hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 10:15:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Python taint-tracking: Remove old implementation.

Browse Source
This commit is contained in:
Mark Shannon
2019-08-02 14:35:23 +01:00
parent 133909d7fe
commit a7845ae0e1
21 changed files with 1105 additions and 1281 deletions
Download Patch File Download Diff File Expand all files Collapse all files

86
python/ql/src/semmle/python/dataflow/Implementation.qll
View File

@@ -13,7 +13,7 @@ newtype TTaintTrackingContext =
class TaintTrackingContext extends TTaintTrackingContext {
string toString() {
this = TNoParam() and result = "No context"
this = TNoParam() and result = ""
or
exists(TaintKind param, AttributePath path, int n |
this = TParamContext(param, path, n) and
@@ -38,6 +38,10 @@ class TaintTrackingContext extends TTaintTrackingContext {
)
}
predicate isTop() {
this = TNoParam()
}
}
@@ -142,7 +146,16 @@ class TaintTrackingNode extends TTaintTrackingNode {
/** Holds if this node should be presented to the user as part of a path */
predicate isVisible() {
exists(this.getNode().asCfgNode())
exists(this.getCfgNode())
}
ControlFlowNode getCfgNode() {
result = this.getNode().asCfgNode()
}
/** Get the AST node for this node. */
AstNode getAstNode() {
result = this.getCfgNode().getNode()
}
}
@@ -217,23 +230,6 @@ class TaintTrackingImplementation extends string {
sanitizer.sanitizingEdge(kind, node.asVariable().getDefinition())
or
sanitizer.sanitizingSingleEdge(kind, node.asVariable().getDefinition())
or
exists(PyEdgeRefinement test |
test = node.asVariable().getDefinition()
|
exists(ControlFlowNode c, ClassValue cls |
Filters::isinstance(test.getTest(), c, test.getInput().getSourceVariable().getAUse()) and
c.pointsTo(cls)
|
test.getSense() = true and not exists(kind.getClass())
or
test.getSense() = true and kind.getType().getASuperType() = cls
or
test.getSense() = false and not kind.getType().getASuperType() = cls
)
or
test.getSense() = test_evaluates(test.getTest(), test.getInput().getSourceVariable().getAUse(), kind)
)
)
}
@@ -246,6 +242,11 @@ class TaintTrackingImplementation extends string {
test = use and result = kind.booleanValue()
or
result = test_evaluates(not_operand(test), use, kind).booleanNot()
or
exists(ControlFlowNode const |
Filters::equality_test(test, use, result.booleanNot(), const) and
const.getNode() instanceof ImmutableLiteral
)
}
/** Gets the operand of a unary `not` expression. */
@@ -297,8 +298,6 @@ class TaintTrackingImplementation extends string {
or
this.yieldStep(src, node, context, path, kind)
or
this.subscriptStep(src, node, context, path, kind)
or
this.parameterStep(src, node, context, path, kind)
or
this.ifExpStep(src, node, context, path, kind)
@@ -458,15 +457,6 @@ class TaintTrackingImplementation extends string {
)
}
pragma [noinline]
predicate subscriptStep(TaintTrackingNode src, DataFlow::Node node, TaintTrackingContext context, AttributePath path, TaintKind kind) {
exists(DataFlow::Node srcnode, SequenceKind seqkind |
src = TTaintTrackingNode_(srcnode, context, path, seqkind, this) and
srcnode.asCfgNode() = node.asCfgNode().(SubscriptNode).getObject() and
kind = seqkind.getItem()
)
}
pragma [noinline]
predicate ifExpStep(TaintTrackingNode src, DataFlow::Node node, TaintTrackingContext context, AttributePath path, TaintKind kind) {
exists(DataFlow::Node srcnode |
@@ -512,6 +502,8 @@ class TaintTrackingImplementation extends string {
this.taintedUniEdge(src, defn, context, path, kind)
or
this.taintedPiNode(src, defn, context, path, kind)
or
this.taintedArgument(src, defn, context, path, kind)
}
pragma [noinline]
@@ -585,10 +577,44 @@ class TaintTrackingImplementation extends string {
src = TTaintTrackingNode_(srcnode, context, path, kind, this) and
srcnode.asVariable() = defn.getInput() and
not this.(TaintTracking::Configuration).isBarrierTest(defn.getTest(), defn.getSense())
|
exists(ControlFlowNode c, ClassValue cls |
Filters::isinstance(defn.getTest(), c, defn.getInput().getSourceVariable().getAUse()) and
c.pointsTo(cls)
|
defn.getSense() = true and kind.getType().getASuperType() = cls
or
defn.getSense() = false and not kind.getType().getASuperType() = cls
)
or
defn.getSense() = test_evaluates(defn.getTest(), defn.getInput().getSourceVariable().getAUse(), kind)
)
}
pragma [noinline]
predicate taintedArgument(TaintTrackingNode src, ArgumentRefinement defn, TaintTrackingContext context, AttributePath path, TaintKind kind) {
exists(DataFlow::Node srcnode |
src = TTaintTrackingNode_(srcnode, context, path, kind, this) and
defn.getInput() = srcnode.asVariable()
)
}
}
module Implementation {
/* A call that returns a copy (or similar) of the argument */
predicate copyCall(ControlFlowNode fromnode, CallNode tonode) {
tonode.getFunction().(AttrNode).getObject("copy") = fromnode
or
exists(ModuleObject copy, string name |
name = "copy" or name = "deepcopy" |
copy.attr(name).(FunctionObject).getACall() = tonode and
tonode.getArg(0) = fromnode
)
or
tonode.getFunction().pointsTo(ObjectInternal::builtin("reversed")) and
tonode.getArg(0) = fromnode
}
}

2
python/ql/src/semmle/python/security/TaintTest.qll
View File

@@ -4,4 +4,4 @@
import python
import TaintTracking::TaintFlowImplementation as TaintFlowTest
import semmle.python.dataflow.Implementation as TaintFlowTest

1070
python/ql/src/semmle/python/security/TaintTracking.qll
View File

File diff suppressed because it is too large Load Diff

4
python/ql/src/semmle/python/web/Http.qll
View File

@@ -1,5 +1,5 @@
import python
import semmle.python.security.TaintTracking
import semmle.python.dataflow.Implementation
import semmle.python.security.strings.External
import HttpConstants
@@ -16,7 +16,7 @@ class WsgiEnvironment extends TaintKind {
WsgiEnvironment() { this = "wsgi.environment" }
override TaintKind getTaintForFlowStep(ControlFlowNode fromnode, ControlFlowNode tonode) {
result = this and TaintFlowImplementation::copyCall(fromnode, tonode)
result = this and Implementation::copyCall(fromnode, tonode)
or
result = this and
tonode.(CallNode).getFunction().refersTo(theDictType()) and