Python: Model fabric/invoke command injection sinks

2026-05-05 05:35:13 +02:00 · 2020-03-23 17:06:34 +01:00
parent d475bb998e
commit a57eadaeb6
14 changed files with 257 additions and 0 deletions
--- a/python/ql/test/library-tests/security/command-execution/CommandSinks.expected
+++ b/python/ql/test/library-tests/security/command-execution/CommandSinks.expected
@@ -0,0 +1,14 @@
+| fabric_test.py:10:16:10:25 | InvokeContextRun | externally controlled string |
+| fabric_test.py:12:15:12:36 | InvokeContextRun | externally controlled string |
+| fabric_test.py:16:45:16:54 | FabricGroupRun | externally controlled string |
+| fabric_test.py:21:10:21:13 | FabricGroupRun | externally controlled string |
+| fabric_test.py:31:14:31:41 | InvokeContextRun | externally controlled string |
+| fabric_test.py:33:15:33:64 | InvokeContextRun | externally controlled string |
+| invoke_test.py:8:12:8:21 | InvokeRun | externally controlled string |
+| invoke_test.py:9:20:9:40 | InvokeRun | externally controlled string |
+| invoke_test.py:12:17:12:24 | InvokeRun | externally controlled string |
+| invoke_test.py:13:25:13:32 | InvokeRun | externally controlled string |
+| invoke_test.py:17:11:17:40 | InvokeContextRun | externally controlled string |
+| invoke_test.py:21:11:21:32 | InvokeContextRun | externally controlled string |
+| invoke_test.py:27:11:27:25 | InvokeContextRun | externally controlled string |
+| invoke_test.py:32:11:32:25 | InvokeContextRun | externally controlled string |
--- a/python/ql/test/library-tests/security/command-execution/CommandSinks.ql
+++ b/python/ql/test/library-tests/security/command-execution/CommandSinks.ql
@@ -0,0 +1,7 @@
+import python
+import semmle.python.security.injection.Command
+import semmle.python.security.strings.Untrusted
+
+from CommandSink sink, TaintKind kind
+where sink.sinks(kind)
+select sink, kind
--- a/python/ql/test/library-tests/security/command-execution/fabric-LICENSE
+++ b/python/ql/test/library-tests/security/command-execution/fabric-LICENSE
@@ -0,0 +1,22 @@
+Copyright (c) 2020 Jeff Forcier.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+      this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice,
+      this list of conditions and the following disclaimer in the documentation
+      and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/python/ql/test/library-tests/security/command-execution/fabric_test.py
+++ b/python/ql/test/library-tests/security/command-execution/fabric_test.py
@@ -0,0 +1,33 @@
+"""tests for the 'fabric' package (v2.x)
+
+Most of these examples are taken from the fabric documentation: http://docs.fabfile.org/en/2.5/getting-started.html
+See fabric-LICENSE for its' license.
+"""
+
+from fabric import Connection
+
+c = Connection('web1')
+result = c.run('uname -s')
+
+c.run(command='echo run with kwargs')
+
+
+from fabric import SerialGroup as Group
+results = Group('web1', 'web2', 'mac1').run('uname -s')
+
+
+from fabric import SerialGroup as Group
+pool = Group('web1', 'web2', 'web3')
+pool.run('ls')
+
+
+
+# using the 'fab' command-line tool
+
+from fabric import task
+
+@task
+def upload_and_unpack(c):
+    if c.run('test -f /opt/mydata/myfile', warn=True).failed:
+        c.put('myfiles.tgz', '/opt/mydata')
+        c.run('tar -C /opt/mydata -xzvf /opt/mydata/myfiles.tgz')
--- a/python/ql/test/library-tests/security/command-execution/invoke_test.py
+++ b/python/ql/test/library-tests/security/command-execution/invoke_test.py
@@ -0,0 +1,32 @@
+"""tests for the 'invoke' package
+
+see https://www.pyinvoke.org/
+"""
+
+import invoke
+
+invoke.run('echo run')
+invoke.run(command='echo run with kwarg')
+
+def with_sudo():
+    invoke.sudo('whoami')
+    invoke.sudo(command='whoami')
+
+def manual_context():
+    c = invoke.Context()
+    c.run('echo run from manual context')
+manual_context()
+
+def foo_helper(c):
+    c.run('echo from foo_helper')
+
+# for use with the 'invoke' command-line tool
+@invoke.task
+def foo(c):
+    # 'c' is a invoke.context.Context
+    c.run('echo task foo')
+    foo_helper(c)
+
+@invoke.task()
+def bar(c):
+    c.run('echo task bar')
--- a/python/ql/test/library-tests/security/command-execution/options
+++ b/python/ql/test/library-tests/security/command-execution/options
@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=2 -p ../../../query-tests/Security/lib/
				`@@ -0,0 +1 @@`
				`semmle-extractor-options: --max-import-depth=2 -p ../../../query-tests/Security/lib/`