mirror of
https://github.com/github/codeql.git
synced 2025-12-24 04:36:35 +01:00
Merge pull request #13402 from erik-krogh/deps-some-py
Py: delete some old deprecations
This commit is contained in:
Erik Krogh Kristensen
9
python/ql/lib/change-notes/2023-06-09-delete-deps.md
Normal file
9
python/ql/lib/change-notes/2023-06-09-delete-deps.md
Normal file
@@ -0,0 +1,9 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Deleted many deprecated predicates and classes with uppercase `API`, `HTTP`, `XSS`, `SQL`, etc. in their names. Use the PascalCased versions instead.
|
||||
* Deleted the deprecated `getName()` predicate from the `Container` class, use `getAbsolutePath()` instead.
|
||||
* Deleted many deprecated module names that started with a lowercase letter, use the versions that start with an uppercase letter instead.
|
||||
* Deleted many deprecated predicates in `PointsTo.qll`.
|
||||
* Deleted many deprecated files from the `semmle.python.security` package.
|
||||
* Deleted the deprecated `BottleRoutePointToExtension` class from `Extensions.qll`.
|
||||
@@ -154,12 +154,6 @@ abstract class Container extends @container {
|
||||
*/
|
||||
string toString() { result = this.getAbsolutePath() }
|
||||
|
||||
/**
|
||||
* Gets the name of this container.
|
||||
* DEPRECATED: Use `getAbsolutePath` instead.
|
||||
*/
|
||||
deprecated string getName() { result = this.getAbsolutePath() }
|
||||
|
||||
/**
|
||||
* Gets the relative path of this file or folder from the root folder of the
|
||||
* analyzed source location. The relative path of the root folder itself is
|
||||
|
||||
@@ -664,14 +664,6 @@ module DataFlow {
|
||||
}
|
||||
}
|
||||
|
||||
deprecated private class DataFlowType extends TaintKind {
|
||||
// this only exists to avoid an empty recursion error in the type checker
|
||||
DataFlowType() {
|
||||
this = "Data flow" and
|
||||
1 = 2
|
||||
}
|
||||
}
|
||||
|
||||
pragma[noinline]
|
||||
private predicate dict_construct(ControlFlowNode itemnode, ControlFlowNode dictnode) {
|
||||
dictnode.(DictNode).getAValue() = itemnode
|
||||
|
||||
@@ -534,9 +534,6 @@ module PrivateDjango {
|
||||
/** Gets a reference to the `django` module. */
|
||||
API::Node django() { result = API::moduleImport("django") }
|
||||
|
||||
/** DEPRECATED: Alias for `DjangoImpl` */
|
||||
deprecated module django = DjangoImpl;
|
||||
|
||||
/** Provides models for the `django` module. */
|
||||
module DjangoImpl {
|
||||
// -------------------------------------------------------------------------
|
||||
@@ -552,9 +549,6 @@ module PrivateDjango {
|
||||
DjangoDb() { this = API::moduleImport("django").getMember("db") }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for `DB` */
|
||||
deprecated module db = DB;
|
||||
|
||||
/** Provides models for the `django.db` module. */
|
||||
module DB {
|
||||
/** Gets a reference to the `django.db.connection` object. */
|
||||
@@ -571,9 +565,6 @@ module PrivateDjango {
|
||||
/** Gets a reference to the `django.db.models` module. */
|
||||
API::Node models() { result = db().getMember("models") }
|
||||
|
||||
/** DEPRECATED: Alias for `Models` */
|
||||
deprecated module models = Models;
|
||||
|
||||
/** Provides models for the `django.db.models` module. */
|
||||
module Models {
|
||||
/**
|
||||
@@ -819,9 +810,6 @@ module PrivateDjango {
|
||||
/** Gets a reference to the `django.db.models.expressions` module. */
|
||||
API::Node expressions() { result = models().getMember("expressions") }
|
||||
|
||||
/** DEPRECATED: Alias for `Expressions` */
|
||||
deprecated module expressions = Expressions;
|
||||
|
||||
/** Provides models for the `django.db.models.expressions` module. */
|
||||
module Expressions {
|
||||
/** Provides models for the `django.db.models.expressions.RawSql` class. */
|
||||
@@ -858,9 +846,6 @@ module PrivateDjango {
|
||||
instance(DataFlow::TypeTracker::end(), sql).flowsTo(result)
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for RawSql */
|
||||
deprecated module RawSQL = RawSql;
|
||||
}
|
||||
|
||||
/** This internal module provides data-flow modeling of Django ORM. */
|
||||
@@ -1099,9 +1084,6 @@ module PrivateDjango {
|
||||
/** Gets a reference to the `django.urls` module. */
|
||||
API::Node urls() { result = django().getMember("urls") }
|
||||
|
||||
/** DEPRECATED: Alias for `Urls` */
|
||||
deprecated module urls = Urls;
|
||||
|
||||
/** Provides models for the `django.urls` module */
|
||||
module Urls {
|
||||
/**
|
||||
@@ -1123,14 +1105,8 @@ module PrivateDjango {
|
||||
/** Gets a reference to the `django.conf` module. */
|
||||
API::Node conf() { result = django().getMember("conf") }
|
||||
|
||||
/** DEPRECATED: Alias for `Conf` */
|
||||
deprecated module conf = Conf;
|
||||
|
||||
/** Provides models for the `django.conf` module */
|
||||
module Conf {
|
||||
/** DEPRECATED: Alias for `ConfUrls` */
|
||||
deprecated module conf_urls = ConfUrls;
|
||||
|
||||
/** Provides models for the `django.conf.urls` module */
|
||||
module ConfUrls {
|
||||
// -------------------------------------------------------------------------
|
||||
@@ -1166,9 +1142,6 @@ module PrivateDjango {
|
||||
/** Gets a reference to the `django.http.request` module. */
|
||||
API::Node request() { result = http().getMember("request") }
|
||||
|
||||
/** DEPRECATED: Alias for `Request` */
|
||||
deprecated module request = Request;
|
||||
|
||||
/** Provides models for the `django.http.request` module. */
|
||||
module Request {
|
||||
/**
|
||||
@@ -1331,9 +1304,6 @@ module PrivateDjango {
|
||||
/** Gets a reference to the `django.http.response` module. */
|
||||
API::Node response() { result = http().getMember("response") }
|
||||
|
||||
/** DEPRECATED: Alias for `Response` */
|
||||
deprecated module response = Response;
|
||||
|
||||
/** Provides models for the `django.http.response` module */
|
||||
module Response {
|
||||
/**
|
||||
@@ -2189,9 +2159,6 @@ module PrivateDjango {
|
||||
/** Gets a reference to the `django.shortcuts` module. */
|
||||
API::Node shortcuts() { result = django().getMember("shortcuts") }
|
||||
|
||||
/** DEPRECATED: Alias for `Shortcuts` */
|
||||
deprecated module shortcuts = Shortcuts;
|
||||
|
||||
/** Provides models for the `django.shortcuts` module */
|
||||
module Shortcuts {
|
||||
/**
|
||||
|
||||
@@ -37,9 +37,6 @@ private module FastApi {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for ApiRouter */
|
||||
deprecated module APIRouter = ApiRouter;
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// routing modeling
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -359,7 +359,4 @@ private module RestFramework {
|
||||
override string getMimetypeDefault() { none() }
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for ApiException */
|
||||
deprecated module APIException = ApiException;
|
||||
}
|
||||
|
||||
@@ -169,9 +169,6 @@ module SqlAlchemy {
|
||||
DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for DBApiConnection */
|
||||
deprecated module DBAPIConnection = DBApiConnection;
|
||||
|
||||
/**
|
||||
* Provides models for the `sqlalchemy.orm.Session` class
|
||||
*
|
||||
|
||||
@@ -130,9 +130,6 @@ module Stdlib {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for HttpMessage */
|
||||
deprecated module HTTPMessage = HttpMessage;
|
||||
|
||||
/**
|
||||
* Provides models for the `http.cookies.Morsel` class
|
||||
*
|
||||
@@ -1821,9 +1818,6 @@ private module StdlibPrivate {
|
||||
/** Gets a reference to the `BaseHttpServer` module. */
|
||||
API::Node baseHttpServer() { result = API::moduleImport("BaseHTTPServer") }
|
||||
|
||||
/** DEPRECATED: Alias for baseHttpServer */
|
||||
deprecated API::Node baseHTTPServer() { result = baseHttpServer() }
|
||||
|
||||
/** Provides models for the `BaseHttpServer` module. */
|
||||
module BaseHttpServer {
|
||||
/**
|
||||
@@ -1833,23 +1827,14 @@ private module StdlibPrivate {
|
||||
/** Gets a reference to the `BaseHttpServer.BaseHttpRequestHandler` class. */
|
||||
API::Node classRef() { result = baseHttpServer().getMember("BaseHTTPRequestHandler") }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for BaseHttpRequestHandler */
|
||||
deprecated module BaseHTTPRequestHandler = BaseHttpRequestHandler;
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for BaseHttpServer */
|
||||
deprecated module BaseHTTPServer = BaseHttpServer;
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// SimpleHTTPServer (Python 2 only)
|
||||
// ---------------------------------------------------------------------------
|
||||
/** Gets a reference to the `SimpleHttpServer` module. */
|
||||
API::Node simpleHttpServer() { result = API::moduleImport("SimpleHTTPServer") }
|
||||
|
||||
/** DEPRECATED: Alias for simpleHttpServer */
|
||||
deprecated API::Node simpleHTTPServer() { result = simpleHttpServer() }
|
||||
|
||||
/** Provides models for the `SimpleHttpServer` module. */
|
||||
module SimpleHttpServer {
|
||||
/**
|
||||
@@ -1859,23 +1844,14 @@ private module StdlibPrivate {
|
||||
/** Gets a reference to the `SimpleHttpServer.SimpleHttpRequestHandler` class. */
|
||||
API::Node classRef() { result = simpleHttpServer().getMember("SimpleHTTPRequestHandler") }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SimpleHttpRequestHandler */
|
||||
deprecated module SimpleHTTPRequestHandler = SimpleHttpRequestHandler;
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SimpleHttpServer */
|
||||
deprecated module SimpleHTTPServer = SimpleHttpServer;
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// CGIHTTPServer (Python 2 only)
|
||||
// ---------------------------------------------------------------------------
|
||||
/** Gets a reference to the `CGIHTTPServer` module. */
|
||||
API::Node cgiHttpServer() { result = API::moduleImport("CGIHTTPServer") }
|
||||
|
||||
/** DEPRECATED: Alias for cgiHttpServer */
|
||||
deprecated API::Node cgiHTTPServer() { result = cgiHttpServer() }
|
||||
|
||||
/** Provides models for the `CGIHTTPServer` module. */
|
||||
module CgiHttpServer {
|
||||
/**
|
||||
@@ -1919,9 +1895,6 @@ private module StdlibPrivate {
|
||||
API::Node classRef() { result = server().getMember("BaseHTTPRequestHandler") }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for BaseHttpRequestHandler */
|
||||
deprecated module BaseHTTPRequestHandler = BaseHttpRequestHandler;
|
||||
|
||||
/**
|
||||
* Provides models for the `http.server.SimpleHTTPRequestHandler` class (Python 3 only).
|
||||
*
|
||||
@@ -1932,9 +1905,6 @@ private module StdlibPrivate {
|
||||
API::Node classRef() { result = server().getMember("SimpleHTTPRequestHandler") }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SimpleHttpRequestHandler */
|
||||
deprecated module SimpleHTTPRequestHandler = SimpleHttpRequestHandler;
|
||||
|
||||
/**
|
||||
* Provides models for the `http.server.CGIHTTPRequestHandler` class (Python 3 only).
|
||||
*
|
||||
@@ -1978,9 +1948,6 @@ private module StdlibPrivate {
|
||||
HttpRequestHandlerClassDef() { this.getParent() = subclassRef().asSource().asExpr() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for HttpRequestHandlerClassDef */
|
||||
deprecated class HTTPRequestHandlerClassDef = HttpRequestHandlerClassDef;
|
||||
|
||||
/**
|
||||
* A source of instances of the `BaseHTTPRequestHandler` class or any subclass, extend this class to model new instances.
|
||||
*
|
||||
@@ -2352,9 +2319,6 @@ private module StdlibPrivate {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for HttpConnection */
|
||||
deprecated module HTTPConnection = HttpConnection;
|
||||
|
||||
/**
|
||||
* Provides models for the `http.client.HTTPResponse` class
|
||||
*
|
||||
@@ -2424,9 +2388,6 @@ private module StdlibPrivate {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for HttpResponse */
|
||||
deprecated module HTTPResponse = HttpResponse;
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// sqlite3
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -64,9 +64,6 @@ module Tornado {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for HttpHeaders */
|
||||
deprecated module HTTPHeaders = HttpHeaders;
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// tornado
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -1445,14 +1445,6 @@ module Expressions {
|
||||
)
|
||||
}
|
||||
|
||||
deprecated predicate subscriptPointsTo(
|
||||
SubscriptNode subscr, PointsToContext context, ObjectInternal value, ControlFlowNode origin,
|
||||
ControlFlowNode obj, ObjectInternal objvalue
|
||||
) {
|
||||
subscriptPointsTo(subscr, context, value, obj, objvalue) and
|
||||
origin = subscr
|
||||
}
|
||||
|
||||
pragma[noinline]
|
||||
private predicate subscriptPointsTo(
|
||||
SubscriptNode subscr, PointsToContext context, ObjectInternal value, ControlFlowNode obj,
|
||||
@@ -1489,14 +1481,6 @@ module Expressions {
|
||||
index = subscr.getIndex()
|
||||
}
|
||||
|
||||
deprecated predicate binaryPointsTo(
|
||||
BinaryExprNode b, PointsToContext context, ObjectInternal value, ControlFlowNode origin,
|
||||
ControlFlowNode operand, ObjectInternal opvalue
|
||||
) {
|
||||
binaryPointsTo(b, context, value, operand, opvalue) and
|
||||
origin = b
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracking too many binary expressions is likely to kill performance, so just say anything other than addition or bitwise or is 'unknown'.
