mirror of
https://github.com/github/codeql.git
synced 2025-12-21 19:26:31 +01:00
Python: Deprecate old library modeling
This commit is contained in:
Rasmus Wriedt Larsen
@@ -4,7 +4,7 @@ import semmle.python.security.SensitiveData
|
||||
import semmle.python.dataflow.Files
|
||||
import semmle.python.web.Http
|
||||
|
||||
module ClearTextStorage {
|
||||
deprecated module ClearTextStorage {
|
||||
abstract class Sink extends TaintSink {
|
||||
override predicate sinks(TaintKind kind) { kind instanceof SensitiveData }
|
||||
}
|
||||
@@ -26,7 +26,7 @@ module ClearTextStorage {
|
||||
}
|
||||
}
|
||||
|
||||
module ClearTextLogging {
|
||||
deprecated module ClearTextLogging {
|
||||
abstract class Sink extends TaintSink {
|
||||
override predicate sinks(TaintKind kind) { kind instanceof SensitiveData }
|
||||
}
|
||||
|
||||
@@ -3,12 +3,12 @@ import semmle.python.dataflow.TaintTracking
|
||||
private import semmle.python.security.SensitiveData
|
||||
private import semmle.crypto.Crypto as CryptoLib
|
||||
|
||||
abstract class WeakCryptoSink extends TaintSink {
|
||||
abstract deprecated class WeakCryptoSink extends TaintSink {
|
||||
override predicate sinks(TaintKind taint) { taint instanceof SensitiveData }
|
||||
}
|
||||
|
||||
/** Modeling the 'pycrypto' package https://github.com/dlitz/pycrypto (latest release 2013) */
|
||||
module Pycrypto {
|
||||
deprecated module Pycrypto {
|
||||
ModuleValue cipher(string name) { result = Module::named("Crypto.Cipher").attr(name) }
|
||||
|
||||
class CipherInstance extends TaintKind {
|
||||
@@ -58,7 +58,7 @@ module Pycrypto {
|
||||
}
|
||||
}
|
||||
|
||||
module Cryptography {
|
||||
deprecated module Cryptography {
|
||||
ModuleValue ciphers() {
|
||||
result = Module::named("cryptography.hazmat.primitives.ciphers") and
|
||||
result.isPackage()
|
||||
@@ -128,7 +128,7 @@ module Cryptography {
|
||||
}
|
||||
}
|
||||
|
||||
private class CipherConfig extends TaintTracking::Configuration {
|
||||
deprecated private class CipherConfig extends TaintTracking::Configuration {
|
||||
CipherConfig() { this = "Crypto cipher config" }
|
||||
|
||||
override predicate isSource(TaintTracking::Source source) {
|
||||
|
||||
@@ -7,13 +7,15 @@ import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Basic
|
||||
|
||||
private Value traceback_function(string name) { result = Module::named("traceback").attr(name) }
|
||||
deprecated private Value traceback_function(string name) {
|
||||
result = Module::named("traceback").attr(name)
|
||||
}
|
||||
|
||||
/**
|
||||
* This represents information relating to an exception, for instance the
|
||||
* message, arguments or parts of the exception traceback.
|
||||
*/
|
||||
class ExceptionInfo extends StringKind {
|
||||
deprecated class ExceptionInfo extends StringKind {
|
||||
ExceptionInfo() { this = "exception.info" }
|
||||
|
||||
override string repr() { result = "exception info" }
|
||||
@@ -23,12 +25,12 @@ class ExceptionInfo extends StringKind {
|
||||
* A class representing sources of information about
|
||||
* execution state exposed in tracebacks and the like.
|
||||
*/
|
||||
abstract class ErrorInfoSource extends TaintSource { }
|
||||
abstract deprecated class ErrorInfoSource extends TaintSource { }
|
||||
|
||||
/**
|
||||
* This kind represents exceptions themselves.
|
||||
*/
|
||||
class ExceptionKind extends TaintKind {
|
||||
deprecated class ExceptionKind extends TaintKind {
|
||||
ExceptionKind() { this = "exception.kind" }
|
||||
|
||||
override string repr() { result = "exception" }
|
||||
@@ -44,7 +46,7 @@ class ExceptionKind extends TaintKind {
|
||||
* A source of exception objects, either explicitly created, or captured by an
|
||||
* `except` statement.
|
||||
*/
|
||||
class ExceptionSource extends ErrorInfoSource {
|
||||
deprecated class ExceptionSource extends ErrorInfoSource {
|
||||
ExceptionSource() {
|
||||
exists(ClassValue cls |
|
||||
cls.getASuperType() = ClassValue::baseException() and
|
||||
@@ -63,7 +65,7 @@ class ExceptionSource extends ErrorInfoSource {
|
||||
* Represents a sequence of pieces of information relating to an exception,
|
||||
* for instance the contents of the `args` attribute, or the stack trace.
|
||||
*/
|
||||
class ExceptionInfoSequence extends SequenceKind {
|
||||
deprecated class ExceptionInfoSequence extends SequenceKind {
|
||||
ExceptionInfoSequence() { this.getItem() instanceof ExceptionInfo }
|
||||
}
|
||||
|
||||
@@ -71,7 +73,7 @@ class ExceptionInfoSequence extends SequenceKind {
|
||||
* Represents calls to functions in the `traceback` module that return
|
||||
* sequences of exception information.
|
||||
*/
|
||||
class CallToTracebackFunction extends ErrorInfoSource {
|
||||
deprecated class CallToTracebackFunction extends ErrorInfoSource {
|
||||
CallToTracebackFunction() {
|
||||
exists(string name |
|
||||
name in [
|
||||
@@ -92,7 +94,7 @@ class CallToTracebackFunction extends ErrorInfoSource {
|
||||
* Represents calls to functions in the `traceback` module that return a single
|
||||
* string of information about an exception.
|
||||
*/
|
||||
class FormattedTracebackSource extends ErrorInfoSource {
|
||||
deprecated class FormattedTracebackSource extends ErrorInfoSource {
|
||||
FormattedTracebackSource() { this = traceback_function("format_exc").getACall() }
|
||||
|
||||
override string toString() { result = "exception.info.source" }
|
||||
|
||||
@@ -15,7 +15,7 @@ import semmle.python.web.HttpRequest
|
||||
import semmle.python.security.internal.SensitiveDataHeuristics
|
||||
private import HeuristicNames
|
||||
|
||||
abstract class SensitiveData extends TaintKind {
|
||||
abstract deprecated class SensitiveData extends TaintKind {
|
||||
bindingset[this]
|
||||
SensitiveData() { this = this }
|
||||
|
||||
@@ -23,7 +23,7 @@ abstract class SensitiveData extends TaintKind {
|
||||
abstract SensitiveDataClassification getClassification();
|
||||
}
|
||||
|
||||
module SensitiveData {
|
||||
deprecated module SensitiveData {
|
||||
class Secret extends SensitiveData {
|
||||
Secret() { this = "sensitive.data.secret" }
|
||||
|
||||
@@ -115,4 +115,4 @@ module SensitiveData {
|
||||
}
|
||||
|
||||
//Backwards compatibility
|
||||
class SensitiveDataSource = SensitiveData::Source;
|
||||
deprecated class SensitiveDataSource = SensitiveData::Source;
|
||||
|
||||
@@ -11,18 +11,18 @@ import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
/** Abstract taint sink that is potentially vulnerable to malicious shell commands. */
|
||||
abstract class CommandSink extends TaintSink { }
|
||||
abstract deprecated class CommandSink extends TaintSink { }
|
||||
|
||||
private ModuleObject osOrPopenModule() { result.getName() = ["os", "popen2"] }
|
||||
deprecated private ModuleObject osOrPopenModule() { result.getName() = ["os", "popen2"] }
|
||||
|
||||
private Object makeOsCall() {
|
||||
deprecated private Object makeOsCall() {
|
||||
exists(string name | result = ModuleObject::named("subprocess").attr(name) |
|
||||
name = ["Popen", "call", "check_call", "check_output", "run"]
|
||||
)
|
||||
}
|
||||
|
||||
/**Special case for first element in sequence. */
|
||||
class FirstElementKind extends TaintKind {
|
||||
deprecated class FirstElementKind extends TaintKind {
|
||||
FirstElementKind() { this = "sequence[" + any(ExternalStringKind key) + "][0]" }
|
||||
|
||||
override string repr() { result = "first item in sequence of " + this.getItem().repr() }
|
||||
@@ -31,7 +31,7 @@ class FirstElementKind extends TaintKind {
|
||||
ExternalStringKind getItem() { this = "sequence[" + result + "][0]" }
|
||||
}
|
||||
|
||||
class FirstElementFlow extends DataFlowExtension::DataFlowNode {
|
||||
deprecated class FirstElementFlow extends DataFlowExtension::DataFlowNode {
|
||||
FirstElementFlow() { this = any(SequenceNode s).getElement(0) }
|
||||
|
||||
override ControlFlowNode getASuccessorNode(TaintKind fromkind, TaintKind tokind) {
|
||||
@@ -43,7 +43,7 @@ class FirstElementFlow extends DataFlowExtension::DataFlowNode {
|
||||
* A taint sink that is potentially vulnerable to malicious shell commands.
|
||||
* The `vuln` in `subprocess.call(shell=vuln)` and similar calls.
|
||||
*/
|
||||
class ShellCommand extends CommandSink {
|
||||
deprecated class ShellCommand extends CommandSink {
|
||||
override string toString() { result = "shell command" }
|
||||
|
||||
ShellCommand() {
|
||||
@@ -81,7 +81,7 @@ class ShellCommand extends CommandSink {
|
||||
* A taint sink that is potentially vulnerable to malicious shell commands.
|
||||
* The `vuln` in `subprocess.call(vuln, ...)` and similar calls.
|
||||
*/
|
||||
class OsCommandFirstArgument extends CommandSink {
|
||||
deprecated class OsCommandFirstArgument extends CommandSink {
|
||||
override string toString() { result = "OS command first argument" }
|
||||
|
||||
OsCommandFirstArgument() {
|
||||
@@ -111,7 +111,7 @@ class OsCommandFirstArgument extends CommandSink {
|
||||
* A taint sink that is potentially vulnerable to malicious shell commands.
|
||||
* The `vuln` in `invoke.run(vuln, ...)` and similar calls.
|
||||
*/
|
||||
class InvokeRun extends CommandSink {
|
||||
deprecated class InvokeRun extends CommandSink {
|
||||
InvokeRun() {
|
||||
this = Value::named("invoke.run").(FunctionValue).getArgumentForCall(_, 0)
|
||||
or
|
||||
@@ -127,12 +127,12 @@ class InvokeRun extends CommandSink {
|
||||
* Internal TaintKind to track the invoke.Context instance passed to functions
|
||||
* marked with @invoke.task
|
||||
*/
|
||||
private class InvokeContextArg extends TaintKind {
|
||||
deprecated private class InvokeContextArg extends TaintKind {
|
||||
InvokeContextArg() { this = "InvokeContextArg" }
|
||||
}
|
||||
|
||||
/** Internal TaintSource to track the context passed to functions marked with @invoke.task */
|
||||
private class InvokeContextArgSource extends TaintSource {
|
||||
deprecated private class InvokeContextArgSource extends TaintSource {
|
||||
InvokeContextArgSource() {
|
||||
exists(Function f, Expr decorator |
|
||||
count(f.getADecorator()) = 1 and
|
||||
@@ -158,7 +158,7 @@ private class InvokeContextArgSource extends TaintSource {
|
||||
* A taint sink that is potentially vulnerable to malicious shell commands.
|
||||
* The `vuln` in `invoke.Context().run(vuln, ...)` and similar calls.
|
||||
*/
|
||||
class InvokeContextRun extends CommandSink {
|
||||
deprecated class InvokeContextRun extends CommandSink {
|
||||
InvokeContextRun() {
|
||||
exists(CallNode call |
|
||||
any(InvokeContextArg k).taints(call.getFunction().(AttrNode).getObject("run"))
|
||||
@@ -187,7 +187,7 @@ class InvokeContextRun extends CommandSink {
|
||||
* A taint sink that is potentially vulnerable to malicious shell commands.
|
||||
* The `vuln` in `fabric.Group().run(vuln, ...)` and similar calls.
|
||||
*/
|
||||
class FabricGroupRun extends CommandSink {
|
||||
deprecated class FabricGroupRun extends CommandSink {
|
||||
FabricGroupRun() {
|
||||
exists(ClassValue cls |
|
||||
cls.getASuperType() = Value::named("fabric.Group") and
|
||||
@@ -203,7 +203,7 @@ class FabricGroupRun extends CommandSink {
|
||||
// -------------------------------------------------------------------------- //
|
||||
// Modeling of the 'invoke' package and 'fabric' package (v 1.x)
|
||||
// -------------------------------------------------------------------------- //
|
||||
class FabricV1Commands extends CommandSink {
|
||||
deprecated class FabricV1Commands extends CommandSink {
|
||||
FabricV1Commands() {
|
||||
// since `run` and `sudo` are decorated, we can't use FunctionValue's :(
|
||||
exists(CallNode call |
|
||||
@@ -228,7 +228,7 @@ class FabricV1Commands extends CommandSink {
|
||||
* An extension that propagates taint from the arguments of `fabric.api.execute(func, arg0, arg1, ...)`
|
||||
* to the parameters of `func`, since this will call `func(arg0, arg1, ...)`.
|
||||
*/
|
||||
class FabricExecuteExtension extends DataFlowExtension::DataFlowNode {
|
||||
deprecated class FabricExecuteExtension extends DataFlowExtension::DataFlowNode {
|
||||
CallNode call;
|
||||
|
||||
FabricExecuteExtension() {
|
||||
|
||||
@@ -2,7 +2,7 @@ import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
|
||||
/** `pickle.loads(untrusted)` vulnerability. */
|
||||
abstract class DeserializationSink extends TaintSink {
|
||||
abstract deprecated class DeserializationSink extends TaintSink {
|
||||
bindingset[this]
|
||||
DeserializationSink() { this = this }
|
||||
}
|
||||
|
||||
@@ -14,7 +14,7 @@ import semmle.python.security.strings.Untrusted
|
||||
* A taint sink that represents an argument to exec or eval that is vulnerable to malicious input.
|
||||
* The `vuln` in `exec(vuln)` or similar.
|
||||
*/
|
||||
class StringEvaluationNode extends TaintSink {
|
||||
deprecated class StringEvaluationNode extends TaintSink {
|
||||
override string toString() { result = "exec or eval" }
|
||||
|
||||
StringEvaluationNode() {
|
||||
|
||||
@@ -11,13 +11,15 @@ import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
import semmle.python.security.injection.Deserialization
|
||||
|
||||
private FunctionObject marshalLoads() { result = ModuleObject::named("marshal").attr("loads") }
|
||||
deprecated private FunctionObject marshalLoads() {
|
||||
result = ModuleObject::named("marshal").attr("loads")
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint sink that is potentially vulnerable to malicious marshaled objects.
|
||||
* The `vuln` in `marshal.loads(vuln)`.
|
||||
*/
|
||||
class UnmarshalingNode extends DeserializationSink {
|
||||
deprecated class UnmarshalingNode extends DeserializationSink {
|
||||
override string toString() { result = "unmarshaling vulnerability" }
|
||||
|
||||
UnmarshalingNode() {
|
||||
|
||||
@@ -6,7 +6,7 @@ import semmle.python.security.strings.Untrusted
|
||||
* Prevents taint flowing through ntpath.normpath()
|
||||
* NormalizedPath below handles that case.
|
||||
*/
|
||||
class PathSanitizer extends Sanitizer {
|
||||
deprecated class PathSanitizer extends Sanitizer {
|
||||
PathSanitizer() { this = "path.sanitizer" }
|
||||
|
||||
override predicate sanitizingNode(TaintKind taint, ControlFlowNode node) {
|
||||
@@ -15,7 +15,7 @@ class PathSanitizer extends Sanitizer {
|
||||
}
|
||||
}
|
||||
|
||||
private FunctionObject abspath() {
|
||||
deprecated private FunctionObject abspath() {
|
||||
exists(ModuleObject os_path | ModuleObject::named("os").attr("path") = os_path |
|
||||
os_path.attr("abspath") = result
|
||||
or
|
||||
@@ -24,18 +24,18 @@ private FunctionObject abspath() {
|
||||
}
|
||||
|
||||
/** A path that has been normalized, but not verified to be safe */
|
||||
class NormalizedPath extends TaintKind {
|
||||
deprecated class NormalizedPath extends TaintKind {
|
||||
NormalizedPath() { this = "normalized.path.injection" }
|
||||
|
||||
override string repr() { result = "normalized path" }
|
||||
}
|
||||
|
||||
private predicate abspath_call(CallNode call, ControlFlowNode arg) {
|
||||
deprecated private predicate abspath_call(CallNode call, ControlFlowNode arg) {
|
||||
call.getFunction().refersTo(abspath()) and
|
||||
arg = call.getArg(0)
|
||||
}
|
||||
|
||||
class AbsPath extends DataFlowExtension::DataFlowNode {
|
||||
deprecated class AbsPath extends DataFlowExtension::DataFlowNode {
|
||||
AbsPath() { abspath_call(_, this) }
|
||||
|
||||
override ControlFlowNode getASuccessorNode(TaintKind fromkind, TaintKind tokind) {
|
||||
@@ -45,7 +45,7 @@ class AbsPath extends DataFlowExtension::DataFlowNode {
|
||||
}
|
||||
}
|
||||
|
||||
class NormalizedPathSanitizer extends Sanitizer {
|
||||
deprecated class NormalizedPathSanitizer extends Sanitizer {
|
||||
NormalizedPathSanitizer() { this = "normalized.path.sanitizer" }
|
||||
|
||||
override predicate sanitizingEdge(TaintKind taint, PyEdgeRefinement test) {
|
||||
@@ -59,7 +59,7 @@ class NormalizedPathSanitizer extends Sanitizer {
|
||||
* A taint sink that is vulnerable to malicious paths.
|
||||
* The `vuln` in `open(vuln)` and similar.
|
||||
*/
|
||||
class OpenNode extends TaintSink {
|
||||
deprecated class OpenNode extends TaintSink {
|
||||
override string toString() { result = "argument to open()" }
|
||||
|
||||
OpenNode() {
|
||||
|
||||
@@ -11,7 +11,7 @@ import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
import semmle.python.security.injection.Deserialization
|
||||
|
||||
private ModuleObject pickleModule() {
|
||||
deprecated private ModuleObject pickleModule() {
|
||||
result.getName() = "pickle"
|
||||
or
|
||||
result.getName() = "cPickle"
|
||||
@@ -19,10 +19,10 @@ private ModuleObject pickleModule() {
|
||||
result.getName() = "dill"
|
||||
}
|
||||
|
||||
private FunctionObject pickleLoads() { result = pickleModule().attr("loads") }
|
||||
deprecated private FunctionObject pickleLoads() { result = pickleModule().attr("loads") }
|
||||
|
||||
/** `pickle.loads(untrusted)` vulnerability. */
|
||||
class UnpicklingNode extends DeserializationSink {
|
||||
deprecated class UnpicklingNode extends DeserializationSink {
|
||||
override string toString() { result = "unpickling untrusted data" }
|
||||
|
||||
UnpicklingNode() {
|
||||
|
||||
@@ -11,7 +11,7 @@ import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
import semmle.python.security.SQL
|
||||
|
||||
private StringObject first_part(ControlFlowNode command) {
|
||||
deprecated private StringObject first_part(ControlFlowNode command) {
|
||||
command.(BinaryExprNode).getOp() instanceof Add and
|
||||
command.(BinaryExprNode).getLeft().refersTo(result)
|
||||
or
|
||||
@@ -26,7 +26,7 @@ private StringObject first_part(ControlFlowNode command) {
|
||||
}
|
||||
|
||||
/** Holds if `command` appears to be a SQL command string of which `inject` is a part. */
|
||||
predicate probable_sql_command(ControlFlowNode command, ControlFlowNode inject) {
|
||||
deprecated predicate probable_sql_command(ControlFlowNode command, ControlFlowNode inject) {
|
||||
exists(string prefix |
|
||||
inject = command.getAChild*() and
|
||||
first_part(command).getText().regexpMatch(" *" + prefix + ".*")
|
||||
@@ -39,7 +39,7 @@ predicate probable_sql_command(ControlFlowNode command, ControlFlowNode inject)
|
||||
* A taint kind representing a DB cursor.
|
||||
* This will be overridden to provide specific kinds of DB cursor.
|
||||
*/
|
||||
abstract class DbCursor extends TaintKind {
|
||||
abstract deprecated class DbCursor extends TaintKind {
|
||||
bindingset[this]
|
||||
DbCursor() { any() }
|
||||
|
||||
@@ -50,7 +50,7 @@ abstract class DbCursor extends TaintKind {
|
||||
* A part of a string that appears to be a SQL command and is thus
|
||||
* vulnerable to malicious input.
|
||||
*/
|
||||
class SimpleSqlStringInjection extends SqlInjectionSink {
|
||||
deprecated class SimpleSqlStringInjection extends SqlInjectionSink {
|
||||
override string toString() { result = "simple SQL string injection" }
|
||||
|
||||
SimpleSqlStringInjection() { probable_sql_command(_, this) }
|
||||
@@ -62,13 +62,13 @@ class SimpleSqlStringInjection extends SqlInjectionSink {
|
||||
* A taint source representing sources of DB connections.
|
||||
* This will be overridden to provide specific kinds of DB connection sources.
|
||||
*/
|
||||
abstract class DbConnectionSource extends TaintSource { }
|
||||
abstract deprecated class DbConnectionSource extends TaintSource { }
|
||||
|
||||
/**
|
||||
* A taint sink that is vulnerable to malicious SQL queries.
|
||||
* The `vuln` in `db.connection.execute(vuln)` and similar.
|
||||
*/
|
||||
class DbConnectionExecuteArgument extends SqlInjectionSink {
|
||||
deprecated class DbConnectionExecuteArgument extends SqlInjectionSink {
|
||||
override string toString() { result = "db.connection.execute" }
|
||||
|
||||
DbConnectionExecuteArgument() {
|
||||
|
||||
@@ -11,23 +11,25 @@ import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
import semmle.python.security.injection.Deserialization
|
||||
|
||||
private ModuleObject xmlElementTreeModule() { result.getName() = "xml.etree.ElementTree" }
|
||||
deprecated private ModuleObject xmlElementTreeModule() {
|
||||
result.getName() = "xml.etree.ElementTree"
|
||||
}
|
||||
|
||||
private ModuleObject xmlMiniDomModule() { result.getName() = "xml.dom.minidom" }
|
||||
deprecated private ModuleObject xmlMiniDomModule() { result.getName() = "xml.dom.minidom" }
|
||||
|
||||
private ModuleObject xmlPullDomModule() { result.getName() = "xml.dom.pulldom" }
|
||||
deprecated private ModuleObject xmlPullDomModule() { result.getName() = "xml.dom.pulldom" }
|
||||
|
||||
private ModuleObject xmlSaxModule() { result.getName() = "xml.sax" }
|
||||
deprecated private ModuleObject xmlSaxModule() { result.getName() = "xml.sax" }
|
||||
|
||||
private class ExpatParser extends TaintKind {
|
||||
deprecated private class ExpatParser extends TaintKind {
|
||||
ExpatParser() { this = "expat.parser" }
|
||||
}
|
||||
|
||||
private FunctionObject expatCreateParseFunction() {
|
||||
deprecated private FunctionObject expatCreateParseFunction() {
|
||||
result = ModuleObject::named("xml.parsers.expat").attr("ParserCreate")
|
||||
}
|
||||
|
||||
private class ExpatCreateParser extends TaintSource {
|
||||
deprecated private class ExpatCreateParser extends TaintSource {
|
||||
ExpatCreateParser() { expatCreateParseFunction().getACall() = this }
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) { kind instanceof ExpatParser }
|
||||
@@ -35,7 +37,7 @@ private class ExpatCreateParser extends TaintSource {
|
||||
override string toString() { result = "expat.create.parser" }
|
||||
}
|
||||
|
||||
private FunctionObject xmlFromString() {
|
||||
deprecated private FunctionObject xmlFromString() {
|
||||
result = xmlElementTreeModule().attr("fromstring")
|
||||
or
|
||||
result = xmlMiniDomModule().attr("parseString")
|
||||
@@ -46,7 +48,7 @@ private FunctionObject xmlFromString() {
|
||||
}
|
||||
|
||||
/** A (potentially) malicious XML string. */
|
||||
class ExternalXmlString extends ExternalStringKind {
|
||||
deprecated class ExternalXmlString extends ExternalStringKind {
|
||||
ExternalXmlString() { this = "external xml encoded object" }
|
||||
}
|
||||
|
||||
@@ -54,7 +56,7 @@ class ExternalXmlString extends ExternalStringKind {
|
||||
* A call to an XML library function that is potentially vulnerable to a
|
||||
* specially crafted XML string.
|
||||
*/
|
||||
class XmlLoadNode extends DeserializationSink {
|
||||
deprecated class XmlLoadNode extends DeserializationSink {
|
||||
override string toString() { result = "xml.load vulnerability" }
|
||||
|
||||
XmlLoadNode() {
|
||||
|
||||
@@ -11,10 +11,10 @@ import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
import semmle.python.security.injection.Deserialization
|
||||
|
||||
private FunctionObject yamlLoad() { result = ModuleObject::named("yaml").attr("load") }
|
||||
deprecated private FunctionObject yamlLoad() { result = ModuleObject::named("yaml").attr("load") }
|
||||
|
||||
/** `yaml.load(untrusted)` vulnerability. */
|
||||
class YamlLoadNode extends DeserializationSink {
|
||||
deprecated class YamlLoadNode extends DeserializationSink {
|
||||
override string toString() { result = "yaml.load vulnerability" }
|
||||
|
||||
YamlLoadNode() {
|
||||
|
||||
Reference in New Issue
Block a user