Merge branch 'main' of github.com:github/codeql into python-port-unsafe-deserialization

2025-12-21 03:06:31 +01:00 · 2020-10-15 15:45:35 +02:00
parent cc7d32c27c b05cc2eafd
commit ef32488596
127 changed files with 1873 additions and 1316 deletions
--- a/python/ql/src/experimental/Security-new-dataflow/CWE-078/CommandInjection.ql
+++ b/python/ql/src/experimental/Security-new-dataflow/CWE-078/CommandInjection.ql
@@ -46,15 +46,16 @@ class CommandInjectionConfiguration extends TaintTracking::Configuration {
    // os.system(cmd)
    // ```
    //
-    // Best solution I could come up with is to exclude all sinks inside the `os` and
-    // `subprocess` modules. This does have a downside: If we have overlooked a function
-    // in any of these, that internally runs a command, we no longer give an alert :|
+    // Best solution I could come up with is to exclude all sinks inside the modules of
+    // known sinks. This does have a downside: If we have overlooked a function in any
+    // of these, that internally runs a command, we no longer give an alert :| -- and we
+    // need to keep them updated (which is hard to remember)
    //
    // This does not only affect `os.popen`, but also the helper functions in
    // `subprocess`. See:
    // https://github.com/python/cpython/blob/fa7ce080175f65d678a7d5756c94f82887fc9803/Lib/os.py#L974
    // https://github.com/python/cpython/blob/fa7ce080175f65d678a7d5756c94f82887fc9803/Lib/subprocess.py#L341
-    not sink.getScope().getEnclosingModule().getName() in ["os", "subprocess"]
+    not sink.getScope().getEnclosingModule().getName() in ["os", "subprocess", "platform", "popen2"]
  }
 }

--- a/python/ql/src/experimental/Security-new-dataflow/CWE-094/CodeInjection.ql
+++ b/python/ql/src/experimental/Security-new-dataflow/CWE-094/CodeInjection.ql
@@ -0,0 +1,35 @@
+/**
+ * @name Code injection
+ * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary
+ *              code execution.
+ * @kind path-problem
+ * @problem.severity error
+ * @sub-severity high
+ * @precision high
+ * @id py/code-injection
+ * @tags security
+ *       external/owasp/owasp-a1
+ *       external/cwe/cwe-094
+ *       external/cwe/cwe-095
+ *       external/cwe/cwe-116
+ */
+
+import python
+import experimental.dataflow.DataFlow
+import experimental.dataflow.TaintTracking
+import experimental.semmle.python.Concepts
+import experimental.dataflow.RemoteFlowSources
+import DataFlow::PathGraph
+
+class CodeInjectionConfiguration extends TaintTracking::Configuration {
+  CodeInjectionConfiguration() { this = "CodeInjectionConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink = any(CodeExecution e).getCode() }
+}
+
+from CodeInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "$@ flows to here and is interpreted as code.",
+  source.getNode(), "A user-provided value"
--- a/python/ql/src/experimental/Security-new-dataflow/promote.sh
+++ b/python/ql/src/experimental/Security-new-dataflow/promote.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+set -Eeuo pipefail # see https://vaneyckt.io/posts/safer_bash_scripts_with_set_euxo_pipefail/
+
+# Promotes new dataflow queries to be the real ones
+
+SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+cd $SCRIPTDIR
+for file in $(find . -mindepth 2); do
+    echo "Promoting $file"
+    mkdir -p "../../Security/$(dirname $file)"
+    mv "$file" "../../Security/${file}"
+done