|
||||
*/
|
||||
@@ -1521,14 +1505,6 @@ module Expressions {
|
||||
)
|
||||
}
|
||||
|
||||
deprecated predicate addPointsTo(
|
||||
BinaryExprNode b, PointsToContext context, ObjectInternal value, ControlFlowNode origin,
|
||||
ControlFlowNode operand, ObjectInternal opvalue
|
||||
) {
|
||||
addPointsTo(b, context, value, operand, opvalue) and
|
||||
origin = b
|
||||
}
|
||||
|
||||
pragma[noinline]
|
||||
private predicate addPointsTo(
|
||||
BinaryExprNode b, PointsToContext context, ObjectInternal value, ControlFlowNode operand,
|
||||
@@ -1545,14 +1521,6 @@ module Expressions {
|
||||
)
|
||||
}
|
||||
|
||||
deprecated predicate bitOrPointsTo(
|
||||
BinaryExprNode b, PointsToContext context, ObjectInternal value, ControlFlowNode origin,
|
||||
ControlFlowNode operand, ObjectInternal opvalue
|
||||
) {
|
||||
bitOrPointsTo(b, context, value, operand, opvalue) and
|
||||
origin = b
|
||||
}
|
||||
|
||||
pragma[noinline]
|
||||
private predicate bitOrPointsTo(
|
||||
BinaryExprNode b, PointsToContext context, ObjectInternal value, ControlFlowNode operand,
|
||||
@@ -1577,14 +1545,6 @@ module Expressions {
|
||||
value = obj.intValue()
|
||||
}
|
||||
|
||||
deprecated predicate unaryPointsTo(
|
||||
UnaryExprNode u, PointsToContext context, ObjectInternal value, ControlFlowNode origin,
|
||||
ControlFlowNode operand, ObjectInternal opvalue
|
||||
) {
|
||||
unaryPointsTo(u, context, value, operand, opvalue) and
|
||||
origin = u
|
||||
}
|
||||
|
||||
pragma[noinline]
|
||||
private predicate unaryPointsTo(
|
||||
UnaryExprNode u, PointsToContext context, ObjectInternal value, ControlFlowNode operand,
|
||||
@@ -1603,14 +1563,6 @@ module Expressions {
|
||||
)
|
||||
}
|
||||
|
||||
deprecated predicate builtinCallPointsTo(
|
||||
CallNode call, PointsToContext context, ObjectInternal value, ControlFlowNode origin,
|
||||
ControlFlowNode arg, ObjectInternal argvalue
|
||||
) {
|
||||
builtinCallPointsTo(call, context, value, arg, argvalue) and
|
||||
origin = call
|
||||
}
|
||||
|
||||
pragma[noinline]
|
||||
private predicate builtinCallPointsTo(
|
||||
CallNode call, PointsToContext context, ObjectInternal value, ControlFlowNode arg,
|
||||
|
||||
@@ -1,54 +0,0 @@
|
||||
import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.SensitiveData
|
||||
import semmle.python.dataflow.Files
|
||||
import semmle.python.web.Http
|
||||
|
||||
deprecated module ClearTextStorage {
|
||||
abstract class Sink extends TaintSink {
|
||||
override predicate sinks(TaintKind kind) { kind instanceof SensitiveData }
|
||||
}
|
||||
|
||||
class CookieStorageSink extends Sink {
|
||||
CookieStorageSink() { any(CookieSet cookie).getValue() = this }
|
||||
}
|
||||
|
||||
class FileStorageSink extends Sink {
|
||||
FileStorageSink() {
|
||||
exists(CallNode call, AttrNode meth, string name |
|
||||
any(OpenFile fd).taints(meth.getObject(name)) and
|
||||
call.getFunction() = meth and
|
||||
call.getAnArg() = this
|
||||
|
|
||||
name = "write"
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
deprecated module ClearTextLogging {
|
||||
abstract class Sink extends TaintSink {
|
||||
override predicate sinks(TaintKind kind) { kind instanceof SensitiveData }
|
||||
}
|
||||
|
||||
class PrintSink extends Sink {
|
||||
PrintSink() {
|
||||
exists(CallNode call |
|
||||
call.getAnArg() = this and
|
||||
call = Value::named("print").getACall()
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
class LoggingSink extends Sink {
|
||||
LoggingSink() {
|
||||
exists(CallNode call, AttrNode meth, string name |
|
||||
call.getFunction() = meth and
|
||||
meth.getObject(name).(NameNode).getId().matches("logg%") and
|
||||
call.getAnArg() = this
|
||||
|
|
||||
name = ["error", "warn", "warning", "debug", "info"]
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,139 +0,0 @@
|
||||
import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
private import semmle.python.security.SensitiveData
|
||||
private import semmle.crypto.Crypto as CryptoLib
|
||||
|
||||
abstract deprecated class WeakCryptoSink extends TaintSink {
|
||||
override predicate sinks(TaintKind taint) { taint instanceof SensitiveData }
|
||||
}
|
||||
|
||||
/** Modeling the 'pycrypto' package https://github.com/dlitz/pycrypto (latest release 2013) */
|
||||
deprecated module Pycrypto {
|
||||
ModuleValue cipher(string name) { result = Module::named("Crypto.Cipher").attr(name) }
|
||||
|
||||
class CipherInstance extends TaintKind {
|
||||
string name;
|
||||
|
||||
CipherInstance() {
|
||||
this = "Crypto.Cipher." + name and
|
||||
exists(cipher(name))
|
||||
}
|
||||
|
||||
string getName() { result = name }
|
||||
|
||||
CryptoLib::CryptographicAlgorithm getAlgorithm() { result.getName() = name }
|
||||
|
||||
predicate isWeak() { this.getAlgorithm().isWeak() }
|
||||
}
|
||||
|
||||
class CipherInstanceSource extends TaintSource {
|
||||
CipherInstance instance;
|
||||
|
||||
CipherInstanceSource() {
|
||||
exists(AttrNode attr |
|
||||
this.(CallNode).getFunction() = attr and
|
||||
attr.getObject("new").pointsTo(cipher(instance.getName()))
|
||||
)
|
||||
}
|
||||
|
||||
override string toString() { result = "Source of " + instance }
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) { kind = instance }
|
||||
}
|
||||
|
||||
class PycryptoWeakCryptoSink extends WeakCryptoSink {
|
||||
string name;
|
||||
|
||||
PycryptoWeakCryptoSink() {
|
||||
exists(CallNode call, AttrNode method, CipherInstance cipher |
|
||||
call.getAnArg() = this and
|
||||
call.getFunction() = method and
|
||||
cipher.taints(method.getObject("encrypt")) and
|
||||
cipher.isWeak() and
|
||||
cipher.getName() = name
|
||||
)
|
||||
}
|
||||
|
||||
override string toString() { result = "Use of weak crypto algorithm " + name }
|
||||
}
|
||||
}
|
||||
|
||||
deprecated module Cryptography {
|
||||
ModuleValue ciphers() {
|
||||
result = Module::named("cryptography.hazmat.primitives.ciphers") and
|
||||
result.isPackage()
|
||||
}
|
||||
|
||||
class CipherClass extends ClassValue {
|
||||
CipherClass() { ciphers().attr("Cipher") = this }
|
||||
}
|
||||
|
||||
class AlgorithmClass extends ClassValue {
|
||||
AlgorithmClass() { ciphers().attr("algorithms").attr(_) = this }
|
||||
|
||||
string getAlgorithmName() { result = this.declaredAttribute("name").(StringValue).getText() }
|
||||
|
||||
predicate isWeak() {
|
||||
exists(CryptoLib::CryptographicAlgorithm algo |
|
||||
algo.getName() = this.getAlgorithmName() and
|
||||
algo.isWeak()
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
class CipherInstance extends TaintKind {
|
||||
AlgorithmClass cls;
|
||||
|
||||
CipherInstance() { this = "cryptography.Cipher." + cls.getAlgorithmName() }
|
||||
|
||||
AlgorithmClass getAlgorithm() { result = cls }
|
||||
|
||||
predicate isWeak() { cls.isWeak() }
|
||||
|
||||
override TaintKind getTaintOfMethodResult(string name) {
|
||||
name = "encryptor" and
|
||||
result.(Encryptor).getAlgorithm() = this.getAlgorithm()
|
||||
}
|
||||
}
|
||||
|
||||
class CipherSource extends TaintSource {
|
||||
CipherSource() { this.(CallNode).getFunction().pointsTo(any(CipherClass cls)) }
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) {
|
||||
this.(CallNode).getArg(0).pointsTo().getClass() = kind.(CipherInstance).getAlgorithm()
|
||||
}
|
||||
|
||||
override string toString() { result = "cryptography.Cipher.source" }
|
||||
}
|
||||
|
||||
class Encryptor extends TaintKind {
|
||||
AlgorithmClass cls;
|
||||
|
||||
Encryptor() { this = "cryptography.encryptor." + cls.getAlgorithmName() }
|
||||
|
||||
AlgorithmClass getAlgorithm() { result = cls }
|
||||
}
|
||||
|
||||
class CryptographyWeakCryptoSink extends WeakCryptoSink {
|
||||
CryptographyWeakCryptoSink() {
|
||||
exists(CallNode call, AttrNode method, Encryptor encryptor |
|
||||
call.getAnArg() = this and
|
||||
call.getFunction() = method and
|
||||
encryptor.taints(method.getObject("update")) and
|
||||
encryptor.getAlgorithm().isWeak()
|
||||
)
|
||||
}
|
||||
|
||||
override string toString() { result = "Use of weak crypto algorithm" }
|
||||
}
|
||||
}
|
||||
|
||||
deprecated private class CipherConfig extends TaintTracking::Configuration {
|
||||
CipherConfig() { this = "Crypto cipher config" }
|
||||
|
||||
override predicate isSource(TaintTracking::Source source) {
|
||||
source instanceof Pycrypto::CipherInstanceSource
|
||||
or
|
||||
source instanceof Cryptography::CipherSource
|
||||
}
|
||||
}
|
||||
@@ -1,118 +0,0 @@
|
||||
/**
|
||||
* Provides classes and predicates for identifying sensitive data and methods for security.
|
||||
*
|
||||
* 'Sensitive' data in general is anything that should not be sent around in unencrypted form. This
|
||||
* library tries to guess where sensitive data may either be stored in a variable or produced by a
|
||||
* method.
|
||||
*
|
||||
* In addition, there are methods that ought not to be executed or not in a fashion that the user
|
||||
* can control. This includes authorization methods such as logins, and sending of data, etc.
|
||||
*/
|
||||
|
||||
import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.security.internal.SensitiveDataHeuristics
|
||||
private import HeuristicNames
|
||||
|
||||
abstract deprecated class SensitiveData extends TaintKind {
|
||||
bindingset[this]
|
||||
SensitiveData() { this = this }
|
||||
|
||||
/** Gets the classification of this sensitive data taint kind. */
|
||||
abstract SensitiveDataClassification getClassification();
|
||||
}
|
||||
|
||||
deprecated module SensitiveData {
|
||||
class Secret extends SensitiveData {
|
||||
Secret() { this = "sensitive.data.secret" }
|
||||
|
||||
override string repr() { result = "a secret" }
|
||||
|
||||
override SensitiveDataClassification getClassification() {
|
||||
result = SensitiveDataClassification::secret()
|
||||
}
|
||||
}
|
||||
|
||||
class Id extends SensitiveData {
|
||||
Id() { this = "sensitive.data.id" }
|
||||
|
||||
override string repr() { result = "an ID" }
|
||||
|
||||
override SensitiveDataClassification getClassification() {
|
||||
result = SensitiveDataClassification::id()
|
||||
}
|
||||
}
|
||||
|
||||
class Password extends SensitiveData {
|
||||
Password() { this = "sensitive.data.password" }
|
||||
|
||||
override string repr() { result = "a password" }
|
||||
|
||||
override SensitiveDataClassification getClassification() {
|
||||
result = SensitiveDataClassification::password()
|
||||
}
|
||||
}
|
||||
|
||||
class Certificate extends SensitiveData {
|
||||
Certificate() { this = "sensitive.data.certificate" }
|
||||
|
||||
override string repr() { result = "a certificate or key" }
|
||||
|
||||
override SensitiveDataClassification getClassification() {
|
||||
result = SensitiveDataClassification::certificate()
|
||||
}
|
||||
}
|
||||
|
||||
private SensitiveData fromFunction(Value func) {
|
||||
nameIndicatesSensitiveData(func.getName(), result.getClassification())
|
||||
}
|
||||
|
||||
abstract class Source extends TaintSource {
|
||||
abstract string repr();
|
||||
}
|
||||
|
||||
private class SensitiveCallSource extends Source {
|
||||
SensitiveData data;
|
||||
|
||||
SensitiveCallSource() {
|
||||
exists(Value callee | callee.getACall() = this | data = fromFunction(callee))
|
||||
}
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) { kind = data }
|
||||
|
||||
override string repr() { result = "a call returning " + data.repr() }
|
||||
}
|
||||
|
||||
/** An access to a variable or property that might contain sensitive data. */
|
||||
private class SensitiveVariableAccess extends SensitiveData::Source {
|
||||
SensitiveData data;
|
||||
|
||||
SensitiveVariableAccess() {
|
||||
nameIndicatesSensitiveData(this.(AttrNode).getName(), data.getClassification())
|
||||
}
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) { kind = data }
|
||||
|
||||
override string repr() { result = "an attribute or property containing " + data.repr() }
|
||||
}
|
||||
|
||||
private class SensitiveRequestParameter extends SensitiveData::Source {
|
||||
SensitiveData data;
|
||||
|
||||
SensitiveRequestParameter() {
|
||||
this.(CallNode).getFunction().(AttrNode).getName() = "get" and
|
||||
exists(StringValue sensitive |
|
||||
this.(CallNode).getAnArg().pointsTo(sensitive) and
|
||||
nameIndicatesSensitiveData(sensitive.getText(), data.getClassification())
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) { kind = data }
|
||||
|
||||
override string repr() { result = "a request parameter containing " + data.repr() }
|
||||
}
|
||||
}
|
||||
|
||||
//Backwards compatibility
|
||||
deprecated class SensitiveDataSource = SensitiveData::Source;
|
||||
@@ -1,95 +0,0 @@
|
||||
/**
|
||||
* DEPRECATED -- use flow state instead
|
||||
*
|
||||
* This defines a `PathGraph` where sinks from `TaintTracking::Configuration`s are identified with
|
||||
* sources from `TaintTracking2::Configuration`s if they represent the same `ControlFlowNode`.
|
||||
*
|
||||
* Paths are then connected appropriately.
|
||||
*/
|
||||
|
||||
import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.DataFlow2
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
import semmle.python.dataflow.new.TaintTracking2
|
||||
|
||||
/**
|
||||
* A `DataFlow::Node` that appears as a sink in Config1 and a source in Config2.
|
||||
*/
|
||||
private predicate crossoverNode(DataFlow::Node n) {
|
||||
any(TaintTracking::Configuration t1).isSink(n) and
|
||||
any(TaintTracking2::Configuration t2).isSource(n)
|
||||
}
|
||||
|
||||
/**
|
||||
* A new type which represents the union of the two sets of nodes.
|
||||
*/
|
||||
private newtype TCustomPathNode =
|
||||
Config1Node(DataFlow::PathNode node1) { not crossoverNode(node1.getNode()) } or
|
||||
Config2Node(DataFlow2::PathNode node2) { not crossoverNode(node2.getNode()) } or
|
||||
CrossoverNode(DataFlow::Node node) { crossoverNode(node) }
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use flow state instead
|
||||
*
|
||||
* A class representing the set of all the path nodes in either config.
|
||||
*/
|
||||
deprecated class CustomPathNode extends TCustomPathNode {
|
||||
/** Gets the PathNode if it is in Config1. */
|
||||
DataFlow::PathNode asNode1() {
|
||||
this = Config1Node(result) or this = CrossoverNode(result.getNode())
|
||||
}
|
||||
|
||||
/** Gets the PathNode if it is in Config2. */
|
||||
DataFlow2::PathNode asNode2() {
|
||||
this = Config2Node(result) or this = CrossoverNode(result.getNode())
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if this element is at the specified location.
|
||||
* The location spans column `startcolumn` of line `startline` to
|
||||
* column `endcolumn` of line `endline` in file `filepath`.
|
||||
* For more information, see
|
||||
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
|
||||
*/
|
||||
predicate hasLocationInfo(
|
||||
string filepath, int startline, int startcolumn, int endline, int endcolumn
|
||||
) {
|
||||
this.asNode1().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
|
||||
or
|
||||
this.asNode2().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
|
||||
}
|
||||
|
||||
/** Gets a textual representation of this element. */
|
||||
string toString() {
|
||||
result = this.asNode1().toString()
|
||||
or
|
||||
result = this.asNode2().toString()
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use flow state instead
|
||||
*
|
||||
* Holds if `(a,b)` is an edge in the graph of data flow path explanations.
|
||||
*/
|
||||
deprecated query predicate edges(CustomPathNode a, CustomPathNode b) {
|
||||
// Edge is in Config1 graph
|
||||
DataFlow::PathGraph::edges(a.asNode1(), b.asNode1())
|
||||
or
|
||||
// Edge is in Config2 graph
|
||||
DataFlow2::PathGraph::edges(a.asNode2(), b.asNode2())
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use flow state instead
|
||||
*
|
||||
* Holds if `n` is a node in the graph of data flow path explanations.
|
||||
*/
|
||||
deprecated query predicate nodes(CustomPathNode n, string key, string val) {
|
||||
// Node is in Config1 graph
|
||||
DataFlow::PathGraph::nodes(n.asNode1(), key, val)
|
||||
or
|
||||
// Node is in Config2 graph
|
||||
DataFlow2::PathGraph::nodes(n.asNode2(), key, val)
|
||||
}
|
||||
@@ -1,14 +0,0 @@
|
||||
/** DEPRECATED. Import `CleartextLoggingQuery` instead. */
|
||||
|
||||
private import python
|
||||
private import semmle.python.dataflow.new.DataFlow
|
||||
private import semmle.python.dataflow.new.TaintTracking
|
||||
private import semmle.python.Concepts
|
||||
private import semmle.python.dataflow.new.RemoteFlowSources
|
||||
private import semmle.python.dataflow.new.BarrierGuards
|
||||
private import semmle.python.dataflow.new.SensitiveDataSources
|
||||
|
||||
/** DEPRECATED. Import `CleartextLoggingQuery` instead. */
|
||||
deprecated module CleartextLogging {
|
||||
import CleartextLoggingQuery // ignore-query-import
|
||||
}
|
||||
@@ -1,14 +0,0 @@
|
||||
/** DEPRECATED. Import `CleartextStorageQuery` instead. */
|
||||
|
||||
private import python
|
||||
private import semmle.python.dataflow.new.DataFlow
|
||||
private import semmle.python.dataflow.new.TaintTracking
|
||||
private import semmle.python.Concepts
|
||||
private import semmle.python.dataflow.new.RemoteFlowSources
|
||||
private import semmle.python.dataflow.new.BarrierGuards
|
||||
private import semmle.python.dataflow.new.SensitiveDataSources
|
||||
|
||||
/** DEPRECATED. Import `CleartextStorageQuery` instead. */
|
||||
deprecated module CleartextStorage {
|
||||
import CleartextStorageQuery // ignore-query-import
|
||||
}
|
||||
@@ -1,13 +0,0 @@
|
||||
/** DEPRECATED. Import `CodeInjectionQuery` instead. */
|
||||
|
||||
private import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
|
||||
/** DEPRECATED. Import `CodeInjectionQuery` instead. */
|
||||
deprecated module CodeInjection {
|
||||
import CodeInjectionQuery // ignore-query-import
|
||||
}
|
||||
|
||||
/** DEPRECATED. Import `CodeInjectionQuery` instead. */
|
||||
deprecated class CodeInjectionConfiguration = CodeInjection::Configuration;
|
||||
@@ -1,13 +0,0 @@
|
||||
/** DEPRECATED. Import `CommandInjectionQuery` instead. */
|
||||
|
||||
private import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
|
||||
/** DEPRECATED. Import `CommandInjectionQuery` instead. */
|
||||
deprecated module CommandInjection {
|
||||
import CommandInjectionQuery // ignore-query-import
|
||||
}
|
||||
|
||||
/** DEPRECATED. Import `CommandInjectionQuery` instead. */
|
||||
deprecated class CommandInjectionConfiguration = CommandInjection::Configuration;
|
||||
@@ -1,12 +0,0 @@
|
||||
/** DEPRECATED. Import `LdapInjectionQuery` instead. */
|
||||
|
||||
import python
|
||||
import semmle.python.Concepts
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
import semmle.python.dataflow.new.RemoteFlowSources
|
||||
|
||||
/** DEPRECATED. Import `LdapInjectionQuery` instead. */
|
||||
deprecated module LdapInjection {
|
||||
import LdapInjectionQuery // ignore-query-import
|
||||
}
|
||||
@@ -1,10 +0,0 @@
|
||||
/** DEPRECATED. Import `LogInjectionQuery` instead. */
|
||||
|
||||
import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
|
||||
/** DEPRECATED. Import `LogInjectionQuery` instead. */
|
||||
deprecated module LogInjection {
|
||||
import LogInjectionQuery // ignore-query-import
|
||||
}
|
||||
@@ -1,133 +0,0 @@
|
||||
/** DEPRECATED. Import `PathInjectionQuery` instead. */
|
||||
|
||||
private import python
|
||||
private import semmle.python.Concepts
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
|
||||
/** DEPRECATED. Import `PathInjectionQuery` instead. */
|
||||
deprecated module PathInjection {
|
||||
import PathInjectionQuery // ignore-query-import
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Old, deprecated code
|
||||
// ---------------------------------------------------------------------------
|
||||
private import semmle.python.dataflow.new.DataFlow2
|
||||
private import semmle.python.dataflow.new.TaintTracking2
|
||||
private import ChainedConfigs12
|
||||
import PathInjectionCustomizations::PathInjection
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Case 1. The path is never normalized.
|
||||
// ---------------------------------------------------------------------------
|
||||
/**
|
||||
* DEPRECATED: Import `PathInjectionQuery` instead.
|
||||
*
|
||||
* Configuration to find paths from sources to sinks that contain no normalization.
|
||||
*/
|
||||
deprecated class PathNotNormalizedConfiguration extends TaintTracking::Configuration {
|
||||
PathNotNormalizedConfiguration() { this = "PathNotNormalizedConfiguration" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
node instanceof Sanitizer
|
||||
or
|
||||
node instanceof Path::PathNormalization
|
||||
}
|
||||
|
||||
override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
|
||||
guard instanceof SanitizerGuard
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Import `PathInjectionQuery` instead.
|
||||
*
|
||||
* Holds if there is a path injection from source to sink, where the (python) path is
|
||||
* not normalized.
|
||||
*/
|
||||
deprecated predicate pathNotNormalized(CustomPathNode source, CustomPathNode sink) {
|
||||
any(PathNotNormalizedConfiguration config).hasFlowPath(source.asNode1(), sink.asNode1())
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Case 2. The path is normalized at least once, but never checked afterwards.
|
||||
// ---------------------------------------------------------------------------
|
||||
/**
|
||||
* DEPRECATED: Import `PathInjectionQuery` instead.
|
||||
*
|
||||
* Configuration to find paths from sources to normalizations that contain no prior normalizations.
|
||||
*/
|
||||
deprecated class FirstNormalizationConfiguration extends TaintTracking::Configuration {
|
||||
FirstNormalizationConfiguration() { this = "FirstNormalizationConfiguration" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Path::PathNormalization }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
|
||||
override predicate isSanitizerOut(DataFlow::Node node) { node instanceof Path::PathNormalization }
|
||||
|
||||
override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
|
||||
guard instanceof SanitizerGuard
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Import `PathInjectionQuery` instead.
|
||||
*
|
||||
* Configuration to find paths from normalizations to sinks that do not go through a check.
|
||||
*/
|
||||
deprecated class NormalizedPathNotCheckedConfiguration extends TaintTracking2::Configuration {
|
||||
NormalizedPathNotCheckedConfiguration() { this = "NormalizedPathNotCheckedConfiguration" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Path::PathNormalization }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
node instanceof Path::SafeAccessCheck
|
||||
or
|
||||
node instanceof Sanitizer
|
||||
}
|
||||
|
||||
override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
|
||||
guard instanceof SanitizerGuard
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Import `PathInjectionQuery` instead.
|
||||
*
|
||||
* Holds if there is a path injection from source to sink, where the (python) path is
|
||||
* normalized at least once, but never checked afterwards.
|
||||
*/
|
||||
deprecated predicate pathNotCheckedAfterNormalization(CustomPathNode source, CustomPathNode sink) {
|
||||
exists(
|
||||
FirstNormalizationConfiguration config, DataFlow::PathNode mid1, DataFlow2::PathNode mid2,
|
||||
NormalizedPathNotCheckedConfiguration config2
|
||||
|
|
||||
config.hasFlowPath(source.asNode1(), mid1) and
|
||||
config2.hasFlowPath(mid2, sink.asNode2()) and
|
||||
mid1.getNode().asCfgNode() = mid2.getNode().asCfgNode()
|
||||
)
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Query: Either case 1 or case 2.
|
||||
// ---------------------------------------------------------------------------
|
||||
/**
|
||||
* DEPRECATED: Import `PathInjectionQuery` instead.
|
||||
*
|
||||
* Holds if there is a path injection from source to sink
|
||||
*/
|
||||
deprecated predicate pathInjection(CustomPathNode source, CustomPathNode sink) {
|
||||
pathNotNormalized(source, sink)
|
||||
or
|
||||
pathNotCheckedAfterNormalization(source, sink)
|
||||
}
|
||||
@@ -1,10 +0,0 @@
|
||||
/** DEPRECATED. Import `PolynomialReDoSQuery` instead. */
|
||||
|
||||
private import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
|
||||
/** DEPRECATED. Import `PolynomialReDoSQuery` instead. */
|
||||
deprecated module PolynomialReDoS {
|
||||
import PolynomialReDoSQuery // ignore-query-import
|
||||
}
|
||||
@@ -1,16 +0,0 @@
|
||||
/** DEPRECATED. Import `ReflectedXSSQuery` instead. */
|
||||
|
||||
private import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
|
||||
/** DEPRECATED. Import `ReflectedXSSQuery` instead. */
|
||||
deprecated module ReflectedXss {
|
||||
import ReflectedXssQuery // ignore-query-import
|
||||
}
|
||||
|
||||
/** DEPRECATED. Import `ReflectedXSSQuery` instead. */
|
||||
deprecated module ReflectedXSS = ReflectedXss;
|
||||
|
||||
/** DEPRECATED. Import `ReflectedXSSQuery` instead. */
|
||||
deprecated class ReflectedXssConfiguration = ReflectedXss::Configuration;
|
||||
@@ -76,6 +76,3 @@ module ReflectedXss {
|
||||
*/
|
||||
class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for ReflectedXss */
|
||||
deprecated module ReflectedXSS = ReflectedXss;
|
||||
|
||||
@@ -1,10 +0,0 @@
|
||||
/** DEPRECATED. Import `RegexInjectionQuery` instead. */
|
||||
|
||||
private import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
|
||||
/** DEPRECATED. Import `RegexInjectionQuery` instead. */
|
||||
deprecated module RegexInjection {
|
||||
import RegexInjectionQuery // ignore-query-import
|
||||
}
|
||||
@@ -1,25 +0,0 @@
|
||||
/** DEPRECATED. Import `ServerSideRequestForgeryQuery` instead. */
|
||||
|
||||
private import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
import semmle.python.Concepts
|
||||
import ServerSideRequestForgeryQuery as ServerSideRequestForgeryQuery // ignore-query-import
|
||||
|
||||
/** DEPRECATED. Import `ServerSideRequestForgeryQuery` instead. */
|
||||
deprecated module FullServerSideRequestForgery {
|
||||
import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery
|
||||
|
||||
class Configuration = ServerSideRequestForgeryQuery::FullServerSideRequestForgeryConfiguration;
|
||||
}
|
||||
|
||||
/** DEPRECATED. Import `ServerSideRequestForgeryQuery` instead. */
|
||||
deprecated predicate fullyControlledRequest =
|
||||
ServerSideRequestForgeryQuery::fullyControlledRequest/1;
|
||||
|
||||
/** DEPRECATED. Import `ServerSideRequestForgeryQuery` instead. */
|
||||
deprecated module PartialServerSideRequestForgery {
|
||||
import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery
|
||||
|
||||
class Configuration = ServerSideRequestForgeryQuery::PartialServerSideRequestForgeryConfiguration;
|
||||
}
|
||||
@@ -1,16 +0,0 @@
|
||||
/** DEPRECATED. Import `SqlInjectionQuery` instead. */
|
||||
|
||||
private import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
|
||||
/** DEPRECATED. Import `SqlInjectionQuery` instead. */
|
||||
deprecated module SqlInjection {
|
||||
import SqlInjectionQuery // ignore-query-import
|
||||
}
|
||||
|
||||
/** DEPRECATED. Import `SqlInjectionQuery` instead. */
|
||||
deprecated class SqlInjectionConfiguration = SqlInjection::Configuration;
|
||||
|
||||
/** DEPRECATED. Import `SqlInjectionQuery` instead. */
|
||||
deprecated class SQLInjectionConfiguration = SqlInjectionConfiguration;
|
||||
@@ -1,13 +0,0 @@
|
||||
/** DEPRECATED. Import `StackTraceExposureQuery` instead. */
|
||||
|
||||
private import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
|
||||
/** DEPRECATED. Import `StackTraceExposureQuery` instead. */
|
||||
deprecated module StackTraceExposure {
|
||||
import StackTraceExposureQuery // ignore-query-import
|
||||
}
|
||||
|
||||
/** DEPRECATED. Import `StackTraceExposureQuery` instead. */
|
||||
deprecated class StackTraceExposureConfiguration = StackTraceExposure::Configuration;
|
||||
@@ -1,13 +0,0 @@
|
||||
/** DEPRECATED. Import `UnsafeDeserializationQuery` instead. */
|
||||
|
||||
private import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
|
||||
/** DEPRECATED. Import `UnsafeDeserializationQuery` instead. */
|
||||
deprecated module UnsafeDeserialization {
|
||||
import UnsafeDeserializationQuery // ignore-query-import
|
||||
}
|
||||
|
||||
/** DEPRECATED. Import `UnsafeDeserializationQuery` instead. */
|
||||
deprecated class UnsafeDeserializationConfiguration = UnsafeDeserialization::Configuration;
|
||||
@@ -1,13 +0,0 @@
|
||||
/** DEPRECATED. Import `UrlRedirectQuery` instead. */
|
||||
|
||||
private import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
|
||||
/** DEPRECATED. Import `UrlRedirectQuery` instead. */
|
||||
deprecated module UrlRedirect {
|
||||
import UrlRedirectQuery // ignore-query-import
|
||||
}
|
||||
|
||||
/** DEPRECATED. Import `UrlRedirectQuery` instead. */
|
||||
deprecated class UrlRedirectConfiguration = UrlRedirect::Configuration;
|
||||
@@ -1,19 +0,0 @@
|
||||
/** DEPRECATED. Import `WeakSensitiveDataHashingQuery` instead. */
|
||||
|
||||
private import python
|
||||
private import semmle.python.dataflow.new.DataFlow
|
||||
private import semmle.python.dataflow.new.TaintTracking
|
||||
private import semmle.python.Concepts
|
||||
private import semmle.python.dataflow.new.RemoteFlowSources
|
||||
private import semmle.python.dataflow.new.BarrierGuards
|
||||
private import semmle.python.dataflow.new.SensitiveDataSources
|
||||
|
||||
/** DEPRECATED. Import `WeakSensitiveDataHashingQuery` instead. */
|
||||
deprecated module NormalHashFunction {
|
||||
import WeakSensitiveDataHashingQuery::NormalHashFunction // ignore-query-import
|
||||
}
|
||||
|
||||
/** DEPRECATED. Import `WeakSensitiveDataHashingQuery` instead. */
|
||||
deprecated module ComputationallyExpensiveHashFunction {
|
||||
import WeakSensitiveDataHashingQuery::ComputationallyExpensiveHashFunction // ignore-query-import
|
||||
}
|
||||
@@ -1,10 +0,0 @@
|
||||
/** DEPRECATED. Import `XpathInjectionQuery` instead. */
|
||||
|
||||
private import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
|
||||
/** DEPRECATED. Import `XpathInjectionQuery` instead. */
|
||||
deprecated module XpathInjection {
|
||||
import XpathInjectionQuery // ignore-query-import
|
||||
}
|
||||
@@ -1,9 +0,0 @@
|
||||
import python
|
||||
import semmle.python.security.strings.Basic
|
||||
|
||||
/** Assume that taint flows from argument to result for *any* call */
|
||||
deprecated class AnyCallStringFlow extends DataFlowExtension::DataFlowNode {
|
||||
AnyCallStringFlow() { any(CallNode call).getAnArg() = this }
|
||||
|
||||
override ControlFlowNode getASuccessorNode() { result.(CallNode).getAnArg() = this }
|
||||
}
|
||||
@@ -1,8 +0,0 @@
|
||||
import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
|
||||
/** `pickle.loads(untrusted)` vulnerability. */
|
||||
abstract deprecated class DeserializationSink extends TaintSink {
|
||||
bindingset[this]
|
||||
DeserializationSink() { this = this }
|
||||
}
|
||||
@@ -1,29 +0,0 @@
|
||||
/**
|
||||
* Provides class and predicates to track external data that
|
||||
* may represent malicious Python code.
