mirror of
https://github.com/github/codeql.git
synced 2025-12-17 01:03:14 +01:00
Merge pull request #7660 from RasmusWL/deprecate-old-modeling
Python: Deprecate old points-to based modeling
This commit is contained in:
yoff
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: deprecated
|
||||
---
|
||||
* The old points-to based modeling has been deprecated. Use the new type-tracking/API-graphs based modeling instead.
|
||||
@@ -534,7 +534,11 @@ class RegexEscaping extends Escaping {
|
||||
|
||||
/** Provides classes for modeling HTTP-related APIs. */
|
||||
module HTTP {
|
||||
import semmle.python.web.HttpConstants
|
||||
/** Gets an HTTP verb, in upper case */
|
||||
string httpVerb() { result in ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "HEAD"] }
|
||||
|
||||
/** Gets an HTTP verb, in lower case */
|
||||
string httpVerbLower() { result = httpVerb().toLowerCase() }
|
||||
|
||||
/** Provides classes for modeling HTTP servers. */
|
||||
module Server {
|
||||
|
||||
@@ -4,7 +4,7 @@ import semmle.python.security.SensitiveData
|
||||
import semmle.python.dataflow.Files
|
||||
import semmle.python.web.Http
|
||||
|
||||
module ClearTextStorage {
|
||||
deprecated module ClearTextStorage {
|
||||
abstract class Sink extends TaintSink {
|
||||
override predicate sinks(TaintKind kind) { kind instanceof SensitiveData }
|
||||
}
|
||||
@@ -26,7 +26,7 @@ module ClearTextStorage {
|
||||
}
|
||||
}
|
||||
|
||||
module ClearTextLogging {
|
||||
deprecated module ClearTextLogging {
|
||||
abstract class Sink extends TaintSink {
|
||||
override predicate sinks(TaintKind kind) { kind instanceof SensitiveData }
|
||||
}
|
||||
|
||||
@@ -3,12 +3,12 @@ import semmle.python.dataflow.TaintTracking
|
||||
private import semmle.python.security.SensitiveData
|
||||
private import semmle.crypto.Crypto as CryptoLib
|
||||
|
||||
abstract class WeakCryptoSink extends TaintSink {
|
||||
abstract deprecated class WeakCryptoSink extends TaintSink {
|
||||
override predicate sinks(TaintKind taint) { taint instanceof SensitiveData }
|
||||
}
|
||||
|
||||
/** Modeling the 'pycrypto' package https://github.com/dlitz/pycrypto (latest release 2013) */
|
||||
module Pycrypto {
|
||||
deprecated module Pycrypto {
|
||||
ModuleValue cipher(string name) { result = Module::named("Crypto.Cipher").attr(name) }
|
||||
|
||||
class CipherInstance extends TaintKind {
|
||||
@@ -58,7 +58,7 @@ module Pycrypto {
|
||||
}
|
||||
}
|
||||
|
||||
module Cryptography {
|
||||
deprecated module Cryptography {
|
||||
ModuleValue ciphers() {
|
||||
result = Module::named("cryptography.hazmat.primitives.ciphers") and
|
||||
result.isPackage()
|
||||
@@ -128,7 +128,7 @@ module Cryptography {
|
||||
}
|
||||
}
|
||||
|
||||
private class CipherConfig extends TaintTracking::Configuration {
|
||||
deprecated private class CipherConfig extends TaintTracking::Configuration {
|
||||
CipherConfig() { this = "Crypto cipher config" }
|
||||
|
||||
override predicate isSource(TaintTracking::Source source) {
|
||||
|
||||
@@ -7,13 +7,15 @@ import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Basic
|
||||
|
||||
private Value traceback_function(string name) { result = Module::named("traceback").attr(name) }
|
||||
deprecated private Value traceback_function(string name) {
|
||||
result = Module::named("traceback").attr(name)
|
||||
}
|
||||
|
||||
/**
|
||||
* This represents information relating to an exception, for instance the
|
||||
* message, arguments or parts of the exception traceback.
|
||||
*/
|
||||
class ExceptionInfo extends StringKind {
|
||||
deprecated class ExceptionInfo extends StringKind {
|
||||
ExceptionInfo() { this = "exception.info" }
|
||||
|
||||
override string repr() { result = "exception info" }
|
||||
@@ -23,12 +25,12 @@ class ExceptionInfo extends StringKind {
|
||||
* A class representing sources of information about
|
||||
* execution state exposed in tracebacks and the like.
|
||||
*/
|
||||
abstract class ErrorInfoSource extends TaintSource { }
|
||||
abstract deprecated class ErrorInfoSource extends TaintSource { }
|
||||
|
||||
/**
|
||||
* This kind represents exceptions themselves.
|
||||
*/
|
||||
class ExceptionKind extends TaintKind {
|
||||
deprecated class ExceptionKind extends TaintKind {
|
||||
ExceptionKind() { this = "exception.kind" }
|
||||
|
||||
override string repr() { result = "exception" }
|
||||
@@ -44,7 +46,7 @@ class ExceptionKind extends TaintKind {
|
||||
* A source of exception objects, either explicitly created, or captured by an
|
||||
* `except` statement.
|
||||
*/
|
||||
class ExceptionSource extends ErrorInfoSource {
|
||||
deprecated class ExceptionSource extends ErrorInfoSource {
|
||||
ExceptionSource() {
|
||||
exists(ClassValue cls |
|
||||
cls.getASuperType() = ClassValue::baseException() and
|
||||
@@ -63,7 +65,7 @@ class ExceptionSource extends ErrorInfoSource {
|
||||
* Represents a sequence of pieces of information relating to an exception,
|
||||
* for instance the contents of the `args` attribute, or the stack trace.
|
||||
*/
|
||||
class ExceptionInfoSequence extends SequenceKind {
|
||||
deprecated class ExceptionInfoSequence extends SequenceKind {
|
||||
ExceptionInfoSequence() { this.getItem() instanceof ExceptionInfo }
|
||||
}
|
||||
|
||||
@@ -71,7 +73,7 @@ class ExceptionInfoSequence extends SequenceKind {
|
||||
* Represents calls to functions in the `traceback` module that return
|
||||
* sequences of exception information.
|
||||
*/
|
||||
class CallToTracebackFunction extends ErrorInfoSource {
|
||||
deprecated class CallToTracebackFunction extends ErrorInfoSource {
|
||||
CallToTracebackFunction() {
|
||||
exists(string name |
|
||||
name in [
|
||||
@@ -92,7 +94,7 @@ class CallToTracebackFunction extends ErrorInfoSource {
|
||||
* Represents calls to functions in the `traceback` module that return a single
|
||||
* string of information about an exception.
|
||||
*/
|
||||
class FormattedTracebackSource extends ErrorInfoSource {
|
||||
deprecated class FormattedTracebackSource extends ErrorInfoSource {
|
||||
FormattedTracebackSource() { this = traceback_function("format_exc").getACall() }
|
||||
|
||||
override string toString() { result = "exception.info.source" }
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
import semmle.python.dataflow.Implementation
|
||||
|
||||
module TaintTrackingPaths {
|
||||
deprecated module TaintTrackingPaths {
|
||||
predicate edge(TaintTrackingNode src, TaintTrackingNode dest, string label) {
|
||||
exists(TaintTrackingNode source, TaintTrackingNode sink |
|
||||
source.getConfiguration().hasFlowPath(source, sink) and
|
||||
@@ -11,6 +11,6 @@ module TaintTrackingPaths {
|
||||
}
|
||||
}
|
||||
|
||||
query predicate edges(TaintTrackingNode fromnode, TaintTrackingNode tonode) {
|
||||
deprecated query predicate edges(TaintTrackingNode fromnode, TaintTrackingNode tonode) {
|
||||
TaintTrackingPaths::edge(fromnode, tonode, _)
|
||||
}
|
||||
|
||||
@@ -15,7 +15,7 @@ import semmle.python.web.HttpRequest
|
||||
import semmle.python.security.internal.SensitiveDataHeuristics
|
||||
private import HeuristicNames
|
||||
|
||||
abstract class SensitiveData extends TaintKind {
|
||||
abstract deprecated class SensitiveData extends TaintKind {
|
||||
bindingset[this]
|
||||
SensitiveData() { this = this }
|
||||
|
||||
@@ -23,7 +23,7 @@ abstract class SensitiveData extends TaintKind {
|
||||
abstract SensitiveDataClassification getClassification();
|
||||
}
|
||||
|
||||
module SensitiveData {
|
||||
deprecated module SensitiveData {
|
||||
class Secret extends SensitiveData {
|
||||
Secret() { this = "sensitive.data.secret" }
|
||||
|
||||
@@ -115,4 +115,4 @@ module SensitiveData {
|
||||
}
|
||||
|
||||
//Backwards compatibility
|
||||
class SensitiveDataSource = SensitiveData::Source;
|
||||
deprecated class SensitiveDataSource = SensitiveData::Source;
|
||||
|
||||
@@ -2,7 +2,7 @@ import python
|
||||
import semmle.python.security.strings.Basic
|
||||
|
||||
/** Assume that taint flows from argument to result for *any* call */
|
||||
class AnyCallStringFlow extends DataFlowExtension::DataFlowNode {
|
||||
deprecated class AnyCallStringFlow extends DataFlowExtension::DataFlowNode {
|
||||
AnyCallStringFlow() { any(CallNode call).getAnArg() = this }
|
||||
|
||||
override ControlFlowNode getASuccessorNode() { result.(CallNode).getAnArg() = this }
|
||||
|
||||
@@ -11,18 +11,18 @@ import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
|
||||
/** Abstract taint sink that is potentially vulnerable to malicious shell commands. */
|
||||
abstract class CommandSink extends TaintSink { }
|
||||
abstract deprecated class CommandSink extends TaintSink { }
|
||||
|
||||
private ModuleObject osOrPopenModule() { result.getName() = ["os", "popen2"] }
|
||||
deprecated private ModuleObject osOrPopenModule() { result.getName() = ["os", "popen2"] }
|
||||
|
||||
private Object makeOsCall() {
|
||||
deprecated private Object makeOsCall() {
|
||||
exists(string name | result = ModuleObject::named("subprocess").attr(name) |
|
||||
name = ["Popen", "call", "check_call", "check_output", "run"]
|
||||
)
|
||||
}
|
||||
|
||||
/**Special case for first element in sequence. */
|
||||
class FirstElementKind extends TaintKind {
|
||||
deprecated class FirstElementKind extends TaintKind {
|
||||
FirstElementKind() { this = "sequence[" + any(ExternalStringKind key) + "][0]" }
|
||||
|
||||
override string repr() { result = "first item in sequence of " + this.getItem().repr() }
|
||||
@@ -31,7 +31,7 @@ class FirstElementKind extends TaintKind {
|
||||
ExternalStringKind getItem() { this = "sequence[" + result + "][0]" }
|
||||
}
|
||||
|
||||
class FirstElementFlow extends DataFlowExtension::DataFlowNode {
|
||||
deprecated class FirstElementFlow extends DataFlowExtension::DataFlowNode {
|
||||
FirstElementFlow() { this = any(SequenceNode s).getElement(0) }
|
||||
|
||||
override ControlFlowNode getASuccessorNode(TaintKind fromkind, TaintKind tokind) {
|
||||
@@ -43,7 +43,7 @@ class FirstElementFlow extends DataFlowExtension::DataFlowNode {
|
||||
* A taint sink that is potentially vulnerable to malicious shell commands.
|
||||
* The `vuln` in `subprocess.call(shell=vuln)` and similar calls.
|
||||
*/
|
||||
class ShellCommand extends CommandSink {
|
||||
deprecated class ShellCommand extends CommandSink {
|
||||
override string toString() { result = "shell command" }
|
||||
|
||||
ShellCommand() {
|
||||
@@ -81,7 +81,7 @@ class ShellCommand extends CommandSink {
|
||||
* A taint sink that is potentially vulnerable to malicious shell commands.
|
||||
* The `vuln` in `subprocess.call(vuln, ...)` and similar calls.
|
||||
*/
|
||||
class OsCommandFirstArgument extends CommandSink {
|
||||
deprecated class OsCommandFirstArgument extends CommandSink {
|
||||
override string toString() { result = "OS command first argument" }
|
||||
|
||||
OsCommandFirstArgument() {
|
||||
@@ -111,7 +111,7 @@ class OsCommandFirstArgument extends CommandSink {
|
||||
* A taint sink that is potentially vulnerable to malicious shell commands.
|
||||
* The `vuln` in `invoke.run(vuln, ...)` and similar calls.
|
||||
*/
|
||||
class InvokeRun extends CommandSink {
|
||||
deprecated class InvokeRun extends CommandSink {
|
||||
InvokeRun() {
|
||||
this = Value::named("invoke.run").(FunctionValue).getArgumentForCall(_, 0)
|
||||
or
|
||||
@@ -127,12 +127,12 @@ class InvokeRun extends CommandSink {
|
||||
* Internal TaintKind to track the invoke.Context instance passed to functions
|
||||
* marked with @invoke.task
|
||||
*/
|
||||
private class InvokeContextArg extends TaintKind {
|
||||
deprecated private class InvokeContextArg extends TaintKind {
|
||||
InvokeContextArg() { this = "InvokeContextArg" }
|
||||
}
|
||||
|
||||
/** Internal TaintSource to track the context passed to functions marked with @invoke.task */
|
||||
private class InvokeContextArgSource extends TaintSource {
|
||||
deprecated private class InvokeContextArgSource extends TaintSource {
|
||||
InvokeContextArgSource() {
|
||||
exists(Function f, Expr decorator |
|
||||
count(f.getADecorator()) = 1 and
|
||||
@@ -158,7 +158,7 @@ private class InvokeContextArgSource extends TaintSource {
|
||||
* A taint sink that is potentially vulnerable to malicious shell commands.
|
||||
* The `vuln` in `invoke.Context().run(vuln, ...)` and similar calls.
|
||||
*/
|
||||
class InvokeContextRun extends CommandSink {
|
||||
deprecated class InvokeContextRun extends CommandSink {
|
||||
InvokeContextRun() {
|
||||
exists(CallNode call |
|
||||
any(InvokeContextArg k).taints(call.getFunction().(AttrNode).getObject("run"))
|
||||
@@ -187,7 +187,7 @@ class InvokeContextRun extends CommandSink {
|
||||
* A taint sink that is potentially vulnerable to malicious shell commands.
|
||||
* The `vuln` in `fabric.Group().run(vuln, ...)` and similar calls.
|
||||
*/
|
||||
class FabricGroupRun extends CommandSink {
|
||||
deprecated class FabricGroupRun extends CommandSink {
|
||||
FabricGroupRun() {
|
||||
exists(ClassValue cls |
|
||||
cls.getASuperType() = Value::named("fabric.Group") and
|
||||
@@ -203,7 +203,7 @@ class FabricGroupRun extends CommandSink {
|
||||
// -------------------------------------------------------------------------- //
|
||||
// Modeling of the 'invoke' package and 'fabric' package (v 1.x)
|
||||
// -------------------------------------------------------------------------- //
|
||||
class FabricV1Commands extends CommandSink {
|
||||
deprecated class FabricV1Commands extends CommandSink {
|
||||
FabricV1Commands() {
|
||||
// since `run` and `sudo` are decorated, we can't use FunctionValue's :(
|
||||
exists(CallNode call |
|
||||
@@ -228,7 +228,7 @@ class FabricV1Commands extends CommandSink {
|
||||
* An extension that propagates taint from the arguments of `fabric.api.execute(func, arg0, arg1, ...)`
|
||||
* to the parameters of `func`, since this will call `func(arg0, arg1, ...)`.
|
||||
*/
|
||||
class FabricExecuteExtension extends DataFlowExtension::DataFlowNode {
|
||||
deprecated class FabricExecuteExtension extends DataFlowExtension::DataFlowNode {
|
||||
CallNode call;
|
||||
|
||||
FabricExecuteExtension() {
|
||||
|
||||
@@ -2,7 +2,7 @@ import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
|
||||
/** `pickle.loads(untrusted)` vulnerability. */
|
||||
abstract class DeserializationSink extends TaintSink {
|
||||
abstract deprecated class DeserializationSink extends TaintSink {
|
||||
bindingset[this]
|
||||
DeserializationSink() { this = this }
|
||||
}
|
||||
|
||||
@@ -14,7 +14,7 @@ import semmle.python.security.strings.Untrusted
|
||||
* A taint sink that represents an argument to exec or eval that is vulnerable to malicious input.
|
||||
* The `vuln` in `exec(vuln)` or similar.
