mirror of
https://github.com/github/codeql.git
synced 2026-07-06 03:55:30 +02:00
Compare commits
1 Commits
codeql-cli
...
revert-140
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
0019cb10d8 |
@@ -16,11 +16,9 @@ private import semmle.python.dataflow.new.SensitiveDataSources
|
|||||||
import CleartextLoggingCustomizations::CleartextLogging
|
import CleartextLoggingCustomizations::CleartextLogging
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `CleartextLoggingFlow` module instead.
|
|
||||||
*
|
|
||||||
* A taint-tracking configuration for detecting "Clear-text logging of sensitive information".
|
* A taint-tracking configuration for detecting "Clear-text logging of sensitive information".
|
||||||
*/
|
*/
|
||||||
deprecated class Configuration extends TaintTracking::Configuration {
|
class Configuration extends TaintTracking::Configuration {
|
||||||
Configuration() { this = "CleartextLogging" }
|
Configuration() { this = "CleartextLogging" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||||
@@ -33,14 +31,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
|
|||||||
node instanceof Sanitizer
|
node instanceof Sanitizer
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private module CleartextLoggingConfig implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "Clear-text logging of sensitive information" vulnerabilities. */
|
|
||||||
module CleartextLoggingFlow = TaintTracking::Global<CleartextLoggingConfig>;
|
|
||||||
|
|||||||
@@ -16,11 +16,9 @@ private import semmle.python.dataflow.new.SensitiveDataSources
|
|||||||
import CleartextStorageCustomizations::CleartextStorage
|
import CleartextStorageCustomizations::CleartextStorage
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `CleartextStorageFlow` module instead.
|
|
||||||
*
|
|
||||||
* A taint-tracking configuration for detecting "Clear-text storage of sensitive information".
|
* A taint-tracking configuration for detecting "Clear-text storage of sensitive information".
|
||||||
*/
|
*/
|
||||||
deprecated class Configuration extends TaintTracking::Configuration {
|
class Configuration extends TaintTracking::Configuration {
|
||||||
Configuration() { this = "CleartextStorage" }
|
Configuration() { this = "CleartextStorage" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||||
@@ -33,14 +31,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
|
|||||||
node instanceof Sanitizer
|
node instanceof Sanitizer
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private module CleartextStorageConfig implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "Clear-text storage of sensitive information" vulnerabilities. */
|
|
||||||
module CleartextStorageFlow = TaintTracking::Global<CleartextStorageConfig>;
|
|
||||||
|
|||||||
@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
|
|||||||
import CodeInjectionCustomizations::CodeInjection
|
import CodeInjectionCustomizations::CodeInjection
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `CodeInjectionFlow` module instead.
|
|
||||||
*
|
|
||||||
* A taint-tracking configuration for detecting "code injection" vulnerabilities.
|
* A taint-tracking configuration for detecting "code injection" vulnerabilities.
|
||||||
*/
|
*/
|
||||||
deprecated class Configuration extends TaintTracking::Configuration {
|
class Configuration extends TaintTracking::Configuration {
|
||||||
Configuration() { this = "CodeInjection" }
|
Configuration() { this = "CodeInjection" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||||
@@ -29,14 +27,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
|
|||||||
guard instanceof SanitizerGuard
|
guard instanceof SanitizerGuard
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private module CodeInjectionConfig implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "code injection" vulnerabilities. */
|
|
||||||
module CodeInjectionFlow = TaintTracking::Global<CodeInjectionConfig>;
|
|
||||||
|
|||||||
@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
|
|||||||
import CommandInjectionCustomizations::CommandInjection
|
import CommandInjectionCustomizations::CommandInjection
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `CommandInjectionFlow` module instead.
|
|
||||||
*
|
|
||||||
* A taint-tracking configuration for detecting "command injection" vulnerabilities.
|
* A taint-tracking configuration for detecting "command injection" vulnerabilities.
|
||||||
*/
|
*/
|
||||||
deprecated class Configuration extends TaintTracking::Configuration {
|
class Configuration extends TaintTracking::Configuration {
|
||||||
Configuration() { this = "CommandInjection" }
|
Configuration() { this = "CommandInjection" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||||
@@ -29,17 +27,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
|
|||||||
guard instanceof SanitizerGuard
|
guard instanceof SanitizerGuard
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* A taint-tracking configuration for detecting "command injection" vulnerabilities.
|
|
||||||
*/
|
|
||||||
module CommandInjectionConfig implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "command injection" vulnerabilities. */
|
|
||||||
module CommandInjectionFlow = TaintTracking::Global<CommandInjectionConfig>;
|
|
||||||
|
|||||||
@@ -14,12 +14,10 @@ import semmle.python.dataflow.new.RemoteFlowSources
|
|||||||
import LdapInjectionCustomizations::LdapInjection
|
import LdapInjectionCustomizations::LdapInjection
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `LdapInjectionDnFlow` module instead.
|
|
||||||
*
|
|
||||||
* A taint-tracking configuration for detecting LDAP injection vulnerabilities
|
* A taint-tracking configuration for detecting LDAP injection vulnerabilities
|
||||||
* via the distinguished name (DN) parameter of an LDAP search.
|
* via the distinguished name (DN) parameter of an LDAP search.
|
||||||
*/
|
*/
|
||||||
deprecated class DnConfiguration extends TaintTracking::Configuration {
|
class DnConfiguration extends TaintTracking::Configuration {
|
||||||
DnConfiguration() { this = "LdapDnInjection" }
|
DnConfiguration() { this = "LdapDnInjection" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||||
@@ -33,24 +31,11 @@ deprecated class DnConfiguration extends TaintTracking::Configuration {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private module LdapInjectionDnConfig implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof DnSink }
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) { node instanceof DnSanitizer }
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "LDAP injection via the distinguished name (DN) parameter" vulnerabilities. */
|
|
||||||
module LdapInjectionDnFlow = TaintTracking::Global<LdapInjectionDnConfig>;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `LdapInjectionFilterFlow` module instead.
|
|
||||||
*
|
|
||||||
* A taint-tracking configuration for detecting LDAP injection vulnerabilities
|
* A taint-tracking configuration for detecting LDAP injection vulnerabilities
|
||||||
* via the filter parameter of an LDAP search.
|
* via the filter parameter of an LDAP search.
|
||||||
*/
|
*/
|
||||||
deprecated class FilterConfiguration extends TaintTracking::Configuration {
|
class FilterConfiguration extends TaintTracking::Configuration {
|
||||||
FilterConfiguration() { this = "LdapFilterInjection" }
|
FilterConfiguration() { this = "LdapFilterInjection" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||||
@@ -63,19 +48,3 @@ deprecated class FilterConfiguration extends TaintTracking::Configuration {
|
|||||||
guard instanceof FilterSanitizerGuard
|
guard instanceof FilterSanitizerGuard
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private module LdapInjectionFilterConfig implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof FilterSink }
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) { node instanceof FilterSanitizer }
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "LDAP injection via the filter parameter" vulnerabilities. */
|
|
||||||
module LdapInjectionFilterFlow = TaintTracking::Global<LdapInjectionFilterConfig>;
|
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "LDAP injection" vulnerabilities. */
|
|
||||||
module LdapInjectionFlow =
|
|
||||||
DataFlow::MergePathGraph<LdapInjectionDnFlow::PathNode, LdapInjectionFilterFlow::PathNode,
|
|
||||||
LdapInjectionDnFlow::PathGraph, LdapInjectionFilterFlow::PathGraph>;
|
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
/**
|
/**
|
||||||
* Provides a taint-tracking configuration for tracking "log injection" vulnerabilities.
|
* Provides a taint-tracking configuration for tracking untrusted user input used in log entries.
|
||||||
*
|
*
|
||||||
* Note, for performance reasons: only import this file if
|
* Note, for performance reasons: only import this file if
|
||||||
* `LogInjection::Configuration` is needed, otherwise
|
* `LogInjection::Configuration` is needed, otherwise
|
||||||
@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
|
|||||||
import LogInjectionCustomizations::LogInjection
|
import LogInjectionCustomizations::LogInjection
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `LogInjectionFlow` module instead.
|
|
||||||
*
|
|
||||||
* A taint-tracking configuration for tracking untrusted user input used in log entries.
|
* A taint-tracking configuration for tracking untrusted user input used in log entries.
|
||||||
*/
|
*/
|
||||||
deprecated class Configuration extends TaintTracking::Configuration {
|
class Configuration extends TaintTracking::Configuration {
|
||||||
Configuration() { this = "LogInjection" }
|
Configuration() { this = "LogInjection" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||||
@@ -29,14 +27,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
|
|||||||
guard instanceof SanitizerGuard
|
guard instanceof SanitizerGuard
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private module LogInjectionConfig implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "log injection" vulnerabilities. */
|
|
||||||
module LogInjectionFlow = TaintTracking::Global<LogInjectionConfig>;
|
|
||||||
|
|||||||
@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
|
|||||||
import PamAuthorizationCustomizations::PamAuthorizationCustomizations
|
import PamAuthorizationCustomizations::PamAuthorizationCustomizations
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `PamAuthorizationFlow` module instead.
|
|
||||||
*
|
|
||||||
* A taint-tracking configuration for detecting "PAM Authorization" vulnerabilities.
|
* A taint-tracking configuration for detecting "PAM Authorization" vulnerabilities.
|
||||||
*/
|
*/
|
||||||
deprecated class Configuration extends TaintTracking::Configuration {
|
class Configuration extends TaintTracking::Configuration {
|
||||||
Configuration() { this = "PamAuthorization" }
|
Configuration() { this = "PamAuthorization" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node node) { node instanceof Source }
|
override predicate isSource(DataFlow::Node node) { node instanceof Source }
|
||||||
@@ -39,28 +37,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
|
|||||||
exists(VulnPamAuthCall c | c.getArg(0) = node1 | node2 = c)
|
exists(VulnPamAuthCall c | c.getArg(0) = node1 | node2 = c)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private module PamAuthorizationConfig implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
|
||||||
|
|
||||||
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
|
|
||||||
// Models flow from a remotely supplied username field to a PAM `handle`.
|
|
||||||
// `retval = pam_start(service, username, byref(conv), byref(handle))`
|
|
||||||
exists(API::CallNode pamStart, DataFlow::Node handle, API::CallNode pointer |
|
|
||||||
pointer = API::moduleImport("ctypes").getMember(["pointer", "byref"]).getACall() and
|
|
||||||
pamStart = libPam().getMember("pam_start").getACall() and
|
|
||||||
pointer = pamStart.getArg(3) and
|
|
||||||
handle = pointer.getArg(0) and
|
|
||||||
pamStart.getArg(1) = node1 and
|
|
||||||
handle = node2
|
|
||||||
)
|
|
||||||
or
|
|
||||||
// Flow from handle to the authenticate call in the final step
|
|
||||||
exists(VulnPamAuthCall c | c.getArg(0) = node1 | node2 = c)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "PAM Authorization" vulnerabilities. */
|
|
||||||
module PamAuthorizationFlow = TaintTracking::Global<PamAuthorizationConfig>;
|
|
||||||
|
|||||||
@@ -13,8 +13,6 @@ import semmle.python.dataflow.new.TaintTracking
|
|||||||
import PathInjectionCustomizations::PathInjection
|
import PathInjectionCustomizations::PathInjection
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `PathInjectionFlow` module instead.
|
|
||||||
*
|
|
||||||
* A taint-tracking configuration for detecting "path injection" vulnerabilities.
|
* A taint-tracking configuration for detecting "path injection" vulnerabilities.
|
||||||
*
|
*
|
||||||
* This configuration uses two flow states, `NotNormalized` and `NormalizedUnchecked`,
|
* This configuration uses two flow states, `NotNormalized` and `NormalizedUnchecked`,
|
||||||
@@ -27,7 +25,7 @@ import PathInjectionCustomizations::PathInjection
|
|||||||
*
|
*
|
||||||
* Such checks are ineffective in the `NotNormalized` state.
|
* Such checks are ineffective in the `NotNormalized` state.
|
||||||
*/
|
*/
|
||||||
deprecated class Configuration extends TaintTracking::Configuration {
|
class Configuration extends TaintTracking::Configuration {
|
||||||
Configuration() { this = "PathInjection" }
|
Configuration() { this = "PathInjection" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
|
override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
|
||||||
@@ -76,52 +74,3 @@ class NotNormalized extends DataFlow::FlowState {
|
|||||||
class NormalizedUnchecked extends DataFlow::FlowState {
|
class NormalizedUnchecked extends DataFlow::FlowState {
|
||||||
NormalizedUnchecked() { this = "NormalizedUnchecked" }
|
NormalizedUnchecked() { this = "NormalizedUnchecked" }
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* This configuration uses two flow states, `NotNormalized` and `NormalizedUnchecked`,
|
|
||||||
* to track the requirement that a file path must be first normalized and then checked
|
|
||||||
* before it is safe to use.
