hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

Python: Propagate taint through parse_qsl

Browse Source
This commit is contained in:
Rasmus Wriedt Larsen
2020-04-23 12:14:22 +02:00
parent 30e2592701
commit 94ae2febe5
4 changed files with 41 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
python/ql/src/semmle/python/security/strings/External.qll
View File

@@ -24,6 +24,8 @@ abstract class ExternalStringKind extends StringKind {
urlparse(fromnode, tonode) and result.(ExternalUrlParseResult).getItem() = this
or
parse_qs(fromnode, tonode) and result.(ExternalStringDictKind).getValue() = this
or
parse_qsl(fromnode, tonode) and result.(SequenceKind).getItem().(SequenceKind).getItem() = this
}
}
@@ -209,6 +211,32 @@ private predicate parse_qs(ControlFlowNode fromnode, CallNode tonode) {
)
}
private predicate parse_qsl(ControlFlowNode fromnode, CallNode tonode) {
// This could be implemented as `exists(FunctionValue` without the explicit six part,
// but then our tests will need to import +100 modules, so for now this slightly
// altered version gets to live on.
exists(Value parse_qsl |
(
parse_qsl = Value::named("six.moves.urllib.parse.parse_qsl")
or
// Python 2
parse_qsl = Value::named("urlparse.parse_qsl")
or
// Python 2 deprecated version of `urlparse.parse_qsl`
parse_qsl = Value::named("cgi.parse_qsl")
or
// Python 3
parse_qsl = Value::named("urllib.parse.parse_qsl")
) and
tonode = parse_qsl.getACall() and
(
tonode.getArg(0) = fromnode
or
tonode.getArgByName("qs") = fromnode
)
)
}
/** A kind of "taint", representing an open file-like object from an external source. */
class ExternalFileObject extends TaintKind {
ExternalFileObject() { this = "file[" + any(ExternalStringKind key) + "]" }

