Python: Remove duplicate results from azure blob query

Rasmus Wriedt Larsen
2023-03-29 11:46:59 +02:00
parent 32d52c023e
commit 86333e3ba5
2 changed files with 21 additions and 20 deletions


@@ -15,7 +15,8 @@ import python
import semmle.python.dataflow.new.DataFlow
import semmle.python.ApiGraphs
API::Node getBlobServiceClient() {
API::Node getBlobServiceClient(boolean isSource) {
isSource = true and
result =
API::moduleImport("azure")
.getMember("storage")
@@ -23,6 +24,7 @@ API::Node getBlobServiceClient() {
.getMember("BlobServiceClient")
.getReturn()
or
isSource = true and
result =
API::moduleImport("azure")
.getMember("storage")
@@ -33,14 +35,16 @@ API::Node getBlobServiceClient() {
}
API::CallNode getTransitionToContainerClient() {
result = getBlobServiceClient().getMember("get_container_client").getACall()
result = getBlobServiceClient(_).getMember("get_container_client").getACall()
or
result = getBlobClient().getMember("_get_container_client").getACall()
result = getBlobClient(_).getMember("_get_container_client").getACall()
}
API::Node getContainerClient() {
API::Node getContainerClient(boolean isSource) {
isSource = false and
result = getTransitionToContainerClient().getReturn()
or
isSource = true and
result =
API::moduleImport("azure")
.getMember("storage")
@@ -48,6 +52,7 @@ API::Node getContainerClient() {
.getMember("ContainerClient")
.getReturn()
or
isSource = true and
result =
API::moduleImport("azure")
.getMember("storage")
@@ -58,12 +63,14 @@ API::Node getContainerClient() {
}
API::CallNode getTransitionToBlobClient() {
result = [getBlobServiceClient(), getContainerClient()].getMember("get_blob_client").getACall()
result = [getBlobServiceClient(_), getContainerClient(_)].getMember("get_blob_client").getACall()
}
API::Node getBlobClient() {
API::Node getBlobClient(boolean isSource) {
isSource = false and
result = getTransitionToBlobClient().getReturn()
or
isSource = true and
result =
API::moduleImport("azure")
.getMember("storage")
@@ -71,6 +78,7 @@ API::Node getBlobClient() {
.getMember("BlobClient")
.getReturn()
or
isSource = true and
result =
API::moduleImport("azure")
.getMember("storage")
@@ -80,7 +88,9 @@ API::Node getBlobClient() {
.getReturn()
}
API::Node anyClient() { result in [getBlobServiceClient(), getContainerClient(), getBlobClient()] }
API::Node anyClient(boolean isSource) {
result in [getBlobServiceClient(isSource), getContainerClient(isSource), getBlobClient(isSource)]
}
newtype TAzureFlowState =
MkUsesV1Encryption() or
@@ -91,13 +101,13 @@ module AzureBlobClientConfig implements DataFlow::StateConfigSig {
predicate isSource(DataFlow::Node node, FlowState state) {
state = MkUsesNoEncryption() and
node = anyClient().asSource()
node = anyClient(true).asSource()
}
predicate isBarrier(DataFlow::Node node, FlowState state) {
exists(state) and
exists(DataFlow::AttrWrite attr |
node = anyClient().getAValueReachableFromSource() and
node = anyClient(_).getAValueReachableFromSource() and
attr.accesses(node, "encryption_version") and
attr.getValue().asExpr().(StrConst).getText() in ["'2.0'", "2.0"]
)
@@ -118,7 +128,7 @@ module AzureBlobClientConfig implements DataFlow::StateConfigSig {
state1 = MkUsesNoEncryption() and
state2 = MkUsesV1Encryption() and
exists(DataFlow::AttrWrite attr |
node1 = anyClient().getAValueReachableFromSource() and
node1 = anyClient(_).getAValueReachableFromSource() and
attr.accesses(node1, ["key_encryption_key", "key_resolver_function"])
)
}
@@ -126,7 +136,7 @@ module AzureBlobClientConfig implements DataFlow::StateConfigSig {
predicate isSink(DataFlow::Node node, FlowState state) {
state = MkUsesV1Encryption() and
exists(DataFlow::MethodCallNode call |
call = getBlobClient().getMember("upload_blob").getACall() and
call = getBlobClient(_).getMember("upload_blob").getACall() and
node = call.getObject()
)
}
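Review bot: The new `isSource` parameter on `getBlobServiceClient`, `getContainerClient`, `getBlobClient` and `anyClient` has no QLDoc, and its name is easy to confuse with the config predicate `isSource` that consumes it via `anyClient(true)`. I would add a comment on each, along the lines of `/** Gets a client; isSource is true when it comes straight from the azure.storage API root and false when it is returned by get_container_client / get_blob_client on another client. */`. With sources limited to `anyClient(true)`, an alert on a derived client now depends on data flow reaching it from its parent client; the step that carries flow across those calls is not in the visible hunks, so a derived client whose parent is found by the API graph but not by the data-flow configuration would presumably go unreported. A test case where the parent client reaches `get_blob_client` through a less direct route (for example a class attribute) would pin that the de-duplication does not lose findings.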


@@ -5,7 +5,6 @@ edges
| test.py:3:1:3:3 | GSSA Variable BSC | test.py:0:0:0:0 | ModuleVariableNode for test.BSC |
| test.py:3:7:3:51 | ControlFlowNode for Attribute() | test.py:3:1:3:3 | GSSA Variable BSC |
| test.py:7:19:7:21 | ControlFlowNode for BSC | test.py:8:5:8:15 | ControlFlowNode for blob_client |
| test.py:7:19:7:42 | ControlFlowNode for Attribute() | test.py:8:5:8:15 | ControlFlowNode for blob_client |
| test.py:8:5:8:15 | ControlFlowNode for blob_client | test.py:9:5:9:15 | ControlFlowNode for blob_client |
| test.py:9:5:9:15 | ControlFlowNode for blob_client | test.py:9:5:9:15 | ControlFlowNode for blob_client |
| test.py:9:5:9:15 | ControlFlowNode for blob_client | test.py:11:9:11:19 | ControlFlowNode for blob_client |
@@ -18,12 +17,10 @@ edges
| test.py:27:5:27:20 | ControlFlowNode for container_client | test.py:27:5:27:20 | ControlFlowNode for container_client |
| test.py:27:5:27:20 | ControlFlowNode for container_client | test.py:31:9:31:19 | ControlFlowNode for blob_client |
| test.py:35:19:35:21 | ControlFlowNode for BSC | test.py:36:5:36:15 | ControlFlowNode for blob_client |
| test.py:35:19:35:42 | ControlFlowNode for Attribute() | test.py:36:5:36:15 | ControlFlowNode for blob_client |
| test.py:36:5:36:15 | ControlFlowNode for blob_client | test.py:37:5:37:15 | ControlFlowNode for blob_client |
| test.py:37:5:37:15 | ControlFlowNode for blob_client | test.py:37:5:37:15 | ControlFlowNode for blob_client |
| test.py:37:5:37:15 | ControlFlowNode for blob_client | test.py:43:9:43:19 | ControlFlowNode for blob_client |
| test.py:66:19:66:21 | ControlFlowNode for BSC | test.py:67:5:67:15 | ControlFlowNode for blob_client |
| test.py:66:19:66:42 | ControlFlowNode for Attribute() | test.py:67:5:67:15 | ControlFlowNode for blob_client |
| test.py:67:5:67:15 | ControlFlowNode for blob_client | test.py:68:5:68:15 | ControlFlowNode for blob_client |
| test.py:68:5:68:15 | ControlFlowNode for blob_client | test.py:68:5:68:15 | ControlFlowNode for blob_client |
| test.py:68:5:68:15 | ControlFlowNode for blob_client | test.py:69:12:69:22 | ControlFlowNode for blob_client |
@@ -34,7 +31,6 @@ nodes
| test.py:3:1:3:3 | GSSA Variable BSC | semmle.label | GSSA Variable BSC |
| test.py:3:7:3:51 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| test.py:7:19:7:21 | ControlFlowNode for BSC | semmle.label | ControlFlowNode for BSC |
| test.py:7:19:7:42 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| test.py:8:5:8:15 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
| test.py:9:5:9:15 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
| test.py:9:5:9:15 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
@@ -50,13 +46,11 @@ nodes
| test.py:27:5:27:20 | ControlFlowNode for container_client | semmle.label | ControlFlowNode for container_client |
| test.py:31:9:31:19 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
| test.py:35:19:35:21 | ControlFlowNode for BSC | semmle.label | ControlFlowNode for BSC |
| test.py:35:19:35:42 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| test.py:36:5:36:15 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
| test.py:37:5:37:15 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
| test.py:37:5:37:15 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
| test.py:43:9:43:19 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
| test.py:66:19:66:21 | ControlFlowNode for BSC | semmle.label | ControlFlowNode for BSC |
| test.py:66:19:66:42 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| test.py:67:5:67:15 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
| test.py:68:5:68:15 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
| test.py:68:5:68:15 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
@@ -66,10 +60,7 @@ nodes
subpaths
#select
| test.py:11:9:11:19 | ControlFlowNode for blob_client | test.py:3:7:3:51 | ControlFlowNode for Attribute() | test.py:11:9:11:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption |
| test.py:11:9:11:19 | ControlFlowNode for blob_client | test.py:7:19:7:42 | ControlFlowNode for Attribute() | test.py:11:9:11:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption |
| test.py:21:9:21:19 | ControlFlowNode for blob_client | test.py:15:27:15:71 | ControlFlowNode for Attribute() | test.py:21:9:21:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption |
| test.py:31:9:31:19 | ControlFlowNode for blob_client | test.py:25:24:25:66 | ControlFlowNode for Attribute() | test.py:31:9:31:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption |
| test.py:43:9:43:19 | ControlFlowNode for blob_client | test.py:3:7:3:51 | ControlFlowNode for Attribute() | test.py:43:9:43:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption |
| test.py:43:9:43:19 | ControlFlowNode for blob_client | test.py:35:19:35:42 | ControlFlowNode for Attribute() | test.py:43:9:43:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption |
| test.py:75:9:75:10 | ControlFlowNode for bc | test.py:3:7:3:51 | ControlFlowNode for Attribute() | test.py:75:9:75:10 | ControlFlowNode for bc | Unsafe usage of v1 version of Azure Storage client-side encryption |
| test.py:75:9:75:10 | ControlFlowNode for bc | test.py:66:19:66:42 | ControlFlowNode for Attribute() | test.py:75:9:75:10 | ControlFlowNode for bc | Unsafe usage of v1 version of Azure Storage client-side encryption |