|
|
||||||
*
|
|
||||||
* At sources, paths are assumed not normalized. At normalization points, they change
|
|
||||||
* state to `NormalizedUnchecked` after which they can be made safe by an appropriate
|
|
||||||
* check of the prefix.
|
|
||||||
*
|
|
||||||
* Such checks are ineffective in the `NotNormalized` state.
|
|
||||||
*/
|
|
||||||
module PathInjectionConfig implements DataFlow::StateConfigSig {
|
|
||||||
class FlowState = DataFlow::FlowState;
|
|
||||||
|
|
||||||
predicate isSource(DataFlow::Node source, FlowState state) {
|
|
||||||
source instanceof Source and state instanceof NotNormalized
|
|
||||||
}
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink, FlowState state) {
|
|
||||||
sink instanceof Sink and
|
|
||||||
(
|
|
||||||
state instanceof NotNormalized or
|
|
||||||
state instanceof NormalizedUnchecked
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node, FlowState state) {
|
|
||||||
// Block `NotNormalized` paths here, since they change state to `NormalizedUnchecked`
|
|
||||||
node instanceof Path::PathNormalization and
|
|
||||||
state instanceof NotNormalized
|
|
||||||
or
|
|
||||||
node instanceof Path::SafeAccessCheck and
|
|
||||||
state instanceof NormalizedUnchecked
|
|
||||||
}
|
|
||||||
|
|
||||||
predicate isAdditionalFlowStep(
|
|
||||||
DataFlow::Node nodeFrom, FlowState stateFrom, DataFlow::Node nodeTo, FlowState stateTo
|
|
||||||
) {
|
|
||||||
nodeFrom = nodeTo.(Path::PathNormalization).getPathArg() and
|
|
||||||
stateFrom instanceof NotNormalized and
|
|
||||||
stateTo instanceof NormalizedUnchecked
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "path injection" vulnerabilities. */
|
|
||||||
module PathInjectionFlow = TaintTracking::GlobalWithState<PathInjectionConfig>;
|
|
||||||
|
|||||||
@@ -6,6 +6,7 @@
|
|||||||
|
|
||||||
private import python
|
private import python
|
||||||
private import semmle.python.dataflow.new.DataFlow
|
private import semmle.python.dataflow.new.DataFlow
|
||||||
|
private import semmle.python.dataflow.new.DataFlow2
|
||||||
private import semmle.python.dataflow.new.TaintTracking
|
private import semmle.python.dataflow.new.TaintTracking
|
||||||
private import semmle.python.Concepts
|
private import semmle.python.Concepts
|
||||||
private import semmle.python.dataflow.new.RemoteFlowSources
|
private import semmle.python.dataflow.new.RemoteFlowSources
|
||||||
|
|||||||
@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
|
|||||||
import PolynomialReDoSCustomizations::PolynomialReDoS
|
import PolynomialReDoSCustomizations::PolynomialReDoS
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `PolynomialReDoSFlow` module instead.
|
|
||||||
*
|
|
||||||
* A taint-tracking configuration for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities.
|
* A taint-tracking configuration for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities.
|
||||||
*/
|
*/
|
||||||
deprecated class Configuration extends TaintTracking::Configuration {
|
class Configuration extends TaintTracking::Configuration {
|
||||||
Configuration() { this = "PolynomialReDoS" }
|
Configuration() { this = "PolynomialReDoS" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||||
@@ -29,14 +27,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
|
|||||||
guard instanceof SanitizerGuard
|
guard instanceof SanitizerGuard
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities. */
|
|
||||||
module PolynomialReDoSFlow = TaintTracking::Global<PolynomialReDoSConfig>;
|
|
||||||
|
|||||||
@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
|
|||||||
import ReflectedXSSCustomizations::ReflectedXss
|
import ReflectedXSSCustomizations::ReflectedXss
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `ReflectedXssFlow` module instead.
|
|
||||||
*
|
|
||||||
* A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
|
* A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
|
||||||
*/
|
*/
|
||||||
deprecated class Configuration extends TaintTracking::Configuration {
|
class Configuration extends TaintTracking::Configuration {
|
||||||
Configuration() { this = "ReflectedXSS" }
|
Configuration() { this = "ReflectedXSS" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||||
@@ -29,14 +27,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
|
|||||||
guard instanceof SanitizerGuard
|
guard instanceof SanitizerGuard
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private module ReflectedXssConfig implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "reflected server-side cross-site scripting" vulnerabilities. */
|
|
||||||
module ReflectedXssFlow = TaintTracking::Global<ReflectedXssConfig>;
|
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
/**
|
/**
|
||||||
* Provides a taint-tracking configuration for detecting "regular expression injection"
|
* Provides a taint-tracking configuration for detecting regular expression injection
|
||||||
* vulnerabilities.
|
* vulnerabilities.
|
||||||
*
|
*
|
||||||
* Note, for performance reasons: only import this file if
|
* Note, for performance reasons: only import this file if
|
||||||
@@ -13,11 +13,9 @@ import semmle.python.dataflow.new.TaintTracking
|
|||||||
import RegexInjectionCustomizations::RegexInjection
|
import RegexInjectionCustomizations::RegexInjection
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `RegexInjectionFlow` module instead.
|
|
||||||
*
|
|
||||||
* A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
|
* A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
|
||||||
*/
|
*/
|
||||||
deprecated class Configuration extends TaintTracking::Configuration {
|
class Configuration extends TaintTracking::Configuration {
|
||||||
Configuration() { this = "RegexInjection" }
|
Configuration() { this = "RegexInjection" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||||
@@ -30,14 +28,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
|
|||||||
guard instanceof SanitizerGuard
|
guard instanceof SanitizerGuard
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private module RegexInjectionConfig implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "regular expression injection" vulnerabilities. */
|
|
||||||
module RegexInjectionFlow = TaintTracking::Global<RegexInjectionConfig>;
|
|
||||||
|
|||||||
@@ -13,8 +13,6 @@ import semmle.python.Concepts
|
|||||||
import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery
|
import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `FullServerSideRequestForgeryFlow` module instead.
|
|
||||||
*
|
|
||||||
* A taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
|
* A taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
|
||||||
*
|
*
|
||||||
* This configuration has a sanitizer to limit results to cases where attacker has full control of URL.
|
* This configuration has a sanitizer to limit results to cases where attacker has full control of URL.
|
||||||
@@ -23,7 +21,7 @@ import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery
|
|||||||
* You should use the `fullyControlledRequest` to only select results where all
|
* You should use the `fullyControlledRequest` to only select results where all
|
||||||
* URL parts are fully controlled.
|
* URL parts are fully controlled.
|
||||||
*/
|
*/
|
||||||
deprecated class FullServerSideRequestForgeryConfiguration extends TaintTracking::Configuration {
|
class FullServerSideRequestForgeryConfiguration extends TaintTracking::Configuration {
|
||||||
FullServerSideRequestForgeryConfiguration() { this = "FullServerSideRequestForgery" }
|
FullServerSideRequestForgeryConfiguration() { this = "FullServerSideRequestForgery" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||||
@@ -41,51 +39,24 @@ deprecated class FullServerSideRequestForgeryConfiguration extends TaintTracking
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* This configuration has a sanitizer to limit results to cases where attacker has full control of URL.
|
|
||||||
* See `PartialServerSideRequestForgery` for a variant without this requirement.
|
|
||||||
*
|
|
||||||
* You should use the `fullyControlledRequest` to only select results where all
|
|
||||||
* URL parts are fully controlled.
|
|
||||||
*/
|
|
||||||
private module FullServerSideRequestForgeryConfig implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) {
|
|
||||||
node instanceof Sanitizer
|
|
||||||
or
|
|
||||||
node instanceof FullUrlControlSanitizer
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Global taint-tracking for detecting "Full server-side request forgery" vulnerabilities.
|
|
||||||
*
|
|
||||||
* You should use the `fullyControlledRequest` to only select results where all
|
|
||||||
* URL parts are fully controlled.
|
|
||||||
*/
|
|
||||||
module FullServerSideRequestForgeryFlow = TaintTracking::Global<FullServerSideRequestForgeryConfig>;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds if all URL parts of `request` is fully user controlled.
|
* Holds if all URL parts of `request` is fully user controlled.
|
||||||
*/
|
*/
|
||||||
predicate fullyControlledRequest(Http::Client::Request request) {
|
predicate fullyControlledRequest(Http::Client::Request request) {
|
||||||
forall(DataFlow::Node urlPart | urlPart = request.getAUrlPart() |
|
exists(FullServerSideRequestForgeryConfiguration fullConfig |
|
||||||
FullServerSideRequestForgeryFlow::flow(_, urlPart)
|
forall(DataFlow::Node urlPart | urlPart = request.getAUrlPart() |
|
||||||
|
fullConfig.hasFlow(_, urlPart)
|
||||||
|
)
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `FullServerSideRequestForgeryFlow` module instead.
|
|
||||||
*
|
|
||||||
* A taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
|
* A taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
|
||||||
*
|
*
|
||||||
* This configuration has results, even when the attacker does not have full control over the URL.
|
* This configuration has results, even when the attacker does not have full control over the URL.
|
||||||
* See `FullServerSideRequestForgeryConfiguration`, and the `fullyControlledRequest` predicate.
|
* See `FullServerSideRequestForgeryConfiguration`, and the `fullyControlledRequest` predicate.
|
||||||
*/
|
*/
|
||||||
deprecated class PartialServerSideRequestForgeryConfiguration extends TaintTracking::Configuration {
|
class PartialServerSideRequestForgeryConfiguration extends TaintTracking::Configuration {
|
||||||
PartialServerSideRequestForgeryConfiguration() { this = "PartialServerSideRequestForgery" }
|
PartialServerSideRequestForgeryConfiguration() { this = "PartialServerSideRequestForgery" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||||
@@ -98,21 +69,3 @@ deprecated class PartialServerSideRequestForgeryConfiguration extends TaintTrack
|
|||||||
guard instanceof SanitizerGuard
|
guard instanceof SanitizerGuard
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* This configuration has results, even when the attacker does not have full control over the URL.
|
|
||||||
* See `FullServerSideRequestForgeryConfiguration`, and the `fullyControlledRequest` predicate.
|
|
||||||
*/
|
|
||||||
private module PartialServerSideRequestForgeryConfig implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Global taint-tracking for detecting "partial server-side request forgery" vulnerabilities.
|
|
||||||
*/
|
|
||||||
module PartialServerSideRequestForgeryFlow =
|
|
||||||
TaintTracking::Global<PartialServerSideRequestForgeryConfig>;
|
|
||||||
|
|||||||
@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
|
|||||||
import SqlInjectionCustomizations::SqlInjection
|
import SqlInjectionCustomizations::SqlInjection
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `SqlInjectionFlow` module instead.
|
|
||||||
*
|
|
||||||
* A taint-tracking configuration for detecting "SQL injection" vulnerabilities.
|
* A taint-tracking configuration for detecting "SQL injection" vulnerabilities.
|
||||||
*/
|
*/
|
||||||
deprecated class Configuration extends TaintTracking::Configuration {
|
class Configuration extends TaintTracking::Configuration {
|
||||||
Configuration() { this = "SqlInjection" }
|
Configuration() { this = "SqlInjection" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||||
@@ -29,14 +27,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
|
|||||||
guard instanceof SanitizerGuard
|
guard instanceof SanitizerGuard
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private module SqlInjectionConfig implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "SQL injection" vulnerabilities. */
|
|
||||||
module SqlInjectionFlow = TaintTracking::Global<SqlInjectionConfig>;
|
|
||||||
|
|||||||
@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
|
|||||||
import StackTraceExposureCustomizations::StackTraceExposure
|
import StackTraceExposureCustomizations::StackTraceExposure
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `StackTraceExposureFlow` module instead.
|
|
||||||
*
|
|
||||||
* A taint-tracking configuration for detecting "stack trace exposure" vulnerabilities.
|
* A taint-tracking configuration for detecting "stack trace exposure" vulnerabilities.
|
||||||
*/
|
*/
|
||||||
deprecated class Configuration extends TaintTracking::Configuration {
|
class Configuration extends TaintTracking::Configuration {
|
||||||
Configuration() { this = "StackTraceExposure" }
|
Configuration() { this = "StackTraceExposure" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||||
@@ -38,23 +36,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
|
|||||||
)
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private module StackTraceExposureConfig implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
|
||||||
|
|
||||||
// A stack trace is accessible as the `__traceback__` attribute of a caught exception.