|
||||
*
|
||||
* This module is intended to be imported into a taint-tracking query
|
||||
* to extend `TaintKind` and `TaintSink`.
|
||||
*/
|
||||
|
||||
import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
/**
|
||||
* A taint sink that represents an argument to exec or eval that is vulnerable to malicious input.
|
||||
* The `vuln` in `exec(vuln)` or similar.
|
||||
*/
|
||||
deprecated class StringEvaluationNode extends TaintSink {
|
||||
override string toString() { result = "exec or eval" }
|
||||
|
||||
StringEvaluationNode() {
|
||||
exists(Exec exec | exec.getASubExpression().getAFlowNode() = this)
|
||||
or
|
||||
Value::named("exec").getACall().getAnArg() = this
|
||||
or
|
||||
Value::named("eval").getACall().getAnArg() = this
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
@@ -1,33 +0,0 @@
|
||||
/**
|
||||
* Provides class and predicates to track external data that
|
||||
* may represent malicious marshals.
|
||||
*
|
||||
* This module is intended to be imported into a taint-tracking query
|
||||
* to extend `TaintKind` and `TaintSink`.
|
||||
*/
|
||||
|
||||
import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
import semmle.python.security.injection.Deserialization
|
||||
|
||||
deprecated private FunctionObject marshalLoads() {
|
||||
result = ModuleObject::named("marshal").attr("loads")
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint sink that is potentially vulnerable to malicious marshaled objects.
|
||||
* The `vuln` in `marshal.loads(vuln)`.
|
||||
*/
|
||||
deprecated class UnmarshalingNode extends DeserializationSink {
|
||||
override string toString() { result = "unmarshaling vulnerability" }
|
||||
|
||||
UnmarshalingNode() {
|
||||
exists(CallNode call |
|
||||
marshalLoads().getACall() = call and
|
||||
call.getAnArg() = this
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
@@ -1,81 +0,0 @@
|
||||
import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
/**
|
||||
* Prevents taint flowing through ntpath.normpath()
|
||||
* NormalizedPath below handles that case.
|
||||
*/
|
||||
deprecated class PathSanitizer extends Sanitizer {
|
||||
PathSanitizer() { this = "path.sanitizer" }
|
||||
|
||||
override predicate sanitizingNode(TaintKind taint, ControlFlowNode node) {
|
||||
taint instanceof ExternalStringKind and
|
||||
abspath_call(node, _)
|
||||
}
|
||||
}
|
||||
|
||||
deprecated private FunctionObject abspath() {
|
||||
exists(ModuleObject os_path | ModuleObject::named("os").attr("path") = os_path |
|
||||
os_path.attr("abspath") = result
|
||||
or
|
||||
os_path.attr("normpath") = result
|
||||
)
|
||||
}
|
||||
|
||||
/** A path that has been normalized, but not verified to be safe */
|
||||
deprecated class NormalizedPath extends TaintKind {
|
||||
NormalizedPath() { this = "normalized.path.injection" }
|
||||
|
||||
override string repr() { result = "normalized path" }
|
||||
}
|
||||
|
||||
deprecated private predicate abspath_call(CallNode call, ControlFlowNode arg) {
|
||||
call.getFunction().refersTo(abspath()) and
|
||||
arg = call.getArg(0)
|
||||
}
|
||||
|
||||
deprecated class AbsPath extends DataFlowExtension::DataFlowNode {
|
||||
AbsPath() { abspath_call(_, this) }
|
||||
|
||||
override ControlFlowNode getASuccessorNode(TaintKind fromkind, TaintKind tokind) {
|
||||
abspath_call(result, this) and
|
||||
tokind instanceof NormalizedPath and
|
||||
fromkind instanceof ExternalStringKind
|
||||
}
|
||||
}
|
||||
|
||||
deprecated class NormalizedPathSanitizer extends Sanitizer {
|
||||
NormalizedPathSanitizer() { this = "normalized.path.sanitizer" }
|
||||
|
||||
override predicate sanitizingEdge(TaintKind taint, PyEdgeRefinement test) {
|
||||
taint instanceof NormalizedPath and
|
||||
test.getTest().(CallNode).getFunction().(AttrNode).getName() = "startswith" and
|
||||
test.getSense() = true
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint sink that is vulnerable to malicious paths.
|
||||
* The `vuln` in `open(vuln)` and similar.
|
||||
*/
|
||||
deprecated class OpenNode extends TaintSink {
|
||||
override string toString() { result = "argument to open()" }
|
||||
|
||||
OpenNode() {
|
||||
exists(CallNode call |
|
||||
call = Value::named("open").getACall() and
|
||||
(
|
||||
call.getArg(0) = this
|
||||
or
|
||||
call.getArgByName("file") = this
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) {
|
||||
kind instanceof ExternalStringKind
|
||||
or
|
||||
kind instanceof NormalizedPath
|
||||
}
|
||||
}
|
||||
@@ -1,36 +0,0 @@
|
||||
/**
|
||||
* Provides class and predicates to track external data that
|
||||
* may represent malicious pickles.
|
||||
*
|
||||
* This module is intended to be imported into a taint-tracking query
|
||||
* to extend `TaintKind` and `TaintSink`.
|
||||
*/
|
||||
|
||||
import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
import semmle.python.security.injection.Deserialization
|
||||
|
||||
deprecated private ModuleObject pickleModule() {
|
||||
result.getName() = "pickle"
|
||||
or
|
||||
result.getName() = "cPickle"
|
||||
or
|
||||
result.getName() = "dill"
|
||||
}
|
||||
|
||||
deprecated private FunctionObject pickleLoads() { result = pickleModule().attr("loads") }
|
||||
|
||||
/** `pickle.loads(untrusted)` vulnerability. */
|
||||
deprecated class UnpicklingNode extends DeserializationSink {
|
||||
override string toString() { result = "unpickling untrusted data" }
|
||||
|
||||
UnpicklingNode() {
|
||||
exists(CallNode call |
|
||||
pickleLoads().getACall() = call and
|
||||
call.getAnArg() = this
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
/** DEPRECATED: use semmle.python.security.dataflow.RegexInjection instead. */
|
||||
|
||||
private import semmle.python.security.dataflow.RegexInjection as New
|
||||
|
||||
/** DEPRECATED: use semmle.python.security.dataflow.RegexInjection instead. */
|
||||
deprecated module RegexInjection = New::RegexInjection;
|
||||
@@ -1,6 +0,0 @@
|
||||
/** DEPRECATED: use semmle.python.security.dataflow.RegexInjectionCustomizations instead. */
|
||||
|
||||
private import semmle.python.security.dataflow.RegexInjectionCustomizations as New
|
||||
|
||||
/** DEPRECATED: use semmle.python.security.dataflow.RegexInjectionCustomizations instead. */
|
||||
deprecated module RegexInjection = New::RegexInjection;
|
||||
@@ -1,70 +0,0 @@
|
||||
/**
|
||||
* Provides class and predicates to track external data that
|
||||
* may represent malicious XML objects.
|
||||
*
|
||||
* This module is intended to be imported into a taint-tracking query
|
||||
* to extend `TaintKind` and `TaintSink`.
|
||||
*/
|
||||
|
||||
import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
import semmle.python.security.injection.Deserialization
|
||||
|
||||
deprecated private ModuleObject xmlElementTreeModule() {
|
||||
result.getName() = "xml.etree.ElementTree"
|
||||
}
|
||||
|
||||
deprecated private ModuleObject xmlMiniDomModule() { result.getName() = "xml.dom.minidom" }
|
||||
|
||||
deprecated private ModuleObject xmlPullDomModule() { result.getName() = "xml.dom.pulldom" }
|
||||
|
||||
deprecated private ModuleObject xmlSaxModule() { result.getName() = "xml.sax" }
|
||||
|
||||
deprecated private class ExpatParser extends TaintKind {
|
||||
ExpatParser() { this = "expat.parser" }
|
||||
}
|
||||
|
||||
deprecated private FunctionObject expatCreateParseFunction() {
|
||||
result = ModuleObject::named("xml.parsers.expat").attr("ParserCreate")
|
||||
}
|
||||
|
||||
deprecated private class ExpatCreateParser extends TaintSource {
|
||||
ExpatCreateParser() { expatCreateParseFunction().getACall() = this }
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) { kind instanceof ExpatParser }
|
||||
|
||||
override string toString() { result = "expat.create.parser" }
|
||||
}
|
||||
|
||||
deprecated private FunctionObject xmlFromString() {
|
||||
result = xmlElementTreeModule().attr("fromstring")
|
||||
or
|
||||
result = xmlMiniDomModule().attr("parseString")
|
||||
or
|
||||
result = xmlPullDomModule().attr("parseString")
|
||||
or
|
||||
result = xmlSaxModule().attr("parseString")
|
||||
}
|
||||
|
||||
/** A (potentially) malicious XML string. */
|
||||
deprecated class ExternalXmlString extends ExternalStringKind {
|
||||
ExternalXmlString() { this = "external xml encoded object" }
|
||||
}
|
||||
|
||||
/**
|
||||
* A call to an XML library function that is potentially vulnerable to a
|
||||
* specially crafted XML string.
|
||||
*/
|
||||
deprecated class XmlLoadNode extends DeserializationSink {
|
||||
override string toString() { result = "xml.load vulnerability" }
|
||||
|
||||
XmlLoadNode() {
|
||||
exists(CallNode call | call.getAnArg() = this |
|
||||
xmlFromString().getACall() = call or
|
||||
any(ExpatParser parser).taints(call.getFunction().(AttrNode).getObject("Parse"))
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalXmlString }
|
||||
}
|
||||
@@ -1,28 +0,0 @@
|
||||
/**
|
||||
* Provides class and predicates to track external data that
|
||||
* may represent malicious yaml-encoded objects.
|
||||
*
|
||||
* This module is intended to be imported into a taint-tracking query
|
||||
* to extend `TaintKind` and `TaintSink`.
