Python: Autoformat (4 spaces) django library

Rasmus Wriedt Larsen
2019-09-27 13:15:28 +02:00
parent f4e0abd4c4
commit fc59b10ba4
7 changed files with 67 additions and 196 deletions


@@ -1,51 +1,37 @@
import python
import semmle.python.security.injection.Sql
/** A taint kind representing a django cursor object.
/**
* A taint kind representing a django cursor object.
*/
class DjangoDbCursor extends DbCursor {
DjangoDbCursor() {
this = "django.db.connection.cursor"
}
DjangoDbCursor() { this = "django.db.connection.cursor" }
}
private Value theDjangoConnectionObject() {
result = Value::named("django.db.connection")
}
private Value theDjangoConnectionObject() { result = Value::named("django.db.connection") }
/** A kind of taint source representing sources of django cursor objects.
/**
* A kind of taint source representing sources of django cursor objects.
*/
class DjangoDbCursorSource extends DbConnectionSource {
DjangoDbCursorSource() {
exists(AttrNode cursor |
this.(CallNode).getFunction()= cursor and
this.(CallNode).getFunction() = cursor and
cursor.getObject("cursor").pointsTo(theDjangoConnectionObject())
)
}
override string toString() {
result = "django.db.connection.cursor"
}
override predicate isSourceOf(TaintKind kind) {
kind instanceof DjangoDbCursor
}
override string toString() { result = "django.db.connection.cursor" }
override predicate isSourceOf(TaintKind kind) { kind instanceof DjangoDbCursor }
}
ClassValue theDjangoRawSqlClass() {
result = Value::named("django.db.models.expressions.RawSQL")
}
ClassValue theDjangoRawSqlClass() { result = Value::named("django.db.models.expressions.RawSQL") }
/**
* A sink of taint on calls to `django.db.models.expressions.RawSQL`. This
* allows arbitrary SQL statements to be executed, which is a security risk.
*/
class DjangoRawSqlSink extends SqlInjectionSink {
DjangoRawSqlSink() {
exists(CallNode call |
@@ -54,12 +40,7 @@ class DjangoRawSqlSink extends SqlInjectionSink {
)
}
override predicate sinks(TaintKind kind) {
kind instanceof ExternalStringKind
}
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
override string toString() {
result = "django.db.models.expressions.RawSQL(sink,...)"
}
override string toString() { result = "django.db.models.expressions.RawSQL(sink,...)" }
}


