Move Sanitizer to ReEscapeCall

This commit is contained in:
jorgectf
2021-03-24 21:11:45 +01:00
parent b5ea41fcca
commit ce23db2e9c
2 changed files with 17 additions and 6 deletions


@@ -32,7 +32,7 @@ private module Stdlib {
* WARNING: Only holds for a few predefined attributes.
*/
private DataFlow::Node re_attr(DataFlow::TypeTracker t, string attr_name) {
attr_name in ["match", "fullmatch", "search", "split", "findall", "finditer", "sub", "subn", "compile"] and
attr_name in ["match", "fullmatch", "search", "split", "findall", "finditer", "sub", "subn", "compile", "escape"] and
(
t.start() and
result = DataFlow::importNode("re" + "." + attr_name)
@@ -181,6 +181,19 @@ private module Stdlib {
override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
}
/**
* A call to `re.escape`
* See https://docs.python.org/3/library/re.html#re.escape
*/
private class ReEscapeCall extends RegexExecution::Range, DataFlow::CfgNode {
override CallNode node;
ReEscapeCall() { node.getFunction() = re_attr("escape").asCfgNode() }
override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
}
/**
* A call to `re.compile`
* See https://docs.python.org/3/library/re.html#re.match
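Review bot: Modeling `re.escape` as a `RegexExecution::Range` turns its first argument into a regex-injection sink, because `ReEscapeCall.getRegexNode()` returns `node.getArg(0)` and the query's `isSink` selects `any(RegexExecution re).getRegexNode()`; a tainted `re.escape(user_input)` would then be reported as an execution even though `re.escape` only quotes metacharacters and evaluates nothing. A class that represents the escaping step should not extend `RegexExecution::Range`; I would declare it as `private class ReEscapeCall extends DataFlow::CfgNode {` and drop the `getRegexNode()`/`getRegexMethod()` overrides (or introduce a dedicated concept for it), so that only the call result is usable as a sanitizer. The docstring could also state that contract, e.g. `Note: this models a sanitizer for regex injection, not a regex execution.` The enclosing `Stdlib` module continues outside the hunk.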


@@ -5,6 +5,7 @@
import python
import experimental.semmle.python.Concepts
import experimental.semmle.python.frameworks.Stdlib
import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking
import semmle.python.dataflow.new.RemoteFlowSources
@@ -18,10 +19,7 @@ class RegexInjectionFlowConfig extends TaintTracking::Configuration {
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { sink = any(RegexExecution re).getRegexNode() }
override predicate isSink(DataFlow::Node sink) { sink = any(RegexExecution re).getRegexNode() }
override predicate isSanitizer(DataFlow::Node sanitizer) {
sanitizer =
API::moduleImport("re").getMember("escape").getACall().(DataFlow::CallCfgNode).getArg(0)
}
override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof ReEscapeCall }
}
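Review bot: `ReEscapeCall` is declared `private` inside `private module Stdlib` in the first file, so as far as the visible lines show it is not reachable from this query even with the new `import experimental.semmle.python.frameworks.Stdlib`; unless it is re-exported somewhere outside this diff, `sanitizer instanceof ReEscapeCall` will not resolve. The cleaner shape is an abstract concept in `experimental.semmle.python.Concepts` (already imported on the line above the new import) that the framework model implements and the configuration references, keeping the query independent of framework-internal class names. Separately, the sanitizer node moved from the call's first argument (removed lines) to the call node itself; that only cuts flow if taint is considered to propagate from the argument to the result of `re.escape`, so a one-line comment stating which node is intended, e.g. `// the value returned by re.escape is considered safe for use in a pattern`, would make the intent checkable.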