mirror of
https://github.com/github/codeql.git
synced 2026-04-06 23:54:11 +02:00
Python: Proper threat-model handling for argparse
This commit is contained in:
Rasmus Wriedt Larsen
@@ -12,5 +12,13 @@ extensions:
|
||||
- ['sys', 'Member[argv]', 'commandargs']
|
||||
- ['sys', 'Member[orig_argv]', 'commandargs']
|
||||
|
||||
# TODO: argparse
|
||||
# if no argument is given, the default is to use sys.argv[1:]
|
||||
- ['argparse.ArgumentParser', 'Member[parse_args,parse_known_args].WithArity[0].ReturnValue', 'commandargs']
|
||||
- addsTo:
|
||||
pack: codeql/python-all
|
||||
extensible: summaryModel
|
||||
data:
|
||||
- ['argparse.ArgumentParser', 'Member[parse_args,parse_known_args]', 'Argument[0,args:]', 'ReturnValue', 'taint']
|
||||
# note: taint of attribute lookups is handled in QL
|
||||
|
||||
# TODO: input / read from stdin
|
||||
|
||||
@@ -4989,6 +4989,26 @@ module StdlibPrivate {
|
||||
|
||||
override string getKind() { result = Escaping::getHtmlKind() }
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// argparse
|
||||
// ---------------------------------------------------------------------------
|
||||
/**
|
||||
* if result of `parse_args` is tainted (because it uses command-line arguments),
|
||||
* then the parsed values accesssed on any attribute lookup is also tainted.
|
||||
*/
|
||||
private class ArgumentParserAnyAttributeStep extends TaintTracking::AdditionalTaintStep {
|
||||
override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
|
||||
nodeFrom =
|
||||
API::moduleImport("argparse")
|
||||
.getMember("ArgumentParser")
|
||||
.getReturn()
|
||||
.getMember("parse_args")
|
||||
.getReturn()
|
||||
.getAValueReachableFromSource() and
|
||||
nodeTo.(DataFlow::AttrRead).getObject() = nodeFrom
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
Reference in New Issue
Block a user