@@ -1,5 +1,4 @@
import python
import semmle.python.security.TaintTracking
import semmle.python.security.strings.Basic
import semmle.python.web.Http
@@ -7,19 +6,12 @@ import semmle.python.security.injection.Sql
/** A django model class */
class DjangoModel extends ClassValue {
DjangoModel() {
Value::named("django.db.models.Model") = this.getASuperType()
}
DjangoModel() { Value::named("django.db.models.Model") = this.getASuperType() }
}
/** A "taint" for django database tables */
class DjangoDbTableObjects extends TaintKind {
DjangoDbTableObjects() {
this = "django.db.models.Model.objects"
}
DjangoDbTableObjects() { this = "django.db.models.Model.objects" }
override TaintKind getTaintOfMethodResult(string name) {
result = this and
@@ -53,102 +45,72 @@ class DjangoDbTableObjects extends TaintKind {
/** Django model objects, which are sources of django database table "taint" */
class DjangoModelObjects extends TaintSource {
DjangoModelObjects() {
this.(AttrNode).isLoad() and this.(AttrNode).getObject("objects").pointsTo(any(DjangoModel m))
}
override predicate isSourceOf(TaintKind kind) {
kind instanceof DjangoDbTableObjects
}
override string toString() {
result = "django.db.models.Model.objects"
}
override predicate isSourceOf(TaintKind kind) { kind instanceof DjangoDbTableObjects }
override string toString() { result = "django.db.models.Model.objects" }
}
/** A write to a field of a django model, which is a vulnerable to external data. */
class DjangoModelFieldWrite extends SqlInjectionSink {
DjangoModelFieldWrite() {
exists(AttrNode attr, DjangoModel model |
this = attr and attr.isStore() and attr.getObject(_).pointsTo(model)
)
}
override predicate sinks(TaintKind kind) {
kind instanceof ExternalStringKind
}
override string toString() {
result = "django model field write"
}
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
override string toString() { result = "django model field write" }
}
/** A direct reference to a django model object, which is vulnerable to external data. */
class DjangoModelDirectObjectReference extends TaintSink {
DjangoModelDirectObjectReference() {
exists(CallNode objects_get_call, ControlFlowNode objects |
this = objects_get_call.getAnArg() |
exists(CallNode objects_get_call, ControlFlowNode objects | this = objects_get_call.getAnArg() |
objects_get_call.getFunction().(AttrNode).getObject("get") = objects and
any(DjangoDbTableObjects objs).taints(objects)
)
}
override predicate sinks(TaintKind kind) {
kind instanceof ExternalStringKind
}
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
override string toString() {
result = "django model object reference"
}
override string toString() { result = "django model object reference" }
}
/**
* A call to the `raw` method on a django model. This allows a raw SQL query
* A call to the `raw` method on a django model. This allows a raw SQL query
* to be sent to the database, which is a security risk.
*/
class DjangoModelRawCall extends SqlInjectionSink {
DjangoModelRawCall() {
exists(CallNode raw_call, ControlFlowNode queryset |
this = raw_call.getArg(0) |
exists(CallNode raw_call, ControlFlowNode queryset | this = raw_call.getArg(0) |
raw_call.getFunction().(AttrNode).getObject("raw") = queryset and
any(DjangoDbTableObjects objs).taints(queryset)
)
}
override predicate sinks(TaintKind kind) {
kind instanceof ExternalStringKind
}
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
override string toString() {
result = "django.models.QuerySet.raw(sink,...)"
}
override string toString() { result = "django.models.QuerySet.raw(sink,...)" }
}
/**
* A call to the `extra` method on a django model. This allows a raw SQL query
* A call to the `extra` method on a django model. This allows a raw SQL query
* to be sent to the database, which is a security risk.
*/
class DjangoModelExtraCall extends SqlInjectionSink {
DjangoModelExtraCall() {
exists(CallNode extra_call, ControlFlowNode queryset |
this = extra_call.getArg(0) |
exists(CallNode extra_call, ControlFlowNode queryset | this = extra_call.getArg(0) |
extra_call.getFunction().(AttrNode).getObject("extra") = queryset and
any(DjangoDbTableObjects objs).taints(queryset)
)
}
override predicate sinks(TaintKind kind) {
kind instanceof ExternalStringKind
}
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
override string toString() {
result = "django.models.QuerySet.extra(sink,...)"
}
override string toString() { result = "django.models.QuerySet.extra(sink,...)" }
}


@@ -1,29 +1,25 @@
/** Provides class representing the `django.redirect` function.
/**
* Provides class representing the `django.redirect` function.
* This module is intended to be imported into a taint-tracking query
* to extend `TaintSink`.
*/
import python
import python
import semmle.python.security.TaintTracking
import semmle.python.security.strings.Basic
private import semmle.python.web.django.Shared
private import semmle.python.web.Http
/**
* Represents an argument to the `django.redirect` function.
*/
class DjangoRedirect extends HttpRedirectTaintSink {
override string toString() {
result = "django.redirect"
}
override string toString() { result = "django.redirect" }
DjangoRedirect() {
exists(CallNode call |
redirect().getACall() = call and
this = call.getAnArg()
this = call.getAnArg()
)
}
}


