Merge pull request #5118 from yoff/python-port-stacktrace-exosure

Python: Port stack trace exposure

python/ql/test/query-tests/Security/CWE-209/ExceptionInfo.ql

@@ -0,0 +1,20 @@
+import python
+import semmle.python.dataflow.new.DataFlow
+import TestUtilities.InlineExpectationsTest
+import semmle.python.security.dataflow.ExceptionInfo
+
+class ExceptionInfoTest extends InlineExpectationsTest {
+  ExceptionInfoTest() { this = "ExceptionInfoTest" }
+
+  override string getARelevantTag() { result = "exceptionInfo" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(location.getFile().getRelativePath()) and
+    exists(ExceptionInfo e |
+      location = e.getLocation() and
+      element = e.toString() and
+      value = "" and
+      tag = "exceptionInfo"
+    )
+  }
+}

python/ql/test/query-tests/Security/CWE-209/Exceptions.py

@@ -0,0 +1,10 @@
+try:
+    1+2
+except Exception as e:  #$ exceptionInfo
+    e
+
+def test_exception():
+    try:
+        1+2
+    except Exception as e:  #$ exceptionInfo
+        e

python/ql/test/query-tests/Security/CWE-209/StackTraceExposure.expected

@@ -1,8 +1,19 @@
 edges
-| test.py:33:15:33:36 | exception info | test.py:34:29:34:31 | exception info |
-| test.py:33:15:33:36 | exception info | test.py:34:29:34:31 | exception info |
-| test.py:34:29:34:31 | exception info | test.py:34:16:34:32 | exception info |
-| test.py:34:29:34:31 | exception info | test.py:34:16:34:32 | exception info |
+| test.py:23:25:23:25 | SSA variable e | test.py:24:16:24:16 | ControlFlowNode for e |
+| test.py:31:25:31:25 | SSA variable e | test.py:32:16:32:30 | ControlFlowNode for Attribute |
+| test.py:49:15:49:36 | ControlFlowNode for Attribute() | test.py:50:29:50:31 | ControlFlowNode for err |
+| test.py:50:29:50:31 | ControlFlowNode for err | test.py:50:16:50:32 | ControlFlowNode for format_error() |
+nodes
+| test.py:16:16:16:37 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| test.py:23:25:23:25 | SSA variable e | semmle.label | SSA variable e |
+| test.py:24:16:24:16 | ControlFlowNode for e | semmle.label | ControlFlowNode for e |
+| test.py:31:25:31:25 | SSA variable e | semmle.label | SSA variable e |
+| test.py:32:16:32:30 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| test.py:49:15:49:36 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| test.py:50:16:50:32 | ControlFlowNode for format_error() | semmle.label | ControlFlowNode for format_error() |
+| test.py:50:29:50:31 | ControlFlowNode for err | semmle.label | ControlFlowNode for err |
 #select
-| test.py:16:16:16:37 | Attribute() | test.py:16:16:16:37 | exception info | test.py:16:16:16:37 | exception info | $@ may be exposed to an external user | test.py:16:16:16:37 | Attribute() | Error information |
-| test.py:34:16:34:32 | format_error() | test.py:33:15:33:36 | exception info | test.py:34:16:34:32 | exception info | $@ may be exposed to an external user | test.py:33:15:33:36 | Attribute() | Error information |
+| test.py:16:16:16:37 | ControlFlowNode for Attribute() | test.py:16:16:16:37 | ControlFlowNode for Attribute() | test.py:16:16:16:37 | ControlFlowNode for Attribute() | $@ may be exposed to an external user | test.py:16:16:16:37 | ControlFlowNode for Attribute() | Error information |
+| test.py:24:16:24:16 | ControlFlowNode for e | test.py:23:25:23:25 | SSA variable e | test.py:24:16:24:16 | ControlFlowNode for e | $@ may be exposed to an external user | test.py:23:25:23:25 | SSA variable e | Error information |
+| test.py:32:16:32:30 | ControlFlowNode for Attribute | test.py:31:25:31:25 | SSA variable e | test.py:32:16:32:30 | ControlFlowNode for Attribute | $@ may be exposed to an external user | test.py:31:25:31:25 | SSA variable e | Error information |
+| test.py:50:16:50:32 | ControlFlowNode for format_error() | test.py:49:15:49:36 | ControlFlowNode for Attribute() | test.py:50:16:50:32 | ControlFlowNode for format_error() | $@ may be exposed to an external user | test.py:49:15:49:36 | ControlFlowNode for Attribute() | Error information |

python/ql/test/query-tests/Security/CWE-209/Stacktrace.py

@@ -0,0 +1,15 @@
+import sys, traceback
+
+try:
+    1/0
+except:
+    exc_type, exc_value, exc_traceback = sys.exc_info() #$ exceptionInfo
+
+    tb = traceback.extract_tb(exc_traceback) #$ exceptionInfo
+    stack = traceback.extract_stack() #$ exceptionInfo
+    print(traceback.format_exc(1, tb)) #$ exceptionInfo
+    print(traceback.format_exception(exc_type, exc_value, exc_traceback)) #$ exceptionInfo
+    print(traceback.format_exception_only(None, exc_value)) #$ exceptionInfo
+    print(traceback.format_list(stack)) #$ exceptionInfo
+    print(traceback.format_stack()) #$ exceptionInfo
+    print(traceback.format_tb(exc_traceback)) #$ exceptionInfo

python/ql/test/query-tests/Security/CWE-209/test.py

@@ -12,16 +12,32 @@ def do_computation():
 def server_bad():
     try:
         do_computation()
-    except Exception as e:
-        return traceback.format_exc()
+    except Exception:
+        return traceback.format_exc()  #$ exceptionInfo
+
+# BAD
+@app.route('/bad/direct')
+def server_bad_direct():
+    try:
+        do_computation()
+    except Exception as e:  #$ exceptionInfo
+        return e
+
+# BAD
+@app.route('/bad/traceback')
+def server_bad_traceback():
+    try:
+        do_computation()
+    except Exception as e:  #$ exceptionInfo
+        return e.__traceback__
 
 # GOOD
 @app.route('/good')
 def server_good():
     try:
         do_computation()
-    except Exception as e:
-        log(traceback.format_exc())
+    except Exception:
+        log(traceback.format_exc())  #$ exceptionInfo
         return "An internal error has occurred!"
 
 #BAD
@@ -29,8 +45,8 @@ def server_good():
 def server_bad_flow():
     try:
         do_computation()
-    except Exception as e:
-        err = traceback.format_exc()
+    except Exception:
+        err = traceback.format_exc()  #$ exceptionInfo
         return format_error(err)
 
 def format_error(msg):