diff --git a/python/ql/lib/semmle/python/security/dataflow/CleartextLoggingQuery.qll b/python/ql/lib/semmle/python/security/dataflow/CleartextLoggingQuery.qll index 6f276bf0f1e..7479c24fc53 100644 --- a/python/ql/lib/semmle/python/security/dataflow/CleartextLoggingQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/CleartextLoggingQuery.qll @@ -13,23 +13,21 @@ private import semmle.python.Concepts private import semmle.python.dataflow.new.RemoteFlowSources private import semmle.python.dataflow.new.BarrierGuards private import semmle.python.dataflow.new.SensitiveDataSources +import CleartextLoggingCustomizations::CleartextLogging +/** + * A taint-tracking configuration for detecting "Clear-text logging of sensitive information". + */ +class Configuration extends TaintTracking::Configuration { + Configuration() { this = "CleartextLogging" } - import CleartextLoggingCustomizations::CleartextLogging + override predicate isSource(DataFlow::Node source) { source instanceof Source } - /** - * A taint-tracking configuration for detecting "Clear-text logging of sensitive information". - */ - class Configuration extends TaintTracking::Configuration { - Configuration() { this = "CleartextLogging" } + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - override predicate isSource(DataFlow::Node source) { source instanceof Source } - - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - - override predicate isSanitizer(DataFlow::Node node) { - super.isSanitizer(node) - or - node instanceof Sanitizer - } + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) + or + node instanceof Sanitizer } +} diff --git a/python/ql/lib/semmle/python/security/dataflow/CleartextStorageQuery.qll b/python/ql/lib/semmle/python/security/dataflow/CleartextStorageQuery.qll index 290dcf43e15..e5320c76d34 100644 --- a/python/ql/lib/semmle/python/security/dataflow/CleartextStorageQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/CleartextStorageQuery.qll @@ -13,22 +13,21 @@ private import semmle.python.Concepts private import semmle.python.dataflow.new.RemoteFlowSources private import semmle.python.dataflow.new.BarrierGuards private import semmle.python.dataflow.new.SensitiveDataSources +import CleartextStorageCustomizations::CleartextStorage - import CleartextStorageCustomizations::CleartextStorage +/** + * A taint-tracking configuration for detecting "Clear-text storage of sensitive information". + */ +class Configuration extends TaintTracking::Configuration { + Configuration() { this = "CleartextStorage" } - /** - * A taint-tracking configuration for detecting "Clear-text storage of sensitive information". - */ - class Configuration extends TaintTracking::Configuration { - Configuration() { this = "CleartextStorage" } + override predicate isSource(DataFlow::Node source) { source instanceof Source } - override predicate isSource(DataFlow::Node source) { source instanceof Source } + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - - override predicate isSanitizer(DataFlow::Node node) { - super.isSanitizer(node) - or - node instanceof Sanitizer - } + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) + or + node instanceof Sanitizer } +} diff --git a/python/ql/lib/semmle/python/security/dataflow/CodeInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/CodeInjectionQuery.qll index f1da5235a10..e9cddfd9d52 100644 --- a/python/ql/lib/semmle/python/security/dataflow/CodeInjectionQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/CodeInjectionQuery.qll @@ -9,22 +9,21 @@ private import python import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.TaintTracking +import CodeInjectionCustomizations::CodeInjection - import CodeInjectionCustomizations::CodeInjection +/** + * A taint-tracking configuration for detecting "code injection" vulnerabilities. + */ +class Configuration extends TaintTracking::Configuration { + Configuration() { this = "CodeInjection" } - /** - * A taint-tracking configuration for detecting "code injection" vulnerabilities. - */ - class Configuration extends TaintTracking::Configuration { - Configuration() { this = "CodeInjection" } + override predicate isSource(DataFlow::Node source) { source instanceof Source } - override predicate isSource(DataFlow::Node source) { source instanceof Source } + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - - override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { - guard instanceof SanitizerGuard - } + override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { + guard instanceof SanitizerGuard } +} diff --git a/python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll index 9ef1845f1e0..1f76e418879 100644 --- a/python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll @@ -9,22 +9,21 @@ private import python import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.TaintTracking +import CommandInjectionCustomizations::CommandInjection - import CommandInjectionCustomizations::CommandInjection +/** + * A taint-tracking configuration for detecting "command injection" vulnerabilities. + */ +class Configuration extends