Python: Update a few examples so queries work on them

Fixes problem highlighted in https://github.com/github/codeql/issues/12156
2025-12-17 17:23:36 +01:00 · 2023-02-14 11:54:18 +01:00
parent f68083872d
commit dc5bb4fb77
3 changed files with 19 additions and 25 deletions
--- a/python/ql/src/Security/CWE-022/examples/tainted_path.py
+++ b/python/ql/src/Security/CWE-022/examples/tainted_path.py
@@ -1,36 +1,30 @@
 import os.path
+from flask import Flask, request, abort

+app = Flask(__name__)

-urlpatterns = [
-    # Route to user_picture
-    url(r'^user-pic1$', user_picture1, name='user-picture1'),
-    url(r'^user-pic2$', user_picture2, name='user-picture2'),
-    url(r'^user-pic3$', user_picture3, name='user-picture3')
-]
-
-
-def user_picture1(request):
-    """A view that is vulnerable to malicious file access."""
-    filename = request.GET.get('p')
+@app.route("/user_picture1")
+def user_picture1():
+    filename = request.args.get('p')
    # BAD: This could read any file on the file system
    data = open(filename, 'rb').read()
-    return HttpResponse(data)
+    return data

-def user_picture2(request):
-    """A view that is vulnerable to malicious file access."""
+@app.route("/user_picture2")
+def user_picture2():
    base_path = '/server/static/images'
-    filename = request.GET.get('p')
+    filename = request.args.get('p')
    # BAD: This could still read any file on the file system
    data = open(os.path.join(base_path, filename), 'rb').read()
-    return HttpResponse(data)
+    return data

-def user_picture3(request):
-    """A view that is not vulnerable to malicious file access."""
+@app.route("/user_picture3")
+def user_picture3():
    base_path = '/server/static/images'
-    filename = request.GET.get('p')
+    filename = request.args.get('p')
    #GOOD -- Verify with normalised version of path
    fullpath = os.path.normpath(os.path.join(base_path, filename))
    if not fullpath.startswith(base_path):
-        raise SecurityException()
+        raise Exception("not allowed")
    data = open(fullpath, 'rb').read()
-    return HttpResponse(data)
+    return data
--- a/python/ql/src/Security/CWE-022/examples/tarslip_bad.py
+++ b/python/ql/src/Security/CWE-022/examples/tarslip_bad.py
@@ -1,7 +1,7 @@
-
+import sys
 import tarfile

-with tarfile.open('archive.zip') as tar:
+with tarfile.open(sys.argv[1]) as tar:
    #BAD : This could write any file on the filesystem.
    for entry in tar:
        tar.extract(entry, "/tmp/unpack/")
--- a/python/ql/src/Security/CWE-022/examples/tarslip_good.py
+++ b/python/ql/src/Security/CWE-022/examples/tarslip_good.py
@@ -1,8 +1,8 @@
-
+import sys
 import tarfile
 import os.path

-with tarfile.open('archive.zip') as tar:
+with tarfile.open(sys.argv[1]) as tar:
    for entry in tar:
        #GOOD: Check that entry is safe
        if os.path.isabs(entry.name) or ".." in entry.name: