Python: Make exception info concept local

2026-04-30 11:15:13 +02:00 · 2021-03-03 16:47:31 +01:00
parent 4196dc2291
commit f02a19669f
12 changed files with 88 additions and 140 deletions
--- a/python/ql/src/semmle/python/Concepts.qll
+++ b/python/ql/src/semmle/python/Concepts.qll
@@ -293,54 +293,6 @@ module SqlExecution {
  }
 }

-/**
- * A data-flow node that carries information about an error. Such information should
- * rarely be exposed directly to the user.
- *
- * Extend this class to refine existing API models. If you want to model new APIs,
- * extend `ErrorInfoSource::Range` instead.
- */
-class ErrorInfoSource extends DataFlow::Node {
-  ErrorInfoSource::Range range;
-
-  ErrorInfoSource() { this = range }
-}
-
-/** Provides a class for modeling new sources of error information, say via APIs. */
-module ErrorInfoSource {
-  /**
-   * A data-flow node that carries information about an error. Such information should
-   * rarely be exposed directly to the user.
-   *
-   * Extend this class to model new APIs. If you want to refine existing API models,
-   * extend `ErrorInfoSource` instead.
-   */
-  abstract class Range extends DataFlow::Node { }
-}
-
-/**
- * A data-flow node that represents the creation or introduction of an exception.
- *
- * Extend this class to refine existing API models. If you want to model new APIs,
- * extend `ExceptionSource::Range` instead.
- */
-class ExceptionSource extends ErrorInfoSource::Range {
-  ExceptionSource::Range range;
-
-  ExceptionSource() { this = range }
-}
-
-/** Provides a class for modeling new sources of exceptions, say via APIs. */
-module ExceptionSource {
-  /**
-   * A data-flow node that represents the creation or introduction of an exception.
-   *
-   * Extend this class to model new APIs. If you want to refine existing API models,
-   * extend `ExceptionSource` instead.
-   */
-  abstract class Range extends DataFlow::Node { }
-}
-
 /** Provides classes for modeling HTTP-related APIs. */
 module HTTP {
  import semmle.python.web.HttpConstants
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -1657,33 +1657,6 @@ private module Stdlib {
  class Sqlite3 extends PEP249Module {
    Sqlite3() { this = sqlite3() }
  }
-
-  // ---------------------------------------------------------------------------
-  // traceback
-  // ---------------------------------------------------------------------------
-  /** Provides models for the `traceback` module. */
-  module traceback {
-    private class TracebackFunctionCall extends ErrorInfoSource::Range, DataFlow::CallCfgNode {
-      TracebackFunctionCall() {
-        this =
-          API::moduleImport("traceback")
-              .getMember([
-                  "extract_tb", "extract_stack", "format_list", "format_exception_only",
-                  "format_exception", "format_exc", "format_tb", "format_stack"
-                ])
-              .getACall()
-      }
-    }
-  }
-}
-
-private class CaughtException extends ExceptionSource::Range {
-  CaughtException() { this.asExpr() = any(ExceptStmt s).getName() }
-}
-
-/** A call to `sys.exc_info` */
-private class SysExcInfoCall extends ErrorInfoSource::Range, DataFlow::CallCfgNode {
-  SysExcInfoCall() { this = API::moduleImport("sys").getMember("exc_info").getACall() }
 }