|
||||
*/
|
||||
|
||||
import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
import semmle.python.security.injection.Deserialization
|
||||
|
||||
deprecated private FunctionObject yamlLoad() { result = ModuleObject::named("yaml").attr("load") }
|
||||
|
||||
/** `yaml.load(untrusted)` vulnerability. */
|
||||
deprecated class YamlLoadNode extends DeserializationSink {
|
||||
override string toString() { result = "yaml.load vulnerability" }
|
||||
|
||||
YamlLoadNode() {
|
||||
exists(CallNode call |
|
||||
yamlLoad().getACall() = call and
|
||||
call.getAnArg() = this
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
@@ -14,7 +14,6 @@ import python
|
||||
private import semmle.python.pointsto.PointsTo
|
||||
private import semmle.python.pointsto.PointsToContext
|
||||
private import semmle.python.objects.TObject
|
||||
private import semmle.python.web.HttpConstants
|
||||
/* Make ObjectInternal visible to save extra imports in user code */
|
||||
import semmle.python.objects.ObjectInternal
|
||||
|
||||
@@ -52,30 +51,6 @@ class RangeIterationVariableFact extends PointsToExtension {
|
||||
}
|
||||
}
|
||||
|
||||
/* bottle module route constants */
|
||||
deprecated class BottleRoutePointToExtension extends PointsToExtension {
|
||||
string name;
|
||||
|
||||
BottleRoutePointToExtension() {
|
||||
exists(DefinitionNode defn |
|
||||
defn.getScope().(Module).getName() = "bottle" and
|
||||
this = defn.getValue() and
|
||||
name = defn.(NameNode).getId()
|
||||
|
|
||||
name = "route" or
|
||||
name = httpVerbLower()
|
||||
)
|
||||
}
|
||||
|
||||
override predicate pointsTo(Context context, ObjectInternal value, ControlFlowNode origin) {
|
||||
context.isImport() and
|
||||
exists(CfgOrigin orig |
|
||||
Module::named("bottle").attr("Bottle").(ClassObjectInternal).attribute(name, value, orig) and
|
||||
origin = orig.asCfgNodeOrHere(this)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/* Python 3.6+ regex module constants */
|
||||
string short_flag(string flag) {
|
||||
flag in ["ASCII", "IGNORECASE", "LOCALE", "UNICODE", "MULTILINE", "TEMPLATE"] and
|
||||
|
||||
@@ -33,9 +33,6 @@ class SafeExternalApi extends Unit {
|
||||
DataFlowPrivate::DataFlowCallable getSafeCallable() { none() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SafeExternalApi */
|
||||
deprecated class SafeExternalAPI = SafeExternalApi;
|
||||
|
||||
/** The default set of "safe" external APIs. */
|
||||
private class DefaultSafeExternalApi extends SafeExternalApi {
|
||||
override DataFlow::CallCfgNode getSafeCall() {
|
||||
@@ -170,9 +167,6 @@ class ExternalApiDataNode extends DataFlow::Node {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for ExternalApiDataNode */
|
||||
deprecated class ExternalAPIDataNode = ExternalApiDataNode;
|
||||
|
||||
/** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
|
||||
class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
|
||||
UntrustedDataToExternalApiConfig() { this = "UntrustedDataToExternalAPIConfig" }
|
||||
@@ -182,9 +176,6 @@ class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for UntrustedDataToExternalApiConfig */
|
||||
deprecated class UntrustedDataToExternalAPIConfig = UntrustedDataToExternalApiConfig;
|
||||
|
||||
/** A node representing untrusted data being passed to an external API. */
|
||||
class UntrustedExternalApiDataNode extends ExternalApiDataNode {
|
||||
UntrustedExternalApiDataNode() { any(UntrustedDataToExternalApiConfig c).hasFlow(_, this) }
|
||||
@@ -195,9 +186,6 @@ class UntrustedExternalApiDataNode extends ExternalApiDataNode {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for UntrustedExternalApiDataNode */
|
||||
deprecated class UntrustedExternalAPIDataNode = UntrustedExternalApiDataNode;
|
||||
|
||||
/** An external API which is used with untrusted data. */
|
||||
private newtype TExternalApi =
|
||||
MkExternalApi(string repr, DataFlowPrivate::ArgumentPosition apos) {
|
||||
@@ -230,6 +218,3 @@ class ExternalApiUsedWithUntrustedData extends MkExternalApi {
|
||||
/** Gets a textual representation of this element. */
|
||||
string toString() { result = repr + " [" + apos + "]" }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for ExternalApiUsedWithUntrustedData */
|
||||
deprecated class ExternalAPIUsedWithUntrustedData = ExternalApiUsedWithUntrustedData;
|
||||
|
||||
@@ -90,9 +90,6 @@ module LdapQuery {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for LdapQuery */
|
||||
deprecated module LDAPQuery = LdapQuery;
|
||||
|
||||
/**
|
||||
* A data-flow node that collect methods executing a LDAP query.
|
||||
*
|
||||
@@ -106,9 +103,6 @@ class LdapQuery extends DataFlow::Node instanceof LdapQuery::Range {
|
||||
DataFlow::Node getQuery() { result = super.getQuery() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for LdapQuery */
|
||||
deprecated class LDAPQuery = LdapQuery;
|
||||
|
||||
/** Provides classes for modeling LDAP components escape-related APIs. */
|
||||
module LdapEscape {
|
||||
/**
|
||||
@@ -125,9 +119,6 @@ module LdapEscape {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for LdapEscape */
|
||||
deprecated module LDAPEscape = LdapEscape;
|
||||
|
||||
/**
|
||||
* A data-flow node that collects functions escaping LDAP components.
|
||||
*
|
||||
@@ -141,9 +132,6 @@ class LdapEscape extends DataFlow::Node instanceof LdapEscape::Range {
|
||||
DataFlow::Node getAnInput() { result = super.getAnInput() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for LdapEscape */
|
||||
deprecated class LDAPEscape = LdapEscape;
|
||||
|
||||
/** Provides classes for modeling LDAP bind-related APIs. */
|
||||
module LdapBind {
|
||||
/**
|
||||
@@ -173,9 +161,6 @@ module LdapBind {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for LdapBind */
|
||||
deprecated module LDAPBind = LdapBind;
|
||||
|
||||
/**
|
||||
* A data-flow node that collects methods binding a LDAP connection.
|
||||
*
|
||||
@@ -202,9 +187,6 @@ class LdapBind extends DataFlow::Node instanceof LdapBind::Range {
|
||||
deprecated predicate useSSL() { this.useSsl() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for LdapBind */
|
||||
deprecated class LDAPBind = LdapBind;
|
||||
|
||||
/** Provides classes for modeling SQL sanitization libraries. */
|
||||
module SqlEscape {
|
||||
/**
|
||||
@@ -221,9 +203,6 @@ module SqlEscape {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SqlEscape */
|
||||
deprecated module SQLEscape = SqlEscape;
|
||||
|
||||
/**
|
||||
* A data-flow node that collects functions escaping SQL statements.
|
||||
*
|
||||
@@ -237,9 +216,6 @@ class SqlEscape extends DataFlow::Node instanceof SqlEscape::Range {
|
||||
DataFlow::Node getAnInput() { result = super.getAnInput() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SqlEscape */
|
||||
deprecated class SQLEscape = SqlEscape;
|
||||
|
||||
/** Provides a class for modeling NoSql execution APIs. */
|
||||
module NoSqlQuery {
|
||||
/**
|
||||
@@ -254,9 +230,6 @@ module NoSqlQuery {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for NoSqlQuery */
|
||||
deprecated module NoSQLQuery = NoSqlQuery;
|
||||
|
||||
/**
|
||||
* A data-flow node that executes NoSQL queries.
|
||||
*
|
||||
@@ -268,9 +241,6 @@ class NoSqlQuery extends DataFlow::Node instanceof NoSqlQuery::Range {
|
||||
DataFlow::Node getQuery() { result = super.getQuery() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for NoSqlQuery */
|
||||
deprecated class NoSQLQuery = NoSqlQuery;
|
||||
|
||||
/** Provides classes for modeling NoSql sanitization-related APIs. */
|
||||
module NoSqlSanitizer {
|
||||
/**
|
||||
@@ -285,9 +255,6 @@ module NoSqlSanitizer {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for NoSqlSanitizer */
|
||||
deprecated module NoSQLSanitizer = NoSqlSanitizer;
|
||||
|
||||
/**
|
||||
* A data-flow node that collects functions sanitizing NoSQL queries.
|
||||
*
|
||||
@@ -299,9 +266,6 @@ class NoSqlSanitizer extends DataFlow::Node instanceof NoSqlSanitizer::Range {
|
||||
DataFlow::Node getAnInput() { result = super.getAnInput() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for NoSqlSanitizer */
|
||||
deprecated class NoSQLSanitizer = NoSqlSanitizer;
|
||||
|
||||
/** Provides classes for modeling HTTP Header APIs. */
|
||||
module HeaderDeclaration {
|
||||
/**
|
||||
@@ -450,9 +414,6 @@ module JwtEncoding {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for JwtEncoding */
|
||||
deprecated module JWTEncoding = JwtEncoding;
|
||||
|
||||
/**
|
||||
* A data-flow node that collects methods encoding a JWT token.
|
||||
*
|
||||
@@ -481,9 +442,6 @@ class JwtEncoding extends DataFlow::Node instanceof JwtEncoding::Range {
|
||||
string getAlgorithmString() { result = super.getAlgorithmString() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for JwtEncoding */
|
||||
deprecated class JWTEncoding = JwtEncoding;
|
||||
|
||||
/** Provides classes for modeling JWT decoding-related APIs. */
|
||||
module JwtDecoding {
|
||||
/**
|
||||
@@ -525,9 +483,6 @@ module JwtDecoding {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for JwtDecoding */
|
||||
deprecated module JWTDecoding = JwtDecoding;
|
||||
|
||||
/**
|
||||
* A data-flow node that collects methods encoding a JWT token.
|
||||
*
|
||||
@@ -566,9 +521,6 @@ class JwtDecoding extends DataFlow::Node instanceof JwtDecoding::Range {
|
||||
predicate verifiesSignature() { super.verifiesSignature() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for JwtDecoding */
|
||||
deprecated class JWTDecoding = JwtDecoding;
|
||||
|
||||
/** Provides classes for modeling Email APIs. */
|
||||
module EmailSender {
|
||||
/**
|
||||
|
||||
@@ -29,23 +29,14 @@ class LdapFullHost extends StrConst {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for LdapFullHost */
|
||||
deprecated class LDAPFullHost = LdapFullHost;
|
||||
|
||||
class LdapSchema extends StrConst {
|
||||
LdapSchema() { this.getText().regexpMatch(getSchemaRegex()) }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for LdapSchema */
|
||||
deprecated class LDAPSchema = LdapSchema;
|
||||
|
||||
class LdapPrivateHost extends StrConst {
|
||||
LdapPrivateHost() { this.getText().regexpMatch(getPrivateHostRegex()) }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for LdapPrivateHost */
|
||||
deprecated class LDAPPrivateHost = LdapPrivateHost;
|
||||
|
||||
predicate concatAndCompareAgainstFullHostRegex(LdapSchema schema, StrConst host) {
|
||||
not host instanceof LdapPrivateHost and
|
||||
(schema.getText() + host.getText()).regexpMatch(getFullHostRegex())
|
||||
@@ -56,9 +47,6 @@ class LdapBothStrings extends BinaryExpr {
|
||||
LdapBothStrings() { concatAndCompareAgainstFullHostRegex(this.getLeft(), this.getRight()) }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for LdapBothStrings */
|
||||
deprecated class LDAPBothStrings = LdapBothStrings;
|
||||
|
||||
// schema + host
|
||||
class LdapBothVar extends BinaryExpr {
|
||||
LdapBothVar() {
|
||||
@@ -73,9 +61,6 @@ class LdapBothVar extends BinaryExpr {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for LdapBothVar */
|
||||
deprecated class LDAPBothVar = LdapBothVar;
|
||||
|
||||
// schema + "somethingon.theinternet.com"
|
||||
class LdapVarString extends BinaryExpr {
|
||||
LdapVarString() {
|
||||
@@ -89,9 +74,6 @@ class LdapVarString extends BinaryExpr {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for LdapVarString */
|
||||
deprecated class LDAPVarString = LdapVarString;
|
||||
|
||||
// "ldap://" + host
|
||||
class LdapStringVar extends BinaryExpr {
|
||||
LdapStringVar() {
|
||||
@@ -103,9 +85,6 @@ class LdapStringVar extends BinaryExpr {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for LdapStringVar */
|
||||
deprecated class LDAPStringVar = LdapStringVar;
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for detecting LDAP insecure authentications.
