Merge pull request #2888 from RasmusWL/python-tarslip-sanitizer

Python: Improve tarslip sanitizer
2026-04-30 03:05:15 +02:00 · 2020-03-24 12:59:20 +01:00
parent 4c9a6b73ee dcfc9a8796
commit fe00d1cbf4
3 changed files with 49 additions and 2 deletions
--- a/python/ql/src/Security/CWE-022/TarSlip.ql
+++ b/python/ql/src/Security/CWE-022/TarSlip.ql
@@ -121,9 +121,19 @@ class ExtractMembersSink extends TaintSink {
 class TarFileInfoSanitizer extends Sanitizer {
    TarFileInfoSanitizer() { this = "TarInfo sanitizer" }

+    /** The test `if <path_sanitizing_test>:` clears taint on its `false` edge. */
    override predicate sanitizingEdge(TaintKind taint, PyEdgeRefinement test) {
-        path_sanitizing_test(test.getTest()) and
-        taint instanceof TarFileInfo
+        taint instanceof TarFileInfo and
+        clears_taint_on_false_edge(test.getTest(), test.getSense())
+    }
+
+    private predicate clears_taint_on_false_edge(ControlFlowNode test, boolean sense) {
+        path_sanitizing_test(test) and
+        sense = false
+        or
+        // handle `not` (also nested)
+        test.(UnaryExprNode).getNode().getOp() instanceof Not and
+        clears_taint_on_false_edge(test.(UnaryExprNode).getOperand(), sense.booleanNot())
    }
 }