Python: Move experimental ClientSuppliedIpUsedInSecurityCheck to new dataflow API

Rasmus Wriedt Larsen
2023-08-25 17:23:51 +02:00
parent d948e103fa
commit ace1e23c21


@@ -16,21 +16,19 @@ import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking import semmle.python.dataflow.new.TaintTracking
import semmle.python.ApiGraphs import semmle.python.ApiGraphs
import ClientSuppliedIpUsedInSecurityCheckLib import ClientSuppliedIpUsedInSecurityCheckLib
import DataFlow::PathGraph import ClientSuppliedIpUsedInSecurityCheckFlow::PathGraph
/** /**
* A taint-tracking configuration tracing flow from obtaining a client ip from an HTTP header to a sensitive use. * A taint-tracking configuration tracing flow from obtaining a client ip from an HTTP header to a sensitive use.
*/ */
class ClientSuppliedIpUsedInSecurityCheckConfig extends TaintTracking::Configuration { private module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::ConfigSig {
ClientSuppliedIpUsedInSecurityCheckConfig() { this = "ClientSuppliedIpUsedInSecurityCheckConfig" } predicate isSource(DataFlow::Node source) {
override predicate isSource(DataFlow::Node source) {
source instanceof ClientSuppliedIpUsedInSecurityCheck source instanceof ClientSuppliedIpUsedInSecurityCheck
} }
override predicate isSink(DataFlow::Node sink) { sink instanceof PossibleSecurityCheck } predicate isSink(DataFlow::Node sink) { sink instanceof PossibleSecurityCheck }
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
exists(DataFlow::CallCfgNode ccn | exists(DataFlow::CallCfgNode ccn |
ccn = API::moduleImport("netaddr").getMember("IPAddress").getACall() and ccn = API::moduleImport("netaddr").getMember("IPAddress").getACall() and
ccn.getArg(0) = pred and ccn.getArg(0) = pred and
@@ -38,7 +36,7 @@ class ClientSuppliedIpUsedInSecurityCheckConfig extends TaintTracking::Configura
) )
} }
override predicate isSanitizer(DataFlow::Node node) { predicate isBarrier(DataFlow::Node node) {
// `client_supplied_ip.split(",")[n]` for `n` > 0 // `client_supplied_ip.split(",")[n]` for `n` > 0
exists(Subscript ss | exists(Subscript ss |
not ss.getIndex().(IntegerLiteral).getText() = "0" and not ss.getIndex().(IntegerLiteral).getText() = "0" and
@@ -49,9 +47,13 @@ class ClientSuppliedIpUsedInSecurityCheckConfig extends TaintTracking::Configura
} }
} }
/** Global taint-tracking for detecting "client ip used in security check" vulnerabilities. */
module ClientSuppliedIpUsedInSecurityCheckFlow = TaintTracking::Global<ClientSuppliedIpUsedInSecurityCheckConfig>;
from from
ClientSuppliedIpUsedInSecurityCheckConfig config, DataFlow::PathNode source, ClientSuppliedIpUsedInSecurityCheckFlow::PathNode source,
DataFlow::PathNode sink ClientSuppliedIpUsedInSecurityCheckFlow::PathNode sink
where config.hasFlowPath(source, sink) where ClientSuppliedIpUsedInSecurityCheckFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "IP address spoofing might include code from $@.", select sink.getNode(), source, sink, "IP address spoofing might include code from $@.",
source.getNode(), "this user input" source.getNode(), "this user input"
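Review bot: The migrated `isBarrier` is wider than its comment says: `not ss.getIndex().(IntegerLiteral).getText() = "0"` holds whenever the cast fails, so a non-literal index (`ips[idx]`, where `idx` may well be 0 at runtime) and negative indices are all treated as sanitizers, not just `n > 0`. The new-API rewrite carries this over unchanged; if the breadth is intended (e.g. `[-1]` is plausibly the proxy-appended entry), the comment should say so, e.g. `// any subscript other than the literal \`[0]\` — negative, non-literal and variable indices included — is treated as a barrier`; if it is not, restricting the barrier to a literal non-zero index would close the `ips[idx]` gap. Worth noting either way that this barrier is a heuristic: an entry at position `n > 0` is only trustworthy when at least `n` trusted proxies actually sit in front of the app. The body of `isBarrier` and the enclosing `ClientSuppliedIpUsedInSecurityCheckConfig` module continue outside the second hunk.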