TaintTracking::Configuration { + Configuration() { this = "CommandInjection" } - /** - * A taint-tracking configuration for detecting "command injection" vulnerabilities. - */ - class Configuration extends TaintTracking::Configuration { - Configuration() { this = "CommandInjection" } + override predicate isSource(DataFlow::Node source) { source instanceof Source } - override predicate isSource(DataFlow::Node source) { source instanceof Source } + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - - override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { - guard instanceof SanitizerGuard - } + override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { + guard instanceof SanitizerGuard } +} diff --git a/python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll index ebd0c668406..dbbf7a51bfb 100644 --- a/python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll @@ -11,41 +11,40 @@ import semmle.python.Concepts import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.TaintTracking import semmle.python.dataflow.new.RemoteFlowSources +import LdapInjectionCustomizations::LdapInjection - import LdapInjectionCustomizations::LdapInjection +/** + * A taint-tracking configuration for detecting LDAP injection vulnerabilities + * via the distinguished name (DN) parameter of an LDAP search. + */ +class DnConfiguration extends TaintTracking::Configuration { + DnConfiguration() { this = "LdapDnInjection" } - /** - * A taint-tracking configuration for detecting LDAP injection vulnerabilities - * via the distinguished name (DN) parameter of an LDAP search. - */ - class DnConfiguration extends TaintTracking::Configuration { - DnConfiguration() { this = "LdapDnInjection" } + override predicate isSource(DataFlow::Node source) { source instanceof Source } - override predicate isSource(DataFlow::Node source) { source instanceof Source } + override predicate isSink(DataFlow::Node sink) { sink instanceof DnSink } - override predicate isSink(DataFlow::Node sink) { sink instanceof DnSink } + override predicate isSanitizer(DataFlow::Node node) { node instanceof DnSanitizer } - override predicate isSanitizer(DataFlow::Node node) { node instanceof DnSanitizer } - - override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { - guard instanceof DnSanitizerGuard - } + override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { + guard instanceof DnSanitizerGuard } +} - /** - * A taint-tracking configuration for detecting LDAP injection vulnerabilities - * via the filter parameter of an LDAP search. - */ - class FilterConfiguration extends TaintTracking::Configuration { - FilterConfiguration() { this = "LdapFilterInjection" } +/** + * A taint-tracking configuration for detecting LDAP injection vulnerabilities + * via the filter parameter of an LDAP search. + */ +class FilterConfiguration extends TaintTracking::Configuration { + FilterConfiguration() { this = "LdapFilterInjection" } - override predicate isSource(DataFlow::Node source) { source instanceof Source } + override predicate isSource(DataFlow::Node source) { source instanceof Source } - override predicate isSink(DataFlow::Node sink) { sink instanceof FilterSink } + override predicate isSink(DataFlow::Node sink) { sink instanceof FilterSink } - override predicate isSanitizer(DataFlow::Node node) { node instanceof FilterSanitizer } + override predicate isSanitizer(DataFlow::Node node) { node instanceof FilterSanitizer } - override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { - guard instanceof FilterSanitizerGuard - } + override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { + guard instanceof FilterSanitizerGuard } +} diff --git a/python/ql/lib/semmle/python/security/dataflow/LogInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/LogInjectionQuery.qll index eed0cec174d..0b92fdd073d 100644 --- a/python/ql/lib/semmle/python/security/dataflow/LogInjectionQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/LogInjectionQuery.qll @@ -9,22 +9,21 @@ import python import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.TaintTracking +import LogInjectionCustomizations::LogInjection - import LogInjectionCustomizations::LogInjection +/** + * A taint-tracking configuration for tracking untrusted user input used in log entries. + */ +class Configuration extends TaintTracking::Configuration { + Configuration() { this = "LogInjection" } - /** - * A taint-tracking configuration for tracking untrusted user input used in log entries. - */ - class Configuration extends TaintTracking::Configuration { - Configuration() { this = "LogInjection" } + override predicate isSource(DataFlow::Node source) { source instanceof Source } - override predicate isSource(DataFlow::Node source) { source instanceof Source } + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - - override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { - guard instanceof SanitizerGuard - } + override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { + guard instanceof SanitizerGuard } +} diff --git a/python/ql/lib/semmle/python/security/dataflow/PathInjection.qll