|
|
||||||
// see https://docs.python.org/3/reference/datamodel.html#traceback-objects
|
|
||||||
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
|
|
||||||
exists(DataFlow::AttrRead attr | attr.getAttributeName() = "__traceback__" |
|
|
||||||
nodeFrom = attr.getObject() and
|
|
||||||
nodeTo = attr
|
|
||||||
)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "stack trace exposure" vulnerabilities. */
|
|
||||||
module StackTraceExposureFlow = TaintTracking::Global<StackTraceExposureConfig>;
|
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
/**
|
/**
|
||||||
* Provides a taint-tracking configuration for detecting "tar slip" vulnerabilities.
|
* Provides a taint-tracking configuration for detecting "command injection" vulnerabilities.
|
||||||
*
|
*
|
||||||
* Note, for performance reasons: only import this file if
|
* Note, for performance reasons: only import this file if
|
||||||
* `TarSlip::Configuration` is needed, otherwise
|
* `TarSlip::Configuration` is needed, otherwise
|
||||||
@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
|
|||||||
import TarSlipCustomizations::TarSlip
|
import TarSlipCustomizations::TarSlip
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `TarSlipFlow` module instead.
|
* A taint-tracking configuration for detecting "command injection" vulnerabilities.
|
||||||
*
|
|
||||||
* A taint-tracking configuration for detecting "tar slip" vulnerabilities.
|
|
||||||
*/
|
*/
|
||||||
deprecated class Configuration extends TaintTracking::Configuration {
|
class Configuration extends TaintTracking::Configuration {
|
||||||
Configuration() { this = "TarSlip" }
|
Configuration() { this = "TarSlip" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||||
@@ -25,14 +23,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
|
|||||||
|
|
||||||
override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
|
override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
|
||||||
}
|
}
|
||||||
|
|
||||||
private module TarSlipConfig implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "tar slip" vulnerabilities. */
|
|
||||||
module TarSlipFlow = TaintTracking::Global<TarSlipConfig>;
|
|
||||||
|
|||||||
@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
|
|||||||
import UnsafeDeserializationCustomizations::UnsafeDeserialization
|
import UnsafeDeserializationCustomizations::UnsafeDeserialization
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `UnsafeDeserializationFlow` module instead.
|
|
||||||
*
|
|
||||||
* A taint-tracking configuration for detecting "code execution from deserialization" vulnerabilities.
|
* A taint-tracking configuration for detecting "code execution from deserialization" vulnerabilities.
|
||||||
*/
|
*/
|
||||||
deprecated class Configuration extends TaintTracking::Configuration {
|
class Configuration extends TaintTracking::Configuration {
|
||||||
Configuration() { this = "UnsafeDeserialization" }
|
Configuration() { this = "UnsafeDeserialization" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||||
@@ -29,14 +27,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
|
|||||||
guard instanceof SanitizerGuard
|
guard instanceof SanitizerGuard
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "code execution from deserialization" vulnerabilities. */
|
|
||||||
module UnsafeDeserializationFlow = TaintTracking::Global<UnsafeDeserializationConfig>;
|
|
||||||
|
|||||||
@@ -14,11 +14,9 @@ private import CommandInjectionCustomizations::CommandInjection as CommandInject
|
|||||||
private import semmle.python.dataflow.new.BarrierGuards
|
private import semmle.python.dataflow.new.BarrierGuards
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `UnsafeShellCommandConstructionFlow` module instead.
|
|
||||||
*
|
|
||||||
* A taint-tracking configuration for detecting shell command constructed from library input vulnerabilities.
|
* A taint-tracking configuration for detecting shell command constructed from library input vulnerabilities.
|
||||||
*/
|
*/
|
||||||
deprecated class Configuration extends TaintTracking::Configuration {
|
class Configuration extends TaintTracking::Configuration {
|
||||||
Configuration() { this = "UnsafeShellCommandConstruction" }
|
Configuration() { this = "UnsafeShellCommandConstruction" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||||
@@ -35,23 +33,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
|
|||||||
result instanceof DataFlow::FeatureHasSourceCallContext
|
result instanceof DataFlow::FeatureHasSourceCallContext
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* A taint-tracking configuration for detecting "shell command constructed from library input" vulnerabilities.
|
|
||||||
*/
|
|
||||||
module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) {
|
|
||||||
node instanceof CommandInjection::Sanitizer // using all sanitizers from `py/command-injection`
|
|
||||||
}
|
|
||||||
|
|
||||||
// override to require the path doesn't have unmatched return steps
|
|
||||||
DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "shell command constructed from library input" vulnerabilities. */
|
|
||||||
module UnsafeShellCommandConstructionFlow =
|
|
||||||
TaintTracking::Global<UnsafeShellCommandConstructionConfig>;
|
|
||||||
|
|||||||
@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
|
|||||||
import UrlRedirectCustomizations::UrlRedirect
|
import UrlRedirectCustomizations::UrlRedirect
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `UrlRedirectFlow` module instead.
|
|
||||||
*
|
|
||||||
* A taint-tracking configuration for detecting "URL redirection" vulnerabilities.
|
* A taint-tracking configuration for detecting "URL redirection" vulnerabilities.
|
||||||
*/
|
*/
|
||||||
deprecated class Configuration extends TaintTracking::Configuration {
|
class Configuration extends TaintTracking::Configuration {
|
||||||
Configuration() { this = "UrlRedirect" }
|
Configuration() { this = "UrlRedirect" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||||
@@ -29,14 +27,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
|
|||||||
guard instanceof SanitizerGuard
|
guard instanceof SanitizerGuard
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private module UrlRedirectConfig implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "URL redirection" vulnerabilities. */
|
|
||||||
module UrlRedirectFlow = TaintTracking::Global<UrlRedirectConfig>;
|
|
||||||
|
|||||||
@@ -24,12 +24,10 @@ module NormalHashFunction {
|
|||||||
import WeakSensitiveDataHashingCustomizations::NormalHashFunction
|
import WeakSensitiveDataHashingCustomizations::NormalHashFunction
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `Flow` module instead.
|
|
||||||
*
|
|
||||||
* A taint-tracking configuration for detecting use of a broken or weak
|
* A taint-tracking configuration for detecting use of a broken or weak
|
||||||
* cryptographic hashing algorithm on sensitive data.
|
* cryptographic hashing algorithm on sensitive data.
|
||||||
*/
|
*/
|
||||||
deprecated class Configuration extends TaintTracking::Configuration {
|
class Configuration extends TaintTracking::Configuration {
|
||||||
Configuration() { this = "NormalHashFunction" }
|
Configuration() { this = "NormalHashFunction" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||||
@@ -46,21 +44,6 @@ module NormalHashFunction {
|
|||||||
sensitiveDataExtraStepForCalls(node1, node2)
|
sensitiveDataExtraStepForCalls(node1, node2)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private module Config implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
|
||||||
|
|
||||||
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
|
|
||||||
sensitiveDataExtraStepForCalls(node1, node2)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on sensitive data" vulnerabilities. */
|
|
||||||
module Flow = TaintTracking::Global<Config>;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -74,15 +57,13 @@ module ComputationallyExpensiveHashFunction {
|
|||||||
import WeakSensitiveDataHashingCustomizations::ComputationallyExpensiveHashFunction
|
import WeakSensitiveDataHashingCustomizations::ComputationallyExpensiveHashFunction
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `Flow` module instead.
|
|
||||||
*
|
|
||||||
* A taint-tracking configuration for detecting use of a broken or weak
|
* A taint-tracking configuration for detecting use of a broken or weak
|
||||||
* cryptographic hashing algorithm on passwords.
|
* cryptographic hashing algorithm on passwords.
|
||||||
*
|
*
|
||||||
* Passwords has stricter requirements on the hashing algorithm used (must be
|
* Passwords has stricter requirements on the hashing algorithm used (must be
|
||||||
* computationally expensive to prevent brute-force attacks).
|
* computationally expensive to prevent brute-force attacks).
|
||||||
*/
|
*/
|
||||||
deprecated class Configuration extends TaintTracking::Configuration {
|
class Configuration extends TaintTracking::Configuration {
|
||||||
Configuration() { this = "ComputationallyExpensiveHashFunction" }
|
Configuration() { this = "ComputationallyExpensiveHashFunction" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||||
@@ -99,49 +80,4 @@ module ComputationallyExpensiveHashFunction {
|
|||||||
sensitiveDataExtraStepForCalls(node1, node2)
|
sensitiveDataExtraStepForCalls(node1, node2)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Passwords has stricter requirements on the hashing algorithm used (must be
|
|
||||||
* computationally expensive to prevent brute-force attacks).
|
|
||||||
*/
|
|
||||||
private module Config implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
|
||||||
|
|
||||||
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
|
|
||||||
sensitiveDataExtraStepForCalls(node1, node2)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on passwords" vulnerabilities. */
|
|
||||||
module Flow = TaintTracking::Global<Config>;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Global taint-tracking for detecting both variants of "use of a broken or weak
|
|
||||||
* cryptographic hashing algorithm on sensitive data" vulnerabilities.
|
|
||||||
*
|
|
||||||
* See convenience predicates `normalHashFunctionFlowPath` and
|
|
||||||
* `computationallyExpensiveHashFunctionFlowPath`.
|
|
||||||
*/
|
|
||||||
module WeakSensitiveDataHashingFlow =
|
|
||||||
DataFlow::MergePathGraph<NormalHashFunction::Flow::PathNode,
|
|
||||||
ComputationallyExpensiveHashFunction::Flow::PathNode, NormalHashFunction::Flow::PathGraph,
|
|
||||||
ComputationallyExpensiveHashFunction::Flow::PathGraph>;
|
|
||||||
|
|
||||||
/** Holds if data can flow from `source` to `sink` with `NormalHashFunction::Flow`. */
|
|
||||||
predicate normalHashFunctionFlowPath(
|
|
||||||
WeakSensitiveDataHashingFlow::PathNode source, WeakSensitiveDataHashingFlow::PathNode sink
|
|
||||||
) {
|
|
||||||
NormalHashFunction::Flow::flowPath(source.asPathNode1(), sink.asPathNode1())
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Holds if data can flow from `source` to `sink` with `ComputationallyExpensiveHashFunction::Flow`. */
|
|
||||||
predicate computationallyExpensiveHashFunctionFlowPath(
|
|
||||||
WeakSensitiveDataHashingFlow::PathNode source, WeakSensitiveDataHashingFlow::PathNode sink
|
|
||||||
) {
|
|
||||||
ComputationallyExpensiveHashFunction::Flow::flowPath(source.asPathNode2(), sink.asPathNode2())
|
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
|
|||||||
import XmlBombCustomizations::XmlBomb
|
import XmlBombCustomizations::XmlBomb
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `XmlBombFlow` module instead.
|
|
||||||
*
|
|
||||||
* A taint-tracking configuration for detecting "XML bomb" vulnerabilities.
|
* A taint-tracking configuration for detecting "XML bomb" vulnerabilities.
|
||||||
*/
|
*/
|
||||||
deprecated class Configuration extends TaintTracking::Configuration {
|
class Configuration extends TaintTracking::Configuration {
|
||||||
Configuration() { this = "XmlBomb" }
|
Configuration() { this = "XmlBomb" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||||
@@ -28,14 +26,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
|
|||||||
node instanceof Sanitizer
|
node instanceof Sanitizer
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private module XmlBombConfig implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "XML bomb" vulnerabilities. */
|
|
||||||
module XmlBombFlow = TaintTracking::Global<XmlBombConfig>;
|
|
||||||
|
|||||||
@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
|
|||||||
import XpathInjectionCustomizations::XpathInjection
|
import XpathInjectionCustomizations::XpathInjection
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `XpathInjectionFlow` module instead.
|
|
||||||
*
|
|
||||||
* A taint-tracking configuration for detecting "Xpath Injection" vulnerabilities.
|
* A taint-tracking configuration for detecting "Xpath Injection" vulnerabilities.
|
||||||
*/
|
*/
|
||||||
deprecated class Configuration extends TaintTracking::Configuration {
|
class Configuration extends TaintTracking::Configuration {
|
||||||
Configuration() { this = "Xpath Injection" }
|
Configuration() { this = "Xpath Injection" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||||
@@ -29,14 +27,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
|
|||||||
guard instanceof SanitizerGuard
|
guard instanceof SanitizerGuard
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private module XpathInjectionConfig implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "Xpath Injection" vulnerabilities. */
|
|
||||||
module XpathInjectionFlow = TaintTracking::Global<XpathInjectionConfig>;
|
|
||||||
|
|||||||
@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
|
|||||||
import XxeCustomizations::Xxe
|
import XxeCustomizations::Xxe
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `XxeFlow` module instead.