|
||||
*/
|
||||
class StringEvaluationNode extends TaintSink {
|
||||
deprecated class StringEvaluationNode extends TaintSink {
|
||||
override string toString() { result = "exec or eval" }
|
||||
|
||||
StringEvaluationNode() {
|
||||
|
||||
@@ -11,13 +11,15 @@ import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
import semmle.python.security.injection.Deserialization
|
||||
|
||||
private FunctionObject marshalLoads() { result = ModuleObject::named("marshal").attr("loads") }
|
||||
deprecated private FunctionObject marshalLoads() {
|
||||
result = ModuleObject::named("marshal").attr("loads")
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint sink that is potentially vulnerable to malicious marshaled objects.
|
||||
* The `vuln` in `marshal.loads(vuln)`.
|
||||
*/
|
||||
class UnmarshalingNode extends DeserializationSink {
|
||||
deprecated class UnmarshalingNode extends DeserializationSink {
|
||||
override string toString() { result = "unmarshaling vulnerability" }
|
||||
|
||||
UnmarshalingNode() {
|
||||
|
||||
@@ -6,7 +6,7 @@ import semmle.python.security.strings.Untrusted
|
||||
* Prevents taint flowing through ntpath.normpath()
|
||||
* NormalizedPath below handles that case.
|
||||
*/
|
||||
class PathSanitizer extends Sanitizer {
|
||||
deprecated class PathSanitizer extends Sanitizer {
|
||||
PathSanitizer() { this = "path.sanitizer" }
|
||||
|
||||
override predicate sanitizingNode(TaintKind taint, ControlFlowNode node) {
|
||||
@@ -15,7 +15,7 @@ class PathSanitizer extends Sanitizer {
|
||||
}
|
||||
}
|
||||
|
||||
private FunctionObject abspath() {
|
||||
deprecated private FunctionObject abspath() {
|
||||
exists(ModuleObject os_path | ModuleObject::named("os").attr("path") = os_path |
|
||||
os_path.attr("abspath") = result
|
||||
or
|
||||
@@ -24,18 +24,18 @@ private FunctionObject abspath() {
|
||||
}
|
||||
|
||||
/** A path that has been normalized, but not verified to be safe */
|
||||
class NormalizedPath extends TaintKind {
|
||||
deprecated class NormalizedPath extends TaintKind {
|
||||
NormalizedPath() { this = "normalized.path.injection" }
|
||||
|
||||
override string repr() { result = "normalized path" }
|
||||
}
|
||||
|
||||
private predicate abspath_call(CallNode call, ControlFlowNode arg) {
|
||||
deprecated private predicate abspath_call(CallNode call, ControlFlowNode arg) {
|
||||
call.getFunction().refersTo(abspath()) and
|
||||
arg = call.getArg(0)
|
||||
}
|
||||
|
||||
class AbsPath extends DataFlowExtension::DataFlowNode {
|
||||
deprecated class AbsPath extends DataFlowExtension::DataFlowNode {
|
||||
AbsPath() { abspath_call(_, this) }
|
||||
|
||||
override ControlFlowNode getASuccessorNode(TaintKind fromkind, TaintKind tokind) {
|
||||
@@ -45,7 +45,7 @@ class AbsPath extends DataFlowExtension::DataFlowNode {
|
||||
}
|
||||
}
|
||||
|
||||
class NormalizedPathSanitizer extends Sanitizer {
|
||||
deprecated class NormalizedPathSanitizer extends Sanitizer {
|
||||
NormalizedPathSanitizer() { this = "normalized.path.sanitizer" }
|
||||
|
||||
override predicate sanitizingEdge(TaintKind taint, PyEdgeRefinement test) {
|
||||
@@ -59,7 +59,7 @@ class NormalizedPathSanitizer extends Sanitizer {
|
||||
* A taint sink that is vulnerable to malicious paths.
|
||||
* The `vuln` in `open(vuln)` and similar.
|
||||
*/
|
||||
class OpenNode extends TaintSink {
|
||||
deprecated class OpenNode extends TaintSink {
|
||||
override string toString() { result = "argument to open()" }
|
||||
|
||||
OpenNode() {
|
||||
|
||||
@@ -11,7 +11,7 @@ import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
import semmle.python.security.injection.Deserialization
|
||||
|
||||
private ModuleObject pickleModule() {
|
||||
deprecated private ModuleObject pickleModule() {
|
||||
result.getName() = "pickle"
|
||||
or
|
||||
result.getName() = "cPickle"
|
||||
@@ -19,10 +19,10 @@ private ModuleObject pickleModule() {
|
||||
result.getName() = "dill"
|
||||
}
|
||||
|
||||
private FunctionObject pickleLoads() { result = pickleModule().attr("loads") }
|
||||
deprecated private FunctionObject pickleLoads() { result = pickleModule().attr("loads") }
|
||||
|
||||
/** `pickle.loads(untrusted)` vulnerability. */
|
||||
class UnpicklingNode extends DeserializationSink {
|
||||
deprecated class UnpicklingNode extends DeserializationSink {
|
||||
override string toString() { result = "unpickling untrusted data" }
|
||||
|
||||
UnpicklingNode() {
|
||||
|
||||
@@ -11,7 +11,7 @@ import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
import semmle.python.security.SQL
|
||||
|
||||
private StringObject first_part(ControlFlowNode command) {
|
||||
deprecated private StringObject first_part(ControlFlowNode command) {
|
||||
command.(BinaryExprNode).getOp() instanceof Add and
|
||||
command.(BinaryExprNode).getLeft().refersTo(result)
|
||||
or
|
||||
@@ -26,7 +26,7 @@ private StringObject first_part(ControlFlowNode command) {
|
||||
}
|
||||
|
||||
/** Holds if `command` appears to be a SQL command string of which `inject` is a part. */
|
||||
predicate probable_sql_command(ControlFlowNode command, ControlFlowNode inject) {
|
||||
deprecated predicate probable_sql_command(ControlFlowNode command, ControlFlowNode inject) {
|
||||
exists(string prefix |
|
||||
inject = command.getAChild*() and
|
||||
first_part(command).getText().regexpMatch(" *" + prefix + ".*")
|
||||
@@ -39,7 +39,7 @@ predicate probable_sql_command(ControlFlowNode command, ControlFlowNode inject)
|
||||
* A taint kind representing a DB cursor.
|
||||
* This will be overridden to provide specific kinds of DB cursor.
|
||||
*/
|
||||
abstract class DbCursor extends TaintKind {
|
||||
abstract deprecated class DbCursor extends TaintKind {
|
||||
bindingset[this]
|
||||
DbCursor() { any() }
|
||||
|
||||
@@ -50,7 +50,7 @@ abstract class DbCursor extends TaintKind {
|
||||
* A part of a string that appears to be a SQL command and is thus
|
||||
* vulnerable to malicious input.
|
||||
*/
|
||||
class SimpleSqlStringInjection extends SqlInjectionSink {
|
||||
deprecated class SimpleSqlStringInjection extends SqlInjectionSink {
|
||||
override string toString() { result = "simple SQL string injection" }
|
||||
|
||||
SimpleSqlStringInjection() { probable_sql_command(_, this) }
|
||||
@@ -62,13 +62,13 @@ class SimpleSqlStringInjection extends SqlInjectionSink {
|
||||
* A taint source representing sources of DB connections.
|
||||
* This will be overridden to provide specific kinds of DB connection sources.
|
||||
*/
|
||||
abstract class DbConnectionSource extends TaintSource { }
|
||||
abstract deprecated class DbConnectionSource extends TaintSource { }
|
||||
|
||||
/**
|
||||
* A taint sink that is vulnerable to malicious SQL queries.
|
||||
* The `vuln` in `db.connection.execute(vuln)` and similar.
|
||||
*/
|
||||
class DbConnectionExecuteArgument extends SqlInjectionSink {
|
||||
deprecated class DbConnectionExecuteArgument extends SqlInjectionSink {
|
||||
override string toString() { result = "db.connection.execute" }
|
||||
|
||||
DbConnectionExecuteArgument() {
|
||||
|
||||
@@ -11,23 +11,25 @@ import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
import semmle.python.security.injection.Deserialization
|
||||
|
||||
private ModuleObject xmlElementTreeModule() { result.getName() = "xml.etree.ElementTree" }
|
||||
deprecated private ModuleObject xmlElementTreeModule() {
|
||||
result.getName() = "xml.etree.ElementTree"
|
||||
}
|
||||
|
||||
private ModuleObject xmlMiniDomModule() { result.getName() = "xml.dom.minidom" }
|
||||
deprecated private ModuleObject xmlMiniDomModule() { result.getName() = "xml.dom.minidom" }
|
||||
|
||||
private ModuleObject xmlPullDomModule() { result.getName() = "xml.dom.pulldom" }
|
||||
deprecated private ModuleObject xmlPullDomModule() { result.getName() = "xml.dom.pulldom" }
|
||||
|
||||
private ModuleObject xmlSaxModule() { result.getName() = "xml.sax" }
|
||||
deprecated private ModuleObject xmlSaxModule() { result.getName() = "xml.sax" }
|
||||
|
||||
private class ExpatParser extends TaintKind {
|
||||
deprecated private class ExpatParser extends TaintKind {
|
||||
ExpatParser() { this = "expat.parser" }
|
||||
}
|
||||
|
||||
private FunctionObject expatCreateParseFunction() {
|
||||
deprecated private FunctionObject expatCreateParseFunction() {
|
||||
result = ModuleObject::named("xml.parsers.expat").attr("ParserCreate")
|
||||
}
|
||||
|
||||
private class ExpatCreateParser extends TaintSource {
|
||||
deprecated private class ExpatCreateParser extends TaintSource {
|
||||
ExpatCreateParser() { expatCreateParseFunction().getACall() = this }
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) { kind instanceof ExpatParser }
|
||||
@@ -35,7 +37,7 @@ private class ExpatCreateParser extends TaintSource {
|
||||
override string toString() { result = "expat.create.parser" }
|
||||
}
|
||||
|
||||
private FunctionObject xmlFromString() {
|
||||
deprecated private FunctionObject xmlFromString() {
|
||||
result = xmlElementTreeModule().attr("fromstring")
|
||||
or
|
||||
result = xmlMiniDomModule().attr("parseString")
|
||||
@@ -46,7 +48,7 @@ private FunctionObject xmlFromString() {
|
||||
}
|
||||
|
||||
/** A (potentially) malicious XML string. */
|
||||
class ExternalXmlString extends ExternalStringKind {
|
||||
deprecated class ExternalXmlString extends ExternalStringKind {
|
||||
ExternalXmlString() { this = "external xml encoded object" }
|
||||
}
|
||||
|
||||
@@ -54,7 +56,7 @@ class ExternalXmlString extends ExternalStringKind {
|
||||
* A call to an XML library function that is potentially vulnerable to a
|
||||
* specially crafted XML string.
|
||||
*/
|
||||
class XmlLoadNode extends DeserializationSink {
|
||||
deprecated class XmlLoadNode extends DeserializationSink {
|
||||
override string toString() { result = "xml.load vulnerability" }
|
||||
|
||||
XmlLoadNode() {
|
||||
|
||||
@@ -11,10 +11,10 @@ import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Untrusted
|
||||
import semmle.python.security.injection.Deserialization
|
||||
|
||||
private FunctionObject yamlLoad() { result = ModuleObject::named("yaml").attr("load") }
|
||||
deprecated private FunctionObject yamlLoad() { result = ModuleObject::named("yaml").attr("load") }
|
||||
|
||||
/** `yaml.load(untrusted)` vulnerability. */
|
||||
class YamlLoadNode extends DeserializationSink {
|
||||
deprecated class YamlLoadNode extends DeserializationSink {
|
||||
override string toString() { result = "yaml.load vulnerability" }
|
||||
|
||||
YamlLoadNode() {
|
||||
|
||||
@@ -3,7 +3,7 @@ private import Common
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
|
||||
/** An extensible kind of taint representing any kind of string. */
|
||||
abstract class StringKind extends TaintKind {
|
||||
abstract deprecated class StringKind extends TaintKind {
|
||||
bindingset[this]
|
||||
StringKind() { this = this }
|
||||
|
||||
@@ -42,7 +42,7 @@ abstract class StringKind extends TaintKind {
|
||||
}
|
||||
}
|
||||
|
||||
private class StringEqualitySanitizer extends Sanitizer {
|
||||
deprecated private class StringEqualitySanitizer extends Sanitizer {
|
||||
StringEqualitySanitizer() { this = "string equality sanitizer" }
|
||||
|
||||
/** The test `if untrusted == "KNOWN_VALUE":` sanitizes `untrusted` on its `true` edge. */
|
||||
@@ -64,13 +64,13 @@ private class StringEqualitySanitizer extends Sanitizer {
|
||||
}
|
||||
|
||||
/** tonode = ....format(fromnode) */
|
||||
private predicate str_format(ControlFlowNode fromnode, CallNode tonode) {
|
||||
deprecated private predicate str_format(ControlFlowNode fromnode, CallNode tonode) {
|
||||
tonode.getFunction().(AttrNode).getName() = "format" and
|
||||
tonode.getAnArg() = fromnode
|
||||
}
|
||||
|
||||
/** tonode = codec.[en|de]code(fromnode) */
|
||||
private predicate encode_decode(ControlFlowNode fromnode, CallNode tonode) {
|
||||
deprecated private predicate encode_decode(ControlFlowNode fromnode, CallNode tonode) {
|
||||
exists(FunctionObject func, string name |
|
||||
not func.getFunction().isMethod() and
|
||||
func.getACall() = tonode and
|
||||
@@ -84,7 +84,7 @@ private predicate encode_decode(ControlFlowNode fromnode, CallNode tonode) {
|
||||
}
|
||||
|
||||
/** tonode = str(fromnode) */
|
||||
private predicate to_str(ControlFlowNode fromnode, CallNode tonode) {
|
||||
deprecated private predicate to_str(ControlFlowNode fromnode, CallNode tonode) {
|
||||
tonode.getAnArg() = fromnode and
|
||||
(
|
||||
tonode = ClassValue::bytes().getACall()
|
||||
@@ -94,7 +94,7 @@ private predicate to_str(ControlFlowNode fromnode, CallNode tonode) {
|
||||
}
|
||||
|
||||
/** tonode = fromnode[:] */
|
||||
private predicate slice(ControlFlowNode fromnode, SubscriptNode tonode) {
|
||||
deprecated private predicate slice(ControlFlowNode fromnode, SubscriptNode tonode) {
|
||||
exists(Slice all |
|
||||
all = tonode.getIndex().getNode() and
|
||||
not exists(all.getStart()) and
|
||||
@@ -104,13 +104,13 @@ private predicate slice(ControlFlowNode fromnode, SubscriptNode tonode) {
|
||||
}
|
||||
|
||||
/** tonode = os.path.join(..., fromnode, ...) */
|
||||
private predicate os_path_join(ControlFlowNode fromnode, CallNode tonode) {
|
||||
deprecated private predicate os_path_join(ControlFlowNode fromnode, CallNode tonode) {
|
||||
tonode = Value::named("os.path.join").getACall() and
|
||||
tonode.getAnArg() = fromnode
|
||||
}
|
||||
|
||||
/** tonode = f"... {fromnode} ..." */
|
||||
private predicate f_string(ControlFlowNode fromnode, ControlFlowNode tonode) {
|
||||
deprecated private predicate f_string(ControlFlowNode fromnode, ControlFlowNode tonode) {
|
||||
tonode.getNode().(Fstring).getAValue() = fromnode.getNode()
|
||||
}
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
import python
|
||||
|
||||
/* A call that returns a copy (or similar) of the argument */
|
||||
predicate copy_call(ControlFlowNode fromnode, CallNode tonode) {
|
||||
deprecated predicate copy_call(ControlFlowNode fromnode, CallNode tonode) {
|
||||
tonode.getFunction().(AttrNode).getObject("copy") = fromnode
|
||||
or
|
||||
exists(ModuleValue copy, string name | name = "copy" or name = "deepcopy" |
|
||||
|
||||
@@ -5,7 +5,7 @@ private import Common
|
||||
/**
|
||||
* An extensible kind of taint representing an externally controlled string.
|
||||
*/
|
||||
abstract class ExternalStringKind extends StringKind {
|
||||
abstract deprecated class ExternalStringKind extends StringKind {
|
||||
bindingset[this]
|
||||
ExternalStringKind() { this = this }
|
||||
|
||||
@@ -30,7 +30,7 @@ abstract class ExternalStringKind extends StringKind {
|
||||
}
|
||||
|
||||
/** A kind of "taint", representing a sequence, with a "taint" member */
|
||||
class ExternalStringSequenceKind extends SequenceKind {
|
||||
deprecated class ExternalStringSequenceKind extends SequenceKind {
|
||||
ExternalStringSequenceKind() { this.getItem() instanceof ExternalStringKind }
|
||||
}
|
||||
|
||||
@@ -38,7 +38,7 @@ class ExternalStringSequenceKind extends SequenceKind {
|
||||
* An hierachical dictionary or list where the entire structure is externally controlled
|
||||
* This is typically a parsed JSON object.
