Python: Add modelling for zstd.compression

See https://docs.python.org/3/library/compression.zstd.html for information about this library. As far as I can tell, the `zstd` library is not vulnerable to things like ZipSlip, but it _could_ be vulnerable to a decompression bomb attack, so I extended those models accordingly.
2025-12-16 16:53:25 +01:00 · 2025-12-09 22:50:51 +00:00
parent fe18e0e414
commit ad68a5e4e9
1 changed files with 40 additions and 0 deletions
--- a/python/ql/src/experimental/semmle/python/security/DecompressionBomb.qll
+++ b/python/ql/src/experimental/semmle/python/security/DecompressionBomb.qll
@@ -364,6 +364,46 @@ module Lzma {
  }
 }

+/** Provides sinks and additional taint steps related to the `zstd` library in Python 3.14+. */
+module Zstd {
+  private API::Node zstdInstance() {
+    result = API::moduleImport("compression").getMember("zstd").getMember(["ZstdFile", "open"])
+  }
+
+  /**
+   * The Decompression Sinks of `zstd` library
+   *
+   * `zstd.open(sink)`
+   * `zstd.ZstdFile(sink)`
+   *
+   * only read mode is sink
+   */
+  class DecompressionSink extends DecompressionBomb::Sink {
+    DecompressionSink() {
+      exists(API::CallNode zstdCall | zstdCall = zstdInstance().getACall() |
+        this = zstdCall.getParameter(0, "filename").asSink() and
+        (
+          not exists(
+            zstdCall
+                .getParameter(1, "mode")
+                .getAValueReachingSink()
+                .asExpr()
+                .(StringLiteral)
+                .getText()
+          ) or
+          zstdCall
+              .getParameter(1, "mode")
+              .getAValueReachingSink()
+              .asExpr()
+              .(StringLiteral)
+              .getText()
+              .matches("%r%")
+        )
+      )
+    }
+  }
+}
+
 /**
 * `io.TextIOWrapper(ip, encoding='utf-8')` like following:
 * ```python