|
|
||||||
*
|
|
||||||
* A taint-tracking configuration for detecting "XML External Entity (XXE)" vulnerabilities.
|
* A taint-tracking configuration for detecting "XML External Entity (XXE)" vulnerabilities.
|
||||||
*/
|
*/
|
||||||
deprecated class Configuration extends TaintTracking::Configuration {
|
class Configuration extends TaintTracking::Configuration {
|
||||||
Configuration() { this = "Xxe" }
|
Configuration() { this = "Xxe" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||||
@@ -28,14 +26,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
|
|||||||
node instanceof Sanitizer
|
node instanceof Sanitizer
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private module XxeConfig implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "XML External Entity (XXE)" vulnerabilities. */
|
|
||||||
module XxeFlow = TaintTracking::Global<XxeConfig>;
|
|
||||||
|
|||||||
@@ -13,11 +13,11 @@
|
|||||||
|
|
||||||
import python
|
import python
|
||||||
import semmle.python.functions.ModificationOfParameterWithDefault
|
import semmle.python.functions.ModificationOfParameterWithDefault
|
||||||
import ModificationOfParameterWithDefault::Flow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from
|
from
|
||||||
ModificationOfParameterWithDefault::Flow::PathNode source,
|
ModificationOfParameterWithDefault::Configuration config, DataFlow::PathNode source,
|
||||||
ModificationOfParameterWithDefault::Flow::PathNode sink
|
DataFlow::PathNode sink
|
||||||
where ModificationOfParameterWithDefault::Flow::flowPath(source, sink)
|
where config.hasFlowPath(source, sink)
|
||||||
select sink.getNode(), source, sink, "This expression mutates a $@.", source.getNode(),
|
select sink.getNode(), source, sink, "This expression mutates a $@.", source.getNode(),
|
||||||
"default value"
|
"default value"
|
||||||
|
|||||||
@@ -167,12 +167,8 @@ class ExternalApiDataNode extends DataFlow::Node {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
|
||||||
* DEPRECATED: Use `XmlBombFlow` module instead.
|
class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
|
||||||
*
|
|
||||||
* A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s.
|
|
||||||
*/
|
|
||||||
deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
|
|
||||||
UntrustedDataToExternalApiConfig() { this = "UntrustedDataToExternalAPIConfig" }
|
UntrustedDataToExternalApiConfig() { this = "UntrustedDataToExternalAPIConfig" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||||
@@ -180,21 +176,14 @@ deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configu
|
|||||||
override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
|
override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
|
||||||
}
|
}
|
||||||
|
|
||||||
private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
|
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Global taint-tracking from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
|
|
||||||
module UntrustedDataToExternalApiFlow = TaintTracking::Global<UntrustedDataToExternalApiConfig>;
|
|
||||||
|
|
||||||
/** A node representing untrusted data being passed to an external API. */
|
/** A node representing untrusted data being passed to an external API. */
|
||||||
class UntrustedExternalApiDataNode extends ExternalApiDataNode {
|
class UntrustedExternalApiDataNode extends ExternalApiDataNode {
|
||||||
UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flow(_, this) }
|
UntrustedExternalApiDataNode() { any(UntrustedDataToExternalApiConfig c).hasFlow(_, this) }
|
||||||
|
|
||||||
/** Gets a source of untrusted data which is passed to this external API data node. */
|
/** Gets a source of untrusted data which is passed to this external API data node. */
|
||||||
DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) }
|
DataFlow::Node getAnUntrustedSource() {
|
||||||
|
any(UntrustedDataToExternalApiConfig c).hasFlow(result, this)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/** An external API which is used with untrusted data. */
|
/** An external API which is used with untrusted data. */
|
||||||
|
|||||||
@@ -11,14 +11,14 @@
|
|||||||
|
|
||||||
import python
|
import python
|
||||||
import ExternalAPIs
|
import ExternalAPIs
|
||||||
import UntrustedDataToExternalApiFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from
|
from
|
||||||
UntrustedDataToExternalApiFlow::PathNode source, UntrustedDataToExternalApiFlow::PathNode sink,
|
UntrustedDataToExternalApiConfig config, DataFlow::PathNode source, DataFlow::PathNode sink,
|
||||||
ExternalApiUsedWithUntrustedData externalApi
|
ExternalApiUsedWithUntrustedData externalApi
|
||||||
where
|
where
|
||||||
sink.getNode() = externalApi.getUntrustedDataNode() and
|
sink.getNode() = externalApi.getUntrustedDataNode() and
|
||||||
UntrustedDataToExternalApiFlow::flowPath(source, sink)
|
config.hasFlowPath(source, sink)
|
||||||
select sink.getNode(), source, sink,
|
select sink.getNode(), source, sink,
|
||||||
"Call to " + externalApi.toString() + " with untrusted data from $@.", source.getNode(),
|
"Call to " + externalApi.toString() + " with untrusted data from $@.", source.getNode(),
|
||||||
source.toString()
|
source.toString()
|
||||||
|
|||||||
@@ -18,9 +18,9 @@
|
|||||||
|
|
||||||
import python
|
import python
|
||||||
import semmle.python.security.dataflow.PathInjectionQuery
|
import semmle.python.security.dataflow.PathInjectionQuery
|
||||||
import PathInjectionFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from PathInjectionFlow::PathNode source, PathInjectionFlow::PathNode sink
|
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
where PathInjectionFlow::flowPath(source, sink)
|
where config.hasFlowPath(source, sink)
|
||||||
select sink.getNode(), source, sink, "This path depends on a $@.", source.getNode(),
|
select sink.getNode(), source, sink, "This path depends on a $@.", source.getNode(),
|
||||||
"user-provided value"
|
"user-provided value"
|
||||||
|
|||||||
@@ -14,9 +14,9 @@
|
|||||||
|
|
||||||
import python
|
import python
|
||||||
import semmle.python.security.dataflow.TarSlipQuery
|
import semmle.python.security.dataflow.TarSlipQuery
|
||||||
import TarSlipFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from TarSlipFlow::PathNode source, TarSlipFlow::PathNode sink
|
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
where TarSlipFlow::flowPath(source, sink)
|
where config.hasFlowPath(source, sink)
|
||||||
select sink.getNode(), source, sink, "This file extraction depends on a $@.", source.getNode(),
|
select sink.getNode(), source, sink, "This file extraction depends on a $@.", source.getNode(),
|
||||||
"potentially untrusted source"
|
"potentially untrusted source"
|
||||||
|
|||||||
@@ -16,9 +16,9 @@
|
|||||||
|
|
||||||
import python
|
import python
|
||||||
import semmle.python.security.dataflow.CommandInjectionQuery
|
import semmle.python.security.dataflow.CommandInjectionQuery
|
||||||
import CommandInjectionFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink
|
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
where CommandInjectionFlow::flowPath(source, sink)
|
where config.hasFlowPath(source, sink)
|
||||||
select sink.getNode(), source, sink, "This command line depends on a $@.", source.getNode(),
|
select sink.getNode(), source, sink, "This command line depends on a $@.", source.getNode(),
|
||||||
"user-provided value"
|
"user-provided value"
|
||||||
|
|||||||
@@ -16,13 +16,11 @@
|
|||||||
|
|
||||||
import python
|
import python
|
||||||
import semmle.python.security.dataflow.UnsafeShellCommandConstructionQuery
|
import semmle.python.security.dataflow.UnsafeShellCommandConstructionQuery
|
||||||
import UnsafeShellCommandConstructionFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from
|
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, Sink sinkNode
|
||||||
UnsafeShellCommandConstructionFlow::PathNode source,
|
|
||||||
UnsafeShellCommandConstructionFlow::PathNode sink, Sink sinkNode
|
|
||||||
where
|
where
|
||||||
UnsafeShellCommandConstructionFlow::flowPath(source, sink) and
|
config.hasFlowPath(source, sink) and
|
||||||
sinkNode = sink.getNode()
|
sinkNode = sink.getNode()
|
||||||
select sinkNode.getStringConstruction(), source, sink,
|
select sinkNode.getStringConstruction(), source, sink,
|
||||||
"This " + sinkNode.describe() + " which depends on $@ is later used in a $@.", source.getNode(),
|
"This " + sinkNode.describe() + " which depends on $@ is later used in a $@.", source.getNode(),
|
||||||
|
|||||||
@@ -15,9 +15,9 @@
|
|||||||
|
|
||||||
import python
|
import python
|
||||||
import semmle.python.security.dataflow.ReflectedXssQuery
|
import semmle.python.security.dataflow.ReflectedXssQuery
|
||||||
import ReflectedXssFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from ReflectedXssFlow::PathNode source, ReflectedXssFlow::PathNode sink
|
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
where ReflectedXssFlow::flowPath(source, sink)
|
where config.hasFlowPath(source, sink)
|
||||||
select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to a $@.",
|
select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to a $@.",
|
||||||
source.getNode(), "user-provided value"
|
source.getNode(), "user-provided value"
|
||||||
|
|||||||
@@ -13,9 +13,9 @@
|
|||||||
|
|
||||||
import python
|
import python
|
||||||
import semmle.python.security.dataflow.SqlInjectionQuery
|
import semmle.python.security.dataflow.SqlInjectionQuery
|
||||||
import SqlInjectionFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from SqlInjectionFlow::PathNode source, SqlInjectionFlow::PathNode sink
|
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
where SqlInjectionFlow::flowPath(source, sink)
|
where config.hasFlowPath(source, sink)
|
||||||
select sink.getNode(), source, sink, "This SQL query depends on a $@.", source.getNode(),
|
select sink.getNode(), source, sink, "This SQL query depends on a $@.", source.getNode(),
|
||||||
"user-provided value"
|
"user-provided value"
|
||||||
|
|||||||
@@ -14,14 +14,14 @@
|
|||||||
// Determine precision above
|
// Determine precision above
|
||||||
import python
|
import python
|
||||||
import semmle.python.security.dataflow.LdapInjectionQuery
|
import semmle.python.security.dataflow.LdapInjectionQuery
|
||||||
import LdapInjectionFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from LdapInjectionFlow::PathNode source, LdapInjectionFlow::PathNode sink, string parameterName
|
from DataFlow::PathNode source, DataFlow::PathNode sink, string parameterName
|
||||||
where
|
where
|
||||||
LdapInjectionDnFlow::flowPath(source.asPathNode1(), sink.asPathNode1()) and
|
any(DnConfiguration dnConfig).hasFlowPath(source, sink) and
|
||||||
parameterName = "DN"
|
parameterName = "DN"
|
||||||
or
|
or
|
||||||
LdapInjectionFilterFlow::flowPath(source.asPathNode2(), sink.asPathNode2()) and
|
any(FilterConfiguration filterConfig).hasFlowPath(source, sink) and
|
||||||
parameterName = "filter"
|
parameterName = "filter"
|
||||||
select sink.getNode(), source, sink,
|
select sink.getNode(), source, sink,
|
||||||
"LDAP query parameter (" + parameterName + ") depends on a $@.", source.getNode(),
|
"LDAP query parameter (" + parameterName + ") depends on a $@.", source.getNode(),
|
||||||
|
|||||||
@@ -16,9 +16,9 @@
|
|||||||
|
|
||||||
import python
|
import python
|
||||||
import semmle.python.security.dataflow.CodeInjectionQuery
|
import semmle.python.security.dataflow.CodeInjectionQuery
|
||||||
import CodeInjectionFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
|
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
where CodeInjectionFlow::flowPath(source, sink)
|
where config.hasFlowPath(source, sink)
|
||||||
select sink.getNode(), source, sink, "This code execution depends on a $@.", source.getNode(),
|
select sink.getNode(), source, sink, "This code execution depends on a $@.", source.getNode(),
|
||||||
"user-provided value"
|