|
||||
*/
|
||||
@@ -125,6 +104,3 @@ class LdapInsecureAuthConfig extends TaintTracking::Configuration {
|
||||
exists(LdapBind ldapBind | not ldapBind.useSsl() and sink = ldapBind.getHost())
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for LdapInsecureAuthConfig */
|
||||
deprecated class LDAPInsecureAuthConfig = LdapInsecureAuthConfig;
|
||||
|
||||
@@ -52,6 +52,3 @@ module NoSqlInjection {
|
||||
ConvertedToDict() { this = "ConvertedToDict" }
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for NoSqlInjection */
|
||||
deprecated module NoSQLInjection = NoSqlInjection;
|
||||
|
||||
@@ -1,6 +0,0 @@
|
||||
WARNING: Module SensitiveData has been deprecated and may be removed in future (Sources.ql:4,6-19)
|
||||
| test.py:16:1:16:14 | test.py:16 | a call returning a password |
|
||||
| test.py:17:1:17:12 | test.py:17 | a call returning a password |
|
||||
| test.py:18:1:18:12 | test.py:18 | a call returning a secret |
|
||||
| test.py:19:1:19:19 | test.py:19 | a call returning a certificate or key |
|
||||
| test.py:20:1:20:12 | test.py:20 | a call returning an ID |
|
||||
@@ -1,5 +0,0 @@
|
||||
import python
|
||||
import semmle.python.security.SensitiveData
|
||||
|
||||
from SensitiveData::Source src
|
||||
select src.getLocation(), src.repr()
|
||||
@@ -1,21 +0,0 @@
|
||||
|
||||
from not_found import get_passwd, account_id
|
||||
|
||||
def get_password():
|
||||
pass
|
||||
|
||||
def get_secret():
|
||||
pass
|
||||
|
||||
def fetch_certificate():
|
||||
pass
|
||||
|
||||
def encrypt_password(pwd):
|
||||
pass
|
||||
|
||||
get_password()
|
||||
get_passwd()
|
||||
get_secret()
|
||||
fetch_certificate()
|
||||
account_id()
|
||||
safe_to_store = encrypt_password(pwd)
|
||||
@@ -1,5 +0,0 @@
|
||||
WARNING: Type HttpResponseTaintSink has been deprecated and may be removed in future (HttpResponseSinks.ql:5,6-27)
|
||||
| test.py:9:12:9:26 | bottle handler function result | externally controlled string |
|
||||
| test.py:13:12:13:24 | bottle handler function result | externally controlled string |
|
||||
| test.py:19:12:19:33 | bottle handler function result | externally controlled string |
|
||||
| test.py:36:21:36:51 | Taint sink | externally controlled string |
|
||||
@@ -1,7 +0,0 @@
|
||||
import python
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from HttpResponseTaintSink sink, TaintKind kind
|
||||
where sink.sinks(kind)
|
||||
select sink, kind
|
||||
@@ -1,9 +0,0 @@
|
||||
WARNING: Type HttpRequestTaintSource has been deprecated and may be removed in future (HttpSources.ql:5,6-28)
|
||||
| ../../../query-tests/Security/lib/bottle.py:64:11:64:24 | LocalRequest() | bottle.request |
|
||||
| test.py:3:35:3:41 | ImportMember | bottle.request |
|
||||
| test.py:8:11:8:14 | name | externally controlled string |
|
||||
| test.py:12:9:12:12 | name | externally controlled string |
|
||||
| test.py:18:12:18:18 | request | bottle.request |
|
||||
| test.py:27:12:27:16 | where | externally controlled string |
|
||||
| test.py:32:14:32:20 | request | bottle.request |
|
||||
| test.py:36:34:36:40 | request | bottle.request |
|
||||
@@ -1,7 +0,0 @@
|
||||
import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from HttpRequestTaintSource source, TaintKind kind
|
||||
where source.isSourceOf(kind)
|
||||
select source.(ControlFlowNode).getNode(), kind
|
||||
@@ -1,8 +0,0 @@
|
||||
WARNING: Type BottleRoute has been deprecated and may be removed in future (Routing.ql:4,6-17)
|
||||
| /args | test.py:31:1:31:14 | Function unsafe2 |
|
||||
| /bye/<name> | test.py:12:1:12:25 | Function bye |
|
||||
| /hello/<name> | test.py:8:1:8:27 | Function hello |
|
||||
| /other | test.py:17:1:17:12 | Function other |
|
||||
| /wrong/<where> | test.py:27:1:27:31 | Function unsafe |
|
||||
| /wrong/url | test.py:23:1:23:11 | Function safe |
|
||||
| /xss | test.py:35:1:35:16 | Function maybe_xss |
|
||||
@@ -1,5 +0,0 @@
|
||||
import python
|
||||
import semmle.python.web.bottle.General
|
||||
|
||||
from BottleRoute route
|
||||
select route.getUrl(), route.getFunction()
|
||||
@@ -1,23 +0,0 @@
|
||||
| ../../../query-tests/Security/lib/bottle.py:64 | LocalRequest() | bottle.request |
|
||||
| ../../../query-tests/Security/lib/bottle.py:68 | url | externally controlled string |
|
||||
| test.py:3 | ImportMember | bottle.request |
|
||||
| test.py:8 | name | externally controlled string |
|
||||
| test.py:9 | BinaryExpr | externally controlled string |
|
||||
| test.py:9 | name | externally controlled string |
|
||||
| test.py:12 | name | externally controlled string |
|
||||
| test.py:13 | BinaryExpr | externally controlled string |
|
||||
| test.py:13 | name | externally controlled string |
|
||||
| test.py:18 | Attribute | bottle.FormsDict |
|
||||
| test.py:18 | Attribute | externally controlled string |
|
||||
| test.py:18 | request | bottle.request |
|
||||
| test.py:19 | BinaryExpr | externally controlled string |
|
||||
| test.py:19 | name | externally controlled string |
|
||||
| test.py:27 | where | externally controlled string |
|
||||
| test.py:28 | where | externally controlled string |
|
||||
| test.py:32 | Attribute | bottle.FormsDict |
|
||||
| test.py:32 | Attribute | externally controlled string |
|
||||
| test.py:32 | request | bottle.request |
|
||||
| test.py:36 | Attribute | bottle.FormsDict |
|
||||
| test.py:36 | Attribute | externally controlled string |
|
||||
| test.py:36 | BinaryExpr | externally controlled string |
|
||||
| test.py:36 | request | bottle.request |
|
||||
@@ -1,7 +0,0 @@
|
||||
import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from TaintedNode node
|
||||
select node.getLocation().toString(), node.getAstNode().toString(), node.getTaintKind()
|
||||
@@ -1 +0,0 @@
|
||||
semmle-extractor-options: --max-import-depth=3 -p ../../../query-tests/Security/lib/
|
||||
@@ -1,36 +0,0 @@
|
||||
|
||||
|
||||
from bottle import Bottle, route, request, redirect, response
|
||||
|
||||
app = Bottle()
|
||||
|
||||
@app.route('/hello/<name>')
|
||||
def hello(name = "World!"):
|
||||
return "Hello " + name
|
||||
|
||||
@route('/bye/<name>')
|
||||
def bye(name = "World!"):
|
||||
return "Bye " + name
|
||||
|
||||
|
||||
@route('/other')
|
||||
def other():
|
||||
name = request.cookies.username
|
||||
return "User name is " + name
|
||||
|
||||
|
||||
@route('/wrong/url')
|
||||
def safe():
|
||||
redirect("/right/url")
|
||||
|
||||
@route('/wrong/<where>')
|
||||
def unsafe(where="/right/url"):
|
||||
redirect(where)
|
||||
|
||||
@route('/args')
|
||||
def unsafe2():
|
||||
redirect(request.query.where, code)
|
||||
|
||||
@route('/xss')
|
||||
def maybe_xss():
|
||||
response.body = "name is " + request.query.name
|
||||
@@ -1,4 +0,0 @@
|
||||
WARNING: Type HttpResponseTaintSink has been deprecated and may be removed in future (HttpResponseSinks.ql:5,6-27)
|
||||
| red.py:8:16:8:20 | cherrypy handler function result | externally controlled string |
|
||||
| test.py:11:16:11:29 | cherrypy handler function result | externally controlled string |
|
||||
| test.py:17:16:17:27 | cherrypy handler function result | externally controlled string |
|
||||
@@ -1,7 +0,0 @@
|
||||
import python
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from HttpResponseTaintSink sink, TaintKind kind
|
||||
where sink.sinks(kind)
|
||||
select sink, kind
|
||||
@@ -1,4 +0,0 @@
|
||||
WARNING: Type HttpRequestTaintSource has been deprecated and may be removed in future (HttpSources.ql:5,6-28)
|
||||
| ../../../query-tests/Security/lib/cherrypy/__init__.py:10:11:10:38 | _ThreadLocalProxy() | cherrypy.request |
|
||||
| test.py:10:17:10:19 | arg | externally controlled string |
|
||||
| test.py:16:17:16:19 | arg | externally controlled string |
|
||||
@@ -1,7 +0,0 @@
|
||||
import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from HttpRequestTaintSource source, TaintKind kind
|
||||
where source.isSourceOf(kind)
|
||||
select source.(ControlFlowNode).getNode(), kind
|
||||
@@ -1 +0,0 @@
|
||||
semmle-extractor-options: --max-import-depth=3 -p ../../../query-tests/Security/lib/
|
||||
@@ -1,11 +0,0 @@
|
||||
|
||||
import cherrypy
|
||||
|
||||
class MultiPath(object):
|
||||
|
||||
@cherrypy.expose(['color', 'colour'])
|
||||
def red(self):
|
||||
return "RED"
|
||||
|
||||
if __name__ == '__main__':
|
||||
cherrypy.quickstart(MultiPath())
|
||||
@@ -1,23 +0,0 @@
|
||||
|
||||
import random
|
||||
import string
|
||||
|
||||
import cherrypy
|
||||
|
||||
class A(object):
|
||||
|
||||
@cherrypy.expose
|
||||
def a(self, arg):
|
||||
return "hello " + arg
|
||||
|
||||
class B(object):
|
||||
|
||||
@cherrypy.expose
|
||||
def b(self, arg):
|
||||
return "bye " + arg
|
||||
|
||||
cherrypy.tree.mount(A(), '/a', a_conf)
|
||||
cherrypy.tree.mount(B(), '/b', b_conf)
|
||||
|
||||
cherrypy.engine.start()
|
||||
cherrypy.engine.block()
|
||||
@@ -1,3 +0,0 @@
|
||||
WARNING: Module Client has been deprecated and may be removed in future (ClientHttpRequests.ql:5,6-12)
|
||||
| test.py:3:1:3:27 | ControlFlowNode for Attribute() | test.py:3:14:3:26 | ControlFlowNode for Str | GET |
|
||||
| test.py:4:1:4:28 | ControlFlowNode for Attribute() | test.py:4:15:4:27 | ControlFlowNode for Str | POST |
|
||||
@@ -1,7 +0,0 @@
|
||||
import python
|
||||
import semmle.python.web.Http
|
||||
import semmle.python.web.ClientHttpRequest
|
||||
|
||||
from Client::HttpRequest req, string method
|
||||
where if exists(req.getMethodUpper()) then method = req.getMethodUpper() else method = "<NO METHOD>"
|
||||
select req, req.getAUrlPart(), method
|
||||
@@ -1 +0,0 @@
|
||||
semmle-extractor-options: -p ../../../../query-tests/Security/lib/ --max-import-depth=1
|
||||
@@ -1,4 +0,0 @@
|
||||
import requests
|
||||
|
||||
requests.get('example.com')
|
||||
requests.post('example.com')
|
||||
@@ -1,11 +0,0 @@
|
||||
WARNING: Module Client has been deprecated and may be removed in future (ClientHttpRequests.ql:5,6-12)
|
||||
| test.py:6:5:6:32 | ControlFlowNode for Attribute() | test.py:5:27:5:39 | ControlFlowNode for Str | GET |
|
||||
| test.py:6:5:6:32 | ControlFlowNode for Attribute() | test.py:6:25:6:31 | ControlFlowNode for Str | GET |
|
||||
| test.py:15:5:15:33 | ControlFlowNode for Attribute() | test.py:10:28:10:40 | ControlFlowNode for Str | POST |
|
||||
| test.py:15:5:15:33 | ControlFlowNode for Attribute() | test.py:15:26:15:32 | ControlFlowNode for Str | POST |
|
||||
| test.py:20:5:20:33 | ControlFlowNode for Attribute() | test.py:19:27:19:39 | ControlFlowNode for Str | <NO METHOD> |
|
||||
| test.py:20:5:20:33 | ControlFlowNode for Attribute() | test.py:20:26:20:32 | ControlFlowNode for Str | <NO METHOD> |
|
||||
| test.py:30:5:30:32 | ControlFlowNode for Attribute() | test.py:28:27:28:30 | ControlFlowNode for fake | GET |
|
||||
| test.py:30:5:30:32 | ControlFlowNode for Attribute() | test.py:30:25:30:31 | ControlFlowNode for Str | GET |
|
||||
| test.py:37:5:37:29 | ControlFlowNode for req_meth() | test.py:35:27:35:39 | ControlFlowNode for Str | HEAD |
|
||||
| test.py:37:5:37:29 | ControlFlowNode for req_meth() | test.py:37:22:37:28 | ControlFlowNode for Str | HEAD |
|
||||
@@ -1,7 +0,0 @@
|
||||
import python
|
||||
import semmle.python.web.Http
|
||||
import semmle.python.web.ClientHttpRequest
|
||||
|
||||
from Client::HttpRequest req, string method
|
||||
where if exists(req.getMethodUpper()) then method = req.getMethodUpper() else method = "<NO METHOD>"
|
||||
select req, req.getAUrlPart(), method
|
||||
@@ -1,2 +0,0 @@
|
||||
semmle-extractor-options: --max-import-depth=2
|
||||
optimize: true
|
||||
@@ -1,37 +0,0 @@
|
||||
from six.moves.http_client import HTTPConnection, HTTPSConnection
|
||||
|
||||
|
||||
def basic():
|
||||
conn = HTTPConnection('example.com')
|
||||
conn.request('GET', '/path')
|
||||
|
||||
|
||||
def indirect_caller():
|
||||
conn = HTTPSConnection('example.com')
|
||||
indirect_callee(conn)
|
||||
|
||||
|
||||
def indirect_callee(conn):
|
||||
conn.request('POST', '/path')
|
||||
|
||||
|
||||
def method_not_known(method):
|
||||
conn = HTTPConnection('example.com')
|
||||
conn.request(method, '/path')
|
||||
|
||||
|
||||
def sneaky_setting_host():
|
||||
# We don't handle that the host is overwritten directly.
|
||||
# A contrived example; you're not supposed to do this, but you certainly can.
|
||||
fake = 'fakehost.com'
|
||||
real = 'realhost.com'
|
||||
conn = HTTPConnection(fake)
|
||||
conn.host = real
|
||||
conn.request('GET', '/path')
|
||||
|
||||
|
||||
def tricky_not_attribute_node():
|
||||
# A contrived example; you're not supposed to do this, but you certainly can.
|
||||
conn = HTTPConnection('example.com')
|
||||
req_meth = conn.request
|
||||
req_meth('HEAD', '/path')
|
||||
@@ -1,11 +0,0 @@
|
||||
WARNING: Module Client has been deprecated and may be removed in future (ClientHttpRequests.ql:5,6-12)
|
||||
| test.py:13:5:13:32 | ControlFlowNode for Attribute() | test.py:12:27:12:39 | ControlFlowNode for Str | GET |
|
||||
| test.py:13:5:13:32 | ControlFlowNode for Attribute() | test.py:13:25:13:31 | ControlFlowNode for Str | GET |
|
||||
| test.py:22:5:22:33 | ControlFlowNode for Attribute() | test.py:17:28:17:40 | ControlFlowNode for Str | POST |
|
||||
| test.py:22:5:22:33 | ControlFlowNode for Attribute() | test.py:22:26:22:32 | ControlFlowNode for Str | POST |
|
||||
| test.py:27:5:27:33 | ControlFlowNode for Attribute() | test.py:26:27:26:39 | ControlFlowNode for Str | <NO METHOD> |
|
||||
| test.py:27:5:27:33 | ControlFlowNode for Attribute() | test.py:27:26:27:32 | ControlFlowNode for Str | <NO METHOD> |
|
||||
| test.py:37:5:37:32 | ControlFlowNode for Attribute() | test.py:35:27:35:30 | ControlFlowNode for fake | GET |
|
||||
| test.py:37:5:37:32 | ControlFlowNode for Attribute() | test.py:37:25:37:31 | ControlFlowNode for Str | GET |
|
||||
| test.py:44:5:44:29 | ControlFlowNode for req_meth() | test.py:42:27:42:39 | ControlFlowNode for Str | HEAD |
|
||||
| test.py:44:5:44:29 | ControlFlowNode for req_meth() | test.py:44:22:44:28 | ControlFlowNode for Str | HEAD |
|
||||
@@ -1,7 +0,0 @@
|
||||
import python
|
||||
import semmle.python.web.Http
|
||||
import semmle.python.web.ClientHttpRequest
|
||||
|
||||
from Client::HttpRequest req, string method
|
||||
where if exists(req.getMethodUpper()) then method = req.getMethodUpper() else method = "<NO METHOD>"
|
||||
select req, req.getAUrlPart(), method
|
||||
@@ -1 +0,0 @@
|
||||
semmle-extractor-options: --max-import-depth=1
|
||||
@@ -1,44 +0,0 @@
|
||||
import sys
|
||||
PY2 = sys.version_info[0] == 2
|
||||
PY3 = sys.version_info[0] == 3
|
||||
|
||||
if PY2:
|
||||
from httplib import HTTPConnection, HTTPSConnection
|
||||
if PY3:
|
||||
from http.client import HTTPConnection, HTTPSConnection
|
||||
|
||||
|
||||
def basic():
|
||||
conn = HTTPConnection('example.com')
|
||||
conn.request('GET', '/path')
|
||||
|
||||
|
||||
def indirect_caller():
|
||||
conn = HTTPSConnection('example.com')
|
||||
indirect_callee(conn)
|
||||
|
||||
|
||||
def indirect_callee(conn):
|
||||
conn.request('POST', '/path')
|
||||
|
||||
|
||||
def method_not_known(method):
|
||||
conn = HTTPConnection('example.com')
|
||||
conn.request(method, '/path')
|
||||
|
||||
|
||||
def sneaky_setting_host():
