaintSink sink
where src.flowsToSink(sink)
from TaintedNode srcnode, TaintedNode sinknode, TaintSource src, TaintSink sink
where src.flowsToSink(sink) and srcnode.getNode() = src and sinknode.getNode() = sink
select sink, "This command depends on $@.", src, "a user-provided value"
select sink, srcnode, sinknode, "This command depends on $@.", src, "a user-provided value"


@@ -2,7 +2,7 @@
* @name Reflected server-side cross-site scripting
* @description Writing user input directly to a web page
* allows for a cross-site scripting vulnerability.
* @kind problem
* @kind path-problem
* @problem.severity error
* @sub-severity high
* @precision high
@@ -13,6 +13,7 @@
*/
import python
import semmle.python.security.Paths
/* Sources */
import semmle.python.web.HttpRequest
@@ -24,9 +25,9 @@ import semmle.python.web.HttpResponse
/* Flow */
import semmle.python.security.strings.Untrusted
from TaintSource src, TaintSink sink
where src.flowsToSink(sink)
from TaintedNode srcnode, TaintedNode sinknode, TaintSource src, TaintSink sink
where src.flowsToSink(sink) and srcnode.getNode() = src and sinknode.getNode() = sink
select sink, "Cross-site scripting vulnerability due to $@.",
select sink, srcnode, sinknode, "Cross-site scripting vulnerability due to $@.",
src, "user-provided value"


@@ -2,7 +2,7 @@
* @name SQL query built from user-controlled sources
* @description Building a SQL query from user-controlled sources is vulnerable to insertion of
* malicious SQL code by the user.
* @kind problem
* @kind path-problem
* @problem.severity error
* @precision high
* @id py/sql-injection
@@ -12,6 +12,7 @@
*/
import python
import semmle.python.security.Paths
/* Sources */
import semmle.python.web.HttpRequest
@@ -22,7 +23,7 @@ import semmle.python.web.django.Db
import semmle.python.web.django.Model
from TaintSource src, TaintSink sink
where src.flowsToSink(sink)
from TaintedNode srcnode, TaintedNode sinknode, TaintSource src, TaintSink sink
where src.flowsToSink(sink) and srcnode.getNode() = src and sinknode.getNode() = sink
select sink, "This SQL query depends on $@.", src, "a user-provided value"
select sink, srcnode, sinknode, "This SQL query depends on $@.", src, "a user-provided value"


@@ -2,7 +2,7 @@
* @name Code injection
* @description Interpreting unsanitized user input as code allows a malicious user arbitrary
* code execution.
* @kind problem
* @kind path-problem
* @problem.severity error
* @sub-severity high
* @precision high
@@ -15,6 +15,7 @@
*/
import python
import semmle.python.security.Paths
/* Sources */
import semmle.python.web.HttpRequest
@@ -23,7 +24,7 @@ import semmle.python.web.HttpRequest
import semmle.python.security.injection.Exec
from TaintSource src, TaintSink sink
where src.flowsToSink(sink)
from TaintedNode srcnode, TaintedNode sinknode, TaintSource src, TaintSink sink
where src.flowsToSink(sink) and srcnode.getNode() = src and sinknode.getNode() = sink
select sink, "$@ flows to here and is interpreted as code.", src, "User-provided value"
select sink, srcnode, sinknode, "$@ flows to here and is interpreted as code.", src, "User-provided value"


@@ -3,7 +3,7 @@
* @description Leaking information about an exception, such as messages and stack traces, to an
* external user can expose implementation details that are useful to an attacker for
* developing a subsequent exploit.
* @kind problem
* @kind path-problem
* @problem.severity error
* @precision high
* @id py/stack-trace-exposure
@@ -13,10 +13,11 @@
*/
import python
import semmle.python.security.Paths
import semmle.python.security.Exceptions
import semmle.python.web.HttpResponse
from TaintSource src, TaintSink sink
where src.flowsToSink(sink)
select sink, "$@ may be exposed to an external user", src, "Error information"
from TaintedNode srcnode, TaintedNode sinknode, TaintSource src, TaintSink sink
where src.flowsToSink(sink) and srcnode.getNode() = src and sinknode.getNode() = sink
select sink, srcnode, sinknode, "$@ may be exposed to an external user", src, "Error information"


@@ -1,7 +1,7 @@
/**
* @name Deserializing untrusted input
* @description Deserializing user-controlled data may allow attackers to execute arbitrary code.
* @kind problem
* @kind path-problem
* @id py/unsafe-deserialization
* @problem.severity error
* @sub-severity high
@@ -14,6 +14,7 @@ import python
// Sources -- Any untrusted input
import semmle.python.web.HttpRequest
import semmle.python.security.Paths
// Flow -- untrusted string
import semmle.python.security.strings.Untrusted
@@ -23,8 +24,8 @@ import semmle.python.security.injection.Pickle
import semmle.python.security.injection.Marshal
import semmle.python.security.injection.Yaml
from TaintSource src, TaintSink sink
where src.flowsToSink(sink)
from TaintedNode srcnode, TaintedNode sinknode, TaintSource src, TaintSink sink
where src.flowsToSink(sink) and srcnode.getNode() = src and sinknode.getNode() = sink
select sink, "Deserializing of $@.", src, "untrusted input"
select sink, srcnode, sinknode, "Deserializing of $@.", src, "untrusted input"
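Review bot: In the middle hunk the new `import semmle.python.security.Paths` is placed under the `// Sources -- Any untrusted input` comment, after `semmle.python.web.HttpRequest`, so that grouping comment no longer describes the imports beneath it. The other seven queries in this commit put the import directly after `import python`; doing the same here keeps the files consistent: `import python` / `import semmle.python.security.Paths` / `// Sources -- Any untrusted input`. The `import python` line this refers to sits above the hunk, as the hunk header shows.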


@@ -2,7 +2,7 @@
* @name URL redirection from remote source
* @description URL redirection based on unvalidated user input
* may cause redirection to malicious web sites.
* @kind problem
* @kind path-problem
* @problem.severity error
* @sub-severity low
* @id py/url-redirection
@@ -12,7 +12,7 @@
*/
import python
import semmle.python.security.Paths
import semmle.python.web.HttpRedirect
import semmle.python.web.HttpRequest
@@ -28,8 +28,8 @@ class UntrustedPrefixStringKind extends UntrustedStringKind {
}
from TaintSource src, TaintSink sink
where src.flowsToSink(sink)
from TaintedNode srcnode, TaintedNode sinknode, TaintSource src, TaintSink sink
where src.flowsToSink(sink) and srcnode.getNode() = src and sinknode.getNode() = sink
select sink, "Untrusted URL redirection due to $@.", src, "a user-provided value"
select sink, srcnode, sinknode, "Untrusted URL redirection due to $@.", src, "a user-provided value"


@@ -675,6 +675,27 @@ class TaintedNode extends TTaintedNode {
}
class TaintedNodeSource extends TaintedNode {
TaintedNodeSource() {
this.getNode().(TaintSource).isSourceOf(this.getTaintKind(), this.getContext())
}
/** Holds if taint can flow from this source to sink `sink` */
final predicate flowsTo(TaintedNodeSink sink) {
this.getASuccessor*() = sink
}
}
class TaintedNodeSink extends TaintedNode {
TaintedNodeSink() {
this.getNode().(TaintSink).sinks(this.getTaintKind())
}
}
/** This module contains the implementation of taint-flow.
* It is recommended that users use the `TaintedNode` class, rather than using this module directly
* as the interface of this module may change without warning.