 // ---------------------------------------------------------------------------
--- a/python/ql/src/semmle/python/security/dataflow/ExceptionInfo.qll
+++ b/python/ql/src/semmle/python/security/dataflow/ExceptionInfo.qll
@@ -0,0 +1,34 @@
+/** Provides classes representing various sources of information about raised exceptions. */
+
+import python
+import semmle.python.dataflow.new.DataFlow
+private import semmle.python.ApiGraphs
+
+/**
+ * A data-flow node that carries information about a raised exception.
+ * Such information should rarely be exposed directly to the user.
+ */
+abstract class ExceptionInfo extends DataFlow::Node { }
+
+/** A call to a function from the `traceback` module revealing information about a raised exception. */
+private class TracebackFunctionCall extends ExceptionInfo, DataFlow::CallCfgNode {
+  TracebackFunctionCall() {
+    this =
+      API::moduleImport("traceback")
+          .getMember([
+              "extract_tb", "extract_stack", "format_list", "format_exception_only",
+              "format_exception", "format_exc", "format_tb", "format_stack"
+            ])
+          .getACall()
+  }
+}
+
+/** A caught exception. */
+private class CaughtException extends ExceptionInfo {
+  CaughtException() { this.asExpr() = any(ExceptStmt s).getName() }
+}
+
+/** A call to `sys.exc_info`. */
+private class SysExcInfoCall extends ExceptionInfo, DataFlow::CallCfgNode {
+  SysExcInfoCall() { this = API::moduleImport("sys").getMember("exc_info").getACall() }
+}
--- a/python/ql/src/semmle/python/security/dataflow/StackTraceExposure.qll
+++ b/python/ql/src/semmle/python/security/dataflow/StackTraceExposure.qll
@@ -7,6 +7,7 @@ import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.Concepts
+private import ExceptionInfo

 /**
 * A taint-tracking configuration for detecting stack trace exposure.
@@ -14,7 +15,7 @@ import semmle.python.Concepts
 class StackTraceExposureConfiguration extends TaintTracking::Configuration {
  StackTraceExposureConfiguration() { this = "StackTraceExposureConfiguration" }

-  override predicate isSource(DataFlow::Node source) { source instanceof ErrorInfoSource }
+  override predicate isSource(DataFlow::Node source) { source instanceof ExceptionInfo }

