hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-30 15:46:34 +01:00
Code Issues Packages Projects Releases Wiki Activity

Python: Port py/request-without-cert-validation to use API graphs

Browse Source
This commit is contained in:
Rasmus Wriedt Larsen
2021-11-09 16:36:52 +01:00
parent 59581690fd
commit 985cd1ebdb
3 changed files with 35 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
python/ql/src/Security/CWE-295/RequestWithoutValidation.ql
View File

@@ -11,17 +11,37 @@
*/
import python
import semmle.python.web.Http
private import semmle.python.dataflow.new.DataFlow
private import semmle.python.Concepts
private import semmle.python.ApiGraphs
FunctionValue requestFunction() { result = Module::named("requests").attr(httpVerbLower()) }
/**
* Gets a call to a method that makes an outgoing request using the `requests` module,
* such as `requests.get` or `requests.put`, with the specified HTTP verb `verb`
*/
DataFlow::CallCfgNode outgoingRequestCall(string verb) {
verb = HTTP::httpVerbLower() and
result = API::moduleImport("requests").getMember(verb).getACall()
}
/** requests treats None as the default and all other "falsey" values as False */
predicate falseNotNone(Value v) { v.getDefiniteBooleanValue() = false and not v = Value::none_() }
/** Gets a reference to a falsey value (excluding None), with origin `origin`. */
private DataFlow::TypeTrackingNode falseyNotNone(DataFlow::TypeTracker t, DataFlow::Node origin) {
t.start() and
result.asExpr().(ImmutableLiteral).booleanValue() = false and
not result.asExpr() instanceof None and
origin = result
or
exists(DataFlow::TypeTracker t2 | result = falseyNotNone(t2, origin).track(t2, t))
}
from CallNode call, FunctionValue func, Value falsey, ControlFlowNode origin
/** Gets a reference to a falsey value (excluding None), with origin `origin`. */
DataFlow::Node falseyNotNone(DataFlow::Node origin) {
falseyNotNone(DataFlow::TypeTracker::end(), origin).flowsTo(result)
}
from DataFlow::CallCfgNode call, DataFlow::Node falseyOrigin, string verb
where
func = requestFunction() and
func.getACall() = call and
falseNotNone(falsey) and
call.getArgByName("verify").pointsTo(falsey, origin)
select call, "Call to $@ with verify=$@", func, "requests." + func.getName(), origin, "False"
call = outgoingRequestCall(verb) and
// requests treats `None` as the default and all other "falsey" values as `False`.
call.getArgByName("verify") = falseyNotNone(falseyOrigin)
select call, "Call to requests." + verb + " with verify=$@", falseyOrigin, "False"