Python: Autoformat (4 spaces) django library

Rasmus Wriedt Larsen
2019-09-27 13:15:28 +02:00
parent f4e0abd4c4
commit fc59b10ba4
7 changed files with 67 additions and 196 deletions


@@ -1,51 +1,37 @@
import python import python
import semmle.python.security.injection.Sql import semmle.python.security.injection.Sql
/** A taint kind representing a django cursor object. /**
* A taint kind representing a django cursor object.
*/ */
class DjangoDbCursor extends DbCursor { class DjangoDbCursor extends DbCursor {
DjangoDbCursor() { this = "django.db.connection.cursor" }
DjangoDbCursor() {
this = "django.db.connection.cursor"
}
} }
private Value theDjangoConnectionObject() { private Value theDjangoConnectionObject() { result = Value::named("django.db.connection") }
result = Value::named("django.db.connection")
}
/** A kind of taint source representing sources of django cursor objects. /**
* A kind of taint source representing sources of django cursor objects.
*/ */
class DjangoDbCursorSource extends DbConnectionSource { class DjangoDbCursorSource extends DbConnectionSource {
DjangoDbCursorSource() { DjangoDbCursorSource() {
exists(AttrNode cursor | exists(AttrNode cursor |
this.(CallNode).getFunction()= cursor and this.(CallNode).getFunction() = cursor and
cursor.getObject("cursor").pointsTo(theDjangoConnectionObject()) cursor.getObject("cursor").pointsTo(theDjangoConnectionObject())
) )
} }
override string toString() { override string toString() { result = "django.db.connection.cursor" }
result = "django.db.connection.cursor"
}
override predicate isSourceOf(TaintKind kind) {
kind instanceof DjangoDbCursor
}
override predicate isSourceOf(TaintKind kind) { kind instanceof DjangoDbCursor }
} }
ClassValue theDjangoRawSqlClass() { result = Value::named("django.db.models.expressions.RawSQL") }
ClassValue theDjangoRawSqlClass() {
result = Value::named("django.db.models.expressions.RawSQL")
}
/** /**
* A sink of taint on calls to `django.db.models.expressions.RawSQL`. This * A sink of taint on calls to `django.db.models.expressions.RawSQL`. This
* allows arbitrary SQL statements to be executed, which is a security risk. * allows arbitrary SQL statements to be executed, which is a security risk.
*/ */
class DjangoRawSqlSink extends SqlInjectionSink { class DjangoRawSqlSink extends SqlInjectionSink {
DjangoRawSqlSink() { DjangoRawSqlSink() {
exists(CallNode call | exists(CallNode call |
@@ -54,12 +40,7 @@ class DjangoRawSqlSink extends SqlInjectionSink {
) )
} }
override predicate sinks(TaintKind kind) { override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
kind instanceof ExternalStringKind
}
override string toString() { override string toString() { result = "django.db.models.expressions.RawSQL(sink,...)" }
result = "django.db.models.expressions.RawSQL(sink,...)"
}
} }


@@ -1,5 +1,4 @@
import python import python
import semmle.python.security.TaintTracking import semmle.python.security.TaintTracking
import semmle.python.security.strings.Basic import semmle.python.security.strings.Basic
import semmle.python.web.Http import semmle.python.web.Http
@@ -7,19 +6,12 @@ import semmle.python.security.injection.Sql
/** A django model class */ /** A django model class */
class DjangoModel extends ClassValue { class DjangoModel extends ClassValue {
DjangoModel() { Value::named("django.db.models.Model") = this.getASuperType() }
DjangoModel() {
Value::named("django.db.models.Model") = this.getASuperType()
}
} }
/** A "taint" for django database tables */ /** A "taint" for django database tables */
class DjangoDbTableObjects extends TaintKind { class DjangoDbTableObjects extends TaintKind {
DjangoDbTableObjects() { this = "django.db.models.Model.objects" }
DjangoDbTableObjects() {
this = "django.db.models.Model.objects"
}
override TaintKind getTaintOfMethodResult(string name) { override TaintKind getTaintOfMethodResult(string name) {
result = this and result = this and
@@ -53,102 +45,72 @@ class DjangoDbTableObjects extends TaintKind {
/** Django model objects, which are sources of django database table "taint" */ /** Django model objects, which are sources of django database table "taint" */
class DjangoModelObjects extends TaintSource { class DjangoModelObjects extends TaintSource {
DjangoModelObjects() { DjangoModelObjects() {
this.(AttrNode).isLoad() and this.(AttrNode).getObject("objects").pointsTo(any(DjangoModel m)) this.(AttrNode).isLoad() and this.(AttrNode).getObject("objects").pointsTo(any(DjangoModel m))
} }