b/python/ql/lib/semmle/python/security/dataflow/PathInjection.qll index 09ed02a3afa..8860f53777a 100644 --- a/python/ql/lib/semmle/python/security/dataflow/PathInjection.qll +++ b/python/ql/lib/semmle/python/security/dataflow/PathInjection.qll @@ -18,7 +18,6 @@ module PathInjection { import PathInjectionQuery // ignore-query-import } - // --------------------------------------------------------------------------- // Old, deprecated code // --------------------------------------------------------------------------- diff --git a/python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll index d9f7349c183..0722eb59bba 100644 --- a/python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll @@ -10,68 +10,67 @@ private import python private import semmle.python.Concepts import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.TaintTracking +import PathInjectionCustomizations::PathInjection - import PathInjectionCustomizations::PathInjection +/** + * A taint-tracking configuration for detecting "path injection" vulnerabilities. + * + * This configuration uses two flow states, `NotNormalized` and `NormalizedUnchecked`, + * to track the requirement that a file path must be first normalized and then checked + * before it is safe to use. + * + * At sources, paths are assumed not normalized. At normalization points, they change + * state to `NormalizedUnchecked` after which they can be made safe by an appropriate + * check of the prefix. + * + * Such checks are ineffective in the `NotNormalized` state. + */ +class Configuration extends TaintTracking::Configuration { + Configuration() { this = "PathInjection" } - /** - * A taint-tracking configuration for detecting "path injection" vulnerabilities. - * - * This configuration uses two flow states, `NotNormalized` and `NormalizedUnchecked`, - * to track the requirement that a file path must be first normalized and then checked - * before it is safe to use. - * - * At sources, paths are assumed not normalized. At normalization points, they change - * state to `NormalizedUnchecked` after which they can be made safe by an appropriate - * check of the prefix. - * - * Such checks are ineffective in the `NotNormalized` state. - */ - class Configuration extends TaintTracking::Configuration { - Configuration() { this = "PathInjection" } + override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) { + source instanceof Source and state instanceof NotNormalized + } - override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) { - source instanceof Source and state instanceof NotNormalized - } - - override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) { - sink instanceof Sink and - ( - state instanceof NotNormalized or - state instanceof NormalizedUnchecked - ) - } - - override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - - override predicate isSanitizer(DataFlow::Node node, DataFlow::FlowState state) { - // Block `NotNormalized` paths here, since they change state to `NormalizedUnchecked` - node instanceof Path::PathNormalization and - state instanceof NotNormalized - or - node = any(Path::SafeAccessCheck c).getAGuardedNode() and + override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) { + sink instanceof Sink and + ( + state instanceof NotNormalized or state instanceof NormalizedUnchecked - } - - override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { - guard instanceof SanitizerGuard - } - - override predicate isAdditionalTaintStep( - DataFlow::Node nodeFrom, DataFlow::FlowState stateFrom, DataFlow::Node nodeTo, - DataFlow::FlowState stateTo - ) { - nodeFrom = nodeTo.(Path::PathNormalization).getPathArg() and - stateFrom instanceof NotNormalized and - stateTo instanceof NormalizedUnchecked - } + ) } - /** A state signifying that the file path has not been normalized. */ - class NotNormalized extends DataFlow::FlowState { - NotNormalized() { this = "NotNormalized" } + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } + + override predicate isSanitizer(DataFlow::Node node, DataFlow::FlowState state) { + // Block `NotNormalized` paths here, since they change state to `NormalizedUnchecked` + node instanceof Path::PathNormalization and + state instanceof NotNormalized + or + node = any(Path::SafeAccessCheck c).getAGuardedNode() and + state instanceof NormalizedUnchecked } - /** A state signifying that the file path has been normalized, but not checked. */ - class NormalizedUnchecked extends DataFlow::FlowState { - NormalizedUnchecked() { this = "NormalizedUnchecked" } + override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { + guard instanceof SanitizerGuard } + + override predicate isAdditionalTaintStep( + DataFlow::Node nodeFrom, DataFlow::FlowState stateFrom, DataFlow::Node nodeTo, + DataFlow::FlowState stateTo + ) { + nodeFrom = nodeTo.