hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add taint test

Browse Source
This commit is contained in:
Joe Farebrother
2025-11-24 16:54:21 +00:00
parent a83c70f99d
commit b0be8184ac
5 changed files with 68 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
python/ql/lib/semmle/python/frameworks/Socketio.qll
View File

@@ -30,6 +30,15 @@ module SocketIO {
private class EventHandler extends Http::Server::RequestHandler::Range { private class EventHandler extends Http::Server::RequestHandler::Range {
EventHandler() { EventHandler() {
serverEventAnnotation().getAValueReachableFromSource().asExpr() = this.getADecorator() serverEventAnnotation().getAValueReachableFromSource().asExpr() = this.getADecorator()
or
exists(DataFlow::CallCfgNode c, DataFlow::Node arg | c = server().getMember("on").getACall() |
(
arg = c.getArg(1)
or
arg = c.getArgByName("handler")
) and
poorMansFunctionTracker(this) = arg
)
} }
override Parameter getARoutedParameter() { override Parameter getARoutedParameter() {
@@ -44,20 +53,13 @@ module SocketIO {
exists(DataFlow::CallCfgNode c | c = server().getMember(["emit", "send"]).getACall() | exists(DataFlow::CallCfgNode c | c = server().getMember(["emit", "send"]).getACall() |
this = c.getArgByName("callback") this = c.getArgByName("callback")
) )
or
exists(DataFlow::CallCfgNode c | c = server().getMember("on").getACall() |
this = c.getArg(1) or
this = c.getArgByName("handler")
)
} }
} }
private class CallbackHandler extends Http::Server::RequestHandler::Range { private class CallbackHandler extends Http::Server::RequestHandler::Range {
CallbackHandler() { any(CallbackArgument ca) = poorMansFunctionTracker(this) } CallbackHandler() { any(CallbackArgument ca) = poorMansFunctionTracker(this) }
override Parameter getARoutedParameter() { override Parameter getARoutedParameter() { result = this.getAnArg() }
result = this.getAnArg() and not result = this.getArg(0)
}
override string getFramework() { result = "socketio" } override string getFramework() { result = "socketio" }
} }

3
python/ql/test/library-tests/frameworks/socketio/InlineTaintTest.expected Normal file
View File

@@ -0,0 +1,3 @@
argumentToEnsureNotTaintedNotMarkedAsSpurious
untaintedArgumentToEnsureTaintedNotMarkedAsMissing
testFailures

2
python/ql/test/library-tests/frameworks/socketio/InlineTaintTest.ql Normal file
View File

@@ -0,0 +1,2 @@
import experimental.meta.InlineTaintTest
import MakeInlineTaintTest<TestTaintTrackingConfig>

48
python/ql/test/library-tests/frameworks/socketio/taint_test.py Normal file
View File

@@ -0,0 +1,48 @@
import sys
import socketio
import sys
def ensure_tainted(*args):
print("tainted", args)
def ensure_not_tainted(*args):
print("not tainted", args)
sio = socketio.Server()
@sio.event
def connect(sid, environ, auth): # $ requestHandler routedParameter=sid routedParameter=environ routedParameter=auth
ensure_not_tainted(sid)
ensure_tainted(environ, # $ tainted
auth) # $ tainted
@sio.event
def event1(sid, data): # $ requestHandler routedParameter=sid routedParameter=data
ensure_not_tainted(sid)
ensure_tainted(data) # $ tainted
res = sio.call("e1", sid=sid)
ensure_tainted(res) # $ tainted
sio.emit("e2", "hi", to=sid, callback=lambda x: ensure_tainted(x)) # $ tainted
sio.send("hi", to=sid, callback=lambda x: ensure_tainted(x)) # $ tainted
asio = socketio.AsyncServer(async_mode='asgi')
@asio.event
async def event2(sid, data): # $ requestHandler routedParameter=sid routedParameter=data
ensure_not_tainted(sid)
ensure_tainted(data) # $ tainted
res = await asio.call("e2", sid=sid)
ensure_tainted(res) # $ tainted
await asio.emit("e3", "hi", to=sid, callback=lambda x: ensure_tainted(x)) # $ tainted
await asio.send("hi", to=sid, callback=lambda x: ensure_tainted(x)) # $ tainted
if __name__ == "__main__":
if "--async" in sys.argv:
import uvicorn
app = socketio.ASGIApp(asio)
uvicorn.run(app, host='127.0.0.1', port=8000)
else:
import eventlet
app = socketio.WSGIApp(sio)
eventlet.wsgi.server(eventlet.listen(('', 8000)), app)

10
python/ql/test/library-tests/frameworks/socketio/test.py
View File

@@ -3,23 +3,23 @@ import socketio
sio = socketio.Server() sio = socketio.Server()
@sio.on("connect") @sio.on("connect")
def connect(sid, environ, auth): # $ requestHandler routedParameter=environ routedParameter=auth def connect(sid, environ, auth): # $ requestHandler routedParameter=sid routedParameter=environ routedParameter=auth
print("connect", sid, environ, auth) print("connect", sid, environ, auth)
@sio.on("event1") @sio.on("event1")
def handle(sid, data): # $ requestHandler routedParameter=data def handle(sid, data): # $ requestHandler routedParameter=sid routedParameter=data
print("e1", sid, data) print("e1", sid, data)
@sio.event @sio.event
def event2(sid, data): # $ requestHandler routedParameter=data def event2(sid, data): # $ requestHandler routedParameter=sid routedParameter=data
print("e2", sid, data) print("e2", sid, data)
def event3(sid, data): # $ requestHandler routedParameter=data def event3(sid, data): # $ requestHandler routedParameter=sid routedParameter=data
print("e3", sid, data) print("e3", sid, data)
sio.on("event3", handler=event3) sio.on("event3", handler=event3)
sio.on("event4", lambda sid,data: print("e4", sid, data)) # $ requestHandler routedParameter=data sio.on("event4", lambda sid,data: print("e4", sid, data)) # $ requestHandler routedParameter=sid routedParameter=data