9
python/ql/test/library-tests/taint/strings/TestStep.expected
View File

@@ -1,5 +1,6 @@
| Taint [externally controlled string] | test.py:67 | test.py:67:9:67:32 | urlsplit() | | --> | Taint [externally controlled string] | test.py:70 | test.py:70:10:70:10 | a | |
| Taint [externally controlled string] | test.py:68 | test.py:68:9:68:32 | urlparse() | | --> | Taint [externally controlled string] | test.py:70 | test.py:70:13:70:13 | b | |
| Taint [[externally controlled string]] | test.py:70 | test.py:70:9:70:33 | parse_qsl() | | --> | Taint [[externally controlled string]] | test.py:71 | test.py:71:19:71:19 | d | |
| Taint [externally controlled string] | test.py:67 | test.py:67:9:67:32 | urlsplit() | | --> | Taint [externally controlled string] | test.py:71 | test.py:71:10:71:10 | a | |
| Taint [externally controlled string] | test.py:68 | test.py:68:9:68:32 | urlparse() | | --> | Taint [externally controlled string] | test.py:71 | test.py:71:13:71:13 | b | |
| Taint exception.info | test.py:44 | test.py:44:22:44:26 | taint | p1 = exception.info | --> | Taint exception.info | test.py:45 | test.py:45:17:45:21 | taint | p1 = exception.info |
| Taint exception.info | test.py:45 | test.py:45:17:45:21 | taint | p1 = exception.info | --> | Taint exception.info | test.py:45 | test.py:45:12:45:22 | func() | p1 = exception.info |
| Taint exception.info | test.py:45 | test.py:45:17:45:21 | taint | p1 = exception.info | --> | Taint exception.info | test.py:52 | test.py:52:19:52:21 | arg | p0 = exception.info |
@@ -61,9 +62,11 @@
| Taint externally controlled string | test.py:66 | test.py:66:22:66:35 | TAINTED_STRING | | --> | Taint externally controlled string | test.py:67 | test.py:67:18:67:31 | tainted_string | |
| Taint externally controlled string | test.py:66 | test.py:66:22:66:35 | TAINTED_STRING | | --> | Taint externally controlled string | test.py:68 | test.py:68:18:68:31 | tainted_string | |
| Taint externally controlled string | test.py:66 | test.py:66:22:66:35 | TAINTED_STRING | | --> | Taint externally controlled string | test.py:69 | test.py:69:18:69:31 | tainted_string | |
| Taint externally controlled string | test.py:66 | test.py:66:22:66:35 | TAINTED_STRING | | --> | Taint externally controlled string | test.py:70 | test.py:70:19:70:32 | tainted_string | |
| Taint externally controlled string | test.py:67 | test.py:67:18:67:31 | tainted_string | | --> | Taint [externally controlled string] | test.py:67 | test.py:67:9:67:32 | urlsplit() | |
| Taint externally controlled string | test.py:68 | test.py:68:18:68:31 | tainted_string | | --> | Taint [externally controlled string] | test.py:68 | test.py:68:9:68:32 | urlparse() | |
| Taint externally controlled string | test.py:69 | test.py:69:18:69:31 | tainted_string | | --> | Taint {externally controlled string} | test.py:69 | test.py:69:9:69:32 | parse_qs() | |
| Taint externally controlled string | test.py:70 | test.py:70:19:70:32 | tainted_string | | --> | Taint [[externally controlled string]] | test.py:70 | test.py:70:9:70:33 | parse_qsl() | |
| Taint json[externally controlled string] | test.py:6 | test.py:6:20:6:45 | Attribute() | | --> | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:20 | tainted_json | |
| Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:20 | tainted_json | | --> | Taint externally controlled string | test.py:7 | test.py:7:9:7:25 | Subscript | |
| Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:20 | tainted_json | | --> | Taint json[externally controlled string] | test.py:7 | test.py:7:9:7:25 | Subscript | |
@@ -76,4 +79,4 @@
| Taint json[externally controlled string] | test.py:9 | test.py:9:9:9:9 | b | | --> | Taint externally controlled string | test.py:9 | test.py:9:9:9:14 | Subscript | |
| Taint json[externally controlled string] | test.py:9 | test.py:9:9:9:9 | b | | --> | Taint json[externally controlled string] | test.py:9 | test.py:9:9:9:14 | Subscript | |
| Taint json[externally controlled string] | test.py:9 | test.py:9:9:9:14 | Subscript | | --> | Taint json[externally controlled string] | test.py:10 | test.py:10:16:10:16 | c | |
| Taint {externally controlled string} | test.py:69 | test.py:69:9:69:32 | parse_qs() | | --> | Taint {externally controlled string} | test.py:70 | test.py:70:16:70:16 | c | |
| Taint {externally controlled string} | test.py:69 | test.py:69:9:69:32 | parse_qs() | | --> | Taint {externally controlled string} | test.py:71 | test.py:71:16:71:16 | c | |

7
python/ql/test/library-tests/taint/strings/TestTaint.expected
View File

@@ -20,6 +20,7 @@
| test.py:42 | test_str2 | c | externally controlled string |
| test.py:50 | test_exc_info | res | exception.info |
| test.py:58 | test_untrusted | res | externally controlled string |
| test.py:70 | test_urlsplit_urlparse | a | [externally controlled string] |
| test.py:70 | test_urlsplit_urlparse | b | [externally controlled string] |
| test.py:70 | test_urlsplit_urlparse | c | {externally controlled string} |
| test.py:71 | test_urlsplit_urlparse | a | [externally controlled string] |
| test.py:71 | test_urlsplit_urlparse | b | [externally controlled string] |
| test.py:71 | test_urlsplit_urlparse | c | {externally controlled string} |
| test.py:71 | test_urlsplit_urlparse | d | [[externally controlled string]] |

5
python/ql/test/library-tests/taint/strings/test.py
View File

@@ -60,11 +60,12 @@ def test_untrusted():
def exc_untrusted_call(arg):
return arg
from six.moves.urllib.parse import urlsplit, urlparse, parse_qs
from six.moves.urllib.parse import urlsplit, urlparse, parse_qs, parse_qsl
def test_urlsplit_urlparse():
tainted_string = TAINTED_STRING
a = urlsplit(tainted_string)
b = urlparse(tainted_string)
c = parse_qs(tainted_string)
test(a, b, c)
d = parse_qsl(tainted_string)
test(a, b, c, d)