  override predicate isSink(DataFlow::Node sink) {
    sink = any(HTTP::Server::HttpResponse response).getBody()
--- a/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/manage.py
+++ b/python/ql/test/experimental/library-tests/frameworks/django-v2-v3/manage.py
@@ -9,7 +9,7 @@ def main():
    os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'testproj.settings')
    try:
        from django.core.management import execute_from_command_line
-    except ImportError as exc:  #$ errorInfoSource exceptionSource
+    except ImportError as exc:
        raise ImportError(
            "Couldn't import Django. Are you sure it's installed and "
            "available on your PYTHONPATH environment variable? Did you "
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/Exceptions.py
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/Exceptions.py
@@ -1,10 +0,0 @@
-try:
-    1+2
-except Exception as e:  #$ exceptionSource errorInfoSource
-    e
-
-def test_exception():
-    try:
-        1+2
-    except Exception as e:  #$ exceptionSource errorInfoSource
-        e
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/Stacktrace.py
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/Stacktrace.py
@@ -1,15 +0,0 @@
-import sys, traceback
-
-try:
-    1/0
-except:
-    exc_type, exc_value, exc_traceback = sys.exc_info() #$ errorInfoSource
-
-    tb = traceback.extract_tb(exc_traceback) #$ errorInfoSource
-    stack = traceback.extract_stack() #$ errorInfoSource
-    print(traceback.format_exc(1, tb)) #$ errorInfoSource
-    print(traceback.format_exception(exc_type, exc_value, exc_traceback)) #$ errorInfoSource
-    print(traceback.format_exception_only(None, exc_value)) #$ errorInfoSource
-    print(traceback.format_list(stack)) #$ errorInfoSource
-    print(traceback.format_stack()) #$ errorInfoSource
-    print(traceback.format_tb(exc_traceback)) #$ errorInfoSource
--- a/python/ql/test/experimental/meta/ConceptsTest.qll
+++ b/python/ql/test/experimental/meta/ConceptsTest.qll
@@ -319,35 +319,3 @@ class SafeAccessCheckTest extends InlineExpectationsTest {
    )
  }
 }
-
-class ErrorInfoSourceTest extends InlineExpectationsTest {
-  ErrorInfoSourceTest() { this = "ErrorInfoSourceTest" }
-
-  override string getARelevantTag() { result = "errorInfoSource" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(location.getFile().getRelativePath()) and
-    exists(ErrorInfoSource e |
-      location = e.getLocation() and
-      element = e.toString() and
-      value = "" and
-      tag = "errorInfoSource"
-    )
-  }
-}
-
-class ExceptionSourceTest extends InlineExpectationsTest {
-  ExceptionSourceTest() { this = "ExceptionSourceTest" }
-
-  override string getARelevantTag() { result = "exceptionSource" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(location.getFile().getRelativePath()) and
-    exists(ExceptionSource e |
-      location = e.getLocation() and
-      element = e.toString() and
-      value = "" and
-      tag = "exceptionSource"
-    )
-  }
-}
--- a/python/ql/test/query-tests/Security/CWE-209/ExceptionInfo.ql
+++ b/python/ql/test/query-tests/Security/CWE-209/ExceptionInfo.ql
@@ -0,0 +1,20 @@
+import python
+import semmle.python.dataflow.new.DataFlow
+import TestUtilities.InlineExpectationsTest
+import semmle.python.security.dataflow.ExceptionInfo
+
+class ExceptionInfoTest extends InlineExpectationsTest {
+  ExceptionInfoTest() { this = "ExceptionInfoTest" }
+
+  override string getARelevantTag() { result = "exceptionInfo" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(location.getFile().getRelativePath()) and
+    exists(ExceptionInfo e |
+      location = e.getLocation() and
+      element = e.toString() and
+      value = "" and
+      tag = "exceptionInfo"
+    )
+  }
+}
--- a/python/ql/test/query-tests/Security/CWE-209/Exceptions.py
+++ b/python/ql/test/query-tests/Security/CWE-209/Exceptions.py
@@ -0,0 +1,10 @@
+try:
+    1+2
+except Exception as e:  #$ exceptionInfo
+    e
+
+def test_exception():
+    try:
+        1+2
+    except Exception as e:  #$ exceptionInfo
+        e
--- a/python/ql/test/query-tests/Security/CWE-209/Stacktrace.py
+++ b/python/ql/test/query-tests/Security/CWE-209/Stacktrace.py
@@ -0,0 +1,15 @@
+import sys, traceback
+
+try:
+    1/0
+except:
+    exc_type, exc_value, exc_traceback = sys.exc_info() #$ exceptionInfo
+
+    tb = traceback.extract_tb(exc_traceback) #$ exceptionInfo
+    stack = traceback.extract_stack() #$ exceptionInfo
+    print(traceback.format_exc(1, tb)) #$ exceptionInfo
+    print(traceback.format_exception(exc_type, exc_value, exc_traceback)) #$ exceptionInfo
+    print(traceback.format_exception_only(None, exc_value)) #$ exceptionInfo
+    print(traceback.format_list(stack)) #$ exceptionInfo
+    print(traceback.format_stack()) #$ exceptionInfo
+    print(traceback.format_tb(exc_traceback)) #$ exceptionInfo
--- a/python/ql/test/query-tests/Security/CWE-209/test.py
+++ b/python/ql/test/query-tests/Security/CWE-209/test.py
@@ -12,16 +12,16 @@ def do_computation():
 def server_bad():
    try:
        do_computation()
-    except Exception as e:
-        return traceback.format_exc()
+    except Exception as e:  #$ exceptionInfo
+        return traceback.format_exc()  #$ exceptionInfo

 # GOOD
@app.route('/good')
 def server_good():
    try:
        do_computation()
-    except Exception as e:
-        log(traceback.format_exc())
+    except Exception as e:  #$ exceptionInfo
+        log(traceback.format_exc())  #$ exceptionInfo
        return "An internal error has occurred!"

 #BAD
@@ -29,8 +29,8 @@ def server_good():
 def server_bad_flow():
    try:
        do_computation()
-    except Exception as e:
-        err = traceback.format_exc()
+    except Exception as e:  #$ exceptionInfo
+        err = traceback.format_exc()  #$ exceptionInfo
        return format_error(err)

 def format_error(msg):