Merge pull request #5118 from yoff/python-port-stacktrace-exosure

Python: Port stack trace exposure
2026-05-01 11:45:14 +02:00 · 2021-03-16 14:52:44 +01:00
parent 50978364a6 4a9023b989
commit fbbec5d2b9
10 changed files with 163 additions and 26 deletions
--- a/python/ql/src/semmle/python/security/dataflow/ExceptionInfo.qll
+++ b/python/ql/src/semmle/python/security/dataflow/ExceptionInfo.qll
@@ -0,0 +1,39 @@
+/** Provides classes representing various sources of information about raised exceptions. */
+
+import python
+import semmle.python.dataflow.new.DataFlow
+private import semmle.python.ApiGraphs
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * A data-flow node that carries information about a raised exception.
+ * Such information should rarely be exposed directly to the user.
+ */
+abstract class ExceptionInfo extends DataFlow::Node { }
+
+/** A call to a function from the `traceback` module revealing information about a raised exception. */
+private class TracebackFunctionCall extends ExceptionInfo, DataFlow::CallCfgNode {
+  TracebackFunctionCall() {
+    this =
+      API::moduleImport("traceback")
+          .getMember([
+              "extract_tb", "extract_stack", "format_list", "format_exception_only",
+              "format_exception", "format_exc", "format_tb", "format_stack"
+            ])
+          .getACall()
+  }
+}
+
+/** A caught exception. */
+private class CaughtException extends ExceptionInfo {
+  CaughtException() {
+    this.asVar().getDefinition().(EssaNodeDefinition).getDefiningNode().getNode() =
+      any(ExceptStmt s).getName()
+  }
+}
+
+/** A call to `sys.exc_info`. */
+private class SysExcInfoCall extends ExceptionInfo, DataFlow::CallCfgNode {
+  SysExcInfoCall() { this = API::moduleImport("sys").getMember("exc_info").getACall() }
+}
--- a/python/ql/src/semmle/python/security/dataflow/StackTraceExposure.qll
+++ b/python/ql/src/semmle/python/security/dataflow/StackTraceExposure.qll
@@ -0,0 +1,33 @@
+/**
+ * Provides a taint-tracking configuration for detecting stack trace exposure
+ * vulnerabilities.
+ */
+
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import semmle.python.Concepts
+import semmle.python.dataflow.new.internal.Attributes
+private import ExceptionInfo
+
+/**
+ * A taint-tracking configuration for detecting stack trace exposure.
+ */
+class StackTraceExposureConfiguration extends TaintTracking::Configuration {
+  StackTraceExposureConfiguration() { this = "StackTraceExposureConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof ExceptionInfo }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink = any(HTTP::Server::HttpResponse response).getBody()
+  }
+
+  // A stack trace is accessible as the `__traceback__` attribute of a caught exception.
+  //  seehttps://docs.python.org/3/reference/datamodel.html#traceback-objects
+  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    exists(AttrRead attr | attr.getAttributeName() = "__traceback__" |
+      nodeFrom = attr.getObject() and
+      nodeTo = attr
+    )
+  }
+}