"user-provided value"
|
||||||
|
|||||||
@@ -13,9 +13,9 @@
|
|||||||
|
|
||||||
import python
|
import python
|
||||||
import semmle.python.security.dataflow.LogInjectionQuery
|
import semmle.python.security.dataflow.LogInjectionQuery
|
||||||
import LogInjectionFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from LogInjectionFlow::PathNode source, LogInjectionFlow::PathNode sink
|
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
where LogInjectionFlow::flowPath(source, sink)
|
where config.hasFlowPath(source, sink)
|
||||||
select sink.getNode(), source, sink, "This log entry depends on a $@.", source.getNode(),
|
select sink.getNode(), source, sink, "This log entry depends on a $@.", source.getNode(),
|
||||||
"user-provided value"
|
"user-provided value"
|
||||||
|
|||||||
@@ -15,10 +15,10 @@
|
|||||||
|
|
||||||
import python
|
import python
|
||||||
import semmle.python.security.dataflow.StackTraceExposureQuery
|
import semmle.python.security.dataflow.StackTraceExposureQuery
|
||||||
import StackTraceExposureFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from StackTraceExposureFlow::PathNode source, StackTraceExposureFlow::PathNode sink
|
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
where StackTraceExposureFlow::flowPath(source, sink)
|
where config.hasFlowPath(source, sink)
|
||||||
select sink.getNode(), source, sink,
|
select sink.getNode(), source, sink,
|
||||||
"$@ flows to this location and may be exposed to an external user.", source.getNode(),
|
"$@ flows to this location and may be exposed to an external user.", source.getNode(),
|
||||||
"Stack trace information"
|
"Stack trace information"
|
||||||
|
|||||||
@@ -11,12 +11,12 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
import python
|
import python
|
||||||
import PamAuthorizationFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
import semmle.python.ApiGraphs
|
import semmle.python.ApiGraphs
|
||||||
import semmle.python.security.dataflow.PamAuthorizationQuery
|
import semmle.python.security.dataflow.PamAuthorizationQuery
|
||||||
|
|
||||||
from PamAuthorizationFlow::PathNode source, PamAuthorizationFlow::PathNode sink
|
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
where PamAuthorizationFlow::flowPath(source, sink)
|
where config.hasFlowPath(source, sink)
|
||||||
select sink.getNode(), source, sink,
|
select sink.getNode(), source, sink,
|
||||||
"This PAM authentication depends on a $@, and 'pam_acct_mgmt' is not called afterwards.",
|
"This PAM authentication depends on a $@, and 'pam_acct_mgmt' is not called afterwards.",
|
||||||
source.getNode(), "user-provided value"
|
source.getNode(), "user-provided value"
|
||||||
|
|||||||
@@ -15,13 +15,12 @@
|
|||||||
|
|
||||||
import python
|
import python
|
||||||
private import semmle.python.dataflow.new.DataFlow
|
private import semmle.python.dataflow.new.DataFlow
|
||||||
import CleartextLoggingFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
import semmle.python.security.dataflow.CleartextLoggingQuery
|
import semmle.python.security.dataflow.CleartextLoggingQuery
|
||||||
|
|
||||||
from
|
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, string classification
|
||||||
CleartextLoggingFlow::PathNode source, CleartextLoggingFlow::PathNode sink, string classification
|
|
||||||
where
|
where
|
||||||
CleartextLoggingFlow::flowPath(source, sink) and
|
config.hasFlowPath(source, sink) and
|
||||||
classification = source.getNode().(Source).getClassification()
|
classification = source.getNode().(Source).getClassification()
|
||||||
select sink.getNode(), source, sink, "This expression logs $@ as clear text.", source.getNode(),
|
select sink.getNode(), source, sink, "This expression logs $@ as clear text.", source.getNode(),
|
||||||
"sensitive data (" + classification + ")"
|
"sensitive data (" + classification + ")"
|
||||||
|
|||||||
@@ -15,13 +15,12 @@
|
|||||||
|
|
||||||
import python
|
import python
|
||||||
private import semmle.python.dataflow.new.DataFlow
|
private import semmle.python.dataflow.new.DataFlow
|
||||||
import CleartextStorageFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
import semmle.python.security.dataflow.CleartextStorageQuery
|
import semmle.python.security.dataflow.CleartextStorageQuery
|
||||||
|
|
||||||
from
|
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, string classification
|
||||||
CleartextStorageFlow::PathNode source, CleartextStorageFlow::PathNode sink, string classification
|
|
||||||
where
|
where
|
||||||
CleartextStorageFlow::flowPath(source, sink) and
|
config.hasFlowPath(source, sink) and
|
||||||
classification = source.getNode().(Source).getClassification()
|
classification = source.getNode().(Source).getClassification()
|
||||||
select sink.getNode(), source, sink, "This expression stores $@ as clear text.", source.getNode(),
|
select sink.getNode(), source, sink, "This expression stores $@ as clear text.", source.getNode(),
|
||||||
"sensitive data (" + classification + ")"
|
"sensitive data (" + classification + ")"
|
||||||
|
|||||||
@@ -16,29 +16,33 @@ import python
|
|||||||
import semmle.python.security.dataflow.WeakSensitiveDataHashingQuery
|
import semmle.python.security.dataflow.WeakSensitiveDataHashingQuery
|
||||||
import semmle.python.dataflow.new.DataFlow
|
import semmle.python.dataflow.new.DataFlow
|
||||||
import semmle.python.dataflow.new.TaintTracking
|
import semmle.python.dataflow.new.TaintTracking
|
||||||
import WeakSensitiveDataHashingFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from
|
from
|
||||||
WeakSensitiveDataHashingFlow::PathNode source, WeakSensitiveDataHashingFlow::PathNode sink,
|
DataFlow::PathNode source, DataFlow::PathNode sink, string ending, string algorithmName,
|
||||||
string ending, string algorithmName, string classification
|
string classification
|
||||||
where
|
where
|
||||||
normalHashFunctionFlowPath(source, sink) and
|
exists(NormalHashFunction::Configuration config |
|
||||||
algorithmName = sink.getNode().(NormalHashFunction::Sink).getAlgorithmName() and
|
config.hasFlowPath(source, sink) and
|
||||||
classification = source.getNode().(NormalHashFunction::Source).getClassification() and
|
algorithmName = sink.getNode().(NormalHashFunction::Sink).getAlgorithmName() and
|
||||||
ending = "."
|
classification = source.getNode().(NormalHashFunction::Source).getClassification() and
|
||||||
or
|
|
||||||
computationallyExpensiveHashFunctionFlowPath(source, sink) and
|
|
||||||
algorithmName = sink.getNode().(ComputationallyExpensiveHashFunction::Sink).getAlgorithmName() and
|
|
||||||
classification =
|
|
||||||
source.getNode().(ComputationallyExpensiveHashFunction::Source).getClassification() and
|
|
||||||
(
|
|
||||||
sink.getNode().(ComputationallyExpensiveHashFunction::Sink).isComputationallyExpensive() and
|
|
||||||
ending = "."
|
ending = "."
|
||||||
or
|
)
|
||||||
not sink.getNode().(ComputationallyExpensiveHashFunction::Sink).isComputationallyExpensive() and
|
or
|
||||||
ending =
|
exists(ComputationallyExpensiveHashFunction::Configuration config |
|
||||||
" for " + classification +
|
config.hasFlowPath(source, sink) and
|
||||||
" hashing, since it is not a computationally expensive hash function."
|
algorithmName = sink.getNode().(ComputationallyExpensiveHashFunction::Sink).getAlgorithmName() and
|
||||||
|
classification =
|
||||||
|
source.getNode().(ComputationallyExpensiveHashFunction::Source).getClassification() and
|
||||||
|
(
|
||||||
|
sink.getNode().(ComputationallyExpensiveHashFunction::Sink).isComputationallyExpensive() and
|
||||||
|
ending = "."
|
||||||
|
or
|
||||||
|
not sink.getNode().(ComputationallyExpensiveHashFunction::Sink).isComputationallyExpensive() and
|
||||||
|
ending =
|
||||||
|
" for " + classification +
|
||||||
|
" hashing, since it is not a computationally expensive hash function."
|
||||||
|
)
|
||||||
)
|
)
|
||||||
select sink.getNode(), source, sink,
|
select sink.getNode(), source, sink,
|
||||||
"$@ is used in a hashing algorithm (" + algorithmName + ") that is insecure" + ending,
|
"$@ is used in a hashing algorithm (" + algorithmName + ") that is insecure" + ending,
|
||||||
|
|||||||
@@ -14,9 +14,9 @@
|
|||||||
|
|
||||||
import python
|
import python
|
||||||
import semmle.python.security.dataflow.UnsafeDeserializationQuery
|
import semmle.python.security.dataflow.UnsafeDeserializationQuery
|
||||||
import UnsafeDeserializationFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from UnsafeDeserializationFlow::PathNode source, UnsafeDeserializationFlow::PathNode sink
|
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
where UnsafeDeserializationFlow::flowPath(source, sink)
|
where config.hasFlowPath(source, sink)
|
||||||
select sink.getNode(), source, sink, "Unsafe deserialization depends on a $@.", source.getNode(),
|
select sink.getNode(), source, sink, "Unsafe deserialization depends on a $@.", source.getNode(),
|
||||||
"user-provided value"
|
"user-provided value"
|
||||||
|
|||||||
@@ -14,9 +14,9 @@
|
|||||||
|
|
||||||
import python
|
import python
|
||||||
import semmle.python.security.dataflow.UrlRedirectQuery
|
import semmle.python.security.dataflow.UrlRedirectQuery
|
||||||
import UrlRedirectFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from UrlRedirectFlow::PathNode source, UrlRedirectFlow::PathNode sink
|
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
where UrlRedirectFlow::flowPath(source, sink)
|
where config.hasFlowPath(source, sink)
|
||||||
select sink.getNode(), source, sink, "Untrusted URL redirection depends on a $@.", source.getNode(),
|
select sink.getNode(), source, sink, "Untrusted URL redirection depends on a $@.", source.getNode(),
|
||||||
"user-provided value"
|
"user-provided value"
|
||||||
|
|||||||
@@ -14,10 +14,10 @@
|
|||||||
|
|
||||||
import python
|
import python
|
||||||
import semmle.python.security.dataflow.XxeQuery
|
import semmle.python.security.dataflow.XxeQuery
|
||||||
import XxeFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from XxeFlow::PathNode source, XxeFlow::PathNode sink
|
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
where XxeFlow::flowPath(source, sink)
|
where cfg.hasFlowPath(source, sink)
|
||||||
select sink.getNode(), source, sink,
|
select sink.getNode(), source, sink,
|
||||||
"XML parsing depends on a $@ without guarding against external entity expansion.",
|
"XML parsing depends on a $@ without guarding against external entity expansion.",
|
||||||
source.getNode(), "user-provided value"
|
source.getNode(), "user-provided value"
|
||||||
|
|||||||
@@ -13,9 +13,9 @@
|
|||||||
|
|
||||||
import python
|
import python
|
||||||
import semmle.python.security.dataflow.XpathInjectionQuery
|
import semmle.python.security.dataflow.XpathInjectionQuery
|
||||||
import XpathInjectionFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from XpathInjectionFlow::PathNode source, XpathInjectionFlow::PathNode sink
|
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
where XpathInjectionFlow::flowPath(source, sink)
|
where config.hasFlowPath(source, sink)
|
||||||
select sink.getNode(), source, sink, "XPath expression depends on a $@.", source.getNode(),
|
select sink.getNode(), source, sink, "XPath expression depends on a $@.", source.getNode(),
|
||||||
"user-provided value"
|
"user-provided value"
|
||||||
|
|||||||
@@ -15,13 +15,13 @@
|
|||||||
|
|
||||||
import python
|
import python
|
||||||
import semmle.python.security.dataflow.PolynomialReDoSQuery
|
import semmle.python.security.dataflow.PolynomialReDoSQuery
|
||||||
import PolynomialReDoSFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from
|
from
|
||||||
PolynomialReDoSFlow::PathNode source, PolynomialReDoSFlow::PathNode sink, Sink sinkNode,
|
Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, Sink sinkNode,
|
||||||
PolynomialBackTrackingTerm regexp
|
PolynomialBackTrackingTerm regexp
|
||||||
where
|
where
|
||||||
PolynomialReDoSFlow::flowPath(source, sink) and
|
config.hasFlowPath(source, sink) and
|
||||||
sinkNode = sink.getNode() and
|
sinkNode = sink.getNode() and
|
||||||
regexp.getRootTerm() = sinkNode.getRegExp()
|
regexp.getRootTerm() = sinkNode.getRegExp()
|
||||||
// not (
|
// not (
|
||||||
|
|||||||
@@ -16,13 +16,13 @@
|
|||||||
import python
|
import python
|
||||||
private import semmle.python.Concepts
|
private import semmle.python.Concepts
|
||||||
import semmle.python.security.dataflow.RegexInjectionQuery
|
import semmle.python.security.dataflow.RegexInjectionQuery
|
||||||
import RegexInjectionFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from
|
from
|
||||||
RegexInjectionFlow::PathNode source, RegexInjectionFlow::PathNode sink,
|
Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink,
|
||||||
RegexExecution regexExecution
|
RegexExecution regexExecution
|
||||||
where
|
where
|
||||||
RegexInjectionFlow::flowPath(source, sink) and
|
config.hasFlowPath(source, sink) and
|
||||||
regexExecution = sink.getNode().(Sink).getRegexExecution()
|
regexExecution = sink.getNode().(Sink).getRegexExecution()
|
||||||
select sink.getNode(), source, sink,
|
select sink.getNode(), source, sink,
|
||||||
"This regular expression depends on a $@ and is executed by $@.", source.getNode(),
|
"This regular expression depends on a $@ and is executed by $@.", source.getNode(),
|
||||||
|
|||||||
@@ -14,10 +14,10 @@
|
|||||||
|
|
||||||
import python
|
import python
|
||||||
import semmle.python.security.dataflow.XmlBombQuery
|
import semmle.python.security.dataflow.XmlBombQuery
|
||||||
import XmlBombFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from XmlBombFlow::PathNode source, XmlBombFlow::PathNode sink
|
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
where XmlBombFlow::flowPath(source, sink)
|
where cfg.hasFlowPath(source, sink)
|
||||||
select sink.getNode(), source, sink,
|
select sink.getNode(), source, sink,
|
||||||
"XML parsing depends on a $@ without guarding against uncontrolled entity expansion.",
|
"XML parsing depends on a $@ without guarding against uncontrolled entity expansion.",
|
||||||
source.getNode(), "user-provided value"
|
source.getNode(), "user-provided value"
|
||||||
|
|||||||
@@ -16,6 +16,7 @@ import python
|
|||||||
import semmle.python.dataflow.new.DataFlow
|
import semmle.python.dataflow.new.DataFlow
|
||||||
import semmle.python.dataflow.new.TaintTracking
|
import semmle.python.dataflow.new.TaintTracking
|
||||||
import semmle.python.filters.Tests
|
import semmle.python.filters.Tests
|
||||||
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
bindingset[char, fraction]
|
bindingset[char, fraction]
|
||||||
predicate fewer_characters_than(StrConst str, string char, float fraction) {
|
predicate fewer_characters_than(StrConst str, string char, float fraction) {
|
||||||
@@ -107,19 +108,17 @@ private string getACredentialRegex() {
|
|||||||
result = "(?i).*(cert)(?!.*(format|name)).*"
|
result = "(?i).*(cert)(?!.*(format|name)).*"
|
||||||
}
|
}
|
||||||
|
|
||||||
private module HardcodedCredentialsConfig implements DataFlow::ConfigSig {
|
class HardcodedCredentialsConfiguration extends TaintTracking::Configuration {
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof HardcodedValueSource }
|
HardcodedCredentialsConfiguration() { this = "Hardcoded credentials configuration" }
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof CredentialSink }
|
override predicate isSource(DataFlow::Node source) { source instanceof HardcodedValueSource }
|
||||||
|
|
||||||
|
override predicate isSink(DataFlow::Node sink) { sink instanceof CredentialSink }
|
||||||
}
|
}
|
||||||
|
|
||||||
module HardcodedCredentialsFlow = TaintTracking::Global<HardcodedCredentialsConfig>;
|
from HardcodedCredentialsConfiguration config, DataFlow::PathNode src, DataFlow::PathNode sink
|
||||||
|
|
||||||
import HardcodedCredentialsFlow::PathGraph
|
|
||||||
|
|
||||||
from HardcodedCredentialsFlow::PathNode src, HardcodedCredentialsFlow::PathNode sink
|
|
||||||
where
|
where
|
||||||
HardcodedCredentialsFlow::flowPath(src, sink) and
|
config.hasFlowPath(src, sink) and
|
||||||
not any(TestScope test).contains(src.getNode().asCfgNode().getNode())
|
not any(TestScope test).contains(src.getNode().asCfgNode().getNode())
|
||||||
select src.getNode(), src, sink, "This hardcoded value is $@.", sink.getNode(),
|
select src.getNode(), src, sink, "This hardcoded value is $@.", sink.getNode(),
|
||||||
"used as credentials"
|
"used as credentials"
|
||||||
|
|||||||
@@ -12,14 +12,14 @@
|
|||||||
|
|
||||||
import python
|
import python
|
||||||
import semmle.python.security.dataflow.ServerSideRequestForgeryQuery
|
import semmle.python.security.dataflow.ServerSideRequestForgeryQuery
|
||||||
import FullServerSideRequestForgeryFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from
|
from
|
||||||
FullServerSideRequestForgeryFlow::PathNode source,
|
FullServerSideRequestForgeryConfiguration fullConfig, DataFlow::PathNode source,
|
||||||
FullServerSideRequestForgeryFlow::PathNode sink, Http::Client::Request request
|
DataFlow::PathNode sink, Http::Client::Request request
|
||||||
where
|
where
|
||||||
request = sink.getNode().(Sink).getRequest() and
|
request = sink.getNode().(Sink).getRequest() and
|
||||||
FullServerSideRequestForgeryFlow::flowPath(source, sink) and
|
fullConfig.hasFlowPath(source, sink) and
|
||||||
fullyControlledRequest(request)
|
fullyControlledRequest(request)
|
||||||
select request, source, sink, "The full URL of this request depends on a $@.", source.getNode(),
|
select request, source, sink, "The full URL of this request depends on a $@.", source.getNode(),
|
||||||
"user-provided value"
|
"user-provided value"
|
||||||
|
|||||||
@@ -12,14 +12,14 @@
|
|||||||
|
|
||||||
import python
|
import python
|
||||||
import semmle.python.security.dataflow.ServerSideRequestForgeryQuery
|
import semmle.python.security.dataflow.ServerSideRequestForgeryQuery
|
||||||
import PartialServerSideRequestForgeryFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from
|
from
|
||||||
PartialServerSideRequestForgeryFlow::PathNode source,
|
PartialServerSideRequestForgeryConfiguration partialConfig, DataFlow::PathNode source,
|
||||||
PartialServerSideRequestForgeryFlow::PathNode sink, Http::Client::Request request
|
DataFlow::PathNode sink, Http::Client::Request request
|
||||||
where
|
where
|
||||||
request = sink.getNode().(Sink).getRequest() and
|
request = sink.getNode().(Sink).getRequest() and
|
||||||
PartialServerSideRequestForgeryFlow::flowPath(source, sink) and
|
partialConfig.hasFlowPath(source, sink) and
|
||||||
not fullyControlledRequest(request)
|
not fullyControlledRequest(request)
|
||||||
select request, source, sink, "Part of the URL of this request depends on a $@.", source.getNode(),
|
select request, source, sink, "Part of the URL of this request depends on a $@.", source.getNode(),
|
||||||
"user-provided value"
|
"user-provided value"
|
||||||
|
|||||||
@@ -15,10 +15,10 @@
|
|||||||
|
|
||||||
import python
|
import python
|
||||||
import experimental.semmle.python.security.ZipSlip
|
import experimental.semmle.python.security.ZipSlip
|
||||||
import ZipSlipFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from ZipSlipFlow::PathNode source, ZipSlipFlow::PathNode sink
|
from ZipSlipConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
where ZipSlipFlow::flowPath(source, sink)
|
where config.hasFlowPath(source, sink)
|
||||||
select source.getNode(), source, sink,
|
select source.getNode(), source, sink,
|
||||||
"This unsanitized archive entry, which may contain '..', is used in a $@.", sink.getNode(),
|
"This unsanitized archive entry, which may contain '..', is used in a $@.", sink.getNode(),
|
||||||
"file system operation"
|
"file system operation"
|
||||||
|
|||||||
@@ -16,7 +16,7 @@
|
|||||||
import python
|
import python
|
||||||
import semmle.python.dataflow.new.DataFlow
|
import semmle.python.dataflow.new.DataFlow
|
||||||
import semmle.python.dataflow.new.TaintTracking
|
import semmle.python.dataflow.new.TaintTracking
|
||||||
import TarSlipImprovFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
import semmle.python.ApiGraphs
|
import semmle.python.ApiGraphs
|
||||||
import semmle.python.dataflow.new.internal.Attributes
|
import semmle.python.dataflow.new.internal.Attributes
|
||||||
import semmle.python.dataflow.new.BarrierGuards
|
import semmle.python.dataflow.new.BarrierGuards
|
||||||
@@ -54,10 +54,12 @@ class AllTarfileOpens extends API::CallNode {
|
|||||||
/**
|
/**
|
||||||
* A taint-tracking configuration for detecting more "TarSlip" vulnerabilities.
|
* A taint-tracking configuration for detecting more "TarSlip" vulnerabilities.
|
||||||
*/
|
*/
|
||||||
private module TarSlipImprovConfig implements DataFlow::ConfigSig {
|
class Configuration extends TaintTracking::Configuration {
|
||||||
predicate isSource(DataFlow::Node source) { source = tarfileOpen().getACall() }
|
Configuration() { this = "TarSlip" }
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) {
|
override predicate isSource(DataFlow::Node source) { source = tarfileOpen().getACall() }
|
||||||
|
|
||||||
|
override predicate isSink(DataFlow::Node sink) {
|
||||||
(
|
(
|
||||||
// A sink capturing method calls to `extractall` without `members` argument.
|
// A sink capturing method calls to `extractall` without `members` argument.
|
||||||
// For a call to `file.extractall` without `members` argument, `file` is considered a sink.
|
// For a call to `file.extractall` without `members` argument, `file` is considered a sink.
|
||||||
@@ -98,7 +100,7 @@ private module TarSlipImprovConfig implements DataFlow::ConfigSig {
|
|||||||
not sink.getScope().getLocation().getFile().inStdlib()
|
not sink.getScope().getLocation().getFile().inStdlib()
|
||||||
}
|
}
|
||||||
|
|
||||||
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
|
override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
|
||||||
nodeTo.(MethodCallNode).calls(nodeFrom, "getmembers") and
|
nodeTo.(MethodCallNode).calls(nodeFrom, "getmembers") and
|
||||||
nodeFrom instanceof AllTarfileOpens
|
nodeFrom instanceof AllTarfileOpens
|
||||||
or
|
or
|
||||||
@@ -111,10 +113,7 @@ private module TarSlipImprovConfig implements DataFlow::ConfigSig {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Global taint-tracking for detecting more "TarSlip" vulnerabilities. */
|
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
module TarSlipImprovFlow = TaintTracking::Global<TarSlipImprovConfig>;
|
where config.hasFlowPath(source, sink)
|
||||||
|
|
||||||
from TarSlipImprovFlow::PathNode source, TarSlipImprovFlow::PathNode sink
|
|
||||||
where TarSlipImprovFlow::flowPath(source, sink)
|
|
||||||
select sink, source, sink, "Extraction of tarfile from $@ to a potentially untrusted source $@.",
|
select sink, source, sink, "Extraction of tarfile from $@ to a potentially untrusted source $@.",
|
||||||
source.getNode(), source.getNode().toString(), sink.getNode(), sink.getNode().toString()
|
source.getNode(), source.getNode().toString(), sink.getNode(), sink.getNode().toString()
|
||||||
|
|||||||
@@ -16,9 +16,9 @@
|
|||||||
|
|
||||||
import python
|
import python
|
||||||
import experimental.Security.UnsafeUnpackQuery
|
import experimental.Security.UnsafeUnpackQuery
|
||||||
import UnsafeUnpackFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from UnsafeUnpackFlow::PathNode source, UnsafeUnpackFlow::PathNode sink
|
from UnsafeUnpackingConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
where UnsafeUnpackFlow::flowPath(source, sink)
|
where config.hasFlowPath(source, sink)
|
||||||
select sink.getNode(), source, sink,
|
select sink.getNode(), source, sink,
|
||||||
"Unsafe extraction from a malicious tarball retrieved from a remote location."
|
"Unsafe extraction from a malicious tarball retrieved from a remote location."
