Added Sanitizer Guard

This commit is contained in:
haby0
2022-03-29 14:29:33 +08:00
parent e11c74c580
commit bf8c7a2ea7
3 changed files with 21 additions and 7 deletions


@@ -5,7 +5,7 @@
<overview>
<p>CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files.</p>
<p>When a CSV format file is opened with a spreadsheet program such as Microsoft Excel or LibreOffice Calc.
this software interprets entries beginning with <code>=</code> as formulas. may attempt information exfiltration
this software interprets entries beginning with <code>=</code> as formulas, which may attempt information exfiltration
or other malicious activity when automatically executed by the spreadsheet software.</p>
</overview>
<recommendation>
@@ -18,7 +18,7 @@ Risky characters include <code>=</code>(equal), <code>+</code>(plus), <code>-</c
<p>The following examples show the bad case and the good case respectively.
In <code>bad1</code> method, the data provided by the user is directly stored in the CSV file, which may be attacked.
But in the <code>good1</code> method,, the program will check the data provided by the user, and process the data starting with <code>=</code>(equal), <code>+</code>(plus), <code>-</code>(minus), and <code>@</code>(at) characters safely.</p>
But in the <code>good1</code> method, the program will check the data provided by the user, and process the data starting with <code>=</code>(equal), <code>+</code>(plus), <code>-</code>(minus), and <code>@</code>(at) characters safely.</p>
<sample src="CsvInjection.py" />


@@ -294,6 +294,9 @@ class CsvWriter extends DataFlow::Node {
CsvWriter() { this = range }
/**
* Get the parameter value of the csv writer function.
*/
DataFlow::Node getAnInput() { result = range.getAnInput() }
}
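Review bot: The QLDoc on `getAnInput` ("Get the parameter value of the csv writer function.") does not describe what the predicate returns — it yields a `DataFlow::Node` taken from `range.getAnInput()`, not a parameter value, and CodeQL QLDoc is conventionally written in the third person ("Gets …"). Something like `/** Gets an input of this csv writer, that is, a data-flow node holding a value that is written to the CSV file. */` would tell a query author what the sink actually is; I am inferring the "written to the CSV file" part from the class name, since `range` is declared outside this hunk. The `CsvWriter` class itself starts before the hunk, so I cannot tell whether it has a class-level QLDoc; if not, the same wording gap applies there.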


@@ -2,6 +2,7 @@ import python
import experimental.semmle.python.Concepts
import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking
import semmle.python.dataflow.new.BarrierGuards
import semmle.python.dataflow.new.RemoteFlowSources
/**
@@ -10,11 +11,21 @@ import semmle.python.dataflow.new.RemoteFlowSources
class CsvInjectionFlowConfig extends TaintTracking::Configuration {
CsvInjectionFlowConfig() { this = "CsvInjectionFlowConfig" }
override predicate isSource(DataFlow::Node source) {
source instanceof RemoteFlowSource
}
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) {
exists(CsvWriter csvwriter | sink = csvwriter.getAnInput())
override predicate isSink(DataFlow::Node sink) { sink = any(CsvWriter cw).getAnInput() }
override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
guard instanceof StartsWithCheck or
guard instanceof StringConstCompare
}
}
class StartsWithCheck extends DataFlow::BarrierGuard {
StartsWithCheck() { this.(CallNode).getNode().getFunc().(Attribute).getName() = "startswith" }
override predicate checks(ControlFlowNode node, boolean branch) {
node = this.(CallNode).getNode().getFunc().(Attribute).getObject().getAFlowNode() and
branch = true
}
}
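Review bot: `StartsWithCheck` accepts any `startswith` call, whatever prefix it tests, and marks the receiver as sanitized on the `true` branch, so an unrelated check (for example, `value.startswith("http")`) would silence a genuine CSV-injection result on that branch. Even for a formula-character prefix, the `true` branch is only safe if the branch body escapes or rejects the value, which the guard cannot observe; the `false` branch is the one that is sound on its own, so whichever direction is intended should be stated in a QLDoc, which the new class currently lacks (CodeQL convention requires one on every class). I would at least restrict the prefix argument to a string constant, or tuple of constants, beginning with one of `=`, `+`, `-`, `@`, and document that the `true` branch is trusted on the assumption that the guarded code escapes the value, presumably to match the `good1` pattern in the qhelp. The same sanitizer list (`isSanitizerGuard`, L57–L60) would then stay as is.
```ql
/**
 * A `startswith` check whose prefix is one of the characters that make a CSV
 * cell a formula (`=`, `+`, `-`, `@`). The `true` branch is treated as sanitized
 * on the assumption that the guarded code escapes or rejects the value; the
 * `false` branch is not a barrier here even though the value provably lacks
 * the prefix.
 */
class StartsWithCheck extends DataFlow::BarrierGuard {
  StartsWithCheck() {
    this.(CallNode).getNode().getFunc().(Attribute).getName() = "startswith" and
    exists(StrConst prefix |
      prefix = this.(CallNode).getNode().getArg(0) or
      prefix = this.(CallNode).getNode().getArg(0).(Tuple).getAnElt()
    |
      prefix.getText().charAt(0) = ["=", "+", "-", "@"]
    )
  }
  // … unchanged: checks(ControlFlowNode node, boolean branch) …
}
```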