override predicate isSourceOf(TaintKind kind) { override predicate isSourceOf(TaintKind kind) { kind instanceof DjangoDbTableObjects }
kind instanceof DjangoDbTableObjects
}
override string toString() {
result = "django.db.models.Model.objects"
}
override string toString() { result = "django.db.models.Model.objects" }
} }
/** A write to a field of a django model, which is a vulnerable to external data. */ /** A write to a field of a django model, which is a vulnerable to external data. */
class DjangoModelFieldWrite extends SqlInjectionSink { class DjangoModelFieldWrite extends SqlInjectionSink {
DjangoModelFieldWrite() { DjangoModelFieldWrite() {
exists(AttrNode attr, DjangoModel model | exists(AttrNode attr, DjangoModel model |
this = attr and attr.isStore() and attr.getObject(_).pointsTo(model) this = attr and attr.isStore() and attr.getObject(_).pointsTo(model)
) )
} }
override predicate sinks(TaintKind kind) { override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
kind instanceof ExternalStringKind
}
override string toString() {
result = "django model field write"
}
override string toString() { result = "django model field write" }
} }
/** A direct reference to a django model object, which is vulnerable to external data. */ /** A direct reference to a django model object, which is vulnerable to external data. */
class DjangoModelDirectObjectReference extends TaintSink { class DjangoModelDirectObjectReference extends TaintSink {
DjangoModelDirectObjectReference() { DjangoModelDirectObjectReference() {
exists(CallNode objects_get_call, ControlFlowNode objects | exists(CallNode objects_get_call, ControlFlowNode objects | this = objects_get_call.getAnArg() |
this = objects_get_call.getAnArg() |
objects_get_call.getFunction().(AttrNode).getObject("get") = objects and objects_get_call.getFunction().(AttrNode).getObject("get") = objects and
any(DjangoDbTableObjects objs).taints(objects) any(DjangoDbTableObjects objs).taints(objects)
) )
} }
override predicate sinks(TaintKind kind) { override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
kind instanceof ExternalStringKind
}
override string toString() { override string toString() { result = "django model object reference" }
result = "django model object reference"
}
} }
/** /**
* A call to the `raw` method on a django model. This allows a raw SQL query * A call to the `raw` method on a django model. This allows a raw SQL query
* to be sent to the database, which is a security risk. * to be sent to the database, which is a security risk.
*/ */
class DjangoModelRawCall extends SqlInjectionSink { class DjangoModelRawCall extends SqlInjectionSink {
DjangoModelRawCall() { DjangoModelRawCall() {
exists(CallNode raw_call, ControlFlowNode queryset | exists(CallNode raw_call, ControlFlowNode queryset | this = raw_call.getArg(0) |
this = raw_call.getArg(0) |
raw_call.getFunction().(AttrNode).getObject("raw") = queryset and raw_call.getFunction().(AttrNode).getObject("raw") = queryset and
any(DjangoDbTableObjects objs).taints(queryset) any(DjangoDbTableObjects objs).taints(queryset)
) )
} }
override predicate sinks(TaintKind kind) { override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
kind instanceof ExternalStringKind
}
override string toString() { override string toString() { result = "django.models.QuerySet.raw(sink,...)" }
result = "django.models.QuerySet.raw(sink,...)"
}
} }
/** /**
* A call to the `extra` method on a django model. This allows a raw SQL query * A call to the `extra` method on a django model. This allows a raw SQL query
* to be sent to the database, which is a security risk. * to be sent to the database, which is a security risk.
*/ */
class DjangoModelExtraCall extends SqlInjectionSink { class DjangoModelExtraCall extends SqlInjectionSink {
DjangoModelExtraCall() { DjangoModelExtraCall() {
exists(CallNode extra_call, ControlFlowNode queryset | exists(CallNode extra_call, ControlFlowNode queryset | this = extra_call.getArg(0) |
this = extra_call.getArg(0) |
extra_call.getFunction().(AttrNode).getObject("extra") = queryset and extra_call.getFunction().(AttrNode).getObject("extra") = queryset and
any(DjangoDbTableObjects objs).taints(queryset) any(DjangoDbTableObjects objs).taints(queryset)
) )
} }
override predicate sinks(TaintKind kind) { override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
kind instanceof ExternalStringKind
}
override string toString() { override string toString() { result = "django.models.QuerySet.extra(sink,...)" }
result = "django.models.QuerySet.extra(sink,...)"
}
} }


@@ -1,29 +1,25 @@
/** Provides class representing the `django.redirect` function. /**
* Provides class representing the `django.redirect` function.
* This module is intended to be imported into a taint-tracking query * This module is intended to be imported into a taint-tracking query
* to extend `TaintSink`. * to extend `TaintSink`.
*/ */
import python
import python
import semmle.python.security.TaintTracking import semmle.python.security.TaintTracking
import semmle.python.security.strings.Basic import semmle.python.security.strings.Basic
private import semmle.python.web.django.Shared private import semmle.python.web.django.Shared
private import semmle.python.web.Http private import semmle.python.web.Http
/** /**
* Represents an argument to the `django.redirect` function. * Represents an argument to the `django.redirect` function.
*/ */
class DjangoRedirect extends HttpRedirectTaintSink { class DjangoRedirect extends HttpRedirectTaintSink {
override string toString() { result = "django.redirect" }
override string toString() {
result = "django.redirect"
}
DjangoRedirect() { DjangoRedirect() {
exists(CallNode call | exists(CallNode call |
redirect().getACall() = call and redirect().getACall() = call and
this = call.getAnArg() this = call.getAnArg()
) )
} }
} }


@@ -1,16 +1,11 @@
import python import python
import semmle.python.regex import semmle.python.regex
import semmle.python.security.TaintTracking import semmle.python.security.TaintTracking
import semmle.python.web.Http import semmle.python.web.Http
/** A django.request.HttpRequest object */ /** A django.request.HttpRequest object */
class DjangoRequest extends TaintKind { class DjangoRequest extends TaintKind {
DjangoRequest() { this = "django.request.HttpRequest" }
DjangoRequest() {
this = "django.request.HttpRequest"
}
override TaintKind getTaintOfAttribute(string name) { override TaintKind getTaintOfAttribute(string name) {
(name = "GET" or name = "POST") and (name = "GET" or name = "POST") and
@@ -18,14 +13,13 @@ class DjangoRequest extends TaintKind {
} }
override TaintKind getTaintOfMethodResult(string name) { override TaintKind getTaintOfMethodResult(string name) {
(name = "body" or name = "path") and (name = "body" or name = "path") and
result instanceof ExternalStringKind result instanceof ExternalStringKind
} }
} }
/* Helper for getTaintForStep() */ /* Helper for getTaintForStep() */
pragma [noinline] pragma[noinline]
private predicate subscript_taint(SubscriptNode sub, ControlFlowNode obj, TaintKind kind) { private predicate subscript_taint(SubscriptNode sub, ControlFlowNode obj, TaintKind kind) {
sub.getValue() = obj and sub.getValue() = obj and
kind instanceof ExternalStringKind kind instanceof ExternalStringKind
@@ -33,10 +27,7 @@ private predicate subscript_taint(SubscriptNode sub, ControlFlowNode obj, TaintK
/** A django.request.QueryDict object */ /** A django.request.QueryDict object */
class DjangoQueryDict extends TaintKind { class DjangoQueryDict extends TaintKind {
DjangoQueryDict() { this = "django.http.request.QueryDict" }
DjangoQueryDict() {
this = "django.http.request.QueryDict"
}
override TaintKind getTaintForFlowStep(ControlFlowNode fromnode, ControlFlowNode tonode) { override TaintKind getTaintForFlowStep(ControlFlowNode fromnode, ControlFlowNode tonode) {
this.taints(fromnode) and this.taints(fromnode) and
@@ -46,67 +37,46 @@ class DjangoQueryDict extends TaintKind {
override TaintKind getTaintOfMethodResult(string name) { override TaintKind getTaintOfMethodResult(string name) {
name = "get" and result instanceof ExternalStringKind name = "get" and result instanceof ExternalStringKind
} }
} }
abstract class DjangoRequestSource extends HttpRequestTaintSource { abstract class DjangoRequestSource extends HttpRequestTaintSource {
override string toString() { result = "Django request source" }
override string toString() { override predicate isSourceOf(TaintKind kind) { kind instanceof DjangoRequest }
result = "Django request source"
}
override predicate isSourceOf(TaintKind kind) {
kind instanceof DjangoRequest
}
} }
/** Function based views /**
* Function based views
* https://docs.djangoproject.com/en/1.11/topics/http/views/ * https://docs.djangoproject.com/en/1.11/topics/http/views/
*/ */
private class DjangoFunctionBasedViewRequestArgument extends DjangoRequestSource { private class DjangoFunctionBasedViewRequestArgument extends DjangoRequestSource {
DjangoFunctionBasedViewRequestArgument() { DjangoFunctionBasedViewRequestArgument() {
exists(FunctionValue view | exists(FunctionValue view |
url_dispatch(_, _, view) and url_dispatch(_, _, view) and
this = view.getScope().getArg(0).asName().getAFlowNode() this = view.getScope().getArg(0).asName().getAFlowNode()
) )
} }
} }
/** Class based views /**
* Class based views
* https://docs.djangoproject.com/en/1.11/topics/class-based-views/ * https://docs.djangoproject.com/en/1.11/topics/class-based-views/
*
*/ */
private class DjangoView extends ClassValue { private class DjangoView extends ClassValue {
DjangoView() { Value::named("django.views.generic.View") = this.getASuperType() }
DjangoView() {
Value::named("django.views.generic.View") = this.getASuperType()
}
} }
private FunctionValue djangoViewHttpMethod() { private FunctionValue djangoViewHttpMethod() {
exists(DjangoView view | exists(DjangoView view | view.attr(httpVerbLower()) = result)
view.attr(httpVerbLower()) = result
)
} }
class DjangoClassBasedViewRequestArgument extends DjangoRequestSource { class DjangoClassBasedViewRequestArgument extends DjangoRequestSource {
DjangoClassBasedViewRequestArgument() { DjangoClassBasedViewRequestArgument() {
this = djangoViewHttpMethod().getScope().getArg(1).asName().getAFlowNode() this = djangoViewHttpMethod().getScope().getArg(1).asName().getAFlowNode()
} }
} }
/* *********** Routing ********* */ /* *********** Routing ********* */
/* Function based views */ /* Function based views */
predicate url_dispatch(CallNode call, ControlFlowNode regex, FunctionValue view) { predicate url_dispatch(CallNode call, ControlFlowNode regex, FunctionValue view) {
exists(FunctionValue url | exists(FunctionValue url |
@@ -116,24 +86,14 @@ predicate url_dispatch(CallNode call, ControlFlowNode regex, FunctionValue view)
) )
} }
class UrlRegex extends RegexString { class UrlRegex extends RegexString {
UrlRegex() { url_dispatch(_, this.getAFlowNode(), _) }
UrlRegex() {
url_dispatch(_, this.getAFlowNode(), _)
}
} }
class UrlRouting extends CallNode { class UrlRouting extends CallNode {
UrlRouting() { url_dispatch(this, _, _) }
UrlRouting() { FunctionValue getViewFunction() { url_dispatch(this, _, result) }
url_dispatch(this, _, _)
}
FunctionValue getViewFunction() {
url_dispatch(this, _, result)
}
string getNamedArgument() { string getNamedArgument() {
exists(UrlRegex regex | exists(UrlRegex regex |
@@ -141,25 +101,20 @@ class UrlRouting extends CallNode {
regex.getGroupName(_, _) = result regex.getGroupName(_, _) = result
) )
} }
} }
/** An argument specified in a url routing table */ /** An argument specified in a url routing table */
class HttpRequestParameter extends HttpRequestTaintSource { class HttpRequestParameter extends HttpRequestTaintSource {
HttpRequestParameter() { HttpRequestParameter() {
exists(UrlRouting url | exists(UrlRouting url |
this.(ControlFlowNode).getNode() = this.(ControlFlowNode).getNode() = url
url.getViewFunction().getScope().getArgByName(url.getNamedArgument()) .getViewFunction()
.getScope()
.getArgByName(url.getNamedArgument())
) )
} }
override predicate isSourceOf(TaintKind kind) { override predicate isSourceOf(TaintKind kind) { kind instanceof ExternalStringKind }
kind instanceof ExternalStringKind
}
override string toString() { override string toString() { result = "django.http.request.parameter" }
result = "django.http.request.parameter"
}
} }


@@ -4,17 +4,13 @@ import semmle.python.security.strings.Basic
private import semmle.python.web.django.Shared private import semmle.python.web.django.Shared
private import semmle.python.web.Http private import semmle.python.web.Http
/**
/** A django.http.response.Response object * A django.http.response.Response object
* This isn't really a "taint", but we use the value tracking machinery to * This isn't really a "taint", but we use the value tracking machinery to
* track the flow of response objects. * track the flow of response objects.
*/ */
class DjangoResponse extends TaintKind { class DjangoResponse extends TaintKind {
DjangoResponse() { this = "django.response.HttpResponse" }
DjangoResponse() {
this = "django.response.HttpResponse"
}
} }
private ClassValue theDjangoHttpResponseClass() { private ClassValue theDjangoHttpResponseClass() {
@@ -24,7 +20,6 @@ private ClassValue theDjangoHttpResponseClass() {
/** Instantiation of a django response. */ /** Instantiation of a django response. */
class DjangoResponseSource extends TaintSource { class DjangoResponseSource extends TaintSource {
DjangoResponseSource() { DjangoResponseSource() {
exists(ClassValue cls | exists(ClassValue cls |
cls.getASuperType() = theDjangoHttpResponseClass() and cls.getASuperType() = theDjangoHttpResponseClass() and
@@ -34,14 +29,11 @@ class DjangoResponseSource extends TaintSource {
override predicate isSourceOf(TaintKind kind) { kind instanceof DjangoResponse } override predicate isSourceOf(TaintKind kind) { kind instanceof DjangoResponse }
override string toString() { override string toString() { result = "django.http.response.HttpResponse" }
result = "django.http.response.HttpResponse"
}
} }
/** A write to a django response, which is vulnerable to external data (xss) */ /** A write to a django response, which is vulnerable to external data (xss) */
class DjangoResponseWrite extends HttpResponseTaintSink { class DjangoResponseWrite extends HttpResponseTaintSink {
DjangoResponseWrite() { DjangoResponseWrite() {
exists(AttrNode meth, CallNode call | exists(AttrNode meth, CallNode call |
call.getFunction() = meth and call.getFunction() = meth and
@@ -50,41 +42,30 @@ class DjangoResponseWrite extends HttpResponseTaintSink {
) )
} }
override predicate sinks(TaintKind kind) { override predicate sinks(TaintKind kind) { kind instanceof StringKind }
kind instanceof StringKind
}
override string toString() {
result = "django.Response.write(...)"
}
override string toString() { result = "django.Response.write(...)" }
} }
/** An argument to initialization of a django response, which is vulnerable to external data (xss) */ /** An argument to initialization of a django response, which is vulnerable to external data (xss) */
class DjangoResponseContent extends HttpResponseTaintSink { class DjangoResponseContent extends HttpResponseTaintSink {
DjangoResponseContent() { DjangoResponseContent() {
exists(CallNode call, ClassValue cls | exists(CallNode call, ClassValue cls |
cls.getASuperType() = theDjangoHttpResponseClass() and cls.getASuperType() = theDjangoHttpResponseClass() and
call.getFunction().pointsTo(cls) | call.getFunction().pointsTo(cls)
|
call.getArg(0) = this call.getArg(0) = this
or or
call.getArgByName("content") = this call.getArgByName("content") = this
) )
} }
override predicate sinks(TaintKind kind) { override predicate sinks(TaintKind kind) { kind instanceof StringKind }
kind instanceof StringKind
}
override string toString() {
result = "django.Response(...)"
}
override string toString() { result = "django.Response(...)" }
} }
class DjangoCookieSet extends CookieSet, CallNode { class DjangoCookieSet extends CookieSet, CallNode {
DjangoCookieSet() { DjangoCookieSet() {
any(DjangoResponse r).taints(this.getFunction().(AttrNode).getObject("set_cookie")) any(DjangoResponse r).taints(this.getFunction().(AttrNode).getObject("set_cookie"))
} }
@@ -94,5 +75,4 @@ class DjangoCookieSet extends CookieSet, CallNode {
override ControlFlowNode getKey() { result = this.getArg(0) } override ControlFlowNode getKey() { result = this.getArg(0) }
override ControlFlowNode getValue() { result = this.getArg(1) } override ControlFlowNode getValue() { result = this.getArg(1) }
} }


@@ -1,7 +1,6 @@
import python import python
/*
* Sanitizers
/* Sanitizers
* No django sanitizers implemented yet. * No django sanitizers implemented yet.
*/ */


@@ -1,9 +1,7 @@
import python import python
/** django.shortcuts.redirect */ /** django.shortcuts.redirect */
FunctionValue redirect() { FunctionValue redirect() { result = Value::named("django.shortcuts.redirect") }
result = Value::named("django.shortcuts.redirect")
}
ClassValue theDjangoHttpRedirectClass() { ClassValue theDjangoHttpRedirectClass() {
result = Value::named("django.http.response.HttpResponseRedirectBase") result = Value::named("django.http.response.HttpResponseRedirectBase")