|
||||
# We don't handle that the host is overwritten directly.
|
||||
# A contrived example; you're not supposed to do this, but you certainly can.
|
||||
fake = 'fakehost.com'
|
||||
real = 'realhost.com'
|
||||
conn = HTTPConnection(fake)
|
||||
conn.host = real
|
||||
conn.request('GET', '/path')
|
||||
|
||||
|
||||
def tricky_not_attribute_node():
|
||||
# A contrived example; you're not supposed to do this, but you certainly can.
|
||||
conn = HTTPConnection('example.com')
|
||||
req_meth = conn.request
|
||||
req_meth('HEAD', '/path')
|
||||
@@ -1,5 +0,0 @@
|
||||
WARNING: Type HttpRedirectTaintSink has been deprecated and may be removed in future (HttpRedirectSinks.ql:5,6-27)
|
||||
| test_1x.py:13:21:13:24 | DjangoShortcutsRedirectSink | externally controlled string |
|
||||
| test_2x_3x.py:13:21:13:24 | DjangoShortcutsRedirectSink | externally controlled string |
|
||||
| views_1x.py:99:33:99:55 | DjangoRedirectResponseSink | externally controlled string |
|
||||
| views_2x_3x.py:120:33:120:55 | DjangoRedirectResponseSink | externally controlled string |
|
||||
@@ -1,7 +0,0 @@
|
||||
import python
|
||||
import semmle.python.web.HttpRedirect
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from HttpRedirectTaintSink sink, TaintKind kind
|
||||
where sink.sinks(kind)
|
||||
select sink, kind
|
||||
@@ -1,32 +0,0 @@
|
||||
WARNING: Type HttpResponseTaintSink has been deprecated and may be removed in future (HttpResponseSinks.ql:5,6-27)
|
||||
| views_1x.py:8:25:8:63 | django.Response(...) | externally controlled string |
|
||||
| views_1x.py:12:25:12:52 | django.Response(...) | externally controlled string |
|
||||
| views_1x.py:16:25:16:53 | django.Response(...) | externally controlled string |
|
||||
| views_1x.py:21:15:21:42 | django.Response.write(...) | externally controlled string |
|
||||
| views_1x.py:30:29:30:60 | django.Response(...) | externally controlled string |
|
||||
| views_1x.py:36:29:36:65 | django.Response(...) | externally controlled string |
|
||||
| views_1x.py:41:25:41:63 | django.Response(...) | externally controlled string |
|
||||
| views_1x.py:45:25:45:70 | django.Response(...) | externally controlled string |
|
||||
| views_1x.py:66:25:66:55 | django.Response(...) | externally controlled string |
|
||||
| views_1x.py:75:25:75:33 | django.Response(...) | externally controlled string |
|
||||
| views_1x.py:90:25:90:33 | django.Response(...) | externally controlled string |
|
||||
| views_1x.py:94:25:94:58 | django.Response(...) | externally controlled string |
|
||||
| views_1x.py:103:33:103:55 | django.Response(...) | externally controlled string |
|
||||
| views_1x.py:107:25:107:47 | django.Response(...) | externally controlled string |
|
||||
| views_2x_3x.py:8:25:8:63 | django.Response(...) | externally controlled string |
|
||||
| views_2x_3x.py:12:25:12:52 | django.Response(...) | externally controlled string |
|
||||
| views_2x_3x.py:16:25:16:53 | django.Response(...) | externally controlled string |
|
||||
| views_2x_3x.py:21:15:21:42 | django.Response.write(...) | externally controlled string |
|
||||
| views_2x_3x.py:30:29:30:60 | django.Response(...) | externally controlled string |
|
||||
| views_2x_3x.py:36:29:36:65 | django.Response(...) | externally controlled string |
|
||||
| views_2x_3x.py:41:25:41:63 | django.Response(...) | externally controlled string |
|
||||
| views_2x_3x.py:45:25:45:70 | django.Response(...) | externally controlled string |
|
||||
| views_2x_3x.py:66:25:66:40 | django.Response(...) | externally controlled string |
|
||||
| views_2x_3x.py:79:25:79:61 | django.Response(...) | externally controlled string |
|
||||
| views_2x_3x.py:82:25:82:69 | django.Response(...) | externally controlled string |
|
||||
| views_2x_3x.py:85:25:85:64 | django.Response(...) | externally controlled string |
|
||||
| views_2x_3x.py:88:25:88:32 | django.Response(...) | externally controlled string |
|
||||
| views_2x_3x.py:111:25:111:33 | django.Response(...) | externally controlled string |
|
||||
| views_2x_3x.py:115:25:115:58 | django.Response(...) | externally controlled string |
|
||||
| views_2x_3x.py:124:33:124:55 | django.Response(...) | externally controlled string |
|
||||
| views_2x_3x.py:128:25:128:47 | django.Response(...) | externally controlled string |
|
||||
@@ -1,7 +0,0 @@
|
||||
import python
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from HttpResponseTaintSink sink, TaintKind kind
|
||||
where sink.sinks(kind)
|
||||
select sink, kind
|
||||
@@ -1,53 +0,0 @@
|
||||
WARNING: Type HttpRequestTaintSource has been deprecated and may be removed in future (HttpSources.ql:5,6-28)
|
||||
| test_1x.py:6:19:6:25 | request | django.request.HttpRequest |
|
||||
| test_1x.py:6:28:6:31 | path | externally controlled string |
|
||||
| test_1x.py:12:19:12:25 | request | django.request.HttpRequest |
|
||||
| test_1x.py:12:28:12:31 | path | externally controlled string |
|
||||
| test_2x_3x.py:6:19:6:25 | request | django.request.HttpRequest |
|
||||
| test_2x_3x.py:6:28:6:31 | path | externally controlled string |
|
||||
| test_2x_3x.py:12:19:12:25 | request | django.request.HttpRequest |
|
||||
| test_2x_3x.py:12:28:12:31 | path | externally controlled string |
|
||||
| views_1x.py:7:19:7:25 | request | django.request.HttpRequest |
|
||||
| views_1x.py:7:28:7:30 | foo | externally controlled string |
|
||||
| views_1x.py:7:33:7:35 | bar | externally controlled string |
|
||||
| views_1x.py:11:20:11:26 | request | django.request.HttpRequest |
|
||||
| views_1x.py:15:21:15:27 | request | django.request.HttpRequest |
|
||||
| views_1x.py:19:21:19:27 | request | django.request.HttpRequest |
|
||||
| views_1x.py:29:20:29:26 | request | django.request.HttpRequest |
|
||||
| views_1x.py:29:29:29:37 | untrusted | externally controlled string |
|
||||
| views_1x.py:35:19:35:25 | request | django.request.HttpRequest |
|
||||
| views_1x.py:35:28:35:36 | untrusted | externally controlled string |
|
||||
| views_1x.py:39:19:39:25 | request | django.request.HttpRequest |
|
||||
| views_1x.py:39:28:39:38 | page_number | externally controlled string |
|
||||
| views_1x.py:44:24:44:30 | request | django.request.HttpRequest |
|
||||
| views_1x.py:44:33:44:36 | arg0 | externally controlled string |
|
||||
| views_1x.py:44:39:44:42 | arg1 | externally controlled string |
|
||||
| views_1x.py:65:15:65:21 | request | django.request.HttpRequest |
|
||||
| views_1x.py:65:24:65:31 | username | externally controlled string |
|
||||
| views_1x.py:74:13:74:19 | request | django.request.HttpRequest |
|
||||
| views_2x_3x.py:7:19:7:25 | request | django.request.HttpRequest |
|
||||
| views_2x_3x.py:7:28:7:30 | foo | externally controlled string |
|
||||
| views_2x_3x.py:7:33:7:35 | bar | externally controlled string |
|
||||
| views_2x_3x.py:11:20:11:26 | request | django.request.HttpRequest |
|
||||
| views_2x_3x.py:15:21:15:27 | request | django.request.HttpRequest |
|
||||
| views_2x_3x.py:19:21:19:27 | request | django.request.HttpRequest |
|
||||
| views_2x_3x.py:29:20:29:26 | request | django.request.HttpRequest |
|
||||
| views_2x_3x.py:29:29:29:37 | untrusted | externally controlled string |
|
||||
| views_2x_3x.py:35:19:35:25 | request | django.request.HttpRequest |
|
||||
| views_2x_3x.py:35:28:35:36 | untrusted | externally controlled string |
|
||||
| views_2x_3x.py:39:19:39:25 | request | django.request.HttpRequest |
|
||||
| views_2x_3x.py:39:28:39:38 | page_number | externally controlled string |
|
||||
| views_2x_3x.py:44:24:44:30 | request | django.request.HttpRequest |
|
||||
| views_2x_3x.py:44:33:44:36 | arg0 | externally controlled string |
|
||||
| views_2x_3x.py:44:39:44:42 | arg1 | externally controlled string |
|
||||
| views_2x_3x.py:65:20:65:26 | request | django.request.HttpRequest |
|
||||
| views_2x_3x.py:78:17:78:23 | request | django.request.HttpRequest |
|
||||
| views_2x_3x.py:78:26:78:36 | page_number | externally controlled string |
|
||||
| views_2x_3x.py:81:17:81:23 | request | django.request.HttpRequest |
|
||||
| views_2x_3x.py:81:26:81:28 | foo | externally controlled string |
|
||||
| views_2x_3x.py:81:31:81:33 | bar | externally controlled string |
|
||||
| views_2x_3x.py:81:36:81:38 | baz | externally controlled string |
|
||||
| views_2x_3x.py:84:17:84:23 | request | django.request.HttpRequest |
|
||||
| views_2x_3x.py:84:26:84:28 | foo | externally controlled string |
|
||||
| views_2x_3x.py:84:31:84:33 | bar | externally controlled string |
|
||||
| views_2x_3x.py:87:26:87:32 | request | django.request.HttpRequest |
|
||||
@@ -1,7 +0,0 @@
|
||||
import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from HttpRequestTaintSource source, TaintKind kind
|
||||
where source.isSourceOf(kind)
|
||||
select source.(ControlFlowNode).getNode(), kind
|
||||
@@ -1,9 +0,0 @@
|
||||
| sql.py:13:24:13:64 | db.connection.execute | externally controlled string |
|
||||
| sql.py:14:26:14:66 | django.models.QuerySet.raw(sink,...) | externally controlled string |
|
||||
| sql.py:17:24:17:77 | db.connection.execute | externally controlled string |
|
||||
| sql.py:20:38:20:95 | django.db.models.expressions.RawSQL(sink,...) | externally controlled string |
|
||||
| sql.py:21:26:21:83 | django.models.QuerySet.raw(sink,...) | externally controlled string |
|
||||
| sql.py:22:28:22:85 | django.models.QuerySet.extra(sink,...) | externally controlled string |
|
||||
| sql.py:36:26:36:68 | django.models.QuerySet.raw(sink,...) | externally controlled string |
|
||||
| sql.py:42:11:42:52 | django.models.QuerySet.raw(sink,...) | externally controlled string |
|
||||
| sql.py:47:13:47:54 | django.models.QuerySet.extra(sink,...) | externally controlled string |
|
||||
@@ -1,8 +0,0 @@
|
||||
import python
|
||||
import semmle.python.security.injection.Sql
|
||||
import semmle.python.web.django.Db
|
||||
import semmle.python.web.django.Model
|
||||
|
||||
from SqlInjectionSink sink, TaintKind kind
|
||||
where sink.sinks(kind)
|
||||
select sink, kind
|
||||
@@ -1 +0,0 @@
|
||||
semmle-extractor-options: --lang=3 --max-import-depth=3 -p ../../../query-tests/Security/lib/
|
||||
@@ -1,53 +0,0 @@
|
||||
from django.db import connection, models
|
||||
from django.db.models.expressions import RawSQL
|
||||
|
||||
|
||||
class User(models.Model):
|
||||
username = models.CharField(max_length=100)
|
||||
description = models.TextField(blank=True)
|
||||
|
||||
|
||||
def show_user(username):
|
||||
with connection.cursor() as cursor:
|
||||
# GOOD -- Using parameters
|
||||
cursor.execute("SELECT * FROM users WHERE username = %s", username)
|
||||
User.objects.raw("SELECT * FROM users WHERE username = %s", (username,))
|
||||
|
||||
# BAD -- Using string formatting
|
||||
cursor.execute("SELECT * FROM users WHERE username = '%s'" % username)
|
||||
|
||||
# BAD -- other ways of executing raw SQL code with string interpolation
|
||||
User.objects.annotate(RawSQL("insert into names_file ('name') values ('%s')" % username))
|
||||
User.objects.raw("insert into names_file ('name') values ('%s')" % username)
|
||||
User.objects.extra("insert into names_file ('name') values ('%s')" % username)