|
||||||
|
|||||||
@@ -16,13 +16,16 @@ import semmle.python.dataflow.new.DataFlow
|
|||||||
import semmle.python.dataflow.new.TaintTracking
|
import semmle.python.dataflow.new.TaintTracking
|
||||||
import semmle.python.dataflow.new.RemoteFlowSources
|
import semmle.python.dataflow.new.RemoteFlowSources
|
||||||
import semmle.python.ApiGraphs
|
import semmle.python.ApiGraphs
|
||||||
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
private API::Node paramikoClient() {
|
private API::Node paramikoClient() {
|
||||||
result = API::moduleImport("paramiko").getMember("SSHClient").getReturn()
|
result = API::moduleImport("paramiko").getMember("SSHClient").getReturn()
|
||||||
}
|
}
|
||||||
|
|
||||||
private module ParamikoConfig implements DataFlow::ConfigSig {
|
class ParamikoCmdInjectionConfiguration extends TaintTracking::Configuration {
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
ParamikoCmdInjectionConfiguration() { this = "ParamikoCMDInjectionConfiguration" }
|
||||||
|
|
||||||
|
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* exec_command of `paramiko.SSHClient` class execute command on ssh target server
|
* exec_command of `paramiko.SSHClient` class execute command on ssh target server
|
||||||
@@ -30,7 +33,7 @@ private module ParamikoConfig implements DataFlow::ConfigSig {
|
|||||||
* and it run CMD on current system that running the ssh command
|
* and it run CMD on current system that running the ssh command
|
||||||
* the Sink related to proxy command is the `connect` method of `paramiko.SSHClient` class
|
* the Sink related to proxy command is the `connect` method of `paramiko.SSHClient` class
|
||||||
*/
|
*/
|
||||||
predicate isSink(DataFlow::Node sink) {
|
override predicate isSink(DataFlow::Node sink) {
|
||||||
sink = paramikoClient().getMember("exec_command").getACall().getParameter(0, "command").asSink()
|
sink = paramikoClient().getMember("exec_command").getACall().getParameter(0, "command").asSink()
|
||||||
or
|
or
|
||||||
sink = paramikoClient().getMember("connect").getACall().getParameter(11, "sock").asSink()
|
sink = paramikoClient().getMember("connect").getACall().getParameter(11, "sock").asSink()
|
||||||
@@ -39,7 +42,7 @@ private module ParamikoConfig implements DataFlow::ConfigSig {
|
|||||||
/**
|
/**
|
||||||
* this additional taint step help taint tracking to find the vulnerable `connect` method of `paramiko.SSHClient` class
|
* this additional taint step help taint tracking to find the vulnerable `connect` method of `paramiko.SSHClient` class
|
||||||
*/
|
*/
|
||||||
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
|
override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
|
||||||
exists(API::CallNode call |
|
exists(API::CallNode call |
|
||||||
call = API::moduleImport("paramiko").getMember("ProxyCommand").getACall() and
|
call = API::moduleImport("paramiko").getMember("ProxyCommand").getACall() and
|
||||||
nodeFrom = call.getParameter(0, "command_line").asSink() and
|
nodeFrom = call.getParameter(0, "command_line").asSink() and
|
||||||
@@ -48,12 +51,7 @@ private module ParamikoConfig implements DataFlow::ConfigSig {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "paramiko command injection" vulnerabilities. */
|
from ParamikoCmdInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
module ParamikoFlow = TaintTracking::Global<ParamikoConfig>;
|
where config.hasFlowPath(source, sink)
|
||||||
|
|
||||||
import ParamikoFlow::PathGraph
|
|
||||||
|
|
||||||
from ParamikoFlow::PathNode source, ParamikoFlow::PathNode sink
|
|
||||||
where ParamikoFlow::flowPath(source, sink)
|
|
||||||
select sink.getNode(), source, sink, "This code execution depends on a $@.", source.getNode(),
|
select sink.getNode(), source, sink, "This code execution depends on a $@.", source.getNode(),
|
||||||
"a user-provided value"
|
"a user-provided value"
|
||||||
|
|||||||
@@ -15,10 +15,10 @@
|
|||||||
|
|
||||||
// determine precision above
|
// determine precision above
|
||||||
import python
|
import python
|
||||||
import experimental.semmle.python.security.dataflow.EmailXss
|
import experimental.semmle.python.security.dataflow.ReflectedXSS
|
||||||
import EmailXssFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from EmailXssFlow::PathNode source, EmailXssFlow::PathNode sink
|
from ReflectedXssConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
where EmailXssFlow::flowPath(source, sink)
|
where config.hasFlowPath(source, sink)
|
||||||
select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
|
select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
|
||||||
source.getNode(), "a user-provided value"
|
source.getNode(), "a user-provided value"
|
||||||
@@ -14,9 +14,9 @@
|
|||||||
// determine precision above
|
// determine precision above
|
||||||
import python
|
import python
|
||||||
import experimental.semmle.python.security.injection.HTTPHeaders
|
import experimental.semmle.python.security.injection.HTTPHeaders
|
||||||
import HeaderInjectionFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from HeaderInjectionFlow::PathNode source, HeaderInjectionFlow::PathNode sink
|
from HeaderInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
where HeaderInjectionFlow::flowPath(source, sink)
|
where config.hasFlowPath(source, sink)
|
||||||
select sink.getNode(), source, sink, "This HTTP header is constructed from a $@.", source.getNode(),
|
select sink.getNode(), source, sink, "This HTTP header is constructed from a $@.", source.getNode(),
|
||||||
"user-provided value"
|
"user-provided value"
|
||||||
|
|||||||
@@ -11,11 +11,11 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
import python
|
import python
|
||||||
import CsvInjectionFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
import semmle.python.dataflow.new.DataFlow
|
import semmle.python.dataflow.new.DataFlow
|
||||||
import experimental.semmle.python.security.injection.CsvInjection
|
import experimental.semmle.python.security.injection.CsvInjection
|
||||||
|
|
||||||
from CsvInjectionFlow::PathNode source, CsvInjectionFlow::PathNode sink
|
from CsvInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
where CsvInjectionFlow::flowPath(source, sink)
|
where config.hasFlowPath(source, sink)
|
||||||
select sink.getNode(), source, sink, "Csv injection might include code from $@.", source.getNode(),
|
select sink.getNode(), source, sink, "Csv injection might include code from $@.", source.getNode(),
|
||||||
"this user input"
|
"this user input"
|
||||||
|
|||||||
@@ -14,10 +14,10 @@
|
|||||||
|
|
||||||
import python
|
import python
|
||||||
import UnicodeBypassValidationQuery
|
import UnicodeBypassValidationQuery
|
||||||
import UnicodeBypassValidationFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from UnicodeBypassValidationFlow::PathNode source, UnicodeBypassValidationFlow::PathNode sink
|
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
where UnicodeBypassValidationFlow::flowPath(source, sink)
|
where config.hasFlowPath(source, sink)
|
||||||
select sink.getNode(), source, sink,
|
select sink.getNode(), source, sink,
|
||||||
"This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters.",
|
"This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters.",
|
||||||
sink.getNode(), "Unicode transformation (Unicode normalization)", source.getNode(),
|
sink.getNode(), "Unicode transformation (Unicode normalization)", source.getNode(),
|
||||||
|
|||||||
@@ -3,7 +3,6 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
private import python
|
private import python
|
||||||
import semmle.python.dataflow.new.DataFlow
|
|
||||||
import semmle.python.ApiGraphs
|
import semmle.python.ApiGraphs
|
||||||
import semmle.python.Concepts
|
import semmle.python.Concepts
|
||||||
import semmle.python.dataflow.new.internal.DataFlowPublic
|
import semmle.python.dataflow.new.internal.DataFlowPublic
|
||||||
@@ -28,15 +27,16 @@ class PostValidation extends DataFlow::FlowState {
|
|||||||
* This configuration uses two flow states, `PreValidation` and `PostValidation`,
|
* This configuration uses two flow states, `PreValidation` and `PostValidation`,
|
||||||
* to track the requirement that a logical validation has been performed before the Unicode Transformation.
|
* to track the requirement that a logical validation has been performed before the Unicode Transformation.
|
||||||
*/
|
*/
|
||||||
private module UnicodeBypassValidationConfig implements DataFlow::StateConfigSig {
|
class Configuration extends TaintTracking::Configuration {
|
||||||
class FlowState = DataFlow::FlowState;
|
Configuration() { this = "UnicodeBypassValidation" }
|
||||||
|
|
||||||
predicate isSource(DataFlow::Node source, FlowState state) {
|
override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
|
||||||
source instanceof RemoteFlowSource and state instanceof PreValidation
|
source instanceof RemoteFlowSource and state instanceof PreValidation
|
||||||
}
|
}
|
||||||
|
|
||||||
predicate isAdditionalFlowStep(
|
override predicate isAdditionalTaintStep(
|
||||||
DataFlow::Node nodeFrom, FlowState stateFrom, DataFlow::Node nodeTo, FlowState stateTo
|
DataFlow::Node nodeFrom, DataFlow::FlowState stateFrom, DataFlow::Node nodeTo,
|
||||||
|
DataFlow::FlowState stateTo
|
||||||
) {
|
) {
|
||||||
(
|
(
|
||||||
exists(Escaping escaping | nodeFrom = escaping.getAnInput() and nodeTo = escaping.getOutput())
|
exists(Escaping escaping | nodeFrom = escaping.getAnInput() and nodeTo = escaping.getOutput())
|
||||||
@@ -51,7 +51,7 @@ private module UnicodeBypassValidationConfig implements DataFlow::StateConfigSig
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* A Unicode Tranformation (Unicode tranformation) is considered a sink when the algorithm used is either NFC or NFKC. */
|
/* A Unicode Tranformation (Unicode tranformation) is considered a sink when the algorithm used is either NFC or NFKC. */
|
||||||
predicate isSink(DataFlow::Node sink, FlowState state) {
|
override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
|
||||||
exists(API::CallNode cn |
|
exists(API::CallNode cn |
|
||||||
cn = API::moduleImport("unicodedata").getMember("normalize").getACall() and
|
cn = API::moduleImport("unicodedata").getMember("normalize").getACall() and
|
||||||
sink = cn.getArg(1)
|
sink = cn.getArg(1)
|
||||||
@@ -71,6 +71,3 @@ private module UnicodeBypassValidationConfig implements DataFlow::StateConfigSig
|
|||||||
state instanceof PostValidation
|
state instanceof PostValidation
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "Unicode transformation mishandling" vulnerabilities. */
|
|
||||||
module UnicodeBypassValidationFlow = TaintTracking::GlobalWithState<UnicodeBypassValidationConfig>;
|
|
||||||
|
|||||||
@@ -17,25 +17,21 @@ import python
|
|||||||
import semmle.python.dataflow.new.DataFlow
|
import semmle.python.dataflow.new.DataFlow
|
||||||
import semmle.python.dataflow.new.TaintTracking
|
import semmle.python.dataflow.new.TaintTracking
|
||||||
import experimental.semmle.python.security.TimingAttack
|
import experimental.semmle.python.security.TimingAttack
|
||||||
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A configuration that tracks data flow from cryptographic operations
|
* A configuration that tracks data flow from cryptographic operations
|
||||||
* to equality test
|
* to equality test
|
||||||
*/
|
*/
|
||||||
private module PossibleTimingAttackAgainstHashConfig implements DataFlow::ConfigSig {
|
class PossibleTimingAttackAgainstHash extends TaintTracking::Configuration {
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall }
|
PossibleTimingAttackAgainstHash() { this = "PossibleTimingAttackAgainstHash" }
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
|
override predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall }
|
||||||
|
|
||||||
|
override predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
|
||||||
}
|
}
|
||||||
|
|
||||||
module PossibleTimingAttackAgainstHashFlow =
|
from PossibleTimingAttackAgainstHash config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
TaintTracking::Global<PossibleTimingAttackAgainstHashConfig>;
|
where config.hasFlowPath(source, sink)
|
||||||
|
|
||||||
import PossibleTimingAttackAgainstHashFlow::PathGraph
|
|
||||||
|
|
||||||
from
|
|
||||||
PossibleTimingAttackAgainstHashFlow::PathNode source,
|
|
||||||
PossibleTimingAttackAgainstHashFlow::PathNode sink
|
|
||||||
where PossibleTimingAttackAgainstHashFlow::flowPath(source, sink)
|
|
||||||
select sink.getNode(), source, sink, "Possible Timing attack against $@ validation.",
|
select sink.getNode(), source, sink, "Possible Timing attack against $@ validation.",
|
||||||
source.getNode().(ProduceCryptoCall).getResultType(), "message"
|
source.getNode().(ProduceCryptoCall).getResultType(), "message"
|
||||||
|
|||||||
@@ -16,24 +16,23 @@ import python
|
|||||||
import semmle.python.dataflow.new.DataFlow
|
import semmle.python.dataflow.new.DataFlow
|
||||||
import semmle.python.dataflow.new.TaintTracking
|
import semmle.python.dataflow.new.TaintTracking
|
||||||
import experimental.semmle.python.security.TimingAttack
|
import experimental.semmle.python.security.TimingAttack
|
||||||
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A configuration that tracks data flow from cryptographic operations
|
* A configuration that tracks data flow from cryptographic operations
|
||||||
* to Equality test.
|
* to Equality test.
