Merge pull request #16771 from porcupineyhairs/js2py

Python : Arbitrary code execution due to Js2Py
2026-04-25 16:55:19 +02:00 · 2024-07-11 15:31:57 +02:00
parent 8152ec7472 5ecde387af
commit f41d2a896c
7 changed files with 93 additions and 0 deletions
--- a/python/ql/test/experimental/query-tests/Security/CWE-094/Js2Py.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-094/Js2Py.expected
@@ -0,0 +1,10 @@
+edges
+| Js2PyTest.py:9:5:9:6 | ControlFlowNode for jk | Js2PyTest.py:10:18:10:28 | ControlFlowNode for Fstring | provenance |  |
+| Js2PyTest.py:9:10:9:22 | ControlFlowNode for Attribute | Js2PyTest.py:9:5:9:6 | ControlFlowNode for jk | provenance | AdditionalTaintStep |
+nodes
+| Js2PyTest.py:9:5:9:6 | ControlFlowNode for jk | semmle.label | ControlFlowNode for jk |
+| Js2PyTest.py:9:10:9:22 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| Js2PyTest.py:10:18:10:28 | ControlFlowNode for Fstring | semmle.label | ControlFlowNode for Fstring |
+subpaths
+#select
+| Js2PyTest.py:10:18:10:28 | ControlFlowNode for Fstring | Js2PyTest.py:9:10:9:22 | ControlFlowNode for Attribute | Js2PyTest.py:10:18:10:28 | ControlFlowNode for Fstring | This input to Js2Py depends on a $@. | Js2PyTest.py:9:10:9:22 | ControlFlowNode for Attribute | user-provided value |
--- a/python/ql/test/experimental/query-tests/Security/CWE-094/Js2Py.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-094/Js2Py.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-094/Js2Py.ql
--- a/python/ql/test/experimental/query-tests/Security/CWE-094/Js2PyTest.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-094/Js2PyTest.py
@@ -0,0 +1,10 @@
+
+import flask
+from js2py import eval_js, disable_pyimport
+
+bp = flask.Blueprint("app", __name__, url_prefix="/")
+
+@bp.route("/bad")
+def bad():
+    jk = flask.request.form["jk"]
+    jk = eval_js(f"{jk} f()")