Python: Move BarrierGuards to own file

This commit is contained in:
Rasmus Wriedt Larsen
2020-11-27 12:09:57 +01:00
parent f35ffa5632
commit cc9a7fe4fe
9 changed files with 62 additions and 54 deletions


@@ -0,0 +1,46 @@
/** Provides commonly used BarrierGuards. */
private import python
private import semmle.python.dataflow.new.DataFlow
/** A validation of unknown node by comparing with a constant string value. */
class StringConstCompare extends DataFlow::BarrierGuard, CompareNode {
ControlFlowNode checked_node;
boolean safe_branch;
StringConstCompare() {
exists(StrConst str_const, Cmpop op |
op = any(Eq eq) and safe_branch = true
or
op = any(NotEq ne) and safe_branch = false
|
this.operands(str_const.getAFlowNode(), op, checked_node)
or
this.operands(checked_node, op, str_const.getAFlowNode())
)
or
exists(ControlFlowNode str_const_iterable, Cmpop op |
op = any(In in_) and safe_branch = true
or
op = any(NotIn ni) and safe_branch = false
|
this.operands(checked_node, op, str_const_iterable) and
(
str_const_iterable instanceof SequenceNode
or
str_const_iterable instanceof SetNode
) and
forall(ControlFlowNode elem |
elem = str_const_iterable.(SequenceNode).getAnElement()
or
elem = str_const_iterable.(SetNode).getAnElement()
|
elem.getNode() instanceof StrConst
)
)
}
override predicate checks(ControlFlowNode node, boolean branch) {
node = checked_node and branch = safe_branch
}
}
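Review bot: The two fields of `StringConstCompare` (`ControlFlowNode checked_node;` and `boolean safe_branch;`) carry no QLDoc, and the class doc does not say which branch counts as validated, which is exactly what a reader of `checks` needs to know. I would add `/** The node whose value is compared with one or more string constants. */` above `checked_node` and `/** The branch of this comparison on which checked_node is known to equal one of the constants: true for == and in, false for != and not in. */` above `safe_branch`, matching the assignments in the two `exists` bodies. The class doc should also state that the `in`/`not in` form only matches when the right operand is a sequence or set literal whose elements are all string constants at the comparison site (the `instanceof SequenceNode`/`SetNode` test plus the `forall`), so a membership test against a constant tuple bound to a name elsewhere is not recognised as a barrier. Since the class is now exported at the top level of this module rather than nested under `DataFlow::BarrierGuard`, the file-level doc could mention that importing it brings `StringConstCompare` directly into the importing query's namespace.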


@@ -355,51 +355,6 @@ class BarrierGuard extends GuardNode {
}
}
/** Provides commonly used BarrierGuards */
module BarrierGuard {
/** A validation of unknown node by comparing with a constant string value. */
class StringConstCompare extends BarrierGuard, CompareNode {
ControlFlowNode checked_node;
boolean safe_branch;
StringConstCompare() {
exists(StrConst str_const, Cmpop op |
op = any(Eq eq) and safe_branch = true
or
op = any(NotEq ne) and safe_branch = false
|
this.operands(str_const.getAFlowNode(), op, checked_node)
or
this.operands(checked_node, op, str_const.getAFlowNode())
)
or
exists(ControlFlowNode str_const_iterable, Cmpop op |
op = any(In in_) and safe_branch = true
or
op = any(NotIn ni) and safe_branch = false
|
this.operands(checked_node, op, str_const_iterable) and
(
str_const_iterable instanceof SequenceNode
or
str_const_iterable instanceof SetNode
) and
forall(ControlFlowNode elem |
elem = str_const_iterable.(SequenceNode).getAnElement()
or
elem = str_const_iterable.(SetNode).getAnElement()
|
elem.getNode() instanceof StrConst
)
)
}
override predicate checks(ControlFlowNode node, boolean branch) {
node = checked_node and branch = safe_branch
}
}
}
/**
* Algebraic datatype for tracking data content associated with values.
* Content can be collection elements or object attributes.


@@ -8,6 +8,7 @@ import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking
import semmle.python.Concepts
import semmle.python.dataflow.new.RemoteFlowSources
import semmle.python.dataflow.new.BarrierGuards
/**
* A taint-tracking configuration for detecting code injection vulnerabilities.
@@ -20,6 +21,6 @@ class CodeInjectionConfiguration extends TaintTracking::Configuration {
override predicate isSink(DataFlow::Node sink) { sink = any(CodeExecution e).getCode() }
override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
guard instanceof DataFlow::BarrierGuard::StringConstCompare
guard instanceof StringConstCompare
}
}


@@ -8,6 +8,7 @@ import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking
import semmle.python.Concepts
import semmle.python.dataflow.new.RemoteFlowSources
import semmle.python.dataflow.new.BarrierGuards
/**
* A taint-tracking configuration for detecting command injection vulnerabilities.
@@ -50,6 +51,6 @@ class CommandInjectionConfiguration extends TaintTracking::Configuration {
}
override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
guard instanceof DataFlow::BarrierGuard::StringConstCompare
guard instanceof StringConstCompare
}
}


@@ -31,6 +31,7 @@ import semmle.python.dataflow.new.TaintTracking2
import semmle.python.Concepts
import semmle.python.dataflow.new.RemoteFlowSources
import ChainedConfigs12
import semmle.python.dataflow.new.BarrierGuards
// ---------------------------------------------------------------------------
// Case 1. The path is never normalized.
@@ -48,7 +49,7 @@ class PathNotNormalizedConfiguration extends TaintTracking::Configuration {
override predicate isSanitizer(DataFlow::Node node) { node instanceof Path::PathNormalization }
override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
guard instanceof DataFlow::BarrierGuard::StringConstCompare
guard instanceof StringConstCompare
}
}
@@ -74,7 +75,7 @@ class FirstNormalizationConfiguration extends TaintTracking::Configuration {
override predicate isSanitizerOut(DataFlow::Node node) { node instanceof Path::PathNormalization }
override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
guard instanceof DataFlow::BarrierGuard::StringConstCompare
guard instanceof StringConstCompare
}
}
@@ -91,7 +92,7 @@ class NormalizedPathNotCheckedConfiguration extends TaintTracking2::Configuratio
override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
guard instanceof Path::SafeAccessCheck
or
guard instanceof DataFlow::BarrierGuard::StringConstCompare
guard instanceof StringConstCompare
}
}


@@ -8,6 +8,7 @@ import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking
import semmle.python.Concepts
import semmle.python.dataflow.new.RemoteFlowSources
import semmle.python.dataflow.new.BarrierGuards
/**
* A taint-tracking configuration for detecting reflected server-side cross-site
@@ -26,6 +27,6 @@ class ReflectedXssConfiguration extends TaintTracking::Configuration {
}
override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
guard instanceof DataFlow::BarrierGuard::StringConstCompare
guard instanceof StringConstCompare
}
}


@@ -8,6 +8,7 @@ import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking
import semmle.python.Concepts
import semmle.python.dataflow.new.RemoteFlowSources
import semmle.python.dataflow.new.BarrierGuards
/**
* A taint-tracking configuration for detecting SQL injection vulnerabilities.
@@ -20,6 +21,6 @@ class SQLInjectionConfiguration extends TaintTracking::Configuration {
override predicate isSink(DataFlow::Node sink) { sink = any(SqlExecution e).getSql() }
override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
guard instanceof DataFlow::BarrierGuard::StringConstCompare
guard instanceof StringConstCompare
}
}


@@ -8,6 +8,7 @@ import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking
import semmle.python.Concepts
import semmle.python.dataflow.new.RemoteFlowSources
import semmle.python.dataflow.new.BarrierGuards
/**
* A taint-tracking configuration for detecting arbitrary code execution
@@ -26,6 +27,6 @@ class UnsafeDeserializationConfiguration extends TaintTracking::Configuration {
}
override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
guard instanceof DataFlow::BarrierGuard::StringConstCompare
guard instanceof StringConstCompare
}
}