Python: Add modeling of jmespath

2026-04-29 02:35:15 +02:00 · 2021-06-09 12:13:29 +02:00
parent 5cdd60d0d6
commit fa6abea465
5 changed files with 43 additions and 4 deletions
--- a/python/ql/src/semmle/python/Frameworks.qll
+++ b/python/ql/src/semmle/python/Frameworks.qll
@@ -12,6 +12,7 @@ private import semmle.python.frameworks.Fabric
 private import semmle.python.frameworks.Flask
 private import semmle.python.frameworks.Idna
 private import semmle.python.frameworks.Invoke
+private import semmle.python.frameworks.Jmespath
 private import semmle.python.frameworks.MysqlConnectorPython
 private import semmle.python.frameworks.MySQLdb
 private import semmle.python.frameworks.Psycopg2
--- a/python/ql/src/semmle/python/frameworks/Jmespath.qll
+++ b/python/ql/src/semmle/python/frameworks/Jmespath.qll
@@ -0,0 +1,35 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `jmespath` PyPI package.
+ * See https://pypi.org/project/jmespath/.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+/**
+ * Provides models for the `jmespath` PyPI package.
+ * See https://pypi.org/project/jmespath/.
+ */
+private module Jmespath {
+  class JmespathAdditionalTaintSteps extends TaintTracking::AdditionalTaintStep {
+    override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+      exists(DataFlow::CallCfgNode call |
+        call = API::moduleImport("jmespath").getMember("search").getACall() and
+        nodeFrom in [call.getArg(1), call.getArgByName("data")] and
+        nodeTo = call
+        or
+        call =
+          API::moduleImport("jmespath")
+              .getMember("compile")
+              .getReturn()
+              .getMember("search")
+              .getACall() and
+        nodeFrom in [call.getArg(0), call.getArgByName("value")] and
+        nodeTo = call
+      )
+    }
+  }
+}