Merge pull request #4179 from RasmusWL/python-tainttracking-ala-go

Approved by tausbn, yoff

python/ql/src/experimental/Customizations.qll

@@ -0,0 +1,20 @@
+/**
+ * Contains customizations to the standard library.
+ *
+ * This module is imported by `python.qll`, so any customizations defined here automatically
+ * apply to all queries.
+ *
+ * Typical examples of customizations include adding new subclasses of abstract classes such as
+ * the `RemoteFlowSource::Range` and `AdditionalTaintStep` classes associated with the security
+ * queries to model frameworks that are not covered by the standard library.
+ */
+
+import python
+/* General import that is useful */
+// import experimental.dataflow.DataFlow
+//
+/* for extending `TaintTracking::AdditionalTaintStep` */
+// import experimental.dataflow.TaintTracking
+//
+/* for extending `RemoteFlowSource::Range` */
+// import experimental.dataflow.RemoteFlowSources

python/ql/src/experimental/dataflow/RemoteFlowSources.qll

@@ -0,0 +1,33 @@
+private import python
+private import experimental.dataflow.DataFlow
+// Need to import since frameworks can extend `RemoteFlowSource::Range`
+private import experimental.semmle.python.Frameworks
+
+/**
+ * A data flow source of remote user input.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `RemoteFlowSource::Range` instead.
+ */
+class RemoteFlowSource extends DataFlow::Node {
+  RemoteFlowSource::Range self;
+
+  RemoteFlowSource() { this = self }
+
+  /** Gets a string that describes the type of this remote flow source. */
+  string getSourceType() { result = self.getSourceType() }
+}
+
+/** Provides a class for modeling new sources of remote user input. */
+module RemoteFlowSource {
+  /**
+   * A data flow source of remote user input.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `RemoteFlowSource` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /** Gets a string that describes the type of this remote flow source. */
+    abstract string getSourceType();
+  }
+}

python/ql/src/experimental/dataflow/internal/TaintTrackingPublic.qll

@@ -6,6 +6,8 @@
 private import python
 private import TaintTrackingPrivate
 private import experimental.dataflow.DataFlow
+// Need to import since frameworks can extend `AdditionalTaintStep`
+private import experimental.semmle.python.Frameworks
 
 // Local taint flow and helpers
 /**

python/ql/src/experimental/semmle/python/Concepts.qll

@@ -0,0 +1,40 @@
+/**
+ * Provides abstract classes representing generic concepts such as file system
+ * access or system command execution, for which individual framework libraries
+ * provide concrete subclasses.
+ */
+
+import python
+private import experimental.dataflow.DataFlow
+private import experimental.semmle.python.Frameworks
+
+/**
+ * A data-flow node that executes an operating system command,
+ * for instance by spawning a new process.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `SystemCommandExecution::Range` instead.
+ */
+class SystemCommandExecution extends DataFlow::Node {
+  SystemCommandExecution::Range self;
+
+  SystemCommandExecution() { this = self }
+
+  /** Gets the argument that specifies the command to be executed. */
+  DataFlow::Node getCommand() { result = self.getCommand() }
+}
+
+/** Provides a class for modeling new system-command execution APIs. */
+module SystemCommandExecution {
+  /**
+   * A data-flow node that executes an operating system command,
+   * for instance by spawning a new process.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `SystemCommandExecution` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /** Gets the argument that specifies the command to be executed. */
+    abstract DataFlow::Node getCommand();
+  }
+}

python/ql/src/experimental/semmle/python/Frameworks.qll

@@ -0,0 +1,7 @@
+/**
+ * Helper file that imports all framework modeling.
+ */
+
+private import experimental.semmle.python.frameworks.Flask
+private import experimental.semmle.python.frameworks.Django
+private import experimental.semmle.python.frameworks.Stdlib

python/ql/src/experimental/semmle/python/frameworks/Django.qll

@@ -0,0 +1,10 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `django` package.
+ */
+
+private import python
+private import experimental.dataflow.DataFlow
+private import experimental.dataflow.RemoteFlowSources
+private import experimental.semmle.python.Concepts
+
+private module Django { }

python/ql/src/experimental/semmle/python/frameworks/Flask.qll

@@ -0,0 +1,10 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `flask` package.
+ */
+
+private import python
+private import experimental.dataflow.DataFlow
+private import experimental.dataflow.RemoteFlowSources
+private import experimental.semmle.python.Concepts
+
+private module Flask { }

python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll

@@ -0,0 +1,9 @@
+/**
+ * Provides classes modeling security-relevant aspects of the standard libraries.
+ * Note: some modeling is done internally in the dataflow/taint tracking implementation.
+ */
+
+private import python
+private import experimental.dataflow.DataFlow
+private import experimental.dataflow.RemoteFlowSources
+private import experimental.semmle.python.Concepts