Python: Support the dill pickling library.

This commit is contained in:
Taus Brock-Nannestad
2019-01-14 14:55:04 +01:00
parent 65337ef835
commit e8c092ad72
4 changed files with 8 additions and 0 deletions


@@ -3,6 +3,7 @@ edges
| test.py:11:15:11:41 | externally controlled string | test.py:12:18:12:24 | externally controlled string |
| test.py:11:15:11:41 | externally controlled string | test.py:13:15:13:21 | externally controlled string |
| test.py:11:15:11:41 | externally controlled string | test.py:14:19:14:25 | externally controlled string |
| test.py:11:15:11:41 | externally controlled string | test.py:16:16:16:22 | externally controlled string |
| test.py:13:15:13:21 | externally controlled string | ../lib/yaml.py:1:10:1:10 | externally controlled string |
parents
| ../lib/yaml.py:1:10:1:10 | externally controlled string | test.py:13:15:13:21 | externally controlled string |
@@ -10,3 +11,4 @@ parents
| test.py:12:18:12:24 | unpickling untrusted data | test.py:11:15:11:26 | dict of externally controlled string | test.py:12:18:12:24 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input |
| test.py:13:15:13:21 | yaml.load vulnerability | test.py:11:15:11:26 | dict of externally controlled string | test.py:13:15:13:21 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input |
| test.py:14:19:14:25 | unmarshaling vulnerability | test.py:11:15:11:26 | dict of externally controlled string | test.py:14:19:14:25 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input |
| test.py:16:16:16:22 | unpickling untrusted data | test.py:11:15:11:26 | dict of externally controlled string | test.py:16:16:16:22 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input |


@@ -12,5 +12,7 @@ def hello():
pickle.loads(payload)
yaml.load(payload)
marshal.loads(payload)
import dill
dill.loads(payload)
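Review bot: The `import dill` sits inside `hello()` (the function header is outside the hunk, visible only in the `@@` context), whereas the sibling sinks `pickle.loads`, `yaml.load` and `marshal.loads` on the preceding lines use names that are presumably imported at module level above this hunk. If the function-scope import is not deliberately checking that the query resolves a locally imported module, moving it to the top of the file keeps the test consistent; if it is deliberate, a one-line comment such as `# imported inside the function on purpose: checks sink resolution for local imports` would stop the next reader from "fixing" it. Only `dill.loads` is exercised here; if the query change (not visible in this view) also treats `dill.load` or `dill.Unpickler().load()` as deserialization sinks, they have no test coverage, and a `dill.load(payload)` line with a matching expected entry would close that gap.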


@@ -0,0 +1,2 @@
def loads(*args, **kwargs):
return None
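Review bot: The shim defines only `loads`, so any test that calls `dill.load` (the file-object variant) would not resolve against it and the corresponding sink, if the query marks one, would go untested; adding `def load(*args, **kwargs): return None` alongside costs one line. Nothing in the file says what it is for, and a reader may mistake it for a real implementation: a module docstring along the lines of `"""Stub standing in for the third-party dill package so the extractor can resolve dill.loads in the tests without installing it; returns nothing."""` would make the intent explicit. The `*args, **kwargs` signature is fine for a stub, though it hides that real `dill.loads` takes a bytes payload as its first positional argument, which matters if a later test relies on parameter flow as the `../lib/yaml.py` stub referenced in the expected output appears to.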