|
||||
|
||||
# BAD (but currently no custom query to find this)
|
||||
#
|
||||
# It is exposed to SQL injection (https://docs.djangoproject.com/en/2.2/ref/models/querysets/#extra)
|
||||
# For example, using name = "; DROP ALL TABLES -- "
|
||||
# will result in SQL: SELECT * FROM name WHERE name = ''; DROP ALL TABLES -- ''
|
||||
#
|
||||
# This shouldn't be very widespread, since using a normal string will result in invalid SQL
|
||||
# Using name = "example", will result in SQL: SELECT * FROM name WHERE name = ''example''
|
||||
# which in MySQL will give a syntax error
|
||||
#
|
||||
# When testing this out locally, none of the queries worked against SQLite3, but I could use
|
||||
# the SQL injection against MySQL.
|
||||
User.objects.raw("SELECT * FROM users WHERE username = '%s'", (username,))
|
||||
|
||||
|
||||
def raw3(arg):
|
||||
m = User.objects.filter('foo')
|
||||
m = m.filter('bar')
|
||||
m.raw("select foo from bar where baz = %s" % arg)
|
||||
|
||||
|
||||
def raw4(arg):
|
||||
m = User.objects.filter('foo')
|
||||
m.extra("select foo from bar where baz = %s" % arg)
|
||||
|
||||
|
||||
def update_user(key, description1):
|
||||
# Neither of these are exposed to sql-injections
|
||||
user = User.objects.get(pk=key)
|
||||
item.description = description
|
||||
@@ -1,19 +0,0 @@
|
||||
"""tests for Django 1.x"""
|
||||
from django.conf.urls import url
|
||||
from django.shortcuts import redirect, render
|
||||
|
||||
|
||||
def with_template(request, path='default'):
|
||||
env = {'path': path}
|
||||
# We would need to understand django templates to know if this is safe or not
|
||||
return render(request, 'possibly-vulnerable-template.html', env)
|
||||
|
||||
|
||||
def vuln_redirect(request, path):
|
||||
return redirect(path)
|
||||
|
||||
|
||||
urlpatterns = [
|
||||
url(r'^(?P<path>.*)$', with_template),
|
||||
url(r'^redirect/(?P<path>.*)$', vuln_redirect),
|
||||
]
|
||||
@@ -1,19 +0,0 @@
|
||||
"""tests for Django 2.x and 3.x"""
|
||||
from django.urls import path
|
||||
from django.shortcuts import redirect, render
|
||||
|
||||
|
||||
def with_template(request, path='default'):
|
||||
env = {'path': path}
|
||||
# We would need to understand django templates to know if this is safe or not
|
||||
return render(request, 'possibly-vulnerable-template.html', env)
|
||||
|
||||
|
||||
def vuln_redirect(request, path):
|
||||
return redirect(path)
|
||||
|
||||
|
||||
urlpatterns = [
|
||||
path('/<path>', with_template),
|
||||
path('/redirect/<path>', vuln_redirect),
|
||||
]
|
||||
@@ -1,107 +0,0 @@
|
||||
"""test of views for Django 1.x"""
|
||||
from django.conf.urls import patterns, url
|
||||
from django.http.response import HttpResponse, HttpResponseRedirect, JsonResponse, HttpResponseNotFound
|
||||
from django.views.generic import View
|
||||
|
||||
|
||||
def url_match_xss(request, foo, bar, no_taint=None):
|
||||
return HttpResponse('url_match_xss: {} {}'.format(foo, bar))
|
||||
|
||||
|
||||
def get_params_xss(request):
|
||||
return HttpResponse(request.GET.get("untrusted"))
|
||||
|
||||
|
||||
def post_params_xss(request):
|
||||
return HttpResponse(request.POST.get("untrusted"))
|
||||
|
||||
|
||||
def http_resp_write(request):
|
||||
rsp = HttpResponse()
|
||||
rsp.write(request.GET.get("untrusted"))
|
||||
return rsp
|
||||
|
||||
|
||||
class Foo(object):
|
||||
# Note: since Foo is used as the super type in a class view, it will be able to handle requests.
|
||||
|
||||
|
||||
def post(self, request, untrusted):
|
||||
return HttpResponse('Foo post: {}'.format(untrusted))
|
||||
|
||||
|
||||
class ClassView(View, Foo):
|
||||
|
||||
def get(self, request, untrusted):
|
||||
return HttpResponse('ClassView get: {}'.format(untrusted))
|
||||
|
||||
|
||||
def show_articles(request, page_number=1):
|
||||
page_number = int(page_number)
|
||||
return HttpResponse('articles page: {}'.format(page_number))
|
||||
|
||||
|
||||
def xxs_positional_arg(request, arg0, arg1, no_taint=None):
|
||||
return HttpResponse('xxs_positional_arg: {} {}'.format(arg0, arg1))
|
||||
|
||||
|
||||
urlpatterns = [
|
||||
url(r'^url_match/(?P<foo>[^/]+)/(?P<bar>[^/]+)$', url_match_xss),
|
||||
url(r'^get_params$', get_params_xss),
|
||||
url(r'^post_params$', post_params_xss),
|
||||
url(r'^http_resp_write$', http_resp_write),
|
||||
url(r'^class_view/(?P<untrusted>.+)$', ClassView.as_view()),
|
||||
|
||||
# one pattern to support `articles/page-<n>` and ensuring that articles/ goes to page-1
|
||||
url(r'articles/^(?:page-(?P<page_number>\d+)/)?$', show_articles),
|
||||
# passing as positional argument is not the recommended way of doing things, but it is certainly
|
||||
# possible
|
||||
url(r'^([^/]+)/(?:foo|bar)/([^/]+)$', xxs_positional_arg, name='xxs_positional_arg'),
|
||||
]
|
||||
|
||||
################################################################################
|
||||
# Using patterns() for routing
|
||||
|
||||
def show_user(request, username):
|
||||
return HttpResponse('show_user {}'.format(username))
|
||||
|
||||
|
||||
urlpatterns = patterns(url(r'^users/(?P<username>[^/]+)$', show_user))
|
||||
|
||||
################################################################################
|
||||
# Show we understand the keyword arguments to django.conf.urls.url
|
||||
|
||||
def kw_args(request):
|
||||
return HttpResponse('kw_args')
|
||||
|
||||
urlpatterns = [
|
||||
url(view=kw_args, regex=r'^kw_args$')
|
||||
]
|
||||
|
||||
# Not an XSS sink, since the Content-Type is not "text/html"
|
||||
# FP reported in https://github.com/github/codeql-python-team/issues/38
|
||||
def fp_json_response(request):
|
||||
# implicitly sets Content-Type to "application/json"
|
||||
return JsonResponse({"foo": request.GET.get("foo")})
|
||||
|
||||
# Not an XSS sink, since the Content-Type is not "text/html"
|
||||
def fp_manual_json_response(request):
|
||||
json_data = '{"json": "{}"}'.format(request.GET.get("foo"))
|
||||
return HttpResponse(json_data, content_type="application/json")
|
||||
|
||||
# Not an XSS sink, since the Content-Type is not "text/html"
|
||||
def fp_manual_content_type(reuqest):
|
||||
return HttpResponse('<img src="0" onerror="alert(1)">', content_type="text/plain")
|
||||
|
||||
# XSS FP reported in https://github.com/github/codeql/issues/3466
|
||||
# Note: This should be a open-redirect sink, but not a XSS sink.
|
||||
def fp_redirect(request):
|
||||
return HttpResponseRedirect(request.GET.get("next"))
|
||||
|
||||
# Ensure that simple subclasses are still vuln to XSS
|
||||
def tp_not_found(request):
|
||||
return HttpResponseNotFound(request.GET.get("name"))
|
||||
|
||||
# Ensure we still have a XSS sink when manually setting the content_type to HTML
|
||||
def tp_manual_response_type(request):
|
||||
return HttpResponse(request.GET.get("name"), content_type="text/html; charset=utf-8")
|
||||
@@ -1,128 +0,0 @@
|
||||
"""testing views for Django 2.x and 3.x"""
|
||||
from django.urls import path, re_path
|
||||
from django.http import HttpResponse, HttpResponseRedirect, JsonResponse, HttpResponseNotFound
|
||||
from django.views import View
|
||||
|
||||
|
||||
def url_match_xss(request, foo, bar, no_taint=None):
|
||||
return HttpResponse('url_match_xss: {} {}'.format(foo, bar))
|
||||
|
||||
|
||||
def get_params_xss(request):
|
||||
return HttpResponse(request.GET.get("untrusted"))
|
||||
|
||||
|
||||
def post_params_xss(request):
|
||||
return HttpResponse(request.POST.get("untrusted"))
|
||||
|
||||
|
||||
def http_resp_write(request):
|
||||
rsp = HttpResponse()
|
||||
rsp.write(request.GET.get("untrusted"))
|
||||
return rsp
|
||||
|
||||
|
||||
class Foo(object):
|
||||
# Note: since Foo is used as the super type in a class view, it will be able to handle requests.
|
||||
|
||||
|
||||
def post(self, request, untrusted):
|
||||
return HttpResponse('Foo post: {}'.format(untrusted))
|
||||
|
||||
|
||||
class ClassView(View, Foo):
|
||||
|
||||
def get(self, request, untrusted):
|
||||
return HttpResponse('ClassView get: {}'.format(untrusted))
|
||||
|
||||
|
||||
def show_articles(request, page_number=1):
|
||||
page_number = int(page_number)
|
||||
return HttpResponse('articles page: {}'.format(page_number))
|
||||
|
||||
|
||||
def xxs_positional_arg(request, arg0, arg1, no_taint=None):
|
||||
return HttpResponse('xxs_positional_arg: {} {}'.format(arg0, arg1))
|
||||
|
||||
|
||||
urlpatterns = [
|
||||
re_path(r'^url_match/(?P<foo>[^/]+)/(?P<bar>[^/]+)$', url_match_xss),
|
||||
re_path(r'^get_params$', get_params_xss),
|
||||
re_path(r'^post_params$', post_params_xss),
|
||||
re_path(r'^http_resp_write$', http_resp_write),
|
||||
re_path(r'^class_view/(?P<untrusted>.+)$', ClassView.as_view()),
|
||||
|
||||
# one pattern to support `articles/page-<n>` and ensuring that articles/ goes to page-1
|
||||
re_path(r'articles/^(?:page-(?P<page_number>\d+)/)?$', show_articles),
|
||||
# passing as positional argument is not the recommended way of doing things, but it is certainly
|
||||
# possible
|
||||
re_path(r'^([^/]+)/(?:foo|bar)/([^/]+)$', xxs_positional_arg, name='xxs_positional_arg'),
|
||||
]
|
||||
|
||||
|
||||
# Show we understand the keyword arguments to from django.urls.re_path
|
||||
|
||||
def re_path_kwargs(request):
|
||||
return HttpResponse('re_path_kwargs')
|
||||
|
||||
|
||||
urlpatterns = [
|
||||
re_path(view=re_path_kwargs, route=r'^specifying-as-kwargs-is-not-a-problem$')
|
||||
]
|
||||
|
||||
################################################################################
|
||||
# Using path
|
||||
################################################################################
|
||||
|
||||
# saying page_number is an externally controlled *string* is a bit strange, when we have an int converter :O
|
||||
def page_number(request, page_number=1):
|
||||
return HttpResponse('page_number: {}'.format(page_number))
|
||||
|
||||
def foo_bar_baz(request, foo, bar, baz):
|
||||
return HttpResponse('foo_bar_baz: {} {} {}'.format(foo, bar, baz))
|
||||
|
||||
def path_kwargs(request, foo, bar):
|
||||
return HttpResponse('path_kwargs: {} {} {}'.format(foo, bar))
|
||||
|
||||
def not_valid_identifier(request):
|
||||
return HttpResponse('<foo!>')
|
||||
|
||||
urlpatterns = [
|
||||
path('articles/', page_number),
|
||||
path('articles/page-<int:page_number>', page_number),
|
||||
path('<int:foo>/<str:bar>/<baz>', foo_bar_baz, name='foo-bar-baz'),
|
||||
|
||||
path(view=path_kwargs, route='<foo>/<bar>'),
|
||||
|
||||
# We should not report there is a request parameter called `not_valid!`
|
||||
path('not_valid/<not_valid!>', not_valid_identifier),
|
||||
]
|
||||
|
||||
|
||||
# Not an XSS sink, since the Content-Type is not "text/html"
|
||||
# FP reported in https://github.com/github/codeql-python-team/issues/38
|
||||
def fp_json_response(request):
|
||||
# implicitly sets Content-Type to "application/json"
|
||||
return JsonResponse({"foo": request.GET.get("foo")})
|
||||
|
||||
# Not an XSS sink, since the Content-Type is not "text/html"
|
||||
def fp_manual_json_response(request):
|
||||
json_data = '{"json": "{}"}'.format(request.GET.get("foo"))
|
||||
return HttpResponse(json_data, content_type="application/json")
|
||||
|
||||
# Not an XSS sink, since the Content-Type is not "text/html"
|
||||
def fp_manual_content_type(reuqest):
|
||||
return HttpResponse('<img src="0" onerror="alert(1)">', content_type="text/plain")
|
||||
|
||||
# XSS FP reported in https://github.com/github/codeql/issues/3466
|
||||
# Note: This should be a open-redirect sink, but not a XSS sink.
|
||||
def fp_redirect(request):
|
||||
return HttpResponseRedirect(request.GET.get("next"))
|
||||
|
||||
# Ensure that simple subclasses are still vuln to XSS
|
||||
def tp_not_found(request):
|
||||
return HttpResponseNotFound(request.GET.get("name"))
|
||||
|
||||
# Ensure we still have a XSS sink when manually setting the content_type to HTML
|
||||
def tp_manual_response_type(request):
|
||||
return HttpResponse(request.GET.get("name"), content_type="text/html; charset=utf-8")
|
||||
@@ -1 +0,0 @@
|
||||
| FIXME: temporarily disabled since it's not working |
|
||||
@@ -1,8 +0,0 @@
|
||||
import python
|
||||
import semmle.python.web.HttpResponse
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
// from HttpResponseTaintSink sink, TaintKind kind
|
||||
// where sink.sinks(kind)
|
||||
// select sink, kind
|
||||
select "FIXME: temporarily disabled since it's not working"
|
||||
@@ -1,4 +0,0 @@
|
||||
WARNING: Type HttpRequestTaintSource has been deprecated and may be removed in future (HttpSources.ql:5,6-28)
|
||||
| test.py:9:22:9:24 | req | falcon.request |
|
||||
| test.py:19:23:19:25 | req | falcon.request |
|
||||
| test.py:22:25:22:27 | req | falcon.request |
|
||||
@@ -1,7 +0,0 @@
|
||||
import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
from HttpRequestTaintSource source, TaintKind kind
|
||||
where source.isSourceOf(kind)
|
||||
select source.(ControlFlowNode).getNode(), kind
|
||||
@@ -1,4 +0,0 @@
|
||||
WARNING: Type FalconRoute has been deprecated and may be removed in future (Routing.ql:4,6-17)
|
||||
| /hello | delete | test.py:22:5:22:35 | Function on_delete |
|
||||
| /hello | get | test.py:9:5:9:32 | Function on_get |
|
||||
| /hello | post | test.py:19:5:19:33 | Function on_post |
|
||||
@@ -1,5 +0,0 @@
|
||||
import python
|
||||
import semmle.python.web.falcon.General
|
||||
|
||||
from FalconRoute route, string method
|
||||
select route.getUrl(), method, route.getHandlerFunction(method)
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user