Considering the use of contextlib.closing() method

ALJI Mohamed
2022-12-08 12:26:59 +01:00
parent 2801b8495a
commit 9336f4f1a2
3 changed files with 59 additions and 4 deletions


@@ -34,8 +34,8 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
}
override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
// Writing the response data to the archive
(
// Writing the response data to the archive
exists(Stdlib::FileLikeObject::InstanceSource is, Node f, MethodCallNode mc |
is.flowsTo(f) and
mc.getMethodName() = "write" and
@@ -48,11 +48,18 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
exists(MethodCallNode mc |
nodeFrom = mc.getObject() and
mc.getMethodName() = "read" and
nodeTo = mc
mc.flowsTo(nodeTo)
)
or
// Accessing the name
exists(AttrRead ar | ar.accesses(nodeFrom, "name") and nodeTo = ar)
or
// Considering closing use
exists(API::Node closing |
closing = API::moduleImport("contextlib").getMember("closing") and
closing.getACall().flowsTo(nodeTo) and
nodeFrom = closing.getACall().getArg(0)
)
)
}
}
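Review bot: In the new `contextlib.closing` disjunct at the end of `isAdditionalTaintStep`, `closing.getACall()` is evaluated twice, so nothing ties the call whose first argument is `nodeFrom` to the call that flows to `nodeTo`. As written, taint can step from the argument of one `closing(...)` call to the result of an unrelated `closing(...)` call elsewhere in the database, which would add spurious unsafe-unpacking paths. Bind the call once: quantify over `API::CallNode call` and use `call = API::moduleImport("contextlib").getMember("closing").getACall() and nodeFrom = call.getArg(0) and call.flowsTo(nodeTo)`. A query test with two independent `closing()` calls, only one of them wrapping tainted data, would pin the intended behaviour. The predicate spans both hunks, and the enclosing class begins outside them.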