Python: Remove flow out of CommandInjection sinks

2025-12-20 10:46:30 +01:00 · 2020-09-30 13:29:21 +02:00
parent a2d12f0440
commit 9c1253c8af
2 changed files with 11 additions and 10 deletions
--- a/python/ql/src/experimental/Security-new-dataflow/CWE-078/CommandInjection.ql
+++ b/python/ql/src/experimental/Security-new-dataflow/CWE-078/CommandInjection.ql
@@ -29,6 +29,17 @@ class CommandInjectionConfiguration extends TaintTracking::Configuration {
  override predicate isSink(DataFlow::Node sink) {
    sink = any(SystemCommandExecution e).getCommand()
  }
+
+  // Since the implementation of os.popen looks like
+  // ```py
+  // def popen(cmd, mode="r", buffering=-1):
+  //     ...
+  //     proc = subprocess.Popen(cmd, ...)
+  // ```
+  // any time we would report flow to the `os.popen` sink, we can ALSO report the flow
+  // from the `cmd` parameter to the `subprocess.Popen` sink -- obviously we don't want
+  // that, so to prevent that we remove any taint edges out of a sink.
+  override predicate isSanitizerOut(DataFlow::Node node) { isSink(node) }
 }

 from CommandInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink