Organisation TarSlip/UnsafeUnpack into two folders

This commit is contained in:
Sim4n6
2023-02-12 10:51:53 +01:00
parent eed19a3e15
commit 80d4fb5e33
13 changed files with 28 additions and 15 deletions


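--- /dev/null
+++ b/PATH-NOT-SHOWN-ADDED
@@ -0,0 +1,15 @@
+missingAnnotationOnSink
+failures
+| UnsafeUnpack.py:19:35:19:41 | ControlFlowNode for tarpath | Unexpected result: result=BAD |
+| UnsafeUnpack.py:34:23:34:38 | ControlFlowNode for local_ziped_path | Unexpected result: result=BAD |
+| UnsafeUnpack.py:48:23:48:37 | ControlFlowNode for compressed_file | Unexpected result: result=BAD |
+| UnsafeUnpack.py:52:23:52:37 | ControlFlowNode for compressed_file | Unexpected result: result=BAD |
+| UnsafeUnpack.py:66:23:66:37 | ControlFlowNode for compressed_file | Unexpected result: result=BAD |
+| UnsafeUnpack.py:87:23:87:29 | ControlFlowNode for tarpath | Unexpected result: result=BAD |
+| UnsafeUnpack.py:105:35:105:42 | ControlFlowNode for savepath | Unexpected result: result=BAD |
+| UnsafeUnpack.py:112:35:112:43 | ControlFlowNode for file_path | Unexpected result: result=BAD |
+| UnsafeUnpack.py:120:41:120:58 | ControlFlowNode for uploaded_file_path | Unexpected result: result=BAD |
+| UnsafeUnpack.py:142:49:142:51 | ControlFlowNode for tar | Unexpected result: result=BAD |
+| UnsafeUnpack.py:167:67:167:72 | ControlFlowNode for result | Unexpected result: result=BAD |
+| UnsafeUnpack.py:176:1:176:34 | ControlFlowNode for Attribute() | Unexpected result: result=BAD |
+| UnsafeUnpack.py:201:29:201:36 | ControlFlowNode for Attribute | Unexpected result: result=BAD |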


@@ -16,7 +16,7 @@ def download_from_url():
with open(tarpath, "wb") as f:
f.write(response.raw.read())
untarredpath = "/tmp/tmp123"
shutil.unpack_archive(tarpath, untarredpath) # $result=BAD
shutil.unpack_archive(tarpath, untarredpath)
# A source catching an S3 filename download
@@ -31,7 +31,7 @@ bucket_name = "mybucket"
s3 = boto3.client('s3')
s3.download_file(bucket_name, remote_ziped_name, local_ziped_path)
shutil.unpack_archive(local_ziped_path, base_dir) # $result=BAD
shutil.unpack_archive(local_ziped_path, base_dir)
# wget
@@ -45,11 +45,11 @@ base_dir = "/tmp/basedir"
# download(url, out, bar) contains out parameter
wget.download(url, compressed_file)
shutil.unpack_archive(compressed_file, base_dir) # $result=BAD
shutil.unpack_archive(compressed_file, base_dir)
# download(url) returns filename
compressed_file = wget.download(url)
shutil.unpack_archive(compressed_file, base_dir) # $result=BAD
shutil.unpack_archive(compressed_file, base_dir)
# A source coming from a CLI argparse module
@@ -63,7 +63,7 @@ parser.add_argument('filename', help='filename to be provided')
args = parser.parse_args()
compressed_file = args.filename
shutil.unpack_archive(compressed_file, base_dir) # $result=BAD
shutil.unpack_archive(compressed_file, base_dir)
# A source coming from a CLI and downloaded
@@ -84,7 +84,7 @@ tarpath = "/tmp/tmp456/tarball.tar.gz"
with open(tarpath, "wb") as f:
f.write(response.raw.read())
shutil.unpack_archive(tarpath, base_dir) # $result=BAD
shutil.unpack_archive(tarpath, base_dir)
# the django upload functionality
# see HttpRequest.FILES: https://docs.djangoproject.com/en/4.1/ref/request-response/#django.http.HttpRequest.FILES
@@ -102,14 +102,14 @@ def simple_upload(request):
with open(savepath, 'wb+') as wfile:
for chunk in request.FILES["ufile1"].chunks():
wfile.write(chunk)
shutil.unpack_archive(savepath, base_dir) # $result=BAD
shutil.unpack_archive(savepath, base_dir)
# Write in binary the uploaded tarball
myfile = request.FILES.get("ufile1")
file_path = os.path.join(base_dir, "tarball.tar")
with file_path.open('wb') as f:
f.write(myfile.read())
shutil.unpack_archive(file_path, base_dir) # $result=BAD
shutil.unpack_archive(file_path, base_dir)
# Save uploaded files using FileSystemStorage Django API
# see FileSystemStorage: https://docs.djangoproject.com/en/4.1/ref/files/storage/#django.core.files.storage.FileSystemStorage
@@ -117,7 +117,7 @@ def simple_upload(request):
fs = FileSystemStorage()
filename = fs.save(ufile.name, ufile)
uploaded_file_path = fs.path(filename)
shutil.unpack_archive(uploaded_file_path, base_dir) # $result=BAD
shutil.unpack_archive(uploaded_file_path, base_dir)
return render(request, 'simple_upload.html')
@@ -139,7 +139,7 @@ parser.add_argument('filename', help='filename to be provided')
args = parser.parse_args()
unsafe_filename_tar = args.filename
with tarfile.TarFile(unsafe_filename_tar, mode="r") as tar:
tar.extractall(path="/tmp/unpack/", members=tar) # $result=BAD
tar.extractall(path="/tmp/unpack/", members=tar)
tar = tarfile.open(unsafe_filename_tar)
@@ -164,7 +164,7 @@ def simple_upload(request):
if member.issym():
raise ValueError("But it is a symlink")
result.append(member)
tar.extractall(path=tempfile.mkdtemp(), members=result) # $result=BAD
tar.extractall(path=tempfile.mkdtemp(), members=result)
tar.close()
@@ -173,7 +173,7 @@ tarpath = "/tmp/tmp456/tarball.tar.gz"
with open(tarpath, "wb") as f:
f.write(response.raw.read())
target_dir = "/tmp/unpack"
tarfile.TarFile(tarpath, mode="r").extractall(path=target_dir) # $result=BAD
tarfile.TarFile(tarpath, mode="r").extractall(path=target_dir)
from pathlib import Path
@@ -198,4 +198,4 @@ with tempfile.NamedTemporaryFile(suffix=".tar.gz") as tmp:
target = cache_dir
else:
target = Path(tempfile.mkdtemp())
shutil.unpack_archive(tmp.name, target) # $result=BAD
shutil.unpack_archive(tmp.name, target)
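Review bot: Every hunk in this file pairs a sink call carrying a `# $result=BAD` marker with the same call without it (for example `shutil.unpack_archive(tarpath, untarredpath) # $result=BAD` beside `shutil.unpack_archive(tarpath, untarredpath)`), and the newly added .expected file with its 13 `Unexpected result: result=BAD` entries suggests the bare lines are the new side, though the rendering lost the markers so this is inferred. If so, the inline expectations no longer pin each sink and the .expected file instead snapshots every reported sink as a failure, so a sink the query stops reporting would surface only as an entry vanishing from that file rather than as a missing-result failure on the sink line. If the split into a second folder is meant to keep this copy free of inline expectations, a one-line comment at the top of the fixture saying so (`# Inline $result annotations intentionally omitted in this copy`) would make that explicit; otherwise keep the `# $result=BAD` marker on each sink line. Separately, the context line `with file_path.open('wb') as f:` in the `simple_upload` hunk calls `.open` on the `str` returned by `os.path.join`, which would raise AttributeError if this fixture were ever executed; `file_path = Path(base_dir) / "tarball.tar"` would match the `pathlib` usage later in the file. The enclosing functions (`download_from_url`, `simple_upload`) start outside the hunks.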


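--- a/PATH-NOT-SHOWN-DELETED
+++ /dev/null
@@ -1,2 +0,0 @@
-missingAnnotationOnSink
-failures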