Merge branch 'main' into python-remove-spurious-global-flow

2026-04-30 11:15:13 +02:00 · 2020-09-04 16:28:03 +02:00
parent 98266ad5da 5ffc959e32
commit df1448cfb2
9 changed files with 270 additions and 24 deletions
--- a/python/ql/test/experimental/dataflow/strange-essaflow/test.py
+++ b/python/ql/test/experimental/dataflow/strange-essaflow/test.py
@@ -0,0 +1,11 @@
+
+import os
+
+from flask import Flask, request
+app = Flask(__name__)
+
+@app.route("/command1")
+def command_injection1():
+    files = request.args.get('files', '')
+    # Don't let files be `; rm -rf /`
+    os.system("ls " + files)
--- a/python/ql/test/experimental/dataflow/strange-essaflow/testFlow.expected
+++ b/python/ql/test/experimental/dataflow/strange-essaflow/testFlow.expected
@@ -0,0 +1,11 @@
+os_import
+| test.py:2:8:2:9 | GSSA Variable os |
+flowstep
+jumpStep
+| test.py:2:8:2:9 | GSSA Variable os | test.py:5:7:5:21 | ControlFlowNode for Flask() |
+| test.py:2:8:2:9 | GSSA Variable os | test.py:7:2:7:23 | ControlFlowNode for Attribute() |
+| test.py:2:8:2:9 | GSSA Variable os | test.py:7:2:7:23 | ControlFlowNode for Attribute()() |
+essaFlowStep
+| test.py:2:8:2:9 | GSSA Variable os | test.py:5:7:5:21 | ControlFlowNode for Flask() |
+| test.py:2:8:2:9 | GSSA Variable os | test.py:7:2:7:23 | ControlFlowNode for Attribute() |
+| test.py:2:8:2:9 | GSSA Variable os | test.py:7:2:7:23 | ControlFlowNode for Attribute()() |
--- a/python/ql/test/experimental/dataflow/strange-essaflow/testFlow.ql
+++ b/python/ql/test/experimental/dataflow/strange-essaflow/testFlow.ql
@@ -0,0 +1,36 @@
+import python
+import experimental.dataflow.DataFlow
+
+/** Gets the EssaNode that holds the module imported by the fully qualified module name `name` */
+DataFlow::EssaNode module_import(string name) {
+  exists(Variable var, Import imp, Alias alias |
+    alias = imp.getAName() and
+    alias.getAsname() = var.getAStore() and
+    (
+      name = alias.getValue().(ImportMember).getImportedModuleName()
+      or
+      name = alias.getValue().(ImportExpr).getImportedModuleName()
+    ) and
+    result.getVar().(AssignmentDefinition).getSourceVariable() = var
+  )
+}
+
+query predicate os_import(DataFlow::Node node) {
+  node = module_import("os") and
+  exists(node.getLocation().getFile().getRelativePath())
+}
+
+query predicate flowstep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+  os_import(nodeFrom) and
+  DataFlow::localFlowStep(nodeFrom, nodeTo)
+}
+
+query predicate jumpStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+  os_import(nodeFrom) and
+  DataFlow::jumpStep(nodeFrom, nodeTo)
+}
+
+query predicate essaFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+  os_import(nodeFrom) and
+  DataFlow::EssaFlow::essaFlowStep(nodeFrom, nodeTo)
+}
--- a/python/ql/test/experimental/dataflow/typetracking/tracked.ql
+++ b/python/ql/test/experimental/dataflow/typetracking/tracked.ql
@@ -1,8 +1,9 @@
 import python
+import experimental.dataflow.DataFlow
 import experimental.dataflow.TypeTracker
 import TestUtilities.InlineExpectationsTest

-Node tracked(TypeTracker t) {
+DataFlow::Node tracked(TypeTracker t) {
  t.start() and
  result.asCfgNode() = any(NameNode n | n.getId() = "tracked")
  or
@@ -15,7 +16,7 @@ class TrackedTest extends InlineExpectationsTest {
  override string getARelevantTag() { result = "tracked" }

  override predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(Node e, TypeTracker t |
+    exists(DataFlow::Node e, TypeTracker t |
      e = tracked(t) and
      tag = "tracked" and
      location = e.getLocation() and
@@ -25,14 +26,14 @@ class TrackedTest extends InlineExpectationsTest {
  }
 }

-Node int_type(TypeTracker t) {
+DataFlow::Node int_type(TypeTracker t) {
  t.start() and
  result.asCfgNode() = any(CallNode c | c.getFunction().(NameNode).getId() = "int")
  or
  exists(TypeTracker t2 | result = int_type(t2).track(t2, t))
 }

-Node string_type(TypeTracker t) {
+DataFlow::Node string_type(TypeTracker t) {
  t.start() and
  result.asCfgNode() = any(CallNode c | c.getFunction().(NameNode).getId() = "str")
  or
@@ -45,7 +46,7 @@ class TrackedIntTest extends InlineExpectationsTest {
  override string getARelevantTag() { result = "int" }

  override predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(Node e, TypeTracker t |
+    exists(DataFlow::Node e, TypeTracker t |
      e = int_type(t) and
      tag = "int" and
      location = e.getLocation() and
@@ -61,7 +62,7 @@ class TrackedStringTest extends InlineExpectationsTest {
  override string getARelevantTag() { result = "str" }

  override predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(Node e, TypeTracker t |
+    exists(DataFlow::Node e, TypeTracker t |
      e = string_type(t) and
      tag = "str" and
      location = e.getLocation() and