Python: Remove flow out of CommandInjection sinks

Rasmus Wriedt Larsen
2020-09-30 13:29:21 +02:00
parent a2d12f0440
commit 9c1253c8af
2 changed files with 11 additions and 10 deletions


@@ -29,6 +29,17 @@ class CommandInjectionConfiguration extends TaintTracking::Configuration {
override predicate isSink(DataFlow::Node sink) {
sink = any(SystemCommandExecution e).getCommand()
}
// Since the implementation of os.popen looks like
// ```py
// def popen(cmd, mode="r", buffering=-1):
// ...
// proc = subprocess.Popen(cmd, ...)
// ```
// any time we would report flow to the `os.popen` sink, we can ALSO report the flow
// from the `cmd` parameter to the `subprocess.Popen` sink -- obviously we don't want
// that, so to prevent that we remove any taint edges out of a sink.
override predicate isSanitizerOut(DataFlow::Node node) { isSink(node) }
}
from CommandInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
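Review bot: The new comment explains the os.popen motivation but not the assumption the sanitizer depends on: `isSanitizerOut(node) { isSink(node) }` only cuts the argument-to-parameter step because every sink is the `getCommand()` argument expression, so if a later sink definition used a different node kind (an SSA variable, the call itself) this override would silently truncate genuine paths. I would state that invariant next to the override, e.g. `// NOTE: sinks are always the argument expression, so blocking flow out of them only stops the step into the callee's parameter; revisit if isSink ever matches other node kinds.` The sentence "obviously we don't want that" would read better as "this would report the same finding twice, once at `os.popen` and once inside the stdlib". The removed `os.py` rows in the expected output (edges and #select) are consistent with this being the only flow affected, which is worth saying in the commit message rather than leaving the reader to infer it. The CommandInjectionConfiguration class opens above this hunk.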


@@ -2,10 +2,6 @@ edges
| command_injection.py:10:13:10:24 | ControlFlowNode for Attribute | command_injection.py:12:15:12:27 | ControlFlowNode for BinaryExpr |
| command_injection.py:24:11:24:22 | ControlFlowNode for Attribute | command_injection.py:25:23:25:25 | ControlFlowNode for cmd |
| command_injection.py:30:13:30:24 | ControlFlowNode for Attribute | command_injection.py:32:14:32:26 | ControlFlowNode for BinaryExpr |
| command_injection.py:30:13:30:24 | ControlFlowNode for Attribute | command_injection.py:32:14:32:26 | ControlFlowNode for BinaryExpr |
| command_injection.py:32:14:32:26 | ControlFlowNode for BinaryExpr | file:///home/rasmus/.pyenv/versions/3.8.0/lib/python3.8/os.py:972:11:972:13 | SSA variable cmd |
| file:///home/rasmus/.pyenv/versions/3.8.0/lib/python3.8/os.py:972:11:972:13 | SSA variable cmd | file:///home/rasmus/.pyenv/versions/3.8.0/lib/python3.8/os.py:981:33:981:35 | ControlFlowNode for cmd |
| file:///home/rasmus/.pyenv/versions/3.8.0/lib/python3.8/os.py:972:11:972:13 | SSA variable cmd | file:///home/rasmus/.pyenv/versions/3.8.0/lib/python3.8/os.py:987:33:987:35 | ControlFlowNode for cmd |
nodes
| command_injection.py:10:13:10:24 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| command_injection.py:12:15:12:27 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
@@ -13,13 +9,7 @@ nodes
| command_injection.py:25:23:25:25 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
| command_injection.py:30:13:30:24 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| command_injection.py:32:14:32:26 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
| command_injection.py:32:14:32:26 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
| file:///home/rasmus/.pyenv/versions/3.8.0/lib/python3.8/os.py:972:11:972:13 | SSA variable cmd | semmle.label | SSA variable cmd |
| file:///home/rasmus/.pyenv/versions/3.8.0/lib/python3.8/os.py:981:33:981:35 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
| file:///home/rasmus/.pyenv/versions/3.8.0/lib/python3.8/os.py:987:33:987:35 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
#select
| command_injection.py:12:15:12:27 | ControlFlowNode for BinaryExpr | command_injection.py:10:13:10:24 | ControlFlowNode for Attribute | command_injection.py:12:15:12:27 | ControlFlowNode for BinaryExpr | This command depends on $@. | command_injection.py:10:13:10:24 | ControlFlowNode for Attribute | a user-provided value |
| command_injection.py:25:23:25:25 | ControlFlowNode for cmd | command_injection.py:24:11:24:22 | ControlFlowNode for Attribute | command_injection.py:25:23:25:25 | ControlFlowNode for cmd | This command depends on $@. | command_injection.py:24:11:24:22 | ControlFlowNode for Attribute | a user-provided value |
| command_injection.py:32:14:32:26 | ControlFlowNode for BinaryExpr | command_injection.py:30:13:30:24 | ControlFlowNode for Attribute | command_injection.py:32:14:32:26 | ControlFlowNode for BinaryExpr | This command depends on $@. | command_injection.py:30:13:30:24 | ControlFlowNode for Attribute | a user-provided value |
| file:///home/rasmus/.pyenv/versions/3.8.0/lib/python3.8/os.py:981:33:981:35 | ControlFlowNode for cmd | command_injection.py:30:13:30:24 | ControlFlowNode for Attribute | file:///home/rasmus/.pyenv/versions/3.8.0/lib/python3.8/os.py:981:33:981:35 | ControlFlowNode for cmd | This command depends on $@. | command_injection.py:30:13:30:24 | ControlFlowNode for Attribute | a user-provided value |
| file:///home/rasmus/.pyenv/versions/3.8.0/lib/python3.8/os.py:987:33:987:35 | ControlFlowNode for cmd | command_injection.py:30:13:30:24 | ControlFlowNode for Attribute | file:///home/rasmus/.pyenv/versions/3.8.0/lib/python3.8/os.py:987:33:987:35 | ControlFlowNode for cmd | This command depends on $@. | command_injection.py:30:13:30:24 | ControlFlowNode for Attribute | a user-provided value |