hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

Apply suggestions from code review

Browse Source 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
This commit is contained in:
yoff
2020-10-14 14:08:16 +02:00
committed by GitHub
parent b0ebb5b6d1
commit ffe79f688d
4 changed files with 5 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
python/ql/src/experimental/semmle/python/Concepts.qll
View File

@@ -42,7 +42,7 @@ module SystemCommandExecution {
/**
* A data-flow node that decodes data from a binary or textual format. This
* is intended to include deserialization, unmarshalling, decoding, unpickling,
* unzipping, decrypting, parsing etc.
* decompressing, decrypting, parsing etc.
*
* Doing so should normally preserve taint, but it can also be a problem
* in itself, e.g. if it allows code execution or could result in deinal-of-service.

3
python/ql/test/experimental/library-tests/frameworks/dill/Decoding.py
View File

@@ -1,4 +1,3 @@
import dill
dill.loads(payload) # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=dill $decodeUnsafe=
dill.loads(payload, encoding='latin1') # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=dill $decodeUnsafe=
dill.loads(payload) # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=dill $decodeUnsafe

5
python/ql/test/experimental/library-tests/frameworks/stdlib/Decoding.py
View File

@@ -10,6 +10,5 @@ app = Flask(__name__)
@app.route("/")
def hello():
payload = request.args.get("payload")
pickle.loads(payload) # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=pickle $decodeUnsafe=
pickle.loads(payload, encoding='latin1') # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=pickle $decodeUnsafe=
marshal.loads(payload) # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=pickle $decodeUnsafe=
pickle.loads(payload) # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=pickle $decodeUnsafe
marshal.loads(payload) # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=pickle $decodeUnsafe

2
python/ql/test/experimental/library-tests/frameworks/yaml/Decoding.py
View File

@@ -10,5 +10,5 @@ app = Flask(__name__)
@app.route("/")
def hello():
payload = request.args.get("payload")
yaml.load(payload) # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=YAML $decodeUnsafe=
yaml.load(payload) # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=YAML $decodeUnsafe
yaml.load(payload, Loader=SafeLoader) # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=YAML