@@ -1,16 +1,11 @@
import python
import semmle.python.regex
import semmle.python.security.TaintTracking
import semmle.python.web.Http
/** A django.request.HttpRequest object */
class DjangoRequest extends TaintKind {
DjangoRequest() {
this = "django.request.HttpRequest"
}
DjangoRequest() { this = "django.request.HttpRequest" }
override TaintKind getTaintOfAttribute(string name) {
(name = "GET" or name = "POST") and
@@ -18,14 +13,13 @@ class DjangoRequest extends TaintKind {
}
override TaintKind getTaintOfMethodResult(string name) {
(name = "body" or name = "path") and
result instanceof ExternalStringKind
}
}
/* Helper for getTaintForStep() */
pragma [noinline]
pragma[noinline]
private predicate subscript_taint(SubscriptNode sub, ControlFlowNode obj, TaintKind kind) {
sub.getValue() = obj and
kind instanceof ExternalStringKind
@@ -33,10 +27,7 @@ private predicate subscript_taint(SubscriptNode sub, ControlFlowNode obj, TaintK
/** A django.request.QueryDict object */
class DjangoQueryDict extends TaintKind {
DjangoQueryDict() {
this = "django.http.request.QueryDict"
}
DjangoQueryDict() { this = "django.http.request.QueryDict" }
override TaintKind getTaintForFlowStep(ControlFlowNode fromnode, ControlFlowNode tonode) {
this.taints(fromnode) and
@@ -46,67 +37,46 @@ class DjangoQueryDict extends TaintKind {
override TaintKind getTaintOfMethodResult(string name) {
name = "get" and result instanceof ExternalStringKind
}
}
abstract class DjangoRequestSource extends HttpRequestTaintSource {
override string toString() { result = "Django request source" }
override string toString() {
result = "Django request source"
}
override predicate isSourceOf(TaintKind kind) {
kind instanceof DjangoRequest
}
override predicate isSourceOf(TaintKind kind) { kind instanceof DjangoRequest }
}
/** Function based views
/**
* Function based views
* https://docs.djangoproject.com/en/1.11/topics/http/views/
*/
private class DjangoFunctionBasedViewRequestArgument extends DjangoRequestSource {
DjangoFunctionBasedViewRequestArgument() {
exists(FunctionValue view |
url_dispatch(_, _, view) and
this = view.getScope().getArg(0).asName().getAFlowNode()
)
}
}
/** Class based views
/**
* Class based views
* https://docs.djangoproject.com/en/1.11/topics/class-based-views/
*
*/
private class DjangoView extends ClassValue {
DjangoView() {
Value::named("django.views.generic.View") = this.getASuperType()
}
DjangoView() { Value::named("django.views.generic.View") = this.getASuperType() }
}
private FunctionValue djangoViewHttpMethod() {
exists(DjangoView view |
view.attr(httpVerbLower()) = result
)
exists(DjangoView view | view.attr(httpVerbLower()) = result)
}
class DjangoClassBasedViewRequestArgument extends DjangoRequestSource {
DjangoClassBasedViewRequestArgument() {
this = djangoViewHttpMethod().getScope().getArg(1).asName().getAFlowNode()
}
}
/* *********** Routing ********* */
/* Function based views */
predicate url_dispatch(CallNode call, ControlFlowNode regex, FunctionValue view) {
exists(FunctionValue url |
@@ -116,24 +86,14 @@ predicate url_dispatch(CallNode call, ControlFlowNode regex, FunctionValue view)
)
}
class UrlRegex extends RegexString {
UrlRegex() {
url_dispatch(_, this.getAFlowNode(), _)
}
UrlRegex() { url_dispatch(_, this.getAFlowNode(), _) }
}
class UrlRouting extends CallNode {
UrlRouting() { url_dispatch(this, _, _) }
UrlRouting() {
url_dispatch(this, _, _)
}
FunctionValue getViewFunction() {
url_dispatch(this, _, result)
}
FunctionValue getViewFunction() { url_dispatch(this, _, result) }
string getNamedArgument() {
exists(UrlRegex regex |
@@ -141,25 +101,20 @@ class UrlRouting extends CallNode {
regex.getGroupName(_, _) = result
)
}
}
/** An argument specified in a url routing table */
class HttpRequestParameter extends HttpRequestTaintSource {
HttpRequestParameter() {
exists(UrlRouting url |
this.(ControlFlowNode).getNode() =
url.getViewFunction().getScope().getArgByName(url.getNamedArgument())
this.(ControlFlowNode).getNode() = url
.getViewFunction()
.getScope()
.getArgByName(url.getNamedArgument())
)
}
override predicate isSourceOf(TaintKind kind) {
kind instanceof ExternalStringKind
}
override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringKind }
override string toString() {
result = "django.http.request.parameter"
}
override string toString() { result = "django.http.request.parameter" }
}