(Path::PathNormalization).getPathArg() and + stateFrom instanceof NotNormalized and + stateTo instanceof NormalizedUnchecked + } +} + +/** A state signifying that the file path has not been normalized. */ +class NotNormalized extends DataFlow::FlowState { + NotNormalized() { this = "NotNormalized" } +} + +/** A state signifying that the file path has been normalized, but not checked. */ +class NormalizedUnchecked extends DataFlow::FlowState { + NormalizedUnchecked() { this = "NormalizedUnchecked" } +} diff --git a/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll b/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll index f3d99173b1c..3c85d5cf44d 100644 --- a/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll @@ -9,22 +9,21 @@ private import python import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.TaintTracking +import PolynomialReDoSCustomizations::PolynomialReDoS - import PolynomialReDoSCustomizations::PolynomialReDoS +/** + * A taint-tracking configuration for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities. + */ +class Configuration extends TaintTracking::Configuration { + Configuration() { this = "PolynomialReDoS" } - /** - * A taint-tracking configuration for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities. - */ - class Configuration extends TaintTracking::Configuration { - Configuration() { this = "PolynomialReDoS" } + override predicate isSource(DataFlow::Node source) { source instanceof Source } - override predicate isSource(DataFlow::Node source) { source instanceof Source } + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - - override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { - guard instanceof SanitizerGuard - } + override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { + guard instanceof SanitizerGuard } +} diff --git a/python/ql/lib/semmle/python/security/dataflow/ReflectedXSSQuery.qll b/python/ql/lib/semmle/python/security/dataflow/ReflectedXSSQuery.qll index 6e473bfe907..aadbcc9e3ec 100644 --- a/python/ql/lib/semmle/python/security/dataflow/ReflectedXSSQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/ReflectedXSSQuery.qll @@ -9,22 +9,21 @@ private import python import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.TaintTracking +import ReflectedXSSCustomizations::ReflectedXss - import ReflectedXSSCustomizations::ReflectedXss +/** + * A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities. + */ +class Configuration extends TaintTracking::Configuration { + Configuration() { this = "ReflectedXSS" } - /** - * A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities. - */ - class Configuration extends TaintTracking::Configuration { - Configuration() { this = "ReflectedXSS" } + override predicate isSource(DataFlow::Node source) { source instanceof Source } - override predicate isSource(DataFlow::Node source) { source instanceof Source } + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - - override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { - guard instanceof SanitizerGuard - } + override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { + guard instanceof SanitizerGuard } +} diff --git a/python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll index dbed0ac9776..1165749e9ac 100644 --- a/python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll @@ -10,22 +10,21 @@ private import python import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.TaintTracking +import RegexInjectionCustomizations::RegexInjection - import RegexInjectionCustomizations::RegexInjection +/** + * A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities. + */ +class Configuration extends TaintTracking::Configuration { + Configuration() { this = "RegexInjection" } - /** - * A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities. - */ - class Configuration extends TaintTracking::Configuration { - Configuration() { this = "RegexInjection" } + override predicate isSource(DataFlow::Node source) { source instanceof Source } - override predicate isSource(DataFlow::Node source) { source instanceof Source } + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - - override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { - guard instanceof SanitizerGuard - } + override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { + guard instanceof SanitizerGuard } +} diff --git a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll index 5b62f64391f..a9e97271281 100644 --- a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll @@ -10,36 +10,35 @@ private import python import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.TaintTracking import semmle.python.Concepts - import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery - /** - * A taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities. - * - * This configuration has a sanitizer to limit results to cases where attacker has full control of URL. - * See `PartialServerSideRequestForgery` for a variant without this requirement. - * - * You should use the `fullyControlledRequest` to only select results where all - * URL parts are fully controlled. - */ - class FullServerSideRequestForgeryConfiguration extends TaintTracking::Configuration { - FullServerSideRequestForgeryConfiguration() { this = "FullServerSideRequestForgery" } +/** + * A taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities. + * + * This configuration