Python: Don't double report paths for platform.popen and popen2.*

I was a bit surprised that we hadn't double reported for popen2, but it turns out that the implementation (at least on unix) looks like: ``` def popen2(cmd, bufsize=-1, mode='t'): ... = Popen3(cmd, False, bufsize) ... ``` but since the modeling I did only considers calls to `Popen3` only if it has been imported from the `popen2` module, we don't consider that call as a sink.
2026-05-02 04:05:14 +02:00 · 2020-10-07 10:55:33 +02:00
parent 36812af2c2
commit 7721db206e
2 changed files with 5 additions and 21 deletions
--- a/python/ql/src/experimental/Security-new-dataflow/CWE-078/CommandInjection.ql
+++ b/python/ql/src/experimental/Security-new-dataflow/CWE-078/CommandInjection.ql
@@ -46,15 +46,16 @@ class CommandInjectionConfiguration extends TaintTracking::Configuration {
    // os.system(cmd)
    // ```
    //
-    // Best solution I could come up with is to exclude all sinks inside the `os` and
-    // `subprocess` modules. This does have a downside: If we have overlooked a function
-    // in any of these, that internally runs a command, we no longer give an alert :|
+    // Best solution I could come up with is to exclude all sinks inside the modules of
+    // known sinks. This does have a downside: If we have overlooked a function in any
+    // of these, that internally runs a command, we no longer give an alert :| -- and we
+    // need to keep them updated (which is hard to remember)
    //
    // This does not only affect `os.popen`, but also the helper functions in
    // `subprocess`. See:
    // https://github.com/python/cpython/blob/fa7ce080175f65d678a7d5756c94f82887fc9803/Lib/os.py#L974
    // https://github.com/python/cpython/blob/fa7ce080175f65d678a7d5756c94f82887fc9803/Lib/subprocess.py#L341
-    not sink.getScope().getEnclosingModule().getName() in ["os", "subprocess"]
+    not sink.getScope().getEnclosingModule().getName() in ["os", "subprocess", "platform", "popen2"]
  }
 }