|
||||||
*/
|
*/
|
||||||
private module TimingAttackAgainstHashConfig implements DataFlow::ConfigSig {
|
class TimingAttackAgainsthash extends TaintTracking::Configuration {
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall }
|
TimingAttackAgainsthash() { this = "TimingAttackAgainsthash" }
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
|
override predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall }
|
||||||
|
|
||||||
|
override predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
|
||||||
}
|
}
|
||||||
|
|
||||||
module TimingAttackAgainstHashFlow = TaintTracking::Global<TimingAttackAgainstHashConfig>;
|
from TimingAttackAgainsthash config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
|
|
||||||
import TimingAttackAgainstHashFlow::PathGraph
|
|
||||||
|
|
||||||
from TimingAttackAgainstHashFlow::PathNode source, TimingAttackAgainstHashFlow::PathNode sink
|
|
||||||
where
|
where
|
||||||
TimingAttackAgainstHashFlow::flowPath(source, sink) and
|
config.hasFlowPath(source, sink) and
|
||||||
sink.getNode().(NonConstantTimeComparisonSink).includesUserInput()
|
sink.getNode().(NonConstantTimeComparisonSink).includesUserInput()
|
||||||
select sink.getNode(), source, sink, "Timing attack against $@ validation.",
|
select sink.getNode(), source, sink, "Timing attack against $@ validation.",
|
||||||
source.getNode().(ProduceCryptoCall).getResultType(), "message"
|
source.getNode().(ProduceCryptoCall).getResultType(), "message"
|
||||||
|
|||||||
@@ -15,26 +15,20 @@ import python
|
|||||||
import semmle.python.dataflow.new.DataFlow
|
import semmle.python.dataflow.new.DataFlow
|
||||||
import semmle.python.dataflow.new.TaintTracking
|
import semmle.python.dataflow.new.TaintTracking
|
||||||
import experimental.semmle.python.security.TimingAttack
|
import experimental.semmle.python.security.TimingAttack
|
||||||
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A configuration tracing flow from a client Secret obtained by an HTTP header to a unsafe Comparison.
|
* A configuration tracing flow from a client Secret obtained by an HTTP header to a unsafe Comparison.
|
||||||
*/
|
*/
|
||||||
private module TimingAttackAgainstHeaderValueConfig implements DataFlow::ConfigSig {
|
class ClientSuppliedSecretConfig extends TaintTracking::Configuration {
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof ClientSuppliedSecret }
|
ClientSuppliedSecretConfig() { this = "ClientSuppliedSecretConfig" }
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof CompareSink }
|
override predicate isSource(DataFlow::Node source) { source instanceof ClientSuppliedSecret }
|
||||||
|
|
||||||
|
override predicate isSink(DataFlow::Node sink) { sink instanceof CompareSink }
|
||||||
}
|
}
|
||||||
|
|
||||||
module TimingAttackAgainstHeaderValueFlow =
|
from ClientSuppliedSecretConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
TaintTracking::Global<TimingAttackAgainstHeaderValueConfig>;
|
where config.hasFlowPath(source, sink) and not sink.getNode().(CompareSink).flowtolen()
|
||||||
|
|
||||||
import TimingAttackAgainstHeaderValueFlow::PathGraph
|
|
||||||
|
|
||||||
from
|
|
||||||
TimingAttackAgainstHeaderValueFlow::PathNode source,
|
|
||||||
TimingAttackAgainstHeaderValueFlow::PathNode sink
|
|
||||||
where
|
|
||||||
TimingAttackAgainstHeaderValueFlow::flowPath(source, sink) and
|
|
||||||
not sink.getNode().(CompareSink).flowtolen()
|
|
||||||
select sink.getNode(), source, sink, "Timing attack against $@ validation.", source.getNode(),
|
select sink.getNode(), source, sink, "Timing attack against $@ validation.", source.getNode(),
|
||||||
"client-supplied token"
|
"client-supplied token"
|
||||||
|
|||||||
@@ -15,24 +15,20 @@ import python
|
|||||||
import semmle.python.dataflow.new.DataFlow
|
import semmle.python.dataflow.new.DataFlow
|
||||||
import semmle.python.dataflow.new.TaintTracking
|
import semmle.python.dataflow.new.TaintTracking
|
||||||
import experimental.semmle.python.security.TimingAttack
|
import experimental.semmle.python.security.TimingAttack
|
||||||
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A configuration tracing flow from obtaining a client Secret to a unsafe Comparison.
|
* A configuration tracing flow from obtaining a client Secret to a unsafe Comparison.
|
||||||
*/
|
*/
|
||||||
private module PossibleTimingAttackAgainstSensitiveInfoConfig implements DataFlow::ConfigSig {
|
class ClientSuppliedSecretConfig extends TaintTracking::Configuration {
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof SecretSource }
|
ClientSuppliedSecretConfig() { this = "ClientSuppliedSecretConfig" }
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
|
override predicate isSource(DataFlow::Node source) { source instanceof SecretSource }
|
||||||
|
|
||||||
|
override predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
|
||||||
}
|
}
|
||||||
|
|
||||||
module PossibleTimingAttackAgainstSensitiveInfoFlow =
|
from ClientSuppliedSecretConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
TaintTracking::Global<PossibleTimingAttackAgainstSensitiveInfoConfig>;
|
where config.hasFlowPath(source, sink)
|
||||||
|
|
||||||
import PossibleTimingAttackAgainstSensitiveInfoFlow::PathGraph
|
|
||||||
|
|
||||||
from
|
|
||||||
PossibleTimingAttackAgainstSensitiveInfoFlow::PathNode source,
|
|
||||||
PossibleTimingAttackAgainstSensitiveInfoFlow::PathNode sink
|
|
||||||
where PossibleTimingAttackAgainstSensitiveInfoFlow::flowPath(source, sink)
|
|
||||||
select sink.getNode(), source, sink, "Timing attack against $@ validation.", source.getNode(),
|
select sink.getNode(), source, sink, "Timing attack against $@ validation.", source.getNode(),
|
||||||
"client-supplied token"
|
"client-supplied token"
|
||||||
|
|||||||
@@ -15,25 +15,22 @@ import python
|
|||||||
import semmle.python.dataflow.new.DataFlow
|
import semmle.python.dataflow.new.DataFlow
|
||||||
import semmle.python.dataflow.new.TaintTracking
|
import semmle.python.dataflow.new.TaintTracking
|
||||||
import experimental.semmle.python.security.TimingAttack
|
import experimental.semmle.python.security.TimingAttack
|
||||||
import TimingAttackAgainstSensitiveInfoFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A configuration tracing flow from obtaining a client Secret to a unsafe Comparison.
|
* A configuration tracing flow from obtaining a client Secret to a unsafe Comparison.
|
||||||
*/
|
*/
|
||||||
private module TimingAttackAgainstSensitiveInfoConfig implements DataFlow::ConfigSig {
|
class ClientSuppliedSecretConfig extends TaintTracking::Configuration {
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof SecretSource }
|
ClientSuppliedSecretConfig() { this = "ClientSuppliedSecretConfig" }
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
|
override predicate isSource(DataFlow::Node source) { source instanceof SecretSource }
|
||||||
|
|
||||||
|
override predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
|
||||||
}
|
}
|
||||||
|
|
||||||
module TimingAttackAgainstSensitiveInfoFlow =
|
from ClientSuppliedSecretConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
TaintTracking::Global<TimingAttackAgainstSensitiveInfoConfig>;
|
|
||||||
|
|
||||||
from
|
|
||||||
TimingAttackAgainstSensitiveInfoFlow::PathNode source,
|
|
||||||
TimingAttackAgainstSensitiveInfoFlow::PathNode sink
|
|
||||||
where
|
where
|
||||||
TimingAttackAgainstSensitiveInfoFlow::flowPath(source, sink) and
|
config.hasFlowPath(source, sink) and
|
||||||
(
|
(
|
||||||
source.getNode().(SecretSource).includesUserInput() or
|
source.getNode().(SecretSource).includesUserInput() or
|
||||||
sink.getNode().(NonConstantTimeComparisonSink).includesUserInput()
|
sink.getNode().(NonConstantTimeComparisonSink).includesUserInput()
|
||||||
|
|||||||
@@ -25,7 +25,7 @@ newtype TFrameWork =
|
|||||||
Flask() or
|
Flask() or
|
||||||
Django()
|
Django()
|
||||||
|
|
||||||
private module WebAppConstantSecretKeyConfig implements DataFlow::StateConfigSig {
|
module WebAppConstantSecretKeyConfig implements DataFlow::StateConfigSig {
|
||||||
class FlowState = TFrameWork;
|
class FlowState = TFrameWork;
|
||||||
|
|
||||||
predicate isSource(DataFlow::Node source, FlowState state) {
|
predicate isSource(DataFlow::Node source, FlowState state) {
|
||||||
@@ -54,11 +54,11 @@ private module WebAppConstantSecretKeyConfig implements DataFlow::StateConfigSig
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module WebAppConstantSecretKeyFlow = TaintTracking::GlobalWithState<WebAppConstantSecretKeyConfig>;
|
module WebAppConstantSecretKey = TaintTracking::GlobalWithState<WebAppConstantSecretKeyConfig>;
|
||||||
|
|
||||||
import WebAppConstantSecretKeyFlow::PathGraph
|
import WebAppConstantSecretKey::PathGraph
|
||||||
|
|
||||||
from WebAppConstantSecretKeyFlow::PathNode source, WebAppConstantSecretKeyFlow::PathNode sink
|
from WebAppConstantSecretKey::PathNode source, WebAppConstantSecretKey::PathNode sink
|
||||||
where WebAppConstantSecretKeyFlow::flowPath(source, sink)
|
where WebAppConstantSecretKey::flowPath(source, sink)
|
||||||
select sink, source, sink, "The SECRET_KEY config variable is assigned by $@.", source,
|
select sink, source, sink, "The SECRET_KEY config variable is assigned by $@.", source,
|
||||||
" this constant String"
|
" this constant String"
|
||||||
|
|||||||
@@ -96,7 +96,7 @@ newtype TAzureFlowState =
|
|||||||
MkUsesV1Encryption() or
|
MkUsesV1Encryption() or
|
||||||
MkUsesNoEncryption()
|
MkUsesNoEncryption()
|
||||||
|
|
||||||
private module AzureBlobClientConfig implements DataFlow::StateConfigSig {
|
module AzureBlobClientConfig implements DataFlow::StateConfigSig {
|
||||||
class FlowState = TAzureFlowState;
|
class FlowState = TAzureFlowState;
|
||||||
|
|
||||||
predicate isSource(DataFlow::Node node, FlowState state) {
|
predicate isSource(DataFlow::Node node, FlowState state) {
|
||||||
@@ -147,10 +147,10 @@ private module AzureBlobClientConfig implements DataFlow::StateConfigSig {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module AzureBlobClientFlow = DataFlow::GlobalWithState<AzureBlobClientConfig>;
|
module AzureBlobClient = DataFlow::GlobalWithState<AzureBlobClientConfig>;
|
||||||
|
|
||||||
import AzureBlobClientFlow::PathGraph
|
import AzureBlobClient::PathGraph
|
||||||
|
|
||||||
from AzureBlobClientFlow::PathNode source, AzureBlobClientFlow::PathNode sink
|
from AzureBlobClient::PathNode source, AzureBlobClient::PathNode sink
|
||||||
where AzureBlobClientFlow::flowPath(source, sink)
|
where AzureBlobClient::flowPath(source, sink)
|
||||||
select sink, source, sink, "Unsafe usage of v1 version of Azure Storage client-side encryption"
|
select sink, source, sink, "Unsafe usage of v1 version of Azure Storage client-side encryption"
|
||||||
|
|||||||
@@ -14,11 +14,11 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
import python
|
import python
|
||||||
import experimental.semmle.python.security.InsecureRandomness
|
import experimental.semmle.python.security.InsecureRandomness::InsecureRandomness
|
||||||
import semmle.python.dataflow.new.DataFlow
|
import semmle.python.dataflow.new.DataFlow
|
||||||
import InsecureRandomness::Flow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from InsecureRandomness::Flow::PathNode source, InsecureRandomness::Flow::PathNode sink
|
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
where InsecureRandomness::Flow::flowPath(source, sink)
|
where cfg.hasFlowPath(source, sink)
|
||||||
select sink.getNode(), source, sink, "Cryptographically insecure $@ in a security context.",
|
select sink.getNode(), source, sink, "Cryptographically insecure $@ in a security context.",
|
||||||
source.getNode(), "random value"
|
source.getNode(), "random value"
|
||||||
|
|||||||
@@ -16,6 +16,7 @@ import python
|
|||||||
import semmle.python.dataflow.new.DataFlow
|
import semmle.python.dataflow.new.DataFlow
|
||||||
import semmle.python.ApiGraphs
|
import semmle.python.ApiGraphs
|
||||||
import semmle.python.dataflow.new.TaintTracking
|
import semmle.python.dataflow.new.TaintTracking
|
||||||
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
class PredictableResultSource extends DataFlow::Node {
|
class PredictableResultSource extends DataFlow::Node {
|
||||||
PredictableResultSource() {
|
PredictableResultSource() {
|
||||||
@@ -39,12 +40,14 @@ class TokenAssignmentValueSink extends DataFlow::Node {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private module TokenBuiltFromUuidConfig implements DataFlow::ConfigSig {
|
class TokenBuