python: Add standard customization setup

- modernize the sanitizer, but do not make it less specific
2026-04-30 19:26:02 +02:00 · 2022-01-25 11:04:18 +01:00
parent 20d54543fd
commit 8b5114d10e
3 changed files with 90 additions and 14 deletions
--- a/python/ql/lib/semmle/python/security/dataflow/LogInjection.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/LogInjection.qll
@@ -1,24 +1,35 @@
+/**
+ * Provides a taint-tracking configuration for tracking untrusted user input used in log entries.
+ *
+ * Note, for performance reasons: only import this file if
+ * `LogInjection::Configuration` is needed, otherwise
+ * `LogInjectionCustomizations` should be imported instead.
+ */
+
 import python
-import semmle.python.Concepts
-import semmle.python.Concepts
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
-import semmle.python.dataflow.new.RemoteFlowSources

 /**
- * A taint-tracking configuration for tracking untrusted user input used in log entries.
+ * Provides a taint-tracking configuration for tracking untrusted user input used in log entries.
 */
-class LogInjectionFlowConfig extends TaintTracking::Configuration {
-  LogInjectionFlowConfig() { this = "LogInjectionFlowConfig" }
+module LogInjection {
+  import LogInjectionCustomizations::LogInjection

-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  /**
+   * A taint-tracking configuration for tracking untrusted user input used in log entries.
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "LogInjection" }

-  override predicate isSink(DataFlow::Node sink) { sink = any(Logging write).getAnInput() }
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }

-  override predicate isSanitizer(DataFlow::Node node) {
-    exists(CallNode call |
-      node.asCfgNode() = call.getFunction().(AttrNode).getObject("replace") and
-      call.getArg(0).getNode().(StrConst).getText() in ["\r\n", "\n"]
-    )
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+      guard instanceof SanitizerGuard
+    }
  }
 }
--- a/python/ql/lib/semmle/python/security/dataflow/LogInjectionCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/LogInjectionCustomizations.qll
@@ -0,0 +1,65 @@
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "command injection"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.dataflow.new.BarrierGuards
+
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "command injection"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+module LogInjection {
+  /**
+   * A data flow source for "command injection" vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for "command injection" vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for "command injection" vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A sanitizer guard for "command injection" vulnerabilities.
+   */
+  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+
+  /**
+   * A source of remote user input, considered as a flow source.
+   */
+  class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
+
+  /**
+   * A logging operation, considered as a flow sink.
+   */
+  class LoggingAsSink extends Sink {
+    LoggingAsSink() { this = any(Logging write).getAnInput() }
+  }
+
+  /**
+   * A comparison with a constant string, considered as a sanitizer-guard.
+   */
+  class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
+
+  /**
+   * A call to replace line breaks functions as a sanitizer.
+   */
+  class ReplaceLineBreaksSanitizer extends Sanitizer, DataFlow::CallCfgNode {
+    ReplaceLineBreaksSanitizer() {
+      this.getFunction().(DataFlow::AttrRead).getAttributeName() = "replace" and
+      this.getArg(0).asExpr().(StrConst).getText() in ["\r\n", "\n"]
+    }
+  }
+}
--- a/python/ql/src/Security/CWE-117/LogInjection.ql
+++ b/python/ql/src/Security/CWE-117/LogInjection.ql
@@ -14,7 +14,7 @@ import python
 import semmle.python.security.dataflow.LogInjection
 import DataFlow::PathGraph

-from LogInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
+from LogInjection::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "$@ flows to log entry.", source.getNode(),
  "User-provided value"