@@ -4,17 +4,13 @@ import semmle.python.security.strings.Basic
private import semmle.python.web.django.Shared
private import semmle.python.web.Http
/** A django.http.response.Response object
/**
* A django.http.response.Response object
* This isn't really a "taint", but we use the value tracking machinery to
* track the flow of response objects.
*/
class DjangoResponse extends TaintKind {
DjangoResponse() {
this = "django.response.HttpResponse"
}
DjangoResponse() { this = "django.response.HttpResponse" }
}
private ClassValue theDjangoHttpResponseClass() {
@@ -24,7 +20,6 @@ private ClassValue theDjangoHttpResponseClass() {
/** Instantiation of a django response. */
class DjangoResponseSource extends TaintSource {
DjangoResponseSource() {
exists(ClassValue cls |
cls.getASuperType() = theDjangoHttpResponseClass() and
@@ -34,14 +29,11 @@ class DjangoResponseSource extends TaintSource {
override predicate isSourceOf(TaintKind kind) { kind instanceof DjangoResponse }
override string toString() {
result = "django.http.response.HttpResponse"
}
override string toString() { result = "django.http.response.HttpResponse" }
}
/** A write to a django response, which is vulnerable to external data (xss) */
class DjangoResponseWrite extends HttpResponseTaintSink {
DjangoResponseWrite() {
exists(AttrNode meth, CallNode call |
call.getFunction() = meth and
@@ -50,41 +42,30 @@ class DjangoResponseWrite extends HttpResponseTaintSink {
)
}
override predicate sinks(TaintKind kind) {
kind instanceof StringKind
}
override string toString() {
result = "django.Response.write(...)"
}
override predicate sinks(TaintKind kind) { kind instanceof StringKind }
override string toString() { result = "django.Response.write(...)" }
}
/** An argument to initialization of a django response, which is vulnerable to external data (xss) */
class DjangoResponseContent extends HttpResponseTaintSink {
DjangoResponseContent() {
exists(CallNode call, ClassValue cls |
cls.getASuperType() = theDjangoHttpResponseClass() and
call.getFunction().pointsTo(cls) |
call.getFunction().pointsTo(cls)
|
call.getArg(0) = this
or
call.getArgByName("content") = this
)
}
override predicate sinks(TaintKind kind) {
kind instanceof StringKind
}
override string toString() {
result = "django.Response(...)"
}
override predicate sinks(TaintKind kind) { kind instanceof StringKind }
override string toString() { result = "django.Response(...)" }
}
class DjangoCookieSet extends CookieSet, CallNode {
DjangoCookieSet() {
any(DjangoResponse r).taints(this.getFunction().(AttrNode).getObject("set_cookie"))
}
@@ -94,5 +75,4 @@ class DjangoCookieSet extends CookieSet, CallNode {
override ControlFlowNode getKey() { result = this.getArg(0) }
override ControlFlowNode getValue() { result = this.getArg(1) }
}


@@ -1,7 +1,6 @@
import python
/* Sanitizers
/*
* Sanitizers
* No django sanitizers implemented yet.
*/


@@ -1,9 +1,7 @@
import python
/** django.shortcuts.redirect */
FunctionValue redirect() {
result = Value::named("django.shortcuts.redirect")
}
FunctionValue redirect() { result = Value::named("django.shortcuts.redirect") }
ClassValue theDjangoHttpRedirectClass() {
result = Value::named("django.http.response.HttpResponseRedirectBase")