Python: Weak file permissions query.

python/ql/test/query-tests/Security/CWE-732/WeakFilePermissions.expected

@@ -0,0 +1,6 @@
+| test.py:7:1:7:19 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to world writable. |
+| test.py:8:1:8:20 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to world writable. |
+| test.py:9:1:9:21 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to world writable. |
+| test.py:11:1:11:21 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to group readable. |
+| test.py:13:1:13:28 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to group writable. |
+| test.py:14:1:14:19 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to group writable. |

python/ql/test/query-tests/Security/CWE-732/WeakFilePermissions.qlref

@@ -0,0 +1 @@
+Security/CWE-732/WeakFilePermissions.ql

python/ql/test/query-tests/Security/CWE-732/options

@@ -0,0 +1,2 @@
+semmle-extractor-options: --max-import-depth=2 -p ../lib
+optimize: true

python/ql/test/query-tests/Security/CWE-732/test.py

@@ -0,0 +1,14 @@
+import os
+import stat
+
+file = 'semmle/important_secrets'
+
+
+os.chmod(file, 0o7) # BAD
+os.chmod(file, 0o77) # BAD
+os.chmod(file, 0o777) # BAD
+os.chmod(file, 0o600) # GOOD
+os.chmod(file, 0o550) # BAD
+os.chmod(file, stat.S_IRWXU) # GOOD
+os.chmod(file, stat.S_IWGRP) # BAD
+os.chmod(file, 400) # BAD -- Decimal format.

python/ql/test/query-tests/Security/lib/os/__init__.py

@@ -3,3 +3,6 @@ def system(cmd, *args, **kwargs):
 
 def popen(cmd, *args, **kwargs):
     return None
+
+def chmod(path, mode):
+    pass