has a sanitizer to limit results to cases where attacker has full control of URL. + * See `PartialServerSideRequestForgery` for a variant without this requirement. + * + * You should use the `fullyControlledRequest` to only select results where all + * URL parts are fully controlled. + */ +class FullServerSideRequestForgeryConfiguration extends TaintTracking::Configuration { + FullServerSideRequestForgeryConfiguration() { this = "FullServerSideRequestForgery" } - override predicate isSource(DataFlow::Node source) { source instanceof Source } + override predicate isSource(DataFlow::Node source) { source instanceof Source } - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - override predicate isSanitizer(DataFlow::Node node) { - node instanceof Sanitizer - or - node instanceof FullUrlControlSanitizer - } - - override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { - guard instanceof SanitizerGuard - } + override predicate isSanitizer(DataFlow::Node node) { + node instanceof Sanitizer + or + node instanceof FullUrlControlSanitizer } + override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { + guard instanceof SanitizerGuard + } +} + /** * Holds if all URL parts of `request` is fully user controlled. */ @@ -51,22 +50,22 @@ predicate fullyControlledRequest(HTTP::Client::Request request) { ) } - /** - * A taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities. - * - * This configuration has results, even when the attacker does not have full control over the URL. - * See `FullServerSideRequestForgeryConfiguration`, and the `fullyControlledRequest` predicate. - */ - class PartialServerSideRequestForgeryConfiguration extends TaintTracking::Configuration { - PartialServerSideRequestForgeryConfiguration() { this = "PartialServerSideRequestForgery" } +/** + * A taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities. + * + * This configuration has results, even when the attacker does not have full control over the URL. + * See `FullServerSideRequestForgeryConfiguration`, and the `fullyControlledRequest` predicate. + */ +class PartialServerSideRequestForgeryConfiguration extends TaintTracking::Configuration { + PartialServerSideRequestForgeryConfiguration() { this = "PartialServerSideRequestForgery" } - override predicate isSource(DataFlow::Node source) { source instanceof Source } + override predicate isSource(DataFlow::Node source) { source instanceof Source } - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { - guard instanceof SanitizerGuard - } + override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { + guard instanceof SanitizerGuard } +} diff --git a/python/ql/lib/semmle/python/security/dataflow/SqlInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/SqlInjectionQuery.qll index 3d15c9a7e62..26c7fe424f3 100644 --- a/python/ql/lib/semmle/python/security/dataflow/SqlInjectionQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/SqlInjectionQuery.qll @@ -9,22 +9,21 @@ private import python import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.TaintTracking +import SqlInjectionCustomizations::SqlInjection - import SqlInjectionCustomizations::SqlInjection +/** + * A taint-tracking configuration for detecting "SQL injection" vulnerabilities. + */ +class Configuration extends TaintTracking::Configuration { + Configuration() { this = "SqlInjection" } - /** - * A taint-tracking configuration for detecting "SQL injection" vulnerabilities. - */ - class Configuration extends TaintTracking::Configuration { - Configuration() { this = "SqlInjection" } + override predicate isSource(DataFlow::Node source) { source instanceof Source } - override predicate isSource(DataFlow::Node source) { source instanceof Source } + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - - override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { - guard instanceof SanitizerGuard - } + override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { + guard instanceof SanitizerGuard } +} diff --git a/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureQuery.qll b/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureQuery.qll index 8d86802d605..5fce06a6ae7 100644 --- a/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureQuery.qll @@ -9,31 +9,30 @@ private import python import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.TaintTracking +import StackTraceExposureCustomizations::StackTraceExposure - import StackTraceExposureCustomizations::StackTraceExposure +/** + * A taint-tracking configuration for detecting "stack trace exposure" vulnerabilities. + */ +class Configuration extends TaintTracking::Configuration { + Configuration() { this = "StackTraceExposure" } - /** - * A taint-tracking configuration for detecting "stack trace exposure" vulnerabilities. - */ - class Configuration extends TaintTracking::Configuration { - Configuration() { this = "StackTraceExposure" } + override predicate isSource(DataFlow::Node source) { source instanceof Source } - override predicate isSource(DataFlow::Node source) { source instanceof Source } + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - - override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { - guard instanceof SanitizerGuard - } - - // A stack trace is accessible as the `__traceback__` attribute of a caught exception. - // seehttps://docs.python.org/3/reference/datamodel.html#traceback-objects - override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { - exists(DataFlow::AttrRead attr | attr.getAttributeName() = "__traceback__" | - nodeFrom = attr.getObject() and - nodeTo = attr - ) - } + override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { + guard instanceof SanitizerGuard } + + // A stack trace is accessible as the `__traceback__` attribute of a caught exception. + // seehttps://docs.python.org/3/reference/datamodel.html#traceback-objects + override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { + exists(DataFlow::AttrRead attr | attr.getAttributeName() = "__traceback__" | + nodeFrom = attr.getObject() and + nodeTo = attr + ) + } +} diff --git a/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationQuery.qll b/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationQuery.qll index f0a815a9eea..c807d35c9a5 100644 --- a/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationQuery.qll @@ -9,22 +9,21 @@ private import python import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.TaintTracking +import UnsafeDeserializationCustomizations::UnsafeDeserialization - import UnsafeDeserializationCustomizations::UnsafeDeserialization +/** + * A taint-tracking configuration for detecting "code execution from deserialization" vulnerabilities. + */ +class Configuration extends TaintTracking::Configuration { + Configuration() { this = "UnsafeDeserialization" } - /** - * A taint-tracking configuration for detecting "code execution from deserialization" vulnerabilities. - */ - class Configuration extends TaintTracking::Configuration { - Configuration() { this = "UnsafeDeserialization" } + override predicate isSource(DataFlow::Node source) { source instanceof Source } - override predicate isSource(DataFlow::Node source) { source instanceof Source } + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - - override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { - guard instanceof SanitizerGuard - } + override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { + guard instanceof SanitizerGuard } +} diff --git a/python/ql/lib/semmle/python/security/dataflow/UrlRedirectQuery.qll b/python/ql/lib/semmle/python/security/dataflow/UrlRedirectQuery.qll index cbff7620949..97eed7283e7 100644 --- a/python/ql/lib/semmle/python/security/dataflow/UrlRedirectQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/UrlRedirectQuery.qll @@ -9,22 +9,21 @@ private import python import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.TaintTracking +import UrlRedirectCustomizations::UrlRedirect - import UrlRedirectCustomizations::UrlRedirect +/** + * A taint-tracking configuration for detecting "URL redirection" vulnerabilities. + */ +class Configuration extends TaintTracking::Configuration { + Configuration() { this = "UrlRedirect" } - /** - * A taint-tracking configuration for detecting "URL redirection" vulnerabilities. - */ - class Configuration extends TaintTracking::Configuration { - Configuration() { this = "UrlRedirect" } + override predicate isSource(DataFlow::Node source) { source instanceof Source } - override predicate isSource(DataFlow::Node source) { source instanceof Source } + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - - override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { - guard instanceof SanitizerGuard - } + override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { + guard instanceof SanitizerGuard } +} diff --git a/python/ql/lib/semmle/python/security/dataflow/XpathInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/XpathInjectionQuery.qll index aeb03485740..ce488f5c4a1 100644 --- a/python/ql/lib/semmle/python/security/dataflow/XpathInjectionQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/XpathInjectionQuery.qll @@ -9,22 +9,21 @@ private import python import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.TaintTracking +import XpathInjectionCustomizations::XpathInjection - import XpathInjectionCustomizations::XpathInjection +/** + * A taint-tracking configuration for detecting "Xpath Injection" vulnerabilities. + */ +class Configuration extends TaintTracking::Configuration { + Configuration() { this = "Xpath Injection" } - /** - * A taint-tracking configuration for detecting "Xpath Injection" vulnerabilities. - */ - class Configuration extends TaintTracking::Configuration { - Configuration() { this = "Xpath Injection" } + override predicate isSource(DataFlow::Node source) { source instanceof Source } - override predicate isSource(DataFlow::Node source) { source instanceof Source } + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - - override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { - guard instanceof SanitizerGuard - } + override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { + guard instanceof SanitizerGuard } +}