|
||||
*/
|
||||
class ExternalJsonKind extends TaintKind {
|
||||
deprecated class ExternalJsonKind extends TaintKind {
|
||||
ExternalJsonKind() { this = "json[" + any(ExternalStringKind key) + "]" }
|
||||
|
||||
/** Gets the taint kind for item in this sequence */
|
||||
@@ -61,7 +61,7 @@ class ExternalJsonKind extends TaintKind {
|
||||
}
|
||||
|
||||
/** A kind of "taint", representing a dictionary mapping keys to tainted strings. */
|
||||
class ExternalStringDictKind extends DictKind {
|
||||
deprecated class ExternalStringDictKind extends DictKind {
|
||||
ExternalStringDictKind() { this.getValue() instanceof ExternalStringKind }
|
||||
}
|
||||
|
||||
@@ -69,12 +69,12 @@ class ExternalStringDictKind extends DictKind {
|
||||
* A kind of "taint", representing a dictionary mapping keys to sequences of
|
||||
* tainted strings.
|
||||
*/
|
||||
class ExternalStringSequenceDictKind extends DictKind {
|
||||
deprecated class ExternalStringSequenceDictKind extends DictKind {
|
||||
ExternalStringSequenceDictKind() { this.getValue() instanceof ExternalStringSequenceKind }
|
||||
}
|
||||
|
||||
/** TaintKind for the result of `urlsplit(tainted_string)` */
|
||||
class ExternalUrlSplitResult extends ExternalStringSequenceKind {
|
||||
deprecated class ExternalUrlSplitResult extends ExternalStringSequenceKind {
|
||||
// https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlsplit
|
||||
override TaintKind getTaintOfAttribute(string name) {
|
||||
result = super.getTaintOfAttribute(name)
|
||||
@@ -103,7 +103,7 @@ class ExternalUrlSplitResult extends ExternalStringSequenceKind {
|
||||
}
|
||||
|
||||
/** TaintKind for the result of `urlparse(tainted_string)` */
|
||||
class ExternalUrlParseResult extends ExternalStringSequenceKind {
|
||||
deprecated class ExternalUrlParseResult extends ExternalStringSequenceKind {
|
||||
// https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlparse
|
||||
override TaintKind getTaintOfAttribute(string name) {
|
||||
result = super.getTaintOfAttribute(name)
|
||||
@@ -134,7 +134,7 @@ class ExternalUrlParseResult extends ExternalStringSequenceKind {
|
||||
|
||||
/* Helper for getTaintForStep() */
|
||||
pragma[noinline]
|
||||
private predicate json_subscript_taint(
|
||||
deprecated private predicate json_subscript_taint(
|
||||
SubscriptNode sub, ControlFlowNode obj, ExternalJsonKind seq, TaintKind key
|
||||
) {
|
||||
sub.isLoad() and
|
||||
@@ -142,12 +142,12 @@ private predicate json_subscript_taint(
|
||||
key = seq.getValue()
|
||||
}
|
||||
|
||||
private predicate json_load(ControlFlowNode fromnode, CallNode tonode) {
|
||||
deprecated private predicate json_load(ControlFlowNode fromnode, CallNode tonode) {
|
||||
tonode = Value::named("json.loads").getACall() and
|
||||
tonode.getArg(0) = fromnode
|
||||
}
|
||||
|
||||
private predicate urlsplit(ControlFlowNode fromnode, CallNode tonode) {
|
||||
deprecated private predicate urlsplit(ControlFlowNode fromnode, CallNode tonode) {
|
||||
// This could be implemented as `exists(FunctionValue` without the explicit six part,
|
||||
// but then our tests will need to import +100 modules, so for now this slightly
|
||||
// altered version gets to live on.
|
||||
@@ -166,7 +166,7 @@ private predicate urlsplit(ControlFlowNode fromnode, CallNode tonode) {
|
||||
)
|
||||
}
|
||||
|
||||
private predicate urlparse(ControlFlowNode fromnode, CallNode tonode) {
|
||||
deprecated private predicate urlparse(ControlFlowNode fromnode, CallNode tonode) {
|
||||
// This could be implemented as `exists(FunctionValue` without the explicit six part,
|
||||
// but then our tests will need to import +100 modules, so for now this slightly
|
||||
// altered version gets to live on.
|
||||
@@ -185,7 +185,7 @@ private predicate urlparse(ControlFlowNode fromnode, CallNode tonode) {
|
||||
)
|
||||
}
|
||||
|
||||
private predicate parse_qs(ControlFlowNode fromnode, CallNode tonode) {
|
||||
deprecated private predicate parse_qs(ControlFlowNode fromnode, CallNode tonode) {
|
||||
// This could be implemented as `exists(FunctionValue` without the explicit six part,
|
||||
// but then our tests will need to import +100 modules, so for now this slightly
|
||||
// altered version gets to live on.
|
||||
@@ -211,7 +211,7 @@ private predicate parse_qs(ControlFlowNode fromnode, CallNode tonode) {
|
||||
)
|
||||
}
|
||||
|
||||
private predicate parse_qsl(ControlFlowNode fromnode, CallNode tonode) {
|
||||
deprecated private predicate parse_qsl(ControlFlowNode fromnode, CallNode tonode) {
|
||||
// This could be implemented as `exists(FunctionValue` without the explicit six part,
|
||||
// but then our tests will need to import +100 modules, so for now this slightly
|
||||
// altered version gets to live on.
|
||||
@@ -238,7 +238,7 @@ private predicate parse_qsl(ControlFlowNode fromnode, CallNode tonode) {
|
||||
}
|
||||
|
||||
/** A kind of "taint", representing an open file-like object from an external source. */
|
||||
class ExternalFileObject extends TaintKind {
|
||||
deprecated class ExternalFileObject extends TaintKind {
|
||||
ExternalStringKind valueKind;
|
||||
|
||||
ExternalFileObject() { this = "file[" + valueKind + "]" }
|
||||
@@ -266,7 +266,7 @@ class ExternalFileObject extends TaintKind {
|
||||
* - `if splitres.netloc == "KNOWN_VALUE"`
|
||||
* - `if splitres[0] == "KNOWN_VALUE"`
|
||||
*/
|
||||
class UrlsplitUrlparseTempSanitizer extends Sanitizer {
|
||||
deprecated class UrlsplitUrlparseTempSanitizer extends Sanitizer {
|
||||
// TODO: remove this once we have better support for named tuples
|
||||
UrlsplitUrlparseTempSanitizer() { this = "UrlsplitUrlparseTempSanitizer" }
|
||||
|
||||
|
||||
@@ -5,6 +5,6 @@ import External
|
||||
* A kind of taint representing an externally controlled string.
|
||||
* This class is a simple sub-class of `ExternalStringKind`.
|
||||
*/
|
||||
class UntrustedStringKind extends ExternalStringKind {
|
||||
deprecated class UntrustedStringKind extends ExternalStringKind {
|
||||
UntrustedStringKind() { this = "externally controlled string" }
|
||||
}
|
||||
|
||||
@@ -87,7 +87,7 @@ class RangeIterationVariableFact extends PointsToExtension {
|
||||
}
|
||||
|
||||
/* bottle module route constants */
|
||||
class BottleRoutePointToExtension extends PointsToExtension {
|
||||
deprecated class BottleRoutePointToExtension extends PointsToExtension {
|
||||
string name;
|
||||
|
||||
BottleRoutePointToExtension() {
|
||||
|
||||
@@ -4,13 +4,13 @@ import semmle.python.security.strings.External
|
||||
import HttpConstants
|
||||
|
||||
/** Generic taint source from a http request */
|
||||
abstract class HttpRequestTaintSource extends TaintSource { }
|
||||
abstract deprecated class HttpRequestTaintSource extends TaintSource { }
|
||||
|
||||
/**
|
||||
* Taint kind representing the WSGI environment.
|
||||
* As specified in PEP 3333. https://www.python.org/dev/peps/pep-3333/#environ-variables
|
||||
*/
|
||||
class WsgiEnvironment extends TaintKind {
|
||||
deprecated class WsgiEnvironment extends TaintKind {
|
||||
WsgiEnvironment() { this = "wsgi.environment" }
|
||||
|
||||
override TaintKind getTaintForFlowStep(ControlFlowNode fromnode, ControlFlowNode tonode) {
|
||||
@@ -43,7 +43,7 @@ class WsgiEnvironment extends TaintKind {
|
||||
* A standard morsel object from a HTTP request, a value in a cookie,
|
||||
* typically an instance of `http.cookies.Morsel`
|
||||
*/
|
||||
class UntrustedMorsel extends TaintKind {
|
||||
deprecated class UntrustedMorsel extends TaintKind {
|
||||
UntrustedMorsel() { this = "http.Morsel" }
|
||||
|
||||
override TaintKind getTaintOfAttribute(string name) {
|
||||
@@ -53,7 +53,7 @@ class UntrustedMorsel extends TaintKind {
|
||||
}
|
||||
|
||||
/** A standard cookie object from a HTTP request, typically an instance of `http.cookies.SimpleCookie` */
|
||||
class UntrustedCookie extends TaintKind {
|
||||
deprecated class UntrustedCookie extends TaintKind {
|
||||
UntrustedCookie() { this = "http.Cookie" }
|
||||
|
||||
override TaintKind getTaintForFlowStep(ControlFlowNode fromnode, ControlFlowNode tonode) {
|
||||
@@ -62,7 +62,7 @@ class UntrustedCookie extends TaintKind {
|
||||
}
|
||||
}
|
||||
|
||||
abstract class CookieOperation extends @py_flow_node {
|
||||
abstract deprecated class CookieOperation extends @py_flow_node {
|
||||
/** Gets a textual representation of this element. */
|
||||
abstract string toString();
|
||||
|
||||
@@ -71,20 +71,20 @@ abstract class CookieOperation extends @py_flow_node {
|
||||
abstract ControlFlowNode getValue();
|
||||
}
|
||||
|
||||
abstract class CookieGet extends CookieOperation { }
|
||||
abstract deprecated class CookieGet extends CookieOperation { }
|
||||
|
||||
abstract class CookieSet extends CookieOperation { }
|
||||
abstract deprecated class CookieSet extends CookieOperation { }
|
||||
|
||||
/** Generic taint sink in a http response */
|
||||
abstract class HttpResponseTaintSink extends TaintSink {
|
||||
abstract deprecated class HttpResponseTaintSink extends TaintSink {
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
|
||||
abstract class HttpRedirectTaintSink extends TaintSink {
|
||||
abstract deprecated class HttpRedirectTaintSink extends TaintSink {
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
|
||||
module Client {
|
||||
deprecated module Client {
|
||||
// TODO: user-input in other than URL:
|
||||
// - `data`, `json` for `requests.post`
|
||||
// - `body` for `HTTPConnection.request`
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
/** Gets an HTTP verb, in upper case */
|
||||
string httpVerb() { result in ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "HEAD"] }
|
||||
deprecated string httpVerb() {
|
||||
result in ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "HEAD"]
|
||||
}
|
||||
|
||||
/** Gets an HTTP verb, in lower case */
|
||||
string httpVerbLower() { result = httpVerb().toLowerCase() }
|
||||
deprecated string httpVerbLower() { result = httpVerb().toLowerCase() }
|
||||
|
||||
@@ -3,16 +3,16 @@ import semmle.python.web.Http
|
||||
import semmle.python.types.Extensions
|
||||
|
||||
/** The bottle module */
|
||||
ModuleValue theBottleModule() { result = Module::named("bottle") }
|
||||
deprecated ModuleValue theBottleModule() { result = Module::named("bottle") }
|
||||
|
||||
/** The bottle.Bottle class */
|
||||
ClassValue theBottleClass() { result = theBottleModule().attr("Bottle") }
|
||||
deprecated ClassValue theBottleClass() { result = theBottleModule().attr("Bottle") }
|
||||
|
||||
/**
|
||||
* Holds if `route` is routed to `func`
|
||||
* by decorating `func` with `app.route(route)` or `route(route)`
|
||||
*/
|
||||
predicate bottle_route(CallNode route_call, ControlFlowNode route, Function func) {
|
||||
deprecated predicate bottle_route(CallNode route_call, ControlFlowNode route, Function func) {
|
||||
exists(CallNode decorator_call, string name |
|
||||
route_call.getFunction().(AttrNode).getObject(name).pointsTo().getClass() = theBottleClass() or
|
||||
route_call.getFunction().pointsTo(theBottleModule().attr(name))
|
||||
@@ -24,7 +24,7 @@ predicate bottle_route(CallNode route_call, ControlFlowNode route, Function func
|
||||
)
|
||||
}
|
||||
|
||||
class BottleRoute extends ControlFlowNode {
|
||||
deprecated class BottleRoute extends ControlFlowNode {
|
||||
BottleRoute() { bottle_route(this, _, _) }
|
||||
|
||||
string getUrl() {
|
||||
|
||||
@@ -9,12 +9,12 @@ import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Basic
|
||||
import semmle.python.web.bottle.General
|
||||
|
||||
FunctionValue bottle_redirect() { result = theBottleModule().attr("redirect") }
|
||||
deprecated FunctionValue bottle_redirect() { result = theBottleModule().attr("redirect") }
|
||||
|
||||
/**
|
||||
* Represents an argument to the `bottle.redirect` function.
|
||||
*/
|
||||
class BottleRedirect extends TaintSink {
|
||||
deprecated class BottleRedirect extends TaintSink {
|
||||
override string toString() { result = "bottle.redirect" }
|
||||
|
||||
BottleRedirect() {
|
||||
|
||||
@@ -4,9 +4,9 @@ import semmle.python.security.strings.External
|
||||
import semmle.python.web.Http
|
||||
import semmle.python.web.bottle.General
|
||||
|
||||
private Value theBottleRequestObject() { result = theBottleModule().attr("request") }
|
||||
deprecated private Value theBottleRequestObject() { result = theBottleModule().attr("request") }
|
||||
|
||||
class BottleRequestKind extends TaintKind {
|
||||
deprecated class BottleRequestKind extends TaintKind {
|
||||
BottleRequestKind() { this = "bottle.request" }
|
||||
|
||||
override TaintKind getTaintOfAttribute(string name) {
|
||||
@@ -21,13 +21,13 @@ class BottleRequestKind extends TaintKind {
|
||||
}
|
||||
}
|
||||
|
||||
private class RequestSource extends HttpRequestTaintSource {
|
||||
deprecated private class RequestSource extends HttpRequestTaintSource {
|
||||
RequestSource() { this.(ControlFlowNode).pointsTo(theBottleRequestObject()) }
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) { kind instanceof BottleRequestKind }
|
||||
}
|
||||
|
||||
class BottleFormsDict extends TaintKind {
|
||||
deprecated class BottleFormsDict extends TaintKind {
|
||||
BottleFormsDict() { this = "bottle.FormsDict" }
|
||||
|
||||
override TaintKind getTaintForFlowStep(ControlFlowNode fromnode, ControlFlowNode tonode) {
|
||||
@@ -48,7 +48,7 @@ class BottleFormsDict extends TaintKind {
|
||||
}
|
||||
}
|
||||
|
||||
class FileUpload extends TaintKind {
|
||||
deprecated class FileUpload extends TaintKind {
|
||||
FileUpload() { this = "bottle.FileUpload" }
|
||||
|
||||
override TaintKind getTaintOfAttribute(string name) {
|
||||
@@ -60,7 +60,7 @@ class FileUpload extends TaintKind {
|
||||
}
|
||||
}
|
||||
|
||||
class UntrustedFile extends TaintKind {
|
||||
deprecated class UntrustedFile extends TaintKind {
|
||||
UntrustedFile() { this = "Untrusted file" }
|
||||
}
|
||||
|
||||
@@ -69,7 +69,7 @@ class UntrustedFile extends TaintKind {
|
||||
// Move UntrustedFile to shared location
|
||||
//
|
||||
/** Parameter to a bottle request handler function */
|
||||
class BottleRequestParameter extends HttpRequestTaintSource {
|
||||
deprecated class BottleRequestParameter extends HttpRequestTaintSource {
|
||||
BottleRequestParameter() {
|
||||
exists(BottleRoute route | route.getANamedArgument() = this.(ControlFlowNode).getNode())
|
||||
}
|
||||
|
||||
@@ -9,13 +9,13 @@ import semmle.python.web.bottle.General
|
||||
* This isn't really a "taint", but we use the value tracking machinery to
|
||||
* track the flow of response objects.
|
||||
*/
|
||||
class BottleResponse extends TaintKind {
|
||||
deprecated class BottleResponse extends TaintKind {
|
||||
BottleResponse() { this = "bottle.response" }
|
||||
}
|
||||
|
||||
private Value theBottleResponseObject() { result = theBottleModule().attr("response") }
|
||||
deprecated private Value theBottleResponseObject() { result = theBottleModule().attr("response") }
|
||||
|
||||
class BottleResponseBodyAssignment extends HttpResponseTaintSink {
|
||||
deprecated class BottleResponseBodyAssignment extends HttpResponseTaintSink {
|
||||
BottleResponseBodyAssignment() {
|
||||
exists(DefinitionNode lhs |
|
||||
lhs.getValue() = this and
|
||||
@@ -26,7 +26,7 @@ class BottleResponseBodyAssignment extends HttpResponseTaintSink {
|
||||
override predicate sinks(TaintKind kind) { kind instanceof StringKind }
|
||||
}
|
||||
|
||||
class BottleHandlerFunctionResult extends HttpResponseTaintSink {
|
||||
deprecated class BottleHandlerFunctionResult extends HttpResponseTaintSink {
|
||||
BottleHandlerFunctionResult() {
|
||||
exists(BottleRoute route, Return ret |
|
||||
ret.getScope() = route.getFunction() and
|
||||
@@ -39,7 +39,7 @@ class BottleHandlerFunctionResult extends HttpResponseTaintSink {
|
||||
override string toString() { result = "bottle handler function result" }
|
||||
}
|
||||
|
||||
class BottleCookieSet extends CookieSet, CallNode {
|
||||
deprecated class BottleCookieSet extends CookieSet, CallNode {
|
||||
BottleCookieSet() {
|
||||
any(BottleResponse r).taints(this.getFunction().(AttrNode).getObject("set_cookie"))
|
||||
}
|
||||
|
||||
@@ -1,11 +1,11 @@
|
||||
import python
|
||||
import semmle.python.web.Http
|
||||
|
||||
module CherryPy {
|
||||
deprecated module CherryPy {
|
||||
FunctionValue expose() { result = Value::named("cherrypy.expose") }
|
||||
}
|
||||
|
||||
class CherryPyExposedFunction extends Function {
|
||||
deprecated class CherryPyExposedFunction extends Function {
|
||||
CherryPyExposedFunction() {
|
||||
this.getADecorator().pointsTo(CherryPy::expose())
|
||||
or
|
||||
@@ -13,7 +13,7 @@ class CherryPyExposedFunction extends Function {
|
||||
}
|
||||
}
|
||||
|
||||
class CherryPyRoute extends CallNode {
|
||||
deprecated class CherryPyRoute extends CallNode {
|
||||
CherryPyRoute() {
|
||||
/* cherrypy.quickstart(root, script_name, config) */
|
||||
Value::named("cherrypy.quickstart").(FunctionValue).getACall() = this
|
||||
|
||||
@@ -5,7 +5,7 @@ import semmle.python.web.Http
|
||||
import semmle.python.web.cherrypy.General
|
||||
|
||||
/** The cherrypy.request local-proxy object */
|
||||
class CherryPyRequest extends TaintKind {
|
||||
deprecated class CherryPyRequest extends TaintKind {
|
||||
CherryPyRequest() { this = "cherrypy.request" }
|
||||
|
||||
override TaintKind getTaintOfAttribute(string name) {
|
||||
@@ -20,7 +20,7 @@ class CherryPyRequest extends TaintKind {
|
||||
}
|
||||
}
|
||||
|
||||
class CherryPyExposedFunctionParameter extends HttpRequestTaintSource {
|
||||
deprecated class CherryPyExposedFunctionParameter extends HttpRequestTaintSource {
|
||||
CherryPyExposedFunctionParameter() {
|
||||
exists(Parameter p |
|
||||
p = any(CherryPyExposedFunction f).getAnArg() and
|
||||
@@ -34,7 +34,7 @@ class CherryPyExposedFunctionParameter extends HttpRequestTaintSource {
|
||||
override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
|
||||
class CherryPyRequestSource extends HttpRequestTaintSource {
|
||||
deprecated class CherryPyRequestSource extends HttpRequestTaintSource {
|
||||
CherryPyRequestSource() { this.(ControlFlowNode).pointsTo(Value::named("cherrypy.request")) }
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) { kind instanceof CherryPyRequest }
|
||||
|
||||
@@ -4,7 +4,7 @@ import semmle.python.security.strings.Untrusted
|
||||
import semmle.python.web.Http
|
||||
import semmle.python.web.cherrypy.General
|
||||
|
||||
class CherryPyExposedFunctionResult extends HttpResponseTaintSink {
|
||||
deprecated class CherryPyExposedFunctionResult extends HttpResponseTaintSink {
|
||||
CherryPyExposedFunctionResult() {
|
||||
exists(Return ret |
|
||||
ret.getScope() instanceof CherryPyExposedFunction and
|
||||
|
||||
@@ -6,7 +6,7 @@
|
||||
import python
|
||||
private import semmle.python.web.Http
|
||||
|
||||
class RequestsHttpRequest extends Client::HttpRequest, CallNode {
|
||||
deprecated class RequestsHttpRequest extends Client::HttpRequest, CallNode {
|
||||
CallableValue func;
|
||||
string method;
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
import python
|
||||
private import semmle.python.web.Http
|
||||
|
||||
ClassValue httpConnectionClass() {
|
||||
deprecated ClassValue httpConnectionClass() {
|
||||
// Python 2
|
||||
result = Value::named("httplib.HTTPConnection")
|
||||
or
|
||||
@@ -18,7 +18,7 @@ ClassValue httpConnectionClass() {
|
||||
result = Value::named("six.moves.http_client.HTTPSConnection")
|
||||
}
|
||||
|
||||
class HttpConnectionHttpRequest extends Client::HttpRequest, CallNode {
|
||||
deprecated class HttpConnectionHttpRequest extends Client::HttpRequest, CallNode {
|
||||
CallNode constructor_call;
|
||||
CallableValue func;
|
||||
|
||||
|
||||
@@ -4,16 +4,18 @@ import semmle.python.security.injection.Sql
|
||||
/**
|
||||
* A taint kind representing a django cursor object.
|
||||
*/
|
||||
class DjangoDbCursor extends DbCursor {
|
||||
deprecated class DjangoDbCursor extends DbCursor {
|
||||
DjangoDbCursor() { this = "django.db.connection.cursor" }
|
||||
}
|
||||
|
||||
private Value theDjangoConnectionObject() { result = Value::named("django.db.connection") }
|
||||
deprecated private Value theDjangoConnectionObject() {
|
||||
result = Value::named("django.db.connection")
|
||||
}
|
||||
|
||||
/**
|
||||
* A kind of taint source representing sources of django cursor objects.
|
||||
*/
|
||||
class DjangoDbCursorSource extends DbConnectionSource {
|
||||
deprecated class DjangoDbCursorSource extends DbConnectionSource {
|
||||
DjangoDbCursorSource() {
|
||||
exists(AttrNode cursor |
|
||||
this.(CallNode).getFunction() = cursor and
|
||||
@@ -26,13 +28,15 @@ class DjangoDbCursorSource extends DbConnectionSource {
|
||||
override predicate isSourceOf(TaintKind kind) { kind instanceof DjangoDbCursor }
|
||||
}
|
||||
|
||||
ClassValue theDjangoRawSqlClass() { result = Value::named("django.db.models.expressions.RawSQL") }
|
||||
deprecated ClassValue theDjangoRawSqlClass() {
|
||||
result = Value::named("django.db.models.expressions.RawSQL")
|
||||
}
|
||||
|
||||
/**
|
||||
* A sink of taint on calls to `django.db.models.expressions.RawSQL`. This
|
||||
* allows arbitrary SQL statements to be executed, which is a security risk.
|
||||
*/
|
||||
class DjangoRawSqlSink extends SqlInjectionSink {
|
||||
deprecated class DjangoRawSqlSink extends SqlInjectionSink {
|
||||
DjangoRawSqlSink() {
|
||||
exists(CallNode call |
|
||||
call = theDjangoRawSqlClass().getACall() and
|
||||
|
||||
@@ -5,7 +5,7 @@ import semmle.python.web.Http
|
||||
// TODO: Since django uses `path = partial(...)`, our analysis doesn't understand this is
|
||||
// a FunctionValue, so we can't use `FunctionValue.getArgumentForCall`
|
||||
// https://github.com/django/django/blob/master/django/urls/conf.py#L76
|
||||
abstract class DjangoRoute extends CallNode {
|
||||
abstract deprecated class DjangoRoute extends CallNode {
|
||||
DjangoViewHandler getViewHandler() {
|
||||
result = view_handler_from_view_arg(this.getArg(1))
|
||||
or
|
||||
@@ -26,7 +26,7 @@ abstract class DjangoRoute extends CallNode {
|
||||
* https://docs.djangoproject.com/en/1.11/topics/http/views/
|
||||
* https://docs.djangoproject.com/en/3.0/topics/http/views/
|
||||
*/
|
||||
class DjangoViewHandler extends PythonFunctionValue {
|
||||
deprecated class DjangoViewHandler extends PythonFunctionValue {
|
||||
/** Gets the index of the 'request' argument */
|
||||
int getRequestArgIndex() { result = 0 }
|
||||
}
|
||||
@@ -36,7 +36,7 @@ class DjangoViewHandler extends PythonFunctionValue {
|
||||
* https://docs.djangoproject.com/en/1.11/topics/class-based-views/
|
||||
* https://docs.djangoproject.com/en/3.0/topics/class-based-views/
|
||||
*/
|
||||
private class DjangoViewClass extends ClassValue {
|
||||
deprecated private class DjangoViewClass extends ClassValue {
|
||||
DjangoViewClass() {
|
||||
Value::named("django.views.generic.View") = this.getASuperType()
|
||||
or
|
||||
@@ -44,7 +44,7 @@ private class DjangoViewClass extends ClassValue {
|
||||
}
|
||||
}
|
||||
|
||||
class DjangoClassBasedViewHandler extends DjangoViewHandler {
|
||||
deprecated class DjangoClassBasedViewHandler extends DjangoViewHandler {
|
||||
DjangoClassBasedViewHandler() { exists(DjangoViewClass cls | cls.lookup(httpVerbLower()) = this) }
|
||||
|
||||
override int getRequestArgIndex() {
|
||||
@@ -57,7 +57,7 @@ class DjangoClassBasedViewHandler extends DjangoViewHandler {
|
||||
* Gets the function that will handle requests when `view_arg` is used as the view argument to a
|
||||
* django route. That is, this methods handles Class-based Views and its `as_view()` function.
|
||||
*/
|
||||
private DjangoViewHandler view_handler_from_view_arg(ControlFlowNode view_arg) {
|
||||
deprecated private DjangoViewHandler view_handler_from_view_arg(ControlFlowNode view_arg) {
|
||||
// Function-based view
|
||||
result = view_arg.pointsTo()
|
||||
or
|
||||
@@ -70,11 +70,11 @@ private DjangoViewHandler view_handler_from_view_arg(ControlFlowNode view_arg) {
|
||||
|
||||
// We need this "dummy" class, since otherwise the regex argument would not be considered
|
||||
// a regex (RegexString is abstract)
|
||||
class DjangoRouteRegex extends RegexString {
|
||||
deprecated class DjangoRouteRegex extends RegexString {
|
||||
DjangoRouteRegex() { exists(DjangoRegexRoute route | route.getRouteArg() = this.getAFlowNode()) }
|
||||
}
|
||||
|
||||
class DjangoRegexRoute extends DjangoRoute {
|
||||
deprecated class DjangoRegexRoute extends DjangoRoute {
|
||||
ControlFlowNode route;
|
||||
|
||||
DjangoRegexRoute() {
|
||||
@@ -109,7 +109,7 @@ class DjangoRegexRoute extends DjangoRoute {
|
||||
}
|
||||
}
|
||||
|
||||
class DjangoPathRoute extends DjangoRoute {
|
||||
deprecated class DjangoPathRoute extends DjangoRoute {
|
||||
ControlFlowNode route;
|
||||
|
||||
DjangoPathRoute() {
|
||||
|
||||
@@ -5,12 +5,12 @@ import semmle.python.web.Http
|
||||
import semmle.python.security.injection.Sql
|
||||
|
||||
/** A django model class */
|
||||
class DjangoModel extends ClassValue {
|
||||
deprecated class DjangoModel extends ClassValue {
|
||||
DjangoModel() { Value::named("django.db.models.Model") = this.getASuperType() }
|
||||
}
|
||||
|
||||
/** A "taint" for django database tables */
|
||||
class DjangoDbTableObjects extends TaintKind {
|
||||
deprecated class DjangoDbTableObjects extends TaintKind {
|
||||
DjangoDbTableObjects() { this = "django.db.models.Model.objects" }
|
||||
|
||||
override TaintKind getTaintOfMethodResult(string name) {
|
||||
@@ -24,7 +24,7 @@ class DjangoDbTableObjects extends TaintKind {
|
||||
}
|
||||
|
||||
/** Django model objects, which are sources of django database table "taint" */
|
||||
class DjangoModelObjects extends TaintSource {
|
||||
deprecated class DjangoModelObjects extends TaintSource {
|
||||
DjangoModelObjects() {
|
||||
this.(AttrNode).isLoad() and this.(AttrNode).getObject("objects").pointsTo(any(DjangoModel m))
|
||||
}
|
||||
@@ -38,7 +38,7 @@ class DjangoModelObjects extends TaintSource {
|
||||
* A call to the `raw` method on a django model. This allows a raw SQL query
|
||||
* to be sent to the database, which is a security risk.
|
||||
*/
|
||||
class DjangoModelRawCall extends SqlInjectionSink {
|
||||
deprecated class DjangoModelRawCall extends SqlInjectionSink {
|
||||
DjangoModelRawCall() {
|
||||
exists(CallNode raw_call, ControlFlowNode queryset | this = raw_call.getArg(0) |
|
||||
raw_call.getFunction().(AttrNode).getObject("raw") = queryset and
|
||||
@@ -55,7 +55,7 @@ class DjangoModelRawCall extends SqlInjectionSink {
|
||||
* A call to the `extra` method on a django model. This allows a raw SQL query
|
||||
* to be sent to the database, which is a security risk.
|
||||
*/
|
||||
class DjangoModelExtraCall extends SqlInjectionSink {
|
||||
deprecated class DjangoModelExtraCall extends SqlInjectionSink {
|
||||
DjangoModelExtraCall() {
|
||||
exists(CallNode extra_call, ControlFlowNode queryset | this = extra_call.getArg(0) |
|
||||
extra_call.getFunction().(AttrNode).getObject("extra") = queryset and
|
||||
|
||||
@@ -13,7 +13,7 @@ private import semmle.python.web.Http
|
||||
/**
|
||||
* The URL argument for a call to the `django.shortcuts.redirect` function.
|
||||
*/
|
||||
class DjangoShortcutsRedirectSink extends HttpRedirectTaintSink {
|
||||
deprecated class DjangoShortcutsRedirectSink extends HttpRedirectTaintSink {
|
||||
override string toString() { result = "DjangoShortcutsRedirectSink" }
|
||||
|
||||
DjangoShortcutsRedirectSink() {
|
||||
@@ -27,7 +27,7 @@ deprecated class DjangoRedirect = DjangoShortcutsRedirectSink;
|
||||
/**
|
||||
* The URL argument when instantiating a Django Redirect Response.
|
||||
*/
|
||||
class DjangoRedirectResponseSink extends HttpRedirectTaintSink {
|
||||
deprecated class DjangoRedirectResponseSink extends HttpRedirectTaintSink {
|
||||
DjangoRedirectResponseSink() {
|
||||
exists(CallNode call | call = any(DjangoRedirectResponseClass cls).getACall() |
|
||||
this = call.getArg(0)
|
||||
|
||||
@@ -4,7 +4,7 @@ import semmle.python.web.Http
|
||||
import semmle.python.web.django.General
|
||||
|
||||
/** A django.request.HttpRequest object */
|
||||
class DjangoRequest extends TaintKind {
|
||||
deprecated class DjangoRequest extends TaintKind {
|
||||
DjangoRequest() { this = "django.request.HttpRequest" }
|
||||
|
||||
override TaintKind getTaintOfAttribute(string name) {
|
||||
@@ -20,13 +20,13 @@ class DjangoRequest extends TaintKind {
|
||||
|
||||
/* Helper for getTaintForStep() */
|
||||
pragma[noinline]
|
||||
private predicate subscript_taint(SubscriptNode sub, ControlFlowNode obj, TaintKind kind) {
|
||||
deprecated private predicate subscript_taint(SubscriptNode sub, ControlFlowNode obj, TaintKind kind) {
|
||||
sub.getObject() = obj and
|
||||
kind instanceof ExternalStringKind
|
||||
}
|
||||
|
||||
/** A django.request.QueryDict object */
|
||||
class DjangoQueryDict extends TaintKind {
|
||||
deprecated class DjangoQueryDict extends TaintKind {
|
||||
DjangoQueryDict() { this = "django.http.request.QueryDict" }
|
||||
|
||||
override TaintKind getTaintForFlowStep(ControlFlowNode fromnode, ControlFlowNode tonode) {
|
||||
@@ -40,7 +40,7 @@ class DjangoQueryDict extends TaintKind {
|
||||
}
|
||||
|
||||
/** A Django request parameter */
|
||||
class DjangoRequestSource extends HttpRequestTaintSource {
|
||||
deprecated class DjangoRequestSource extends HttpRequestTaintSource {
|
||||
DjangoRequestSource() {
|
||||
exists(DjangoRoute route, DjangoViewHandler view, int request_arg_index |
|
||||
route.getViewHandler() = view and
|
||||
@@ -55,7 +55,7 @@ class DjangoRequestSource extends HttpRequestTaintSource {
|
||||
}
|
||||
|
||||
/** An argument specified in a url routing table */
|
||||
class DjangoRequestParameter extends HttpRequestTaintSource {
|
||||
deprecated class DjangoRequestParameter extends HttpRequestTaintSource {
|
||||
DjangoRequestParameter() {
|
||||
exists(DjangoRoute route, Function f, DjangoViewHandler view, int request_arg_index |
|
||||
route.getViewHandler() = view and
|
||||
|
||||
@@ -15,12 +15,12 @@ private import semmle.python.web.Http
|
||||
deprecated class DjangoResponse = DjangoResponseKind;
|
||||
|
||||
/** INTERNAL class used for tracking a django response object. */
|
||||
private class DjangoResponseKind extends TaintKind {
|
||||
deprecated private class DjangoResponseKind extends TaintKind {
|
||||
DjangoResponseKind() { this = "django.response.HttpResponse" }
|
||||
}
|
||||
|
||||
/** INTERNAL taint-source used for tracking a django response object. */
|
||||
private class DjangoResponseSource extends TaintSource {
|
||||
deprecated private class DjangoResponseSource extends TaintSource {
|
||||
DjangoResponseSource() { exists(DjangoContentResponseClass cls | cls.getACall() = this) }
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) { kind instanceof DjangoResponseKind }
|
||||
@@ -29,7 +29,7 @@ private class DjangoResponseSource extends TaintSource {
|
||||
}
|
||||
|
||||
/** A write to a django response, which is vulnerable to external data (xss) */
|
||||
class DjangoResponseWrite extends HttpResponseTaintSink {
|
||||
deprecated class DjangoResponseWrite extends HttpResponseTaintSink {
|
||||
DjangoResponseWrite() {
|
||||
exists(AttrNode meth, CallNode call |
|
||||
call.getFunction() = meth and
|
||||
@@ -46,7 +46,7 @@ class DjangoResponseWrite extends HttpResponseTaintSink {
|
||||
/**
|
||||
* An argument to initialization of a django response.
|
||||
*/
|
||||
class DjangoResponseContent extends HttpResponseTaintSink {
|
||||
deprecated class DjangoResponseContent extends HttpResponseTaintSink {
|
||||
DjangoContentResponseClass cls;
|
||||
CallNode call;
|
||||
|
||||
@@ -63,7 +63,7 @@ class DjangoResponseContent extends HttpResponseTaintSink {
|
||||
/**
|
||||
* An argument to initialization of a django response, which is vulnerable to external data (XSS).
|
||||
*/
|
||||
class DjangoResponseContentXSSVulnerable extends DjangoResponseContent {
|
||||
deprecated class DjangoResponseContentXSSVulnerable extends DjangoResponseContent {
|
||||
override DjangoXSSVulnerableResponseClass cls;
|
||||
|
||||
DjangoResponseContentXSSVulnerable() {
|
||||
@@ -76,7 +76,7 @@ class DjangoResponseContentXSSVulnerable extends DjangoResponseContent {
|
||||
}
|
||||
}
|
||||
|
||||
class DjangoCookieSet extends CookieSet, CallNode {
|
||||
deprecated class DjangoCookieSet extends CookieSet, CallNode {
|
||||
DjangoCookieSet() {
|
||||
any(DjangoResponseKind r).taints(this.getFunction().(AttrNode).getObject("set_cookie"))
|
||||
}
|
||||
|
||||
@@ -13,7 +13,7 @@ deprecated ClassValue theDjangoHttpRedirectClass() {
|
||||
}
|
||||
|
||||
/** A class that is a Django Redirect Response (subclass of `django.http.HttpResponseRedirectBase`). */
|
||||
class DjangoRedirectResponseClass extends ClassValue {
|
||||
deprecated class DjangoRedirectResponseClass extends ClassValue {
|
||||
DjangoRedirectResponseClass() {
|
||||
exists(ClassValue redirect_base |
|
||||
// version 1.x
|
||||
@@ -31,7 +31,7 @@ class DjangoRedirectResponseClass extends ClassValue {
|
||||
* A class that is a Django Response, which can contain content.
|
||||
* A subclass of `django.http.HttpResponse` that is not a `DjangoRedirectResponseClass`.
|
||||
*/
|
||||
class DjangoContentResponseClass extends ClassValue {
|
||||
deprecated class DjangoContentResponseClass extends ClassValue {
|
||||
ClassValue base;
|
||||
|
||||
DjangoContentResponseClass() {
|
||||
@@ -59,7 +59,7 @@ class DjangoContentResponseClass extends ClassValue {
|
||||
}
|
||||
|
||||
/** A class that is a Django Response, and is vulnerable to XSS. */
|
||||
class DjangoXSSVulnerableResponseClass extends DjangoContentResponseClass {
|
||||
deprecated class DjangoXSSVulnerableResponseClass extends DjangoContentResponseClass {
|
||||
DjangoXSSVulnerableResponseClass() {
|
||||
// We want to avoid FPs on subclasses that are not exposed to XSS, for example `JsonResponse`.
|
||||
// The easiest way is to disregard any subclass that has a special `__init__` method.
|
||||
|
||||
@@ -2,21 +2,23 @@ import python
|
||||
import semmle.python.web.Http
|
||||
|
||||
/** The falcon API class */
|
||||
ClassValue theFalconAPIClass() { result = Value::named("falcon.API") }
|
||||
deprecated ClassValue theFalconAPIClass() { result = Value::named("falcon.API") }
|
||||
|
||||
/** Holds if `route` is routed to `resource` */
|
||||
private predicate api_route(CallNode route_call, ControlFlowNode route, ClassValue resource) {
|
||||
deprecated private predicate api_route(
|
||||
CallNode route_call, ControlFlowNode route, ClassValue resource
|
||||
) {
|
||||
route_call.getFunction().(AttrNode).getObject("add_route").pointsTo().getClass() =
|
||||
theFalconAPIClass() and
|
||||
route_call.getArg(0) = route and
|
||||
route_call.getArg(1).pointsTo().getClass() = resource
|
||||
}
|
||||
|
||||
private predicate route(FalconRoute route, Function target, string funcname) {
|
||||
deprecated private predicate route(FalconRoute route, Function target, string funcname) {
|
||||
route.getResourceClass().lookup("on_" + funcname).(FunctionValue).getScope() = target
|
||||
}
|
||||
|
||||
class FalconRoute extends ControlFlowNode {
|
||||
deprecated class FalconRoute extends ControlFlowNode {
|
||||
FalconRoute() { api_route(this, _, _) }
|
||||
|
||||
string getUrl() {
|
||||
@@ -31,7 +33,7 @@ class FalconRoute extends ControlFlowNode {
|
||||
FalconHandlerFunction getHandlerFunction(string method) { route(this, result, method) }
|
||||
}
|
||||
|
||||
class FalconHandlerFunction extends Function {
|
||||
deprecated class FalconHandlerFunction extends Function {
|
||||
FalconHandlerFunction() { route(_, this, _) }
|
||||
|
||||
private string methodName() { route(_, this, result) }
|
||||
|
||||
@@ -5,7 +5,7 @@ import semmle.python.web.falcon.General
|
||||
import semmle.python.security.strings.External
|
||||
|
||||
/** https://falcon.readthedocs.io/en/stable/api/request_and_response.html */
|
||||
class FalconRequest extends TaintKind {
|
||||
deprecated class FalconRequest extends TaintKind {
|
||||
FalconRequest() { this = "falcon.request" }
|
||||
|
||||
override TaintKind getTaintOfAttribute(string name) {
|
||||
@@ -29,7 +29,7 @@ class FalconRequest extends TaintKind {
|
||||
}
|
||||
}
|
||||
|
||||
class FalconRequestParameter extends HttpRequestTaintSource {
|
||||
deprecated class FalconRequestParameter extends HttpRequestTaintSource {
|
||||
FalconRequestParameter() {
|
||||
exists(FalconHandlerFunction f | f.getRequest() = this.(ControlFlowNode).getNode())
|
||||
}
|
||||
|
||||
@@ -5,12 +5,12 @@ import semmle.python.web.falcon.General
|
||||
import semmle.python.security.strings.External
|
||||
|
||||
/** https://falcon.readthedocs.io/en/stable/api/request_and_response.html */
|
||||
class FalconResponse extends TaintKind {
|
||||
deprecated class FalconResponse extends TaintKind {
|
||||
FalconResponse() { this = "falcon.response" }
|
||||
}
|
||||
|
||||
/** Only used internally to track the response parameter */
|
||||
private class FalconResponseParameter extends TaintSource {
|
||||
deprecated private class FalconResponseParameter extends TaintSource {
|
||||
FalconResponseParameter() {
|
||||
exists(FalconHandlerFunction f | f.getResponse() = this.(ControlFlowNode).getNode())
|
||||
}
|
||||
@@ -18,7 +18,7 @@ private class FalconResponseParameter extends TaintSource {
|
||||
override predicate isSourceOf(TaintKind k) { k instanceof FalconResponse }
|
||||
}
|
||||
|
||||
class FalconResponseBodySink extends HttpResponseTaintSink {
|
||||
deprecated class FalconResponseBodySink extends HttpResponseTaintSink {
|
||||
FalconResponseBodySink() {
|
||||
exists(AttrNode attr | any(FalconResponse f).taints(attr.getObject("body")) |
|
||||
attr.(DefinitionNode).getValue() = this
|
||||
|
||||
@@ -3,18 +3,18 @@ import semmle.python.web.Http
|
||||
import semmle.python.web.flask.Response
|
||||
|
||||
/** The flask app class */
|
||||
ClassValue theFlaskClass() { result = Value::named("flask.Flask") }
|
||||
deprecated ClassValue theFlaskClass() { result = Value::named("flask.Flask") }
|
||||
|
||||
/** The flask MethodView class */
|
||||
ClassValue theFlaskMethodViewClass() { result = Value::named("flask.views.MethodView") }
|
||||
deprecated ClassValue theFlaskMethodViewClass() { result = Value::named("flask.views.MethodView") }
|
||||
|
||||
ClassValue theFlaskReponseClass() { result = Value::named("flask.Response") }
|
||||
deprecated ClassValue theFlaskReponseClass() { result = Value::named("flask.Response") }
|
||||
|
||||
/**
|
||||
* Holds if `route` is routed to `func`
|
||||
* by decorating `func` with `app.route(route)`
|
||||
*/
|
||||
predicate app_route(ControlFlowNode route, Function func) {
|
||||
deprecated predicate app_route(ControlFlowNode route, Function func) {
|
||||
exists(CallNode route_call, CallNode decorator_call |
|
||||
route_call.getFunction().(AttrNode).getObject("route").pointsTo().getClass() = theFlaskClass() and
|
||||
decorator_call.getFunction() = route_call and
|
||||
@@ -24,7 +24,7 @@ predicate app_route(ControlFlowNode route, Function func) {
|
||||
}
|
||||
|
||||
/* Helper for add_url_rule */
|
||||
private predicate add_url_rule_call(ControlFlowNode regex, ControlFlowNode callable) {
|
||||
deprecated private predicate add_url_rule_call(ControlFlowNode regex, ControlFlowNode callable) {
|
||||
exists(CallNode call |
|
||||
call.getFunction().(AttrNode).getObject("add_url_rule").pointsTo().getClass() = theFlaskClass() and
|
||||
regex = call.getArg(0)
|
||||
@@ -35,7 +35,7 @@ private predicate add_url_rule_call(ControlFlowNode regex, ControlFlowNode calla
|
||||
}
|
||||
|
||||
/** Holds if urls matching `regex` are routed to `func` */
|
||||
predicate add_url_rule(ControlFlowNode regex, Function func) {
|
||||
deprecated predicate add_url_rule(ControlFlowNode regex, Function func) {
|
||||
exists(ControlFlowNode callable | add_url_rule_call(regex, callable) |
|
||||
exists(PythonFunctionValue f | f.getScope() = func and callable.pointsTo(f))
|
||||
or
|
||||
@@ -51,14 +51,14 @@ predicate add_url_rule(ControlFlowNode regex, Function func) {
|
||||
* Holds if urls matching `regex` are routed to `func` using
|
||||
* any of flask's routing mechanisms.
|
||||
*/
|
||||
predicate flask_routing(ControlFlowNode regex, Function func) {
|
||||
deprecated predicate flask_routing(ControlFlowNode regex, Function func) {
|
||||
app_route(regex, func)
|
||||
or
|
||||
add_url_rule(regex, func)
|
||||
}
|
||||
|
||||
/** A class that extends flask.views.MethodView */
|
||||
private class MethodViewClass extends ClassValue {
|
||||
deprecated private class MethodViewClass extends ClassValue {
|
||||
MethodViewClass() { this.getASuperType() = theFlaskMethodViewClass() }
|
||||
|
||||
/* As we are restricted to strings for taint kinds, we need to map these classes to strings. */
|
||||
@@ -68,12 +68,12 @@ private class MethodViewClass extends ClassValue {
|
||||
TaintKind asTaint() { result = this.taintString() }
|
||||
}
|
||||
|
||||
private class MethodViewTaint extends TaintKind {
|
||||
deprecated private class MethodViewTaint extends TaintKind {
|
||||
MethodViewTaint() { any(MethodViewClass cls).taintString() = this }
|
||||
}
|
||||
|
||||
/** A source of method view "taint"s. */
|
||||
private class AsView extends TaintSource {
|
||||
deprecated private class AsView extends TaintSource {
|
||||
AsView() {
|
||||
exists(ClassValue view_class |
|
||||
view_class.getASuperType() = theFlaskMethodViewClass() and
|
||||
@@ -91,7 +91,7 @@ private class AsView extends TaintSource {
|
||||
}
|
||||
}
|
||||
|
||||
class FlaskCookieSet extends CookieSet, CallNode {
|
||||
deprecated class FlaskCookieSet extends CookieSet, CallNode {
|
||||
FlaskCookieSet() {
|
||||
any(FlaskResponseTaintKind t).taints(this.getFunction().(AttrNode).getObject("set_cookie"))
|
||||
}
|
||||
|
||||
@@ -9,12 +9,12 @@ import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Basic
|
||||
import semmle.python.web.flask.General
|
||||
|
||||
FunctionValue flask_redirect() { result = Value::named("flask.redirect") }
|
||||
deprecated FunctionValue flask_redirect() { result = Value::named("flask.redirect") }
|
||||
|
||||
/**
|
||||
* Represents an argument to the `flask.redirect` function.
