Merge branch 'main' into promote-xxe

2026-04-29 02:35:15 +02:00 · 2022-04-20 13:42:02 +02:00
parent 517444b5ff 3d109a4051
commit bb6969a175
307 changed files with 6388 additions and 16068 deletions
--- a/python/ql/test/experimental/query-tests/Security/CWE-022/ZipSlip.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-022/ZipSlip.expected
@@ -0,0 +1,34 @@
+edges
+| zipslip_bad.py:8:10:8:31 | ControlFlowNode for Attribute() | zipslip_bad.py:10:13:10:17 | SSA variable entry |
+| zipslip_bad.py:10:13:10:17 | SSA variable entry | zipslip_bad.py:11:25:11:29 | ControlFlowNode for entry |
+| zipslip_bad.py:14:10:14:28 | ControlFlowNode for Attribute() | zipslip_bad.py:16:13:16:17 | SSA variable entry |
+| zipslip_bad.py:16:13:16:17 | SSA variable entry | zipslip_bad.py:17:26:17:30 | ControlFlowNode for entry |
+| zipslip_bad.py:20:10:20:27 | ControlFlowNode for Attribute() | zipslip_bad.py:22:13:22:17 | SSA variable entry |
+| zipslip_bad.py:22:13:22:17 | SSA variable entry | zipslip_bad.py:23:29:23:33 | ControlFlowNode for entry |
+| zipslip_bad.py:27:10:27:22 | ControlFlowNode for Attribute() | zipslip_bad.py:29:13:29:13 | SSA variable x |
+| zipslip_bad.py:29:13:29:13 | SSA variable x | zipslip_bad.py:30:25:30:25 | ControlFlowNode for x |
+| zipslip_bad.py:34:16:34:28 | ControlFlowNode for Attribute() | zipslip_bad.py:35:9:35:9 | SSA variable x |
+| zipslip_bad.py:35:9:35:9 | SSA variable x | zipslip_bad.py:37:32:37:32 | ControlFlowNode for x |
+nodes
+| zipslip_bad.py:8:10:8:31 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| zipslip_bad.py:10:13:10:17 | SSA variable entry | semmle.label | SSA variable entry |
+| zipslip_bad.py:11:25:11:29 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry |
+| zipslip_bad.py:14:10:14:28 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| zipslip_bad.py:16:13:16:17 | SSA variable entry | semmle.label | SSA variable entry |
+| zipslip_bad.py:17:26:17:30 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry |
+| zipslip_bad.py:20:10:20:27 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| zipslip_bad.py:22:13:22:17 | SSA variable entry | semmle.label | SSA variable entry |
+| zipslip_bad.py:23:29:23:33 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry |
+| zipslip_bad.py:27:10:27:22 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| zipslip_bad.py:29:13:29:13 | SSA variable x | semmle.label | SSA variable x |
+| zipslip_bad.py:30:25:30:25 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| zipslip_bad.py:34:16:34:28 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| zipslip_bad.py:35:9:35:9 | SSA variable x | semmle.label | SSA variable x |
+| zipslip_bad.py:37:32:37:32 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+subpaths
+#select
+| zipslip_bad.py:11:25:11:29 | ControlFlowNode for entry | zipslip_bad.py:8:10:8:31 | ControlFlowNode for Attribute() | zipslip_bad.py:11:25:11:29 | ControlFlowNode for entry | Extraction of zipfile from $@ | zipslip_bad.py:8:10:8:31 | ControlFlowNode for Attribute() | a potentially untrusted source |
+| zipslip_bad.py:17:26:17:30 | ControlFlowNode for entry | zipslip_bad.py:14:10:14:28 | ControlFlowNode for Attribute() | zipslip_bad.py:17:26:17:30 | ControlFlowNode for entry | Extraction of zipfile from $@ | zipslip_bad.py:14:10:14:28 | ControlFlowNode for Attribute() | a potentially untrusted source |
+| zipslip_bad.py:23:29:23:33 | ControlFlowNode for entry | zipslip_bad.py:20:10:20:27 | ControlFlowNode for Attribute() | zipslip_bad.py:23:29:23:33 | ControlFlowNode for entry | Extraction of zipfile from $@ | zipslip_bad.py:20:10:20:27 | ControlFlowNode for Attribute() | a potentially untrusted source |
+| zipslip_bad.py:30:25:30:25 | ControlFlowNode for x | zipslip_bad.py:27:10:27:22 | ControlFlowNode for Attribute() | zipslip_bad.py:30:25:30:25 | ControlFlowNode for x | Extraction of zipfile from $@ | zipslip_bad.py:27:10:27:22 | ControlFlowNode for Attribute() | a potentially untrusted source |
+| zipslip_bad.py:37:32:37:32 | ControlFlowNode for x | zipslip_bad.py:34:16:34:28 | ControlFlowNode for Attribute() | zipslip_bad.py:37:32:37:32 | ControlFlowNode for x | Extraction of zipfile from $@ | zipslip_bad.py:34:16:34:28 | ControlFlowNode for Attribute() | a potentially untrusted source |
--- a/python/ql/test/experimental/query-tests/Security/CWE-022/ZipSlip.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-022/ZipSlip.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-022/ZipSlip.ql
--- a/python/ql/test/experimental/query-tests/Security/CWE-022/zipslip_bad.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-022/zipslip_bad.py
@@ -0,0 +1,39 @@
+import tarfile
+import shutil
+import bz2
+import gzip
+import zipfile
+
+def unzip(filename):
+    with tarfile.open(filename) as zipf:
+    #BAD : This could write any file on the filesystem.
+        for entry in zipf:
+            shutil.move(entry, "/tmp/unpack/")
+
+def unzip1(filename):
+    with gzip.open(filename) as zipf:
+    #BAD : This could write any file on the filesystem.
+        for entry in zipf:
+            shutil.copy2(entry, "/tmp/unpack/")
+
+def unzip2(filename):
+    with bz2.open(filename) as zipf:
+    #BAD : This could write any file on the filesystem.
+        for entry in zipf:
+            shutil.copyfile(entry, "/tmp/unpack/")
+
+def unzip3(filename):
+    zf = zipfile.ZipFile(filename)
+    with zf.namelist() as filelist:
+    #BAD : This could write any file on the filesystem.
+        for x in filelist:
+            shutil.copy(x, "/tmp/unpack/")
+
+def unzip4(filename):
+    zf = zipfile.ZipFile(filename)
+    filelist = zf.namelist()
+    for x in filelist:
+        with zf.open(x) as srcf:
+            shutil.copyfileobj(x, "/tmp/unpack/")
+
+import tty # to set the import root so we can identify the standard library
--- a/python/ql/test/experimental/query-tests/Security/CWE-022/zipslip_good.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-022/zipslip_good.py
@@ -0,0 +1,14 @@
+import zipfile 
+import tarfile
+import shutil
+
+def unzip(filename, dir):
+    zf = zipfile.ZipFile(filename)
+    zf.extractall(dir)
+    
+
+def unzip1(filename, dir):
+    zf = zipfile.ZipFile(filename)
+    zf.extract(dir)
+  
+