hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-01 03:35:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Python: Recognize keyword arguments for os.*spawn* calls

Browse Source
This commit is contained in:
Rasmus Wriedt Larsen
2021-11-29 11:49:42 +01:00
parent 14590436f9
commit d2d5cce787
2 changed files with 14 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
python/ql/lib/semmle/python/frameworks/Stdlib.qll
View File

@@ -492,7 +492,13 @@ private module StdlibPrivate {
)
}
override DataFlow::Node getCommand() { result = this.getArg(1) }
override DataFlow::Node getCommand() {
result = this.getArg(1)
or
// `file` keyword argument only valid for the `v` variants, but this
// over-approximation is not hurting anyone, and is easy to implement.
result = this.getArgByName("file")
}
}
/**
@@ -502,7 +508,7 @@ private module StdlibPrivate {
private class OsPosixSpawnCall extends SystemCommandExecution::Range, DataFlow::CallCfgNode {
OsPosixSpawnCall() { this = os().getMember(["posix_spawn", "posix_spawnp"]).getACall() }
override DataFlow::Node getCommand() { result = this.getArg(0) }
override DataFlow::Node getCommand() { result in [this.getArg(0), this.getArgByName("path")] }
}
/** An additional taint step for calls to `os.path.join` */

12
python/ql/test/library-tests/frameworks/stdlib/SystemCommandExecution.py
View File

@@ -69,17 +69,17 @@ os.spawnvpe(os.P_WAIT, "file", ["<progname>", "arg0"], env) # $ getCommand="fil
# unlike os.exec*, some os.spawn* functions is usable with keyword arguments. However,
# despite the docs using both `file` and `path` as the parameter name, you actually need
# to use `file` in all cases.
os.spawnv(mode=os.P_WAIT, file="path", args=["<progname>", "arg0"]) # $ MISSING: getCommand="path" getAPathArgument="path"
os.spawnve(mode=os.P_WAIT, file="path", args=["<progname>", "arg0"], env=env) # $ MISSING: getCommand="path" getAPathArgument="path"
os.spawnvp(mode=os.P_WAIT, file="file", args=["<progname>", "arg0"]) # $ MISSING: getCommand="file" getAPathArgument="file"
os.spawnvpe(mode=os.P_WAIT, file="file", args=["<progname>", "arg0"], env=env) # $ MISSING: getCommand="file" getAPathArgument="file"
os.spawnv(mode=os.P_WAIT, file="path", args=["<progname>", "arg0"]) # $ getCommand="path" MISSING: getAPathArgument="path"
os.spawnve(mode=os.P_WAIT, file="path", args=["<progname>", "arg0"], env=env) # $ getCommand="path" MISSING: getAPathArgument="path"
os.spawnvp(mode=os.P_WAIT, file="file", args=["<progname>", "arg0"]) # $ getCommand="file" MISSING: getAPathArgument="file"
os.spawnvpe(mode=os.P_WAIT, file="file", args=["<progname>", "arg0"], env=env) # $ getCommand="file" MISSING: getAPathArgument="file"
# `posix_spawn` Added in Python 3.8
os.posix_spawn("path", ["<progname>", "arg0"], env) # $ getCommand="path" MISSING: getAPathArgument="path"
os.posix_spawn(path="path", argv=["<progname>", "arg0"], env=env) # $ MISSING: getCommand="path" getAPathArgument="path"
os.posix_spawn(path="path", argv=["<progname>", "arg0"], env=env) # $ getCommand="path" MISSING: getAPathArgument="path"
os.posix_spawnp("path", ["<progname>", "arg0"], env) # $ getCommand="path" MISSING: getAPathArgument="path"
os.posix_spawnp(path="path", argv=["<progname>", "arg0"], env=env) # $ MISSING: getCommand="path" getAPathArgument="path"
os.posix_spawnp(path="path", argv=["<progname>", "arg0"], env=env) # $ getCommand="path" MISSING: getAPathArgument="path"
########################################