Merge branch 'main' into gradio-model

This commit is contained in:
Sylwia Budzynska
2024-05-14 12:41:00 +02:00
committed by GitHub
2997 changed files with 85462 additions and 295226 deletions


@@ -1,3 +1,11 @@
## 0.9.15
No user-facing changes.
## 0.9.14
No user-facing changes.
## 0.9.13
No user-facing changes.
@@ -273,7 +281,7 @@ No user-facing changes.
### Bug Fixes
* The [View AST functionality](https://codeql.github.com/docs/codeql-for-visual-studio-code/exploring-the-structure-of-your-source-code/) no longer prints detailed information about regular expressions, greatly improving performance.
* The [View AST functionality](https://docs.github.com/en/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/exploring-the-structure-of-your-source-code) no longer prints detailed information about regular expressions, greatly improving performance.
## 0.0.8


@@ -22,7 +22,7 @@ predicate dict_key(Dict d, Expr k, string s) {
// We use <20> to mark unrepresentable characters
// so two instances of <20> may represent different strings in the source code
not "<22>" = s.charAt(_) and
exists(StrConst c | c = k |
exists(StringLiteral c | c = k |
s = "u\"" + c.getText() + "\"" and c.isUnicode()
or
s = "b\"" + c.getText() + "\"" and not c.isUnicode()


@@ -1,7 +1,7 @@
import python
/** A string constant that looks like it may be used in string formatting operations. */
class PossibleAdvancedFormatString extends StrConst {
class PossibleAdvancedFormatString extends StringLiteral {
PossibleAdvancedFormatString() { this.getText().matches("%{%}%") }
private predicate field(int start, int end) {


@@ -21,7 +21,7 @@ predicate comparison_using_is(Compare comp, ControlFlowNode left, Cmpop op, Cont
}
private predicate cpython_interned_value(Expr e) {
exists(string text | text = e.(StrConst).getText() |
exists(string text | text = e.(StringLiteral).getText() |
text.length() = 0
or
text.length() = 1 and text.regexpMatch("[U+0000-U+00ff]")
@@ -34,7 +34,7 @@ private predicate cpython_interned_value(Expr e) {
predicate uninterned_literal(Expr e) {
(
e instanceof StrConst
e instanceof StringLiteral
or
e instanceof IntegerLiteral
or


@@ -49,7 +49,7 @@ predicate simple_constant(ControlFlowNode f) {
}
private predicate cpython_interned_value(Expr e) {
exists(string text | text = e.(StrConst).getText() |
exists(string text | text = e.(StringLiteral).getText() |
text.length() = 0
or
text.length() = 1 and text.regexpMatch("[U+0000-U+00ff]")
@@ -70,7 +70,7 @@ private predicate universally_interned_value(Expr e) {
or
exists(Tuple t | t = e and not exists(t.getAnElt()))
or
e.(StrConst).getText() = ""
e.(StringLiteral).getText() = ""
}
/** Holds if the expression `e` points to an interned constant in CPython. */


@@ -15,12 +15,12 @@
import python
predicate string_const(Expr s) {
s instanceof StrConst
s instanceof StringLiteral
or
string_const(s.(BinaryExpr).getLeft()) and string_const(s.(BinaryExpr).getRight())
}
from StrConst s
from StringLiteral s
where
// Implicitly concatenated string is in a list and that list contains at least one other string.
exists(List l, Expr other |


@@ -15,7 +15,7 @@
import python
import semmle.python.strings
predicate string_format(BinaryExpr operation, StrConst str, Value args, AstNode origin) {
predicate string_format(BinaryExpr operation, StringLiteral str, Value args, AstNode origin) {
operation.getOp() instanceof Mod and
exists(Context ctx |
operation.getLeft().pointsTo(ctx, _, str) and
@@ -34,7 +34,7 @@ int sequence_length(Value args) {
}
from
BinaryExpr operation, StrConst fmt, Value args, int slen, int alen, AstNode origin,
BinaryExpr operation, StringLiteral fmt, Value args, int slen, int alen, AstNode origin,
string provided
where
string_format(operation, fmt, args, origin) and


@@ -53,7 +53,7 @@ predicate imported_module_used_in_doctest(Import imp) {
pragma[noinline]
private string doctest_in_scope(Scope scope) {
exists(StrConst doc |
exists(StringLiteral doc |
doc.getEnclosingModule() = scope and
doc.isDocString() and
result = doc.getText() and
@@ -63,7 +63,7 @@ private string doctest_in_scope(Scope scope) {
pragma[noinline]
private string typehint_annotation_in_module(Module module_scope) {
exists(StrConst annotation |
exists(StringLiteral annotation |
annotation = any(Arguments a).getAnAnnotation().getASubExpression*()
or
annotation = any(AnnAssign a).getAnnotation().getASubExpression*()


@@ -29,9 +29,9 @@ private string vulnerableHostname() {
/** Gets a reference to a hostname that can be used to bind to all interfaces. */
private DataFlow::TypeTrackingNode vulnerableHostnameRef(DataFlow::TypeTracker t, string hostname) {
t.start() and
exists(StrConst allInterfacesStrConst | hostname = vulnerableHostname() |
allInterfacesStrConst.getText() = hostname and
result.asExpr() = allInterfacesStrConst
exists(StringLiteral allInterfacesStringLiteral | hostname = vulnerableHostname() |
allInterfacesStringLiteral.getText() = hostname and
result.asExpr() = allInterfacesStringLiteral
)
or
exists(DataFlow::TypeTracker t2 | result = vulnerableHostnameRef(t2, hostname).track(t2, t))


@@ -157,12 +157,12 @@ class ExternalApiDataNode extends DataFlow::Node {
ExternalApiDataNode() {
exists(InterestingExternalApiCall call | this = call.getArgument(_)) and
// Not already modeled as a taint step
not TaintTrackingPrivate::defaultAdditionalTaintStep(this, _) and
not TaintTrackingPrivate::defaultAdditionalTaintStep(this, _, _) and
// for `list.append(x)`, we have a additional taint step from x -> [post] list.
// Since we have modeled this explicitly, I don't see any cases where we would want to report this.
not exists(DataFlow::PostUpdateNode post |
post.getPreUpdateNode() = this and
TaintTrackingPrivate::defaultAdditionalTaintStep(_, post)
TaintTrackingPrivate::defaultAdditionalTaintStep(_, post, _)
)
}
}
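Review bot: The new third argument to `TaintTrackingPrivate::defaultAdditionalTaintStep` is passed as a bare `_` at both call sites (lines 161 and 167) with no comment saying what is being ignored, which makes the "not already modeled as a taint step" exclusion harder to audit than before. If that parameter is the step's model/provenance string (inferred from the arity change, not visible here), a short comment above the first call such as `// third argument is the step's model; any model counts as "already modeled"` would record why a wildcard is the right choice for this exclusion. The enclosing class `ExternalApiDataNode` continues outside the hunk.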


@@ -1,8 +0,0 @@
/**
* Provides predicates for reasoning about regular expressions
* that match URLs and hostname patterns.
*/
// HostnameRegexp should be used directly from the shared regex pack, and not from this file.
deprecated private import semmle.python.security.regexp.HostnameRegex as Dep
import Dep


@@ -16,7 +16,7 @@ import semmle.python.regex
private string commonTopLevelDomainRegex() { result = "com|org|edu|gov|uk|net|io" }
predicate looksLikeUrl(StrConst s) {
predicate looksLikeUrl(StringLiteral s) {
exists(string text | text = s.getText() |
text.regexpMatch("(?i)([a-z]*:?//)?\\.?([a-z0-9-]+\\.)+(" + commonTopLevelDomainRegex() +
")(:[0-9]+)?/?")
@@ -26,7 +26,7 @@ predicate looksLikeUrl(StrConst s) {
)
}
predicate incomplete_sanitization(Expr sanitizer, StrConst url) {
predicate incomplete_sanitization(Expr sanitizer, StringLiteral url) {
looksLikeUrl(url) and
(
sanitizer.(Compare).compares(url, any(In i), _)
@@ -37,19 +37,19 @@ predicate incomplete_sanitization(Expr sanitizer, StrConst url) {
)
}
predicate unsafe_call_to_startswith(Call sanitizer, StrConst url) {
predicate unsafe_call_to_startswith(Call sanitizer, StringLiteral url) {
sanitizer.getFunc().(Attribute).getName() = "startswith" and
sanitizer.getArg(0) = url and
not url.getText().regexpMatch("(?i)https?://[\\.a-z0-9-]+/.*")
}
predicate unsafe_call_to_endswith(Call sanitizer, StrConst url) {
predicate unsafe_call_to_endswith(Call sanitizer, StringLiteral url) {
sanitizer.getFunc().(Attribute).getName() = "endswith" and
sanitizer.getArg(0) = url and
not url.getText().regexpMatch("(?i)\\.([a-z0-9-]+)(\\.[a-z0-9-]+)+")
}
from Expr sanitizer, StrConst url
from Expr sanitizer, StringLiteral url
where incomplete_sanitization(sanitizer, url)
select sanitizer, "The string $@ may be at an arbitrary position in the sanitized URL.", url,
url.getText()


@@ -20,7 +20,7 @@ private import semmle.python.dataflow.new.internal.DataFlowDispatch as DataFlowD
private import semmle.python.dataflow.new.internal.Builtins::Builtins as Builtins
bindingset[char, fraction]
predicate fewer_characters_than(StrConst str, string char, float fraction) {
predicate fewer_characters_than(StringLiteral str, string char, float fraction) {
exists(string text, int chars |
text = str.getText() and
chars = count(int i | text.charAt(i) = char)
@@ -41,15 +41,15 @@ predicate possible_reflective_name(string name) {
exists(Builtins::likelyBuiltin(name))
}
int char_count(StrConst str) { result = count(string c | c = str.getText().charAt(_)) }
int char_count(StringLiteral str) { result = count(string c | c = str.getText().charAt(_)) }
predicate capitalized_word(StrConst str) { str.getText().regexpMatch("[A-Z][a-z]+") }
predicate capitalized_word(StringLiteral str) { str.getText().regexpMatch("[A-Z][a-z]+") }
predicate format_string(StrConst str) { str.getText().matches("%{%}%") }
predicate format_string(StringLiteral str) { str.getText().matches("%{%}%") }
predicate maybeCredential(ControlFlowNode f) {
/* A string that is not too short and unlikely to be text or an identifier. */
exists(StrConst str | str = f.getNode() |
exists(StringLiteral str | str = f.getNode() |
/* At least 10 characters */
str.getText().length() > 9 and
/* Not too much whitespace */


@@ -21,7 +21,7 @@ where
exists(Expr test | test = a.getTest() |
value = test.(IntegerLiteral).getN()
or
value = "\"" + test.(StrConst).getS() + "\""
value = "\"" + test.(StringLiteral).getS() + "\""
or
value = test.(NameConstant).toString()
) and


@@ -121,7 +121,7 @@ predicate python2_print(Expr e) {
predicate no_effect(Expr e) {
// strings can be used as comments
not e instanceof StrConst and
not e instanceof StringLiteral and
not e.hasSideEffects() and
forall(Expr sub | sub = e.getASubExpression*() |
not side_effecting_binary(sub) and


@@ -14,7 +14,7 @@
import python
predicate main_eq_name(If i) {
exists(Name n, StrConst m, Compare c |
exists(Name n, StringLiteral m, Compare c |
i.getTest() = c and
c.getLeft() = n and
c.getAComparator() = m and


@@ -9,7 +9,7 @@ private predicate empty_sequence(Expr e) {
or
e instanceof Tuple and not exists(e.(Tuple).getAnElt())
or
e.(StrConst).getText().length() = 0
e.(StringLiteral).getText().length() = 0
}
/* This has the potential for refinement, but we err on the side of fewer false positives for now. */


@@ -1,7 +1,7 @@
import python
predicate monkey_patched_builtin(string name) {
exists(AttrNode attr, SubscriptNode subscr, StrConst s |
exists(AttrNode attr, SubscriptNode subscr, StringLiteral s |
subscr.isStore() and
subscr.getIndex().getNode() = s and
s.getText() = name and
@@ -9,7 +9,7 @@ predicate monkey_patched_builtin(string name) {
attr.getObject("__dict__").pointsTo(Module::builtinModule())
)
or
exists(CallNode call, ControlFlowNode bltn, StrConst s |
exists(CallNode call, ControlFlowNode bltn, StringLiteral s |
call.getArg(0) = bltn and
bltn.pointsTo(Module::builtinModule()) and
call.getArg(1).getNode() = s and


@@ -43,7 +43,7 @@ predicate simple_literal(Expr e) {
or
e instanceof Dict and not exists(e.(Dict).getAKey())
or
e.(StrConst).getText() = ""
e.(StringLiteral).getText() = ""
}
/**


@@ -14,7 +14,7 @@
import python
/** Whether name is declared in the __all__ list of this module */
predicate declaredInAll(Module m, StrConst name) {
predicate declaredInAll(Module m, StringLiteral name) {
exists(Assign a, GlobalVariable all |
a.defines(all) and
a.getScope() = m and
@@ -70,7 +70,7 @@ predicate contains_unknown_import_star(ModuleValue m) {
)
}
from ModuleValue m, StrConst name, string exported_name
from ModuleValue m, StringLiteral name, string exported_name
where
declaredInAll(m.getScope(), name) and
exported_name = name.getText() and


@@ -24,7 +24,7 @@ predicate complex_all(Module m) {
|
not a.getValue() instanceof List
or
exists(Expr e | e = a.getValue().(List).getAnElt() | not e instanceof StrConst)
exists(Expr e | e = a.getValue().(List).getAnElt() | not e instanceof StringLiteral)
)
or
exists(Call c, GlobalVariable all |


@@ -2,4 +2,4 @@
### Bug Fixes
* The [View AST functionality](https://codeql.github.com/docs/codeql-for-visual-studio-code/exploring-the-structure-of-your-source-code/) no longer prints detailed information about regular expressions, greatly improving performance.
* The [View AST functionality](https://docs.github.com/en/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/exploring-the-structure-of-your-source-code) no longer prints detailed information about regular expressions, greatly improving performance.


@@ -0,0 +1,3 @@
## 0.9.14
No user-facing changes.


@@ -0,0 +1,3 @@
## 0.9.15
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.9.13
lastReleaseVersion: 0.9.15


@@ -121,7 +121,7 @@ module FlaskConstantSecretKeyConfig {
.getACall() and
result =
[
cn.getParameter(0).getAValueReachingSink().asExpr().(StrConst).getText(),
cn.getParameter(0).getAValueReachingSink().asExpr().(StringLiteral).getText(),
cn.getParameter(0).asSink().asExpr().(Name).getId()
]
}
@@ -134,6 +134,6 @@ module FlaskConstantSecretKeyConfig {
.getASuccessor*()
.getMember("from_object")
.getACall() and
result = cn.getParameter(0).asSink().asExpr().(StrConst).getText()
result = cn.getParameter(0).asSink().asExpr().(StringLiteral).getText()
}
}


@@ -11,12 +11,12 @@ class WebAppConstantSecretKeySource extends DataFlow::Node {
env = API::moduleImport("environ").getMember("Env") and
// has default value
exists(API::Node param | param = env.getKeywordParameter("SECRET_KEY") |
param.asSink().asExpr().getASubExpression*() instanceof StrConst
param.asSink().asExpr().getASubExpression*() instanceof StringLiteral
) and
this = env.getReturn().getReturn().asSource()
)
or
this.asExpr() instanceof StrConst
this.asExpr() instanceof StringLiteral
or
exists(API::CallNode cn |
cn =
@@ -25,7 +25,8 @@ class WebAppConstantSecretKeySource extends DataFlow::Node {
API::moduleImport("os").getMember("environ").getMember("get").getACall()
] and
cn.getNumArgument() = 2 and
DataFlow::localFlow(any(DataFlow::Node n | n.asExpr() instanceof StrConst), cn.getArg(1)) and
DataFlow::localFlow(any(DataFlow::Node n | n.asExpr() instanceof StringLiteral),
cn.getArg(1)) and
this.asExpr() = cn.asExpr()
)
) and


@@ -20,7 +20,7 @@ predicate authenticatesImproperly(LdapBind ldapBind) {
not exists(ldapBind.getPassword())
)
or
exists(StrConst emptyString |
exists(StringLiteral emptyString |
emptyString.getText() = "" and
DataFlow::localFlow(DataFlow::exprNode(emptyString), ldapBind.getPassword())
)


@@ -109,7 +109,7 @@ private module AzureBlobClientConfig implements DataFlow::StateConfigSig {
exists(DataFlow::AttrWrite attr |
node = anyClient(_).getAValueReachableFromSource() and
attr.accesses(node, "encryption_version") and
attr.getValue().asExpr().(StrConst).getText() in ["'2.0'", "2.0"]
attr.getValue().asExpr().(StringLiteral).getText() in ["'2.0'", "2.0"]
)
or
// small optimization to block flow with no encryption out of the post-update node


@@ -41,7 +41,7 @@ private module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::Co
exists(Subscript ss |
not ss.getIndex().(IntegerLiteral).getText() = "0" and
ss.getObject().(Call).getFunc().(Attribute).getName() = "split" and
ss.getObject().(Call).getAnArg().(StrConst).getText() = "," and
ss.getObject().(Call).getAnArg().(StringLiteral).getText() = "," and
ss = node.asExpr()
)
}


@@ -20,7 +20,7 @@ private class FlaskClientSuppliedIpUsedInSecurityCheck extends ClientSuppliedIpU
{
FlaskClientSuppliedIpUsedInSecurityCheck() {
this = Flask::request().getMember("headers").getMember(["get", "get_all", "getlist"]).getACall() and
this.getArg(0).asExpr().(StrConst).getText().toLowerCase() = clientIpParameterName()
this.getArg(0).asExpr().(StringLiteral).getText().toLowerCase() = clientIpParameterName()
}
}
@@ -35,7 +35,7 @@ private class DjangoClientSuppliedIpUsedInSecurityCheck extends ClientSuppliedIp
headers.getAttributeName() in ["headers", "META"] and
this.calls(headers, "get")
) and
this.getArg(0).asExpr().(StrConst).getText().toLowerCase() = clientIpParameterName()
this.getArg(0).asExpr().(StringLiteral).getText().toLowerCase() = clientIpParameterName()
}
}
@@ -54,7 +54,7 @@ private class TornadoClientSuppliedIpUsedInSecurityCheck extends ClientSuppliedI
headers.getAttributeName() = "headers" and
this.calls(headers, ["get", "get_list"])
) and
this.getArg(0).asExpr().(StrConst).getText().toLowerCase() = clientIpParameterName()
this.getArg(0).asExpr().(StringLiteral).getText().toLowerCase() = clientIpParameterName()
}
}
@@ -85,8 +85,8 @@ private class CompareSink extends PossibleSecurityCheck {
CompareSink() {
exists(Call call |
call.getFunc().(Attribute).getName() = "startswith" and
call.getArg(0).(StrConst).getText().regexpMatch(getIpAddressRegex()) and
not call.getArg(0).(StrConst).getText() = "0:0:0:0:0:0:0:1" and
call.getArg(0).(StringLiteral).getText().regexpMatch(getIpAddressRegex()) and
not call.getArg(0).(StringLiteral).getText() = "0:0:0:0:0:0:0:1" and
call.getFunc().(Attribute).getObject() = this.asExpr()
)
or
@@ -97,12 +97,12 @@ private class CompareSink extends PossibleSecurityCheck {
) and
(
compare.getLeft() = this.asExpr() and
compare.getComparator(0).(StrConst).getText() instanceof PrivateHostName and
not compare.getComparator(0).(StrConst).getText() = "0:0:0:0:0:0:0:1"
compare.getComparator(0).(StringLiteral).getText() instanceof PrivateHostName and
not compare.getComparator(0).(StringLiteral).getText() = "0:0:0:0:0:0:0:1"
or
compare.getComparator(0) = this.asExpr() and
compare.getLeft().(StrConst).getText() instanceof PrivateHostName and
not compare.getLeft().(StrConst).getText() = "0:0:0:0:0:0:0:1"
compare.getLeft().(StringLiteral).getText() instanceof PrivateHostName and
not compare.getLeft().(StringLiteral).getText() = "0:0:0:0:0:0:0:1"
)
)
or
@@ -115,7 +115,7 @@ private class CompareSink extends PossibleSecurityCheck {
compare.getLeft() = this.asExpr()
or
compare.getComparator(0) = this.asExpr() and
not compare.getLeft().(StrConst).getText() in ["%", ",", "."]
not compare.getLeft().(StringLiteral).getText() in ["%", ",", "."]
)
)
}


@@ -25,16 +25,22 @@ class UnicodeCompatibilityNormalize extends API::CallNode {
UnicodeCompatibilityNormalize() {
(
this = API::moduleImport("unicodedata").getMember("normalize").getACall() and
this.getParameter(0).getAValueReachingSink().asExpr().(StrConst).getText() in ["NFKC", "NFKD"]
this.getParameter(0).getAValueReachingSink().asExpr().(StringLiteral).getText() in [
"NFKC", "NFKD"
]
or
this = API::moduleImport("pyunormalize").getMember("normalize").getACall() and
this.getParameter(0).getAValueReachingSink().asExpr().(StrConst).getText() in ["NFKC", "NFKD"]
this.getParameter(0).getAValueReachingSink().asExpr().(StringLiteral).getText() in [
"NFKC", "NFKD"
]
) and
argIdx = 1
or
(
this = API::moduleImport("textnorm").getMember("normalize_unicode").getACall() and
this.getParameter(1).getAValueReachingSink().asExpr().(StrConst).getText() in ["NFKC", "NFKD"]
this.getParameter(1).getAValueReachingSink().asExpr().(StringLiteral).getText() in [
"NFKC", "NFKD"
]
or
this = API::moduleImport("unidecode").getMember("unidecode").getACall()
or


@@ -28,7 +28,7 @@ import experimental.semmle.python.Concepts
*/
class CookieHeader extends Cookie::Range instanceof HeaderDeclaration {
CookieHeader() {
exists(StrConst str |
exists(StringLiteral str |
str.getText() = "Set-Cookie" and
DataFlow::exprNode(str)
.(DataFlow::LocalSourceNode)
@@ -37,7 +37,7 @@ class CookieHeader extends Cookie::Range instanceof HeaderDeclaration {
}
override predicate isSecure() {
exists(StrConst str |
exists(StringLiteral str |
str.getText().regexpMatch(".*; *Secure;.*") and
DataFlow::exprNode(str)
.(DataFlow::LocalSourceNode)
@@ -46,7 +46,7 @@ class CookieHeader extends Cookie::Range instanceof HeaderDeclaration {
}
override predicate isHttpOnly() {
exists(StrConst str |
exists(StringLiteral str |
str.getText().regexpMatch(".*; *HttpOnly;.*") and
DataFlow::exprNode(str)
.(DataFlow::LocalSourceNode)
@@ -55,7 +55,7 @@ class CookieHeader extends Cookie::Range instanceof HeaderDeclaration {
}
override predicate isSameSite() {
exists(StrConst str |
exists(StringLiteral str |
str.getText().regexpMatch(".*; *SameSite=(Strict|Lax);.*") and
DataFlow::exprNode(str)
.(DataFlow::LocalSourceNode)


@@ -159,7 +159,7 @@ private module ExperimentalPrivateDjango {
}
override predicate isSameSite() {
exists(StrConst str |
exists(StringLiteral str |
str.getText() in ["Strict", "Lax"] and
DataFlow::exprNode(str)
.(DataFlow::LocalSourceNode)


@@ -119,7 +119,7 @@ module ExperimentalFlask {
}
override predicate isSameSite() {
exists(StrConst str |
exists(StringLiteral str |
str.getText() in ["Strict", "Lax"] and
DataFlow::exprNode(str)
.(DataFlow::LocalSourceNode)


@@ -6,7 +6,7 @@ predicate isEmptyOrNone(DataFlow::Node arg) { isEmpty(arg) or isNone(arg) }
/** Checks if an empty string `""` flows to `arg` */
predicate isEmpty(DataFlow::Node arg) {
exists(StrConst emptyString |
exists(StringLiteral emptyString |
emptyString.getText() = "" and
DataFlow::exprNode(emptyString).(DataFlow::LocalSourceNode).flowsTo(arg)
)


@@ -74,7 +74,7 @@ private module Sendgrid {
private DataFlow::Node sendgridContent(DataFlow::CallCfgNode contentCall, string mime) {
mime in ["text/plain", "text/html", "text/x-amp-html"] and
exists(StrConst mimeNode |
exists(StringLiteral mimeNode |
mimeNode.getText() = mime and
DataFlow::exprNode(mimeNode).(DataFlow::LocalSourceNode).flowsTo(contentCall.getArg(0)) and
result = contentCall.getArg(1)
@@ -122,8 +122,12 @@ private module Sendgrid {
contentElement =
this.getKeywordParameter("request_body").getSubscript("content").getASubscript()
|
contentElement.getSubscript("type").getAValueReachingSink().asExpr().(StrConst).getText() =
["text/html", "text/x-amp-html"] and
contentElement
.getSubscript("type")
.getAValueReachingSink()
.asExpr()
.(StringLiteral)
.getText() = ["text/html", "text/x-amp-html"] and
result = contentElement.getSubscript("value").getAValueReachingSink()
)
or


@@ -49,7 +49,7 @@ private module Authlib {
}
override string getAlgorithmString() {
exists(StrConst str |
exists(StringLiteral str |
DataFlow::exprNode(str).(DataFlow::LocalSourceNode).flowsTo(this.getAlgorithm()) and
result = str.getText()
)


@@ -39,7 +39,7 @@ private module PyJwt {
}
override string getAlgorithmString() {
exists(StrConst str |
exists(StringLiteral str |
DataFlow::exprNode(str).(DataFlow::LocalSourceNode).flowsTo(this.getAlgorithm()) and
result = str.getText()
)
@@ -75,7 +75,7 @@ private module PyJwt {
}
override string getAlgorithmString() {
exists(StrConst str |
exists(StringLiteral str |
DataFlow::exprNode(str).(DataFlow::LocalSourceNode).flowsTo(this.getAlgorithm()) and
result = str.getText()
)


@@ -40,7 +40,7 @@ private module PythonJose {
}
override string getAlgorithmString() {
exists(StrConst str |
exists(StringLiteral str |
DataFlow::exprNode(str).(DataFlow::LocalSourceNode).flowsTo(this.getAlgorithm()) and
result = str.getText()
)
@@ -76,7 +76,7 @@ private module PythonJose {
}
override string getAlgorithmString() {
exists(StrConst str |
exists(StringLiteral str |
DataFlow::exprNode(str).(DataFlow::LocalSourceNode).flowsTo(this.getAlgorithm()) and
result = str.getText()
)


@@ -38,7 +38,7 @@ private module Python_Jwt {
override DataFlow::Node getAlgorithm() { result = this.verifyCall().getArg(2) }
override string getAlgorithmString() {
exists(StrConst str |
exists(StringLiteral str |
DataFlow::exprNode(str).(DataFlow::LocalSourceNode).flowsTo(this.getAlgorithm()) and
result = str.getText()
)


@@ -23,7 +23,8 @@ module SmtpLib {
private DataFlow::CallCfgNode mimeText(string mimetype) {
result = smtpMimeTextInstance().getACall() and
[result.getArg(1), result.getArgByName("_subtype")].asExpr().(StrConst).getText() = mimetype
[result.getArg(1), result.getArgByName("_subtype")].asExpr().(StringLiteral).getText() =
mimetype
}
/**


@@ -145,7 +145,7 @@ module TarFile {
.getParameter(1, "mode")
.getAValueReachingSink()
.asExpr()
.(StrConst)
.(StringLiteral)
.getText()
) or
not result
@@ -153,7 +153,7 @@ module TarFile {
.getParameter(1, "mode")
.getAValueReachingSink()
.asExpr()
.(StrConst)
.(StringLiteral)
.getText()
.matches("r:%")
)
@@ -211,7 +211,7 @@ module Pandas {
.getKeywordParameter("compression")
.getAValueReachingSink()
.asExpr()
.(StrConst)
.(StringLiteral)
.getText() = "tar"
)
)
@@ -260,13 +260,18 @@ module Gzip {
this = gzipCall.getParameter(0, "filename").asSink() and
(
not exists(
gzipCall.getParameter(1, "mode").getAValueReachingSink().asExpr().(StrConst).getText()
gzipCall
.getParameter(1, "mode")
.getAValueReachingSink()
.asExpr()
.(StringLiteral)
.getText()
) or
gzipCall
.getParameter(1, "mode")
.getAValueReachingSink()
.asExpr()
.(StrConst)
.(StringLiteral)
.getText()
.matches("%r%")
)
@@ -297,13 +302,18 @@ module Bz2 {
this = bz2Call.getParameter(0, "filename").asSink() and
(
not exists(
bz2Call.getParameter(1, "mode").getAValueReachingSink().asExpr().(StrConst).getText()
bz2Call
.getParameter(1, "mode")
.getAValueReachingSink()
.asExpr()
.(StringLiteral)
.getText()
) or
bz2Call
.getParameter(1, "mode")
.getAValueReachingSink()
.asExpr()
.(StrConst)
.(StringLiteral)
.getText()
.matches("%r%")
)
@@ -334,13 +344,18 @@ module Lzma {
this = lzmaCall.getParameter(0, "filename").asSink() and
(
not exists(
lzmaCall.getParameter(1, "mode").getAValueReachingSink().asExpr().(StrConst).getText()
lzmaCall
.getParameter(1, "mode")
.getAValueReachingSink()
.asExpr()
.(StringLiteral)
.getText()
) or
lzmaCall
.getParameter(1, "mode")
.getAValueReachingSink()
.asExpr()
.(StrConst)
.(StringLiteral)
.getText()
.matches("%r%")
)


@@ -18,7 +18,7 @@ string getPrivateHostRegex() {
}
// "ldap://somethingon.theinternet.com"
class LdapFullHost extends StrConst {
class LdapFullHost extends StringLiteral {
LdapFullHost() {
exists(string s |
s = this.getText() and
@@ -29,15 +29,15 @@ class LdapFullHost extends StrConst {
}
}
class LdapSchema extends StrConst {
class LdapSchema extends StringLiteral {
LdapSchema() { this.getText().regexpMatch(getSchemaRegex()) }
}
class LdapPrivateHost extends StrConst {
class LdapPrivateHost extends StringLiteral {
LdapPrivateHost() { this.getText().regexpMatch(getPrivateHostRegex()) }
}
predicate concatAndCompareAgainstFullHostRegex(LdapSchema schema, StrConst host) {
predicate concatAndCompareAgainstFullHostRegex(LdapSchema schema, StringLiteral host) {
not host instanceof LdapPrivateHost and
(schema.getText() + host.getText()).regexpMatch(getFullHostRegex())
}


@@ -204,8 +204,11 @@ abstract class ClientSuppliedSecret extends DataFlow::CallCfgNode { }
private class FlaskClientSuppliedSecret extends ClientSuppliedSecret {
FlaskClientSuppliedSecret() {
this = Flask::request().getMember("headers").getMember(["get", "get_all", "getlist"]).getACall() and
[this.getArg(0), this.getArgByName(["key", "name"])].asExpr().(StrConst).getText().toLowerCase() =
sensitiveheaders()
[this.getArg(0), this.getArgByName(["key", "name"])]
.asExpr()
.(StringLiteral)
.getText()
.toLowerCase() = sensitiveheaders()
}
}
@@ -216,7 +219,7 @@ private class DjangoClientSuppliedSecret extends ClientSuppliedSecret {
.getMember(["headers", "META"])
.getMember("get")
.getACall() and
[this.getArg(0), this.getArgByName("key")].asExpr().(StrConst).getText().toLowerCase() =
[this.getArg(0), this.getArgByName("key")].asExpr().(StringLiteral).getText().toLowerCase() =
sensitiveheaders()
}
}
@@ -229,7 +232,7 @@ API::Node requesthandler() {
private class TornadoClientSuppliedSecret extends ClientSuppliedSecret {
TornadoClientSuppliedSecret() {
this = requesthandler().getMember(["headers", "META"]).getMember("get").getACall() and
[this.getArg(0), this.getArgByName("key")].asExpr().(StrConst).getText().toLowerCase() =
[this.getArg(0), this.getArgByName("key")].asExpr().(StringLiteral).getText().toLowerCase() =
sensitiveheaders()
}
}
@@ -243,8 +246,11 @@ private class WerkzeugClientSuppliedSecret extends ClientSuppliedSecret {
WerkzeugClientSuppliedSecret() {
this =
headers().getMember(["headers", "META"]).getMember(["get", "get_all", "getlist"]).getACall() and
[this.getArg(0), this.getArgByName(["key", "name"])].asExpr().(StrConst).getText().toLowerCase() =
sensitiveheaders()
[this.getArg(0), this.getArgByName(["key", "name"])]
.asExpr()
.(StringLiteral)
.getText()
.toLowerCase() = sensitiveheaders()
}
}
@@ -314,10 +320,10 @@ class CompareSink extends DataFlow::Node {
) and
(
compare.getLeft() = this.asExpr() and
not compare.getComparator(0).(StrConst).getText() = "bearer"
not compare.getComparator(0).(StringLiteral).getText() = "bearer"
or
compare.getComparator(0) = this.asExpr() and
not compare.getLeft().(StrConst).getText() = "bearer"
not compare.getLeft().(StringLiteral).getText() = "bearer"
)
)
or


@@ -1,5 +1,5 @@
name: codeql/python-queries
version: 0.9.14-dev
version: 0.9.16-dev
groups:
- python
- queries