Python: PathCheck -> Path::SafeAccessCheck

2025-12-20 10:46:30 +01:00 · 2020-10-23 15:01:43 +02:00
parent cf8462fa58
commit 9eda84debb
3 changed files with 36 additions and 37 deletions
--- a/python/ql/src/experimental/Security-new-dataflow/CWE-022/PathInjection.ql
+++ b/python/ql/src/experimental/Security-new-dataflow/CWE-022/PathInjection.ql
@@ -56,7 +56,7 @@ class PathNotNormalizedConfiguration extends TaintTracking::Configuration {
    sink = any(FileSystemAccess e).getAPathArgument()
  }

-  override predicate isSanitizer(DataFlow::Node node) { node instanceof PathNormalization }
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Path::PathNormalization }
 }

 predicate pathNotNormalized(CustomPathNode source, CustomPathNode sink) {
@@ -72,22 +72,24 @@ class FirstNormalizationConfiguration extends TaintTracking::Configuration {

  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

-  override predicate isSink(DataFlow::Node sink) { sink instanceof PathNormalization }
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Path::PathNormalization }

-  override predicate isSanitizerOut(DataFlow::Node node) { node instanceof PathNormalization }
+  override predicate isSanitizerOut(DataFlow::Node node) { node instanceof Path::PathNormalization }
 }

 /** Configuration to find paths from normalizations to sinks that do not go through a check. */
 class NormalizedPathNotCheckedConfiguration extends TaintTracking2::Configuration {
  NormalizedPathNotCheckedConfiguration() { this = "NormalizedPathNotCheckedConfiguration" }

-  override predicate isSource(DataFlow::Node source) { source instanceof PathNormalization }
+  override predicate isSource(DataFlow::Node source) { source instanceof Path::PathNormalization }

  override predicate isSink(DataFlow::Node sink) {
    sink = any(FileSystemAccess e).getAPathArgument()
  }

-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { guard instanceof PathCheck }
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof Path::SafeAccessCheck
+  }
 }

 predicate pathNotCheckedAfterNormalization(CustomPathNode source, CustomPathNode sink) {
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -71,44 +71,41 @@ module FileSystemAccess {
  }
 }

-/**
- * A data-flow node that performs path normlization. This is often needed in oder
- * to safely access paths.
- */
-class PathNormalization extends DataFlow::Node {
-  PathNormalization::Range range;
-
-  PathNormalization() { this = range }
-}
-
-/** Provides a class for modeling new path normalization APIs. */
-module PathNormalization {
+/** Provides classes for modeling path-related APIs. */
+module Path {
  /**
   * A data-flow node that performs path normlization. This is often needed in oder
   * to safely access paths.
   */
-  abstract class Range extends DataFlow::Node { }
-}
+  class PathNormalization extends DataFlow::Node {
+    PathNormalization::Range range;

-/**
- * A data-flow node that checks validates a path, for instance checking that it exists
- * or that it is safe to access.
- */
-class PathCheck extends DataFlow::BarrierGuard {
-  PathCheck::Range range;
+    PathNormalization() { this = range }
+  }

-  PathCheck() { this = range }
+  /** Provides a class for modeling new path normalization APIs. */
+  module PathNormalization {
+    /**
+     * A data-flow node that performs path normlization. This is often needed in oder
+     * to safely access paths.
+     */
+    abstract class Range extends DataFlow::Node { }
+  }

-  override predicate checks(ControlFlowNode node, boolean branch) { range.checks(node, branch) }
-}
+  /** A data-flow node that checks that a path is safe to access. */
+  class SafeAccessCheck extends DataFlow::BarrierGuard {
+    SafeAccessCheck::Range range;

-/** Provides a class for modeling new path normalization APIs. */
-module PathCheck {
-  /**
-   * A data-flow node that checks validates a path, for instance checking that it exists
-   * or that it is safe to access.
-   */
-  abstract class Range extends DataFlow::BarrierGuard { }
+    SafeAccessCheck() { this = range }
+
+    override predicate checks(ControlFlowNode node, boolean branch) { range.checks(node, branch) }
+  }
+
+  /** Provides a class for modeling new path safety checks. */
+  module SafeAccessCheck {
+    /** A data-flow node that checks that a path is safe to access. */
+    abstract class Range extends DataFlow::BarrierGuard { }
+  }
 }

 /**
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -135,7 +135,7 @@ private module Stdlib {
   * A call to `os.path.normpath`.
   * See https://docs.python.org/3/library/os.path.html#os.path.normpath
   */
-  private class NormpathCall extends PathNormalization::Range, DataFlow::CfgNode {
+  private class NormpathCall extends Path::PathNormalization::Range, DataFlow::CfgNode {
    override CallNode node;

    NormpathCall() { node.getFunction() = os::path::path_attr("normpath").asCfgNode() }
@@ -735,7 +735,7 @@ private class OpenCall extends FileSystemAccess::Range, DataFlow::CfgNode {
  }
 }

-private class StartswithCall extends PathCheck::Range {
+private class StartswithCall extends Path::SafeAccessCheck::Range {
  StartswithCall() { this.(CallNode).getFunction().(AttrNode).getName() = "startswith" }

  override predicate checks(ControlFlowNode node, boolean branch) {