|
||||
*/
|
||||
class FlaskRedirect extends HttpRedirectTaintSink {
|
||||
deprecated class FlaskRedirect extends HttpRedirectTaintSink {
|
||||
override string toString() { result = "flask.redirect" }
|
||||
|
||||
FlaskRedirect() {
|
||||
|
||||
@@ -3,16 +3,16 @@ import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.web.Http
|
||||
import semmle.python.web.flask.General
|
||||
|
||||
private Value theFlaskRequestObject() { result = Value::named("flask.request") }
|
||||
deprecated private Value theFlaskRequestObject() { result = Value::named("flask.request") }
|
||||
|
||||
/** Holds if `attr` is an access of attribute `name` of the flask request object */
|
||||
private predicate flask_request_attr(AttrNode attr, string name) {
|
||||
deprecated private predicate flask_request_attr(AttrNode attr, string name) {
|
||||
attr.isLoad() and
|
||||
attr.getObject(name).pointsTo(theFlaskRequestObject())
|
||||
}
|
||||
|
||||
/** Source of external data from a flask request */
|
||||
class FlaskRequestData extends HttpRequestTaintSource {
|
||||
deprecated class FlaskRequestData extends HttpRequestTaintSource {
|
||||
FlaskRequestData() {
|
||||
not this instanceof FlaskRequestArgs and
|
||||
exists(string name | flask_request_attr(this, name) |
|
||||
@@ -26,7 +26,7 @@ class FlaskRequestData extends HttpRequestTaintSource {
|
||||
}
|
||||
|
||||
/** Source of dictionary whose values are externally controlled */
|
||||
class FlaskRequestArgs extends HttpRequestTaintSource {
|
||||
deprecated class FlaskRequestArgs extends HttpRequestTaintSource {
|
||||
FlaskRequestArgs() {
|
||||
exists(string attr | flask_request_attr(this, attr) |
|
||||
attr in ["args", "form", "values", "files", "headers", "json"]
|
||||
@@ -39,7 +39,7 @@ class FlaskRequestArgs extends HttpRequestTaintSource {
|
||||
}
|
||||
|
||||
/** Source of dictionary whose values are externally controlled */
|
||||
class FlaskRequestJson extends HttpRequestTaintSource {
|
||||
deprecated class FlaskRequestJson extends HttpRequestTaintSource {
|
||||
FlaskRequestJson() { flask_request_attr(this, "json") }
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalJsonKind }
|
||||
@@ -57,7 +57,7 @@ class FlaskRequestJson extends HttpRequestTaintSource {
|
||||
* def hello(name):
|
||||
* ```
|
||||
*/
|
||||
class FlaskRoutedParameter extends HttpRequestTaintSource {
|
||||
deprecated class FlaskRoutedParameter extends HttpRequestTaintSource {
|
||||
FlaskRoutedParameter() {
|
||||
exists(string name, Function func, StrConst url_pattern |
|
||||
this.(ControlFlowNode).getNode() = func.getArgByName(name) and
|
||||
@@ -72,7 +72,7 @@ class FlaskRoutedParameter extends HttpRequestTaintSource {
|
||||
override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
|
||||
private string werkzeug_rule_re() {
|
||||
deprecated private string werkzeug_rule_re() {
|
||||
// since flask uses werkzeug internally, we are using its routing rules from
|
||||
// https://github.com/pallets/werkzeug/blob/4dc8d6ab840d4b78cbd5789cef91b01e3bde01d5/src/werkzeug/routing.py#L138-L151
|
||||
result =
|
||||
|
||||
@@ -7,7 +7,7 @@ import semmle.python.web.flask.General
|
||||
* A flask response, which is vulnerable to any sort of
|
||||
* http response malice.
|
||||
*/
|
||||
class FlaskRoutedResponse extends HttpResponseTaintSink {
|
||||
deprecated class FlaskRoutedResponse extends HttpResponseTaintSink {
|
||||
FlaskRoutedResponse() {
|
||||
exists(PythonFunctionValue response |
|
||||
flask_routing(_, response.getScope()) and
|
||||
@@ -20,7 +20,7 @@ class FlaskRoutedResponse extends HttpResponseTaintSink {
|
||||
override string toString() { result = "flask.routed.response" }
|
||||
}
|
||||
|
||||
class FlaskResponseArgument extends HttpResponseTaintSink {
|
||||
deprecated class FlaskResponseArgument extends HttpResponseTaintSink {
|
||||
FlaskResponseArgument() {
|
||||
exists(CallNode call |
|
||||
(
|
||||
@@ -37,11 +37,11 @@ class FlaskResponseArgument extends HttpResponseTaintSink {
|
||||
override string toString() { result = "flask.response.argument" }
|
||||
}
|
||||
|
||||
class FlaskResponseTaintKind extends TaintKind {
|
||||
deprecated class FlaskResponseTaintKind extends TaintKind {
|
||||
FlaskResponseTaintKind() { this = "flask.Response" }
|
||||
}
|
||||
|
||||
class FlaskResponseConfiguration extends TaintTracking::Configuration {
|
||||
deprecated class FlaskResponseConfiguration extends TaintTracking::Configuration {
|
||||
FlaskResponseConfiguration() { this = "Flask response configuration" }
|
||||
|
||||
override predicate isSource(DataFlow::Node node, TaintKind kind) {
|
||||
|
||||
@@ -9,7 +9,7 @@ import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.security.strings.Basic
|
||||
import semmle.python.web.Http
|
||||
|
||||
private ClassValue redirectClass() {
|
||||
deprecated private ClassValue redirectClass() {
|
||||
exists(ModuleValue ex | ex.getName() = "pyramid.httpexceptions" |
|
||||
ex.attr("HTTPFound") = result
|
||||
or
|
||||
@@ -20,7 +20,7 @@ private ClassValue redirectClass() {
|
||||
/**
|
||||
* Represents an argument to the `tornado.redirect` function.
|
||||
*/
|
||||
class PyramidRedirect extends HttpRedirectTaintSink {
|
||||
deprecated class PyramidRedirect extends HttpRedirectTaintSink {
|
||||
override string toString() { result = "pyramid.redirect" }
|
||||
|
||||
PyramidRedirect() {
|
||||
|
||||
@@ -4,14 +4,14 @@ import semmle.python.web.Http
|
||||
private import semmle.python.web.webob.Request
|
||||
private import semmle.python.web.pyramid.View
|
||||
|
||||
class PyramidRequest extends BaseWebobRequest {
|
||||
deprecated class PyramidRequest extends BaseWebobRequest {
|
||||
PyramidRequest() { this = "pyramid.request" }
|
||||
|
||||
override ClassValue getType() { result = Value::named("pyramid.request.Request") }
|
||||
}
|
||||
|
||||
/** Source of pyramid request objects */
|
||||
class PyramidViewArgument extends HttpRequestTaintSource {
|
||||
deprecated class PyramidViewArgument extends HttpRequestTaintSource {
|
||||
PyramidViewArgument() {
|
||||
exists(Function view_func |
|
||||
is_pyramid_view_function(view_func) and
|
||||
|
||||
@@ -9,7 +9,7 @@ private import semmle.python.web.Http
|
||||
* A pyramid response, which is vulnerable to any sort of
|
||||
* http response malice.
|
||||
*/
|
||||
class PyramidRoutedResponse extends HttpResponseTaintSink {
|
||||
deprecated class PyramidRoutedResponse extends HttpResponseTaintSink {
|
||||
PyramidRoutedResponse() {
|
||||
exists(PythonFunctionValue view |
|
||||
is_pyramid_view_function(view.getScope()) and
|
||||
@@ -22,7 +22,7 @@ class PyramidRoutedResponse extends HttpResponseTaintSink {
|
||||
override string toString() { result = "pyramid.routed.response" }
|
||||
}
|
||||
|
||||
class PyramidCookieSet extends CookieSet, CallNode {
|
||||
deprecated class PyramidCookieSet extends CookieSet, CallNode {
|
||||
PyramidCookieSet() {
|
||||
exists(ControlFlowNode f |
|
||||
f = this.getFunction().(AttrNode).getObject("set_cookie") and
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
import python
|
||||
|
||||
ModuleValue thePyramidViewModule() { result.getName() = "pyramid.view" }
|
||||
deprecated ModuleValue thePyramidViewModule() { result.getName() = "pyramid.view" }
|
||||
|
||||
Value thePyramidViewConfig() { result = thePyramidViewModule().attr("view_config") }
|
||||
deprecated Value thePyramidViewConfig() { result = thePyramidViewModule().attr("view_config") }
|
||||
|
||||
predicate is_pyramid_view_function(Function func) {
|
||||
deprecated predicate is_pyramid_view_function(Function func) {
|
||||
func.getADecorator().pointsTo().getClass() = thePyramidViewConfig()
|
||||
}
|
||||
|
||||
@@ -9,7 +9,7 @@ import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.web.Http
|
||||
|
||||
/** Source of BaseHTTPRequestHandler instances. */
|
||||
class StdLibRequestSource extends HttpRequestTaintSource {
|
||||
deprecated class StdLibRequestSource extends HttpRequestTaintSource {
|
||||
StdLibRequestSource() {
|
||||
exists(ClassValue cls |
|
||||
cls.getABaseType+() = Value::named("BaseHTTPServer.BaseHTTPRequestHandler")
|
||||
@@ -24,7 +24,7 @@ class StdLibRequestSource extends HttpRequestTaintSource {
|
||||
}
|
||||
|
||||
/** TaintKind for an instance of BaseHTTPRequestHandler. */
|
||||
class BaseHTTPRequestHandlerKind extends TaintKind {
|
||||
deprecated class BaseHTTPRequestHandlerKind extends TaintKind {
|
||||
BaseHTTPRequestHandlerKind() { this = "BaseHTTPRequestHandlerKind" }
|
||||
|
||||
override TaintKind getTaintOfAttribute(string name) {
|
||||
@@ -40,7 +40,7 @@ class BaseHTTPRequestHandlerKind extends TaintKind {
|
||||
}
|
||||
|
||||
/** TaintKind for headers (instance of HTTPMessage). */
|
||||
class HTTPMessageKind extends ExternalStringDictKind {
|
||||
deprecated class HTTPMessageKind extends ExternalStringDictKind {
|
||||
override TaintKind getTaintOfMethodResult(string name) {
|
||||
result = super.getTaintOfMethodResult(name)
|
||||
or
|
||||
@@ -63,14 +63,14 @@ class HTTPMessageKind extends ExternalStringDictKind {
|
||||
}
|
||||
|
||||
/** Source of parsed HTTP forms (by using the `cgi` module). */
|
||||
class CgiFieldStorageSource extends HttpRequestTaintSource {
|
||||
deprecated class CgiFieldStorageSource extends HttpRequestTaintSource {
|
||||
CgiFieldStorageSource() { this = Value::named("cgi.FieldStorage").getACall() }
|
||||
|
||||
override predicate isSourceOf(TaintKind kind) { kind instanceof CgiFieldStorageFormKind }
|
||||
}
|
||||
|
||||
/** TaintKind for a parsed HTTP form. */
|
||||
class CgiFieldStorageFormKind extends TaintKind {
|
||||
deprecated class CgiFieldStorageFormKind extends TaintKind {
|
||||
/*
|
||||
* There is a slight difference between how we model form/fields and how it is handled by the code.
|
||||
* In the code
|
||||
@@ -115,7 +115,7 @@ class CgiFieldStorageFormKind extends TaintKind {
|
||||
}
|
||||
|
||||
/** TaintKind for the field of a parsed HTTP form. */
|
||||
class CgiFieldStorageFieldKind extends TaintKind {
|
||||
deprecated class CgiFieldStorageFieldKind extends TaintKind {
|
||||
CgiFieldStorageFieldKind() { this = "CgiFieldStorageFieldKind" }
|
||||
|
||||
override TaintKind getTaintOfAttribute(string name) {
|
||||
|
||||
@@ -6,7 +6,7 @@ import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.web.Http
|
||||
|
||||
private predicate is_wfile(AttrNode wfile) {
|
||||
deprecated private predicate is_wfile(AttrNode wfile) {
|
||||
exists(ClassValue cls |
|
||||
// Python 2
|
||||
cls.getABaseType+() = Value::named("BaseHTTPServer.BaseHTTPRequestHandler")
|
||||
@@ -19,7 +19,7 @@ private predicate is_wfile(AttrNode wfile) {
|
||||
}
|
||||
|
||||
/** Sink for `h.wfile.write` where `h` is an instance of BaseHTTPRequestHandler. */
|
||||
class StdLibWFileWriteSink extends HttpResponseTaintSink {
|
||||
deprecated class StdLibWFileWriteSink extends HttpResponseTaintSink {
|
||||
StdLibWFileWriteSink() {
|
||||
exists(CallNode call |
|
||||
is_wfile(call.getFunction().(AttrNode).getObject("write")) and
|
||||
@@ -31,7 +31,7 @@ class StdLibWFileWriteSink extends HttpResponseTaintSink {
|
||||
}
|
||||
|
||||
/** Sink for `h.wfile.writelines` where `h` is an instance of BaseHTTPRequestHandler. */
|
||||
class StdLibWFileWritelinesSink extends HttpResponseTaintSink {
|
||||
deprecated class StdLibWFileWritelinesSink extends HttpResponseTaintSink {
|
||||
StdLibWFileWritelinesSink() {
|
||||
exists(CallNode call |
|
||||
is_wfile(call.getFunction().(AttrNode).getObject("writelines")) and
|
||||
|
||||
@@ -13,7 +13,7 @@ import Tornado
|
||||
/**
|
||||
* Represents an argument to the `tornado.redirect` function.
|
||||
*/
|
||||
class TornadoHttpRequestHandlerRedirect extends HttpRedirectTaintSink {
|
||||
deprecated class TornadoHttpRequestHandlerRedirect extends HttpRedirectTaintSink {
|
||||
override string toString() { result = "tornado.HttpRequestHandler.redirect" }
|
||||
|
||||
TornadoHttpRequestHandlerRedirect() {
|
||||
|
||||
@@ -4,7 +4,7 @@ import semmle.python.web.Http
|
||||
import Tornado
|
||||
|
||||
/** A tornado.request.HttpRequest object */
|
||||
class TornadoRequest extends TaintKind {
|
||||
deprecated class TornadoRequest extends TaintKind {
|
||||
TornadoRequest() { this = "tornado.request.HttpRequest" }
|
||||
|
||||
override TaintKind getTaintOfAttribute(string name) {
|
||||
@@ -30,7 +30,7 @@ class TornadoRequest extends TaintKind {
|
||||
}
|
||||
}
|
||||
|
||||
class TornadoRequestSource extends HttpRequestTaintSource {
|
||||
deprecated class TornadoRequestSource extends HttpRequestTaintSource {
|
||||
TornadoRequestSource() { isTornadoRequestHandlerInstance(this.(AttrNode).getObject("request")) }
|
||||
|
||||
override string toString() { result = "Tornado request source" }
|
||||
@@ -38,7 +38,7 @@ class TornadoRequestSource extends HttpRequestTaintSource {
|
||||
override predicate isSourceOf(TaintKind kind) { kind instanceof TornadoRequest }
|
||||
}
|
||||
|
||||
class TornadoExternalInputSource extends HttpRequestTaintSource {
|
||||
deprecated class TornadoExternalInputSource extends HttpRequestTaintSource {
|
||||
TornadoExternalInputSource() {
|
||||
exists(string name |
|
||||
name in ["get_argument", "get_query_argument", "get_body_argument", "decode_argument"]
|
||||
@@ -52,7 +52,7 @@ class TornadoExternalInputSource extends HttpRequestTaintSource {
|
||||
override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
|
||||
class TornadoExternalInputListSource extends HttpRequestTaintSource {
|
||||
deprecated class TornadoExternalInputListSource extends HttpRequestTaintSource {
|
||||
TornadoExternalInputListSource() {
|
||||
exists(string name |
|
||||
name = "get_arguments" or
|
||||
|
||||
@@ -4,11 +4,11 @@ import semmle.python.security.strings.Basic
|
||||
private import semmle.python.web.Http
|
||||
import Tornado
|
||||
|
||||
class TornadoConnection extends TaintKind {
|
||||
deprecated class TornadoConnection extends TaintKind {
|
||||
TornadoConnection() { this = "tornado.http.connection" }
|
||||
}
|
||||
|
||||
class TornadoConnectionSource extends TaintSource {
|
||||
deprecated class TornadoConnectionSource extends TaintSource {
|
||||
TornadoConnectionSource() {
|
||||
isTornadoRequestHandlerInstance(this.(AttrNode).getObject("connection"))
|
||||
}
|
||||
@@ -18,7 +18,7 @@ class TornadoConnectionSource extends TaintSource {
|
||||
override predicate isSourceOf(TaintKind kind) { kind instanceof TornadoConnection }
|
||||
}
|
||||
|
||||
class TornadoConnectionWrite extends HttpResponseTaintSink {
|
||||
deprecated class TornadoConnectionWrite extends HttpResponseTaintSink {
|
||||
override string toString() { result = "tornado.connection.write" }
|
||||
|
||||
TornadoConnectionWrite() {
|
||||
@@ -32,7 +32,7 @@ class TornadoConnectionWrite extends HttpResponseTaintSink {
|
||||
override predicate sinks(TaintKind kind) { kind instanceof StringKind }
|
||||
}
|
||||
|
||||
class TornadoHttpRequestHandlerWrite extends HttpResponseTaintSink {
|
||||
deprecated class TornadoHttpRequestHandlerWrite extends HttpResponseTaintSink {
|
||||
override string toString() { result = "tornado.HttpRequestHandler.write" }
|
||||
|
||||
TornadoHttpRequestHandlerWrite() {
|
||||
|
||||
@@ -2,11 +2,11 @@ import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.web.Http
|
||||
|
||||
private ClassValue theTornadoRequestHandlerClass() {
|
||||
deprecated private ClassValue theTornadoRequestHandlerClass() {
|
||||
result = Value::named("tornado.web.RequestHandler")
|
||||
}
|
||||
|
||||
ClassValue aTornadoRequestHandlerClass() {
|
||||
deprecated ClassValue aTornadoRequestHandlerClass() {
|
||||
result.getABaseType+() = theTornadoRequestHandlerClass()
|
||||
}
|
||||
|
||||
@@ -14,7 +14,7 @@ ClassValue aTornadoRequestHandlerClass() {
|
||||
* Holds if `node` is likely to refer to an instance of a tornado
|
||||
* `RequestHandler` class.
|
||||
*/
|
||||
predicate isTornadoRequestHandlerInstance(ControlFlowNode node) {
|
||||
deprecated predicate isTornadoRequestHandlerInstance(ControlFlowNode node) {
|
||||
node.pointsTo().getClass() = aTornadoRequestHandlerClass()
|
||||
or
|
||||
/*
|
||||
@@ -30,11 +30,11 @@ predicate isTornadoRequestHandlerInstance(ControlFlowNode node) {
|
||||
node.(NameNode).isSelf()
|
||||
}
|
||||
|
||||
CallNode callToNamedTornadoRequestHandlerMethod(string name) {
|
||||
deprecated CallNode callToNamedTornadoRequestHandlerMethod(string name) {
|
||||
isTornadoRequestHandlerInstance(result.getFunction().(AttrNode).getObject(name))
|
||||
}
|
||||
|
||||
class TornadoCookieSet extends CookieSet, CallNode {
|
||||
deprecated class TornadoCookieSet extends CookieSet, CallNode {
|
||||
TornadoCookieSet() {
|
||||
exists(ControlFlowNode f |
|
||||
f = this.getFunction().(AttrNode).getObject("set_cookie") and
|
||||
|
||||
@@ -3,7 +3,7 @@ import semmle.python.security.strings.External
|
||||
import semmle.python.web.Http
|
||||
import TurboGears
|
||||
|
||||
private class ValidatedMethodParameter extends Parameter {
|
||||
deprecated private class ValidatedMethodParameter extends Parameter {
|
||||
ValidatedMethodParameter() {
|
||||
exists(string name, TurboGearsControllerMethod method |
|
||||
method.getArgByName(name) = this and
|
||||
@@ -12,7 +12,7 @@ private class ValidatedMethodParameter extends Parameter {
|
||||
}
|
||||
}
|
||||
|
||||
class UnvalidatedControllerMethodParameter extends HttpRequestTaintSource {
|
||||
deprecated class UnvalidatedControllerMethodParameter extends HttpRequestTaintSource {
|
||||
UnvalidatedControllerMethodParameter() {
|
||||
exists(Parameter p |
|
||||
any(TurboGearsControllerMethod m | not m.getName() = "onerror").getAnArg() = p and
|
||||
|
||||
@@ -4,7 +4,7 @@ import semmle.python.security.strings.Basic
|
||||
import semmle.python.web.Http
|
||||
import TurboGears
|
||||
|
||||
class ControllerMethodReturnValue extends HttpResponseTaintSink {
|
||||
deprecated class ControllerMethodReturnValue extends HttpResponseTaintSink {
|
||||
override string toString() { result = "TurboGears ControllerMethodReturnValue" }
|
||||
|
||||
ControllerMethodReturnValue() {
|
||||
@@ -17,7 +17,7 @@ class ControllerMethodReturnValue extends HttpResponseTaintSink {
|
||||
override predicate sinks(TaintKind kind) { kind instanceof StringKind }
|
||||
}
|
||||
|
||||
class ControllerMethodTemplatedReturnValue extends HttpResponseTaintSink {
|
||||
deprecated class ControllerMethodTemplatedReturnValue extends HttpResponseTaintSink {
|
||||
override string toString() { result = "TurboGears ControllerMethodTemplatedReturnValue" }
|
||||
|
||||
ControllerMethodTemplatedReturnValue() {
|
||||
|
||||
@@ -1,11 +1,15 @@
|
||||
import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
|
||||
private ClassValue theTurboGearsControllerClass() { result = Value::named("tg.TGController") }
|
||||
deprecated private ClassValue theTurboGearsControllerClass() {
|
||||
result = Value::named("tg.TGController")
|
||||
}
|
||||
|
||||
ClassValue aTurboGearsControllerClass() { result.getABaseType+() = theTurboGearsControllerClass() }
|
||||
deprecated ClassValue aTurboGearsControllerClass() {
|
||||
result.getABaseType+() = theTurboGearsControllerClass()
|
||||
}
|
||||
|
||||
class TurboGearsControllerMethod extends Function {
|
||||
deprecated class TurboGearsControllerMethod extends Function {
|
||||
ControlFlowNode decorator;
|
||||
|
||||
TurboGearsControllerMethod() {
|
||||
|
||||
@@ -4,7 +4,7 @@ import semmle.python.web.Http
|
||||
import Twisted
|
||||
|
||||
/** A twisted.web.http.Request object */
|
||||
class TwistedRequest extends TaintKind {
|
||||
deprecated class TwistedRequest extends TaintKind {
|
||||
TwistedRequest() { this = "twisted.request.http.Request" }
|
||||
|
||||
override TaintKind getTaintOfAttribute(string name) {
|
||||
@@ -21,7 +21,7 @@ class TwistedRequest extends TaintKind {
|
||||
}
|
||||
}
|
||||
|
||||
class TwistedRequestSource extends HttpRequestTaintSource {
|
||||
deprecated class TwistedRequestSource extends HttpRequestTaintSource {
|
||||
TwistedRequestSource() { isTwistedRequestInstance(this) }
|
||||
|
||||
override string toString() { result = "Twisted request source" }
|
||||
|
||||
@@ -5,7 +5,7 @@ import semmle.python.security.strings.Basic
|
||||
import Twisted
|
||||
import Request
|
||||
|
||||
class TwistedResponse extends HttpResponseTaintSink {
|
||||
deprecated class TwistedResponse extends HttpResponseTaintSink {
|
||||
TwistedResponse() {
|
||||
exists(PythonFunctionValue func, string name |
|
||||
isKnownRequestHandlerMethodName(name) and
|
||||
@@ -25,7 +25,7 @@ class TwistedResponse extends HttpResponseTaintSink {
|
||||
* object, which affects the properties of the subsequent response sent to this
|
||||
* request.
|
||||
*/
|
||||
class TwistedRequestSetter extends HttpResponseTaintSink {
|
||||
deprecated class TwistedRequestSetter extends HttpResponseTaintSink {
|
||||
TwistedRequestSetter() {
|
||||
exists(CallNode call, ControlFlowNode node, string name |
|
||||
(
|
||||
|
||||
@@ -1,22 +1,24 @@
|
||||
import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
|
||||
private ClassValue theTwistedHttpRequestClass() {
|
||||
deprecated private ClassValue theTwistedHttpRequestClass() {
|
||||
result = Value::named("twisted.web.http.Request")
|
||||
}
|
||||
|
||||
private ClassValue theTwistedHttpResourceClass() {
|
||||
deprecated private ClassValue theTwistedHttpResourceClass() {
|
||||
result = Value::named("twisted.web.resource.Resource")
|
||||
}
|
||||
|
||||
ClassValue aTwistedRequestHandlerClass() { result.getABaseType+() = theTwistedHttpResourceClass() }
|
||||
deprecated ClassValue aTwistedRequestHandlerClass() {
|
||||
result.getABaseType+() = theTwistedHttpResourceClass()
|
||||
}
|
||||
|
||||
FunctionValue getTwistedRequestHandlerMethod(string name) {
|
||||
deprecated FunctionValue getTwistedRequestHandlerMethod(string name) {
|
||||
result = aTwistedRequestHandlerClass().declaredAttribute(name)
|
||||
}
|
||||
|
||||
bindingset[name]
|
||||
predicate isKnownRequestHandlerMethodName(string name) {
|
||||
deprecated predicate isKnownRequestHandlerMethodName(string name) {
|
||||
name = "render" or
|
||||
name.matches("render_%")
|
||||
}
|
||||
@@ -25,7 +27,7 @@ predicate isKnownRequestHandlerMethodName(string name) {
|
||||
* Holds if `node` is likely to refer to an instance of the twisted
|
||||
* `Request` class.
|
||||
*/
|
||||
predicate isTwistedRequestInstance(NameNode node) {
|
||||
deprecated predicate isTwistedRequestInstance(NameNode node) {
|
||||
node.pointsTo().getClass() = theTwistedHttpRequestClass()
|
||||
or
|
||||
/*
|
||||
|
||||
@@ -2,7 +2,7 @@ import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.web.Http
|
||||
|
||||
abstract class BaseWebobRequest extends TaintKind {
|
||||
abstract deprecated class BaseWebobRequest extends TaintKind {
|
||||
bindingset[this]
|
||||
BaseWebobRequest() { any() }
|
||||
|
||||
@@ -31,7 +31,7 @@ abstract class BaseWebobRequest extends TaintKind {
|
||||
}
|
||||
}
|
||||
|
||||
class WebobRequest extends BaseWebobRequest {
|
||||
deprecated class WebobRequest extends BaseWebobRequest {
|
||||
WebobRequest() { this = "webob.Request" }
|
||||
|
||||
override ClassValue getType() { result = Value::named("webob.request.Request") }
|
||||
|
||||
@@ -21,11 +21,11 @@ import semmle.python.security.strings.Untrusted
|
||||
class TemplateInjectionConfiguration extends TaintTracking::Configuration {
|
||||
TemplateInjectionConfiguration() { this = "Template injection configuration" }
|
||||
|
||||
override predicate isSource(TaintTracking::Source source) {
|
||||
deprecated override predicate isSource(TaintTracking::Source source) {
|
||||
source instanceof HttpRequestTaintSource
|
||||
}
|
||||
|
||||
override predicate isSink(TaintTracking::Sink sink) { sink instanceof SSTISink }
|
||||
deprecated override predicate isSink(TaintTracking::Sink sink) { sink instanceof SSTISink }
|
||||
}
|
||||
|
||||
from TemplateInjectionConfiguration config, TaintedPathSource src, TaintedPathSink sink
|
||||
|
||||
@@ -20,11 +20,11 @@ import experimental.semmle.python.security.injection.XSLT
|
||||
class XSLTInjectionConfiguration extends TaintTracking::Configuration {
|
||||
XSLTInjectionConfiguration() { this = "XSLT injection configuration" }
|
||||
|
||||
override predicate isSource(TaintTracking::Source source) {
|
||||
deprecated override predicate isSource(TaintTracking::Source source) {
|
||||
source instanceof HttpRequestTaintSource
|
||||
}
|
||||
|
||||
override predicate isSink(TaintTracking::Sink sink) {
|
||||
deprecated override predicate isSink(TaintTracking::Sink sink) {
|
||||
sink instanceof XSLTInjection::XSLTInjectionSink
|
||||
}
|
||||
}
|
||||
|
||||
@@ -21,7 +21,7 @@ module XSLTInjection {
|
||||
/**
|
||||
* A kind of "taint", representing an untrusted XML string
|
||||
*/
|
||||
private class ExternalXmlStringKind extends ExternalStringKind {
|
||||
deprecated private class ExternalXmlStringKind extends ExternalStringKind {
|
||||
ExternalXmlStringKind() { this = "etree.XML string" }
|
||||
|
||||
override TaintKind getTaintForFlowStep(ControlFlowNode fromnode, ControlFlowNode tonode) {
|
||||
|
||||
@@ -5,7 +5,7 @@ import semmle.python.web.HttpRequest
|
||||
import experimental.semmle.python.templates.SSTISink
|
||||
|
||||
/** returns the ClassValue representing `airspeed.Template` */
|
||||
ClassValue theAirspeedTemplateClass() { result = Value::named("airspeed.Template") }
|
||||
deprecated ClassValue theAirspeedTemplateClass() { result = Value::named("airspeed.Template") }
|
||||
|
||||
/**
|
||||
* Sink representing the `airspeed.Template` class instantiation argument.
|
||||
@@ -13,7 +13,7 @@ ClassValue theAirspeedTemplateClass() { result = Value::named("airspeed.Template
|
||||
* import airspeed
|
||||
* temp = airspeed.Template(`"sink"`)
|
||||
*/
|
||||
class AirspeedTemplateSink extends SSTISink {
|
||||
deprecated class AirspeedTemplateSink extends SSTISink {
|
||||
override string toString() { result = "argument to airspeed.Template()" }
|
||||
|
||||
AirspeedTemplateSink() {
|
||||
|
||||
@@ -5,7 +5,9 @@ import semmle.python.web.HttpRequest
|
||||
import experimental.semmle.python.templates.SSTISink
|
||||
|
||||
/** returns the ClassValue representing `bottle.SimpleTemplate` */
|
||||
ClassValue theBottleSimpleTemplateClass() { result = Value::named("bottle.SimpleTemplate") }
|
||||
deprecated ClassValue theBottleSimpleTemplateClass() {
|
||||
result = Value::named("bottle.SimpleTemplate")
|
||||
}
|
||||
|
||||
/**
|
||||
* Sink representing the `bottle.SimpleTemplate` class instantiation argument.
|
||||
@@ -13,7 +15,7 @@ ClassValue theBottleSimpleTemplateClass() { result = Value::named("bottle.Simple
|
||||
* from bottle import SimpleTemplate
|
||||
* template = SimpleTemplate(`sink`)
|
||||
*/
|
||||
class BottleSimpleTemplateSink extends SSTISink {
|
||||
deprecated class BottleSimpleTemplateSink extends SSTISink {
|
||||
override string toString() { result = "argument to bottle.SimpleTemplate()" }
|
||||
|
||||
BottleSimpleTemplateSink() {
|
||||
@@ -32,7 +34,7 @@ class BottleSimpleTemplateSink extends SSTISink {
|
||||
* from bottle import template
|
||||
* tmp = template(`sink`)
|
||||
*/
|
||||
class BottleTemplateSink extends SSTISink {
|
||||
deprecated class BottleTemplateSink extends SSTISink {
|
||||
override string toString() { result = "argument to bottle.template()" }
|
||||
|
||||
BottleTemplateSink() {
|
||||
|
||||
@@ -5,7 +5,9 @@ import semmle.python.web.HttpRequest
|
||||
import experimental.semmle.python.templates.SSTISink
|
||||
|
||||
/** returns the ClassValue representing `chameleon.PageTemplate` */
|
||||
ClassValue theChameleonPageTemplateClass() { result = Value::named("chameleon.PageTemplate") }
|
||||
deprecated ClassValue theChameleonPageTemplateClass() {
|
||||
result = Value::named("chameleon.PageTemplate")
|
||||
}
|
||||
|
||||
/**
|
||||
* Sink representing the `chameleon.PageTemplate` class instantiation argument.
|
||||
@@ -13,7 +15,7 @@ ClassValue theChameleonPageTemplateClass() { result = Value::named("chameleon.Pa
|
||||
* from chameleon import PageTemplate
|
||||
* template = PageTemplate(`sink`)
|
||||
*/
|
||||
class ChameleonTemplateSink extends SSTISink {
|
||||
deprecated class ChameleonTemplateSink extends SSTISink {
|
||||
override string toString() { result = "argument to Chameleon.PageTemplate()" }
|
||||
|
||||
ChameleonTemplateSink() {
|
||||
|
||||
@@ -5,7 +5,9 @@ import semmle.python.web.HttpRequest
|
||||
import experimental.semmle.python.templates.SSTISink
|
||||
|
||||
/** returns the ClassValue representing `Cheetah.Template.Template` */
|
||||
ClassValue theCheetahTemplateClass() { result = Value::named("Cheetah.Template.Template") }
|
||||
deprecated ClassValue theCheetahTemplateClass() {
|
||||
result = Value::named("Cheetah.Template.Template")
|
||||
}
|
||||
|
||||
/**
|
||||
* Sink representing the instantiation argument of any class which derives from
|
||||
@@ -22,7 +24,7 @@ ClassValue theCheetahTemplateClass() { result = Value::named("Cheetah.Template.T
|
||||
* from Cheetah.Template import Template
|
||||
* t3 = Template("sink")
|
||||
*/
|
||||
class CheetahTemplateInstantiationSink extends SSTISink {
|
||||
deprecated class CheetahTemplateInstantiationSink extends SSTISink {
|
||||
override string toString() { result = "argument to Cheetah.Template.Template()" }
|
||||
|
||||
CheetahTemplateInstantiationSink() {
|
||||
|
||||
@@ -5,7 +5,7 @@ import semmle.python.web.HttpRequest
|
||||
import experimental.semmle.python.templates.SSTISink
|
||||
|
||||
/** returns the Value representing `chevron.render` function */
|
||||
Value theChevronRenderFunc() { result = Value::named("chevron.render") }
|
||||
deprecated Value theChevronRenderFunc() { result = Value::named("chevron.render") }
|
||||
|
||||
/**
|
||||
* Sink representing the `chevron.render` function call argument.
|
||||
@@ -13,7 +13,7 @@ Value theChevronRenderFunc() { result = Value::named("chevron.render") }
|
||||
* import chevron
|
||||
* tmp = chevron.render(`sink`,{ 'key' : 'value' })
|
||||
*/
|
||||
class ChevronRenderSink extends SSTISink {
|
||||
deprecated class ChevronRenderSink extends SSTISink {
|
||||
override string toString() { result = "argument to chevron.render()" }
|
||||
|
||||
ChevronRenderSink() {
|
||||
|
||||
@@ -4,7 +4,7 @@ import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import experimental.semmle.python.templates.SSTISink
|
||||
|
||||
ClassValue theDjangoTemplateClass() { result = Value::named("django.template.Template") }
|
||||
deprecated ClassValue theDjangoTemplateClass() { result = Value::named("django.template.Template") }
|
||||
|
||||
/**
|
||||
* Sink representng `django.template.Template` class instantiation argument.
|
||||
@@ -12,7 +12,7 @@ ClassValue theDjangoTemplateClass() { result = Value::named("django.template.Tem
|
||||
* from django.template import Template
|
||||
* template = Template(`sink`)
|
||||
*/
|
||||
class DjangoTemplateTemplateSink extends SSTISink {
|
||||
deprecated class DjangoTemplateTemplateSink extends SSTISink {
|
||||
override string toString() { result = "argument to Django.template()" }
|
||||
|
||||
DjangoTemplateTemplateSink() {
|
||||
|
||||
@@ -4,7 +4,9 @@ import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import experimental.semmle.python.templates.SSTISink
|
||||
|
||||
Value theFlaskRenderTemplateClass() { result = Value::named("flask.render_template_string") }
|
||||
deprecated Value theFlaskRenderTemplateClass() {
|
||||
result = Value::named("flask.render_template_string")
|
||||
}
|
||||
|
||||
/**
|
||||
* Sink representng `flask.render_template_string` function call argument.
|
||||
@@ -12,7 +14,7 @@ Value theFlaskRenderTemplateClass() { result = Value::named("flask.render_templa
|
||||
* from flask import render_template_string
|
||||
* render_template_string(`sink`)
|
||||
*/
|
||||
class FlaskTemplateSink extends SSTISink {
|
||||
deprecated class FlaskTemplateSink extends SSTISink {
|
||||
override string toString() { result = "argument to flask.render_template_string()" }
|
||||
|
||||
FlaskTemplateSink() {
|
||||
|
||||
@@ -5,10 +5,12 @@ import semmle.python.web.HttpRequest
|
||||
import experimental.semmle.python.templates.SSTISink
|
||||
|
||||
/** returns the ClassValue representing `Genshi.template.TextTemplate` */
|
||||
ClassValue theGenshiTextTemplateClass() { result = Value::named("genshi.template.TextTemplate") }
|
||||
deprecated ClassValue theGenshiTextTemplateClass() {
|
||||
result = Value::named("genshi.template.TextTemplate")
|
||||
}
|
||||
|
||||
/** returns the ClassValue representing `Genshi.template.MarkupTemplate` */
|
||||
ClassValue theGenshiMarkupTemplateClass() {
|
||||
deprecated ClassValue theGenshiMarkupTemplateClass() {
|
||||
result = Value::named("genshi.template.MarkupTemplate")
|
||||
}
|
||||
|
||||
@@ -18,7 +20,7 @@ ClassValue theGenshiMarkupTemplateClass() {
|
||||
* from genshi.template import TextTemplate
|
||||
* tmpl = TextTemplate('sink')
|
||||
*/
|
||||
class GenshiTextTemplateSink extends SSTISink {
|
||||
deprecated class GenshiTextTemplateSink extends SSTISink {
|
||||
override string toString() { result = "argument to genshi.template.TextTemplate()" }
|
||||
|
||||
GenshiTextTemplateSink() {
|
||||
@@ -37,7 +39,7 @@ class GenshiTextTemplateSink extends SSTISink {
|
||||
* from genshi.template import MarkupTemplate
|
||||
* tmpl = MarkupTemplate('sink')
|
||||
*/
|
||||
class GenshiMarkupTemplateSink extends SSTISink {
|
||||
deprecated class GenshiMarkupTemplateSink extends SSTISink {
|
||||
override string toString() { result = "argument to genshi.template.MarkupTemplate()" }
|
||||
|
||||
GenshiMarkupTemplateSink() {
|
||||
|
||||
@@ -5,10 +5,10 @@ import semmle.python.web.HttpRequest
|
||||
import experimental.semmle.python.templates.SSTISink
|
||||
|
||||
/** returns the ClassValue representing `jinja2.Template` */
|
||||
ClassValue theJinja2TemplateClass() { result = Value::named("jinja2.Template") }
|
||||
deprecated ClassValue theJinja2TemplateClass() { result = Value::named("jinja2.Template") }
|
||||
|
||||
/** returns the ClassValue representing `jinja2.Template` */
|
||||
Value theJinja2FromStringValue() { result = Value::named("jinja2.from_string") }
|
||||
deprecated Value theJinja2FromStringValue() { result = Value::named("jinja2.from_string") }
|
||||
|
||||
/**
|
||||
* Sink representing the `jinja2.Template` class instantiation argument.
|
||||
@@ -16,7 +16,7 @@ Value theJinja2FromStringValue() { result = Value::named("jinja2.from_string") }
|
||||
* from jinja2 import Template
|
||||
* template = Template(`sink`)
|
||||
*/
|
||||
class Jinja2TemplateSink extends SSTISink {
|
||||
deprecated class Jinja2TemplateSink extends SSTISink {
|
||||
override string toString() { result = "argument to jinja2.Template()" }
|
||||
|
||||
Jinja2TemplateSink() {
|
||||
@@ -35,7 +35,7 @@ class Jinja2TemplateSink extends SSTISink {
|
||||
* from jinja2 import from_string
|
||||
* template = from_string(`sink`)
|
||||
*/
|
||||
class Jinja2FromStringSink extends SSTISink {
|
||||
deprecated class Jinja2FromStringSink extends SSTISink {
|
||||
override string toString() { result = "argument to jinja2.from_string()" }
|
||||
|
||||
Jinja2FromStringSink() {
|
||||
|
||||
@@ -5,7 +5,7 @@ import semmle.python.web.HttpRequest
|
||||
import experimental.semmle.python.templates.SSTISink
|
||||
|
||||
/** returns the ClassValue representing `mako.template.Template` */
|
||||
ClassValue theMakoTemplateClass() { result = Value::named("mako.template.Template") }
|
||||
deprecated ClassValue theMakoTemplateClass() { result = Value::named("mako.template.Template") }
|
||||
|
||||
/**
|
||||
* Sink representing the `mako.template.Template` class instantiation argument.
|
||||
@@ -13,7 +13,7 @@ ClassValue theMakoTemplateClass() { result = Value::named("mako.template.Templat
|
||||
* from mako.template import Template
|
||||
* mytemplate = Template("hello world!")
|
||||
*/
|
||||
class MakoTemplateSink extends SSTISink {
|
||||
deprecated class MakoTemplateSink extends SSTISink {
|
||||
override string toString() { result = "argument to mako.template.Template()" }
|
||||
|
||||
MakoTemplateSink() {
|
||||
|
||||
@@ -4,4 +4,4 @@ import semmle.python.dataflow.TaintTracking
|
||||
* A generic taint sink that is vulnerable to template inclusions.
|
||||
* The `temp` in `jinja2.Template(temp)` and similar.
|
||||
*/
|
||||
abstract class SSTISink extends TaintSink { }
|
||||
abstract deprecated class SSTISink extends TaintSink { }
|
||||
|
||||
@@ -5,7 +5,7 @@ import semmle.python.web.HttpRequest
|
||||
import experimental.semmle.python.templates.SSTISink
|
||||
|
||||
/** returns the ClassValue representing `trender.TRender` */
|
||||
ClassValue theTRenderTemplateClass() { result = Value::named("trender.TRender") }
|
||||
deprecated ClassValue theTRenderTemplateClass() { result = Value::named("trender.TRender") }
|
||||
|
||||
/**
|
||||
* Sink representing the `trender.TRender` class instantiation argument.
|
||||
@@ -13,7 +13,7 @@ ClassValue theTRenderTemplateClass() { result = Value::named("trender.TRender")
|
||||
* from trender import TRender
|
||||
* template = TRender(`sink`)
|
||||
*/
|
||||
class TRenderTemplateSink extends SSTISink {
|
||||
deprecated class TRenderTemplateSink extends SSTISink {
|
||||
override string toString() { result = "argument to trender.TRender()" }
|
||||
|
||||
TRenderTemplateSink() {
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
WARNING: Type SSTISink has been deprecated and may be removed in future (AirspeedSSTISinks.ql:4,6-14)
|
||||
| Airspeed.py:10:30:10:35 | argument to airspeed.Template() |
|
||||
|
||||
@@ -1,2 +1,3 @@
|
||||
WARNING: Type SSTISink has been deprecated and may be removed in future (BottleSSTISinks.ql:4,6-14)
|
||||
| Bottle.py:11:26:11:33 | argument to bottle.SimpleTemplate() |
|
||||
| Bottle.py:17:17:17:24 | argument to bottle.template() |
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
WARNING: Type SSTISink has been deprecated and may be removed in future (ChameleonSSTISinks.ql:4,6-14)
|
||||
| Chameleon.py:5:29:5:34 | argument to Chameleon.PageTemplate() |
|
||||
|
||||
@@ -1,2 +1,3 @@
|
||||
WARNING: Type SSTISink has been deprecated and may be removed in future (CheetahSSTISinks.ql:4,6-14)
|
||||
| CheetahSinks.py:10:21:10:26 | argument to Cheetah.Template.Template() |
|
||||
| CheetahSinks.py:20:20:20:25 | argument to Cheetah.Template.Template() |
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
WARNING: Type SSTISink has been deprecated and may be removed in future (ChevronSSTISinks.ql:4,6-14)
|
||||
| ChevronSinks.py:10:27:10:32 | argument to chevron.render() |
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
WARNING: Type SSTISink has been deprecated and may be removed in future (DjangoSSTISinks.ql:4,6-14)
|
||||
| DjangoTemplates.py:9:18:9:25 | argument to Django.template() |
|
||||
|
||||
@@ -1,2 +1,3 @@
|
||||
WARNING: Type SSTISink has been deprecated and may be removed in future (GenshiSSTISinks.ql:4,6-14)
|
||||
| Genshi.py:5:27:5:32 | argument to genshi.template.MarkupTemplate() |
|
||||
| Genshi.py:10:25:10:30 | argument to genshi.template.TextTemplate() |
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
WARNING: Type SSTISink has been deprecated and may be removed in future (JinjaSSTISinks.ql:4,6-14)
|
||||
| Jinja2Templates.py:6:25:6:30 | argument to jinja2.Template() |
|
||||
| Jinja2Templates.py:11:25:11:30 | argument to jinja2.Template() |
|
||||
| Jinja2Templates.py:16:25:16:37 | argument to jinja2.Template() |
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
WARNING: Type SSTISink has been deprecated and may be removed in future (MakoSSTISinks.ql:4,6-14)
|
||||
| Mako.py:5:27:5:32 | argument to mako.template.Template() |
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
WARNING: Type SSTISink has been deprecated and may be removed in future (TRenderSSTISinks.ql:4,6-14)
|
||||
| TRender.py:6:24:6:31 | argument to trender.TRender() |
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
WARNING: Type CommandSink has been deprecated and may be removed in future (CommandSinks.ql:5,6-17)
|
||||
| fabric_v1_test.py:8:7:8:28 | FabricV1Commands | externally controlled string |
|
||||
| fabric_v1_test.py:9:5:9:27 | FabricV1Commands | externally controlled string |
|
||||
| fabric_v1_test.py:10:6:10:38 | FabricV1Commands | externally controlled string |
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
WARNING: Module SensitiveData has been deprecated and may be removed in future (Sources.ql:4,6-19)
|
||||
| test.py:16:1:16:14 | test.py:16 | a call returning a password |
|
||||
| test.py:17:1:17:12 | test.py:17 | a call returning a password |
|
||||
| test.py:18:1:18:12 | test.py:18 | a call returning a secret |
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
WARNING: Type HttpResponseTaintSink has been deprecated and may be removed in future (HttpResponseSinks.ql:5,6-27)
|
||||
| test.py:9:12:9:26 | bottle handler function result | externally controlled string |
|
||||
| test.py:13:12:13:24 | bottle handler function result | externally controlled string |
|
||||
| test.py:19:12:19:33 | bottle handler function result | externally controlled string |
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
WARNING: Type HttpRequestTaintSource has been deprecated and may be removed in future (HttpSources.ql:5,6-28)
|
||||
| ../../../query-tests/Security/lib/bottle.py:64:11:64:24 | LocalRequest() | bottle.request |
|
||||
| test.py:3:35:3:41 | ImportMember | bottle.request |
|
||||
| test.py:8:11:8:14 | name | externally controlled string |
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
WARNING: Type BottleRoute has been deprecated and may be removed in future (Routing.ql:4,6-17)
|
||||
| /args | test.py:31:1:31:14 | Function unsafe2 |
|
||||
| /bye/<name> | test.py:12:1:12:25 | Function bye |
|
||||
| /hello/<name> | test.py:8:1:8:27 | Function hello |
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
WARNING: Type HttpResponseTaintSink has been deprecated and may be removed in future (HttpResponseSinks.ql:5,6-27)
|
||||
| red.py:8:16:8:20 | cherrypy handler function result | externally controlled string |
|
||||
| test.py:11:16:11:29 | cherrypy handler function result | externally controlled string |
|
||||
| test.py:17:16:17:27 | cherrypy handler function result | externally controlled string |
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
WARNING: Type HttpRequestTaintSource has been deprecated and may be removed in future (HttpSources.ql:5,6-28)
|
||||
| ../../../query-tests/Security/lib/cherrypy/__init__.py:10:11:10:38 | _ThreadLocalProxy() | cherrypy.request |
|
||||
| test.py:10:17:10:19 | arg | externally controlled string |
|
||||
| test.py:16:17:16:19 | arg | externally controlled string |
|
||||
|
||||
@@ -1,2 +1,3 @@
|
||||
WARNING: Module Client has been deprecated and may be removed in future (ClientHttpRequests.ql:5,6-12)
|
||||
| test.py:3:1:3:27 | ControlFlowNode for Attribute() | test.py:3:14:3:26 | ControlFlowNode for Str | GET |
|
||||
| test.py:4:1:4:28 | ControlFlowNode for Attribute() | test.py:4:15:4:27 | ControlFlowNode for Str | POST |
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
WARNING: Module Client has been deprecated and may be removed in future (ClientHttpRequests.ql:5,6-12)
|
||||
| test.py:6:5:6:32 | ControlFlowNode for Attribute() | test.py:5:27:5:39 | ControlFlowNode for Str | GET |
|
||||
| test.py:6:5:6:32 | ControlFlowNode for Attribute() | test.py:6:25:6:31 | ControlFlowNode for Str | GET |
|
||||
| test.py:15:5:15:33 | ControlFlowNode for Attribute() | test.py:10:28:10:40 | ControlFlowNode for Str | POST |
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
WARNING: Module Client has been deprecated and may be removed in future (ClientHttpRequests.ql:5,6-12)
|
||||
| test.py:13:5:13:32 | ControlFlowNode for Attribute() | test.py:12:27:12:39 | ControlFlowNode for Str | GET |
|
||||
| test.py:13:5:13:32 | ControlFlowNode for Attribute() | test.py:13:25:13:31 | ControlFlowNode for Str | GET |
|
||||
| test.py:22:5:22:33 | ControlFlowNode for Attribute() | test.py:17:28:17:40 | ControlFlowNode for Str | POST |
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
WARNING: Type HttpRedirectTaintSink has been deprecated and may be removed in future (HttpRedirectSinks.ql:5,6-27)
|
||||
| test_1x.py:13:21:13:24 | DjangoShortcutsRedirectSink | externally controlled string |
|
||||
| test_2x_3x.py:13:21:13:24 | DjangoShortcutsRedirectSink | externally controlled string |
|
||||
| views_1x.py:99:33:99:55 | DjangoRedirectResponseSink | externally controlled string |
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user