Python: Port py/clear-text-logging-sensitive-data

2026-04-30 19:26:02 +02:00 · 2021-06-25 14:35:31 +02:00
parent 68cfeb0b5c
commit 9573048ee8
5 changed files with 141 additions and 27 deletions
--- a/python/ql/src/Security/CWE-312/CleartextLogging.ql
+++ b/python/ql/src/Security/CWE-312/CleartextLogging.ql
@@ -14,25 +14,13 @@
 */

 import python
-import semmle.python.security.Paths
-import semmle.python.dataflow.TaintTracking
-import semmle.python.security.SensitiveData
-import semmle.python.security.ClearText
+private import semmle.python.dataflow.new.DataFlow
+import DataFlow::PathGraph
+import semmle.python.security.dataflow.CleartextLogging::CleartextLogging

-class CleartextLoggingConfiguration extends TaintTracking::Configuration {
-  CleartextLoggingConfiguration() { this = "ClearTextLogging" }
-
-  override predicate isSource(DataFlow::Node src, TaintKind kind) {
-    src.asCfgNode().(SensitiveData::Source).isSourceOf(kind)
-  }
-
-  override predicate isSink(DataFlow::Node sink, TaintKind kind) {
-    sink.asCfgNode() instanceof ClearTextLogging::Sink and
-    kind instanceof SensitiveData
-  }
-}
-
-from CleartextLoggingConfiguration config, TaintedPathSource source, TaintedPathSink sink
-where config.hasFlowPath(source, sink)
-select sink.getSink(), source, sink, "Sensitive data returned by $@ is logged here.",
-  source.getSource(), source.getCfgNode().(SensitiveData::Source).repr()
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, string classification
+where
+  config.hasFlowPath(source, sink) and
+  classification = source.getNode().(Source).getClassification()
+select sink.getNode(), source, sink, "$@ is logged here.", source.getNode(),
+  "Sensitive data (" + classification + ")"
--- a/python/ql/src/semmle/python/security/dataflow/CleartextLogging.qll
+++ b/python/ql/src/semmle/python/security/dataflow/CleartextLogging.qll
@@ -0,0 +1,39 @@
+/**
+ * Provides a taint-tracking configuration for "Clear-text logging of sensitive information".
+ *
+ * Note, for performance reasons: only import this file if
+ * `CleartextLogging::Configuration` is needed, otherwise
+ * `CleartextLoggingCustomizations` should be imported instead.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.dataflow.new.BarrierGuards
+private import semmle.python.dataflow.new.SensitiveDataSources
+
+/**
+ * Provides a taint-tracking configuration for detecting "Clear-text logging of sensitive information".
+ */
+module CleartextLogging {
+  import CleartextLoggingCustomizations::CleartextLogging
+
+  /**
+   * A taint-tracking configuration for detecting "Clear-text logging of sensitive information".
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "CleartextLogging" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isSanitizer(DataFlow::Node node) {
+      super.isSanitizer(node)
+      or
+      node instanceof Sanitizer
+    }
+  }
+}
--- a/python/ql/src/semmle/python/security/dataflow/CleartextLoggingCustomizations.qll
+++ b/python/ql/src/semmle/python/security/dataflow/CleartextLoggingCustomizations.qll
@@ -0,0 +1,68 @@
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "Clear-text logging of sensitive information"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import semmle.python.dataflow.new.SensitiveDataSources
+private import semmle.python.dataflow.new.BarrierGuards
+
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "Clear-text logging of sensitive information"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+module CleartextLogging {
+  /**
+   * A data flow source for "Clear-text logging of sensitive information" vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node {
+    /** Gets the classification of the sensitive data. */
+    abstract string getClassification();
+  }
+
+  /**
+   * A data flow sink for "Clear-text logging of sensitive information" vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for "Clear-text logging of sensitive information" vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A source of sensitive data, considered as a flow source.
+   */
+  class SensitiveDataSourceAsSource extends Source, SensitiveDataSource {
+    override SensitiveDataClassification getClassification() {
+      result = SensitiveDataSource.super.getClassification()
+    }
+  }
+
+  /** A piece of data logged, considered as a flow sink. */
+  class LoggingAsSink extends Sink {
+    LoggingAsSink() { this = any(Logging write).getAnInput() }
+  }
+
+  /** A piece of data printed, considered as a flow sink. */
+  class PrintedDataAsSink extends Sink, DataFlow::CallCfgNode {
+    PrintedDataAsSink() {
+      this = API::builtin("print").getACall().getArg(_)
+      or
+      // special handling of writing to `sys.stdout` and `sys.stderr`, which is
+      // essentially the same as printing
+      this =
+        API::moduleImport("sys")
+            .getMember(["stdout", "stderr"])
+            .getMember("write")
+            .getACall()
+            .getArg(0)
+    }
+  }
+}
--- a/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/CleartextLogging.expected
+++ b/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/CleartextLogging.expected
@@ -1,7 +1,27 @@
 edges
-| test.py:19:16:19:29 | a password | test.py:20:48:20:55 | a password |
-| test.py:19:16:19:29 | a password | test.py:20:48:20:55 | a password |
+| test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:20:48:20:55 | ControlFlowNode for password |
+| test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:22:58:22:65 | ControlFlowNode for password |
+| test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:23:58:23:65 | ControlFlowNode for password |
+| test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:27:40:27:47 | ControlFlowNode for password |
+| test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:30:58:30:65 | ControlFlowNode for password |
+nodes
+| test.py:19:16:19:29 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() |
+| test.py:20:48:20:55 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
+| test.py:22:58:22:65 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
+| test.py:23:58:23:65 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
+| test.py:27:40:27:47 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
+| test.py:30:58:30:65 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
+| test.py:34:30:34:39 | ControlFlowNode for get_cert() | semmle.label | ControlFlowNode for get_cert() |
+| test.py:37:11:37:24 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() |
+| test.py:39:22:39:35 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() |
+| test.py:40:22:40:35 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() |
 #select
-| test.py:20:48:20:55 | password | test.py:19:16:19:29 | a password | test.py:20:48:20:55 | a password | Sensitive data returned by $@ is logged here. | test.py:19:16:19:29 | get_password() | a call returning a password |
-| test.py:34:30:34:39 | get_cert() | test.py:34:30:34:39 | a certificate or key | test.py:34:30:34:39 | a certificate or key | Sensitive data returned by $@ is logged here. | test.py:34:30:34:39 | get_cert() | a call returning a certificate or key |
-| test.py:37:11:37:24 | get_password() | test.py:37:11:37:24 | a password | test.py:37:11:37:24 | a password | Sensitive data returned by $@ is logged here. | test.py:37:11:37:24 | get_password() | a call returning a password |
+| test.py:20:48:20:55 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:20:48:20:55 | ControlFlowNode for password | $@ is logged here. | test.py:19:16:19:29 | ControlFlowNode for get_password() | Sensitive data (password) |
+| test.py:22:58:22:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:22:58:22:65 | ControlFlowNode for password | $@ is logged here. | test.py:19:16:19:29 | ControlFlowNode for get_password() | Sensitive data (password) |
+| test.py:23:58:23:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:23:58:23:65 | ControlFlowNode for password | $@ is logged here. | test.py:19:16:19:29 | ControlFlowNode for get_password() | Sensitive data (password) |
+| test.py:27:40:27:47 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:27:40:27:47 | ControlFlowNode for password | $@ is logged here. | test.py:19:16:19:29 | ControlFlowNode for get_password() | Sensitive data (password) |
+| test.py:30:58:30:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:30:58:30:65 | ControlFlowNode for password | $@ is logged here. | test.py:19:16:19:29 | ControlFlowNode for get_password() | Sensitive data (password) |
+| test.py:34:30:34:39 | ControlFlowNode for get_cert() | test.py:34:30:34:39 | ControlFlowNode for get_cert() | test.py:34:30:34:39 | ControlFlowNode for get_cert() | $@ is logged here. | test.py:34:30:34:39 | ControlFlowNode for get_cert() | Sensitive data (certificate) |
+| test.py:37:11:37:24 | ControlFlowNode for get_password() | test.py:37:11:37:24 | ControlFlowNode for get_password() | test.py:37:11:37:24 | ControlFlowNode for get_password() | $@ is logged here. | test.py:37:11:37:24 | ControlFlowNode for get_password() | Sensitive data (password) |
+| test.py:39:22:39:35 | ControlFlowNode for get_password() | test.py:39:22:39:35 | ControlFlowNode for get_password() | test.py:39:22:39:35 | ControlFlowNode for get_password() | $@ is logged here. | test.py:39:22:39:35 | ControlFlowNode for get_password() | Sensitive data (password) |
+| test.py:40:22:40:35 | ControlFlowNode for get_password() | test.py:40:22:40:35 | ControlFlowNode for get_password() | test.py:40:22:40:35 | ControlFlowNode for get_password() | $@ is logged here. | test.py:40:22:40:35 | ControlFlowNode for get_password() | Sensitive data (password) |
--- a/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/options
+++ b/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/options
@@ -1 +0,0 @@
-semmle-extractor-options: -p ../lib/ --max-import-depth=3
				`@@ -1 +0,0 @@`
				`semmle-extractor-options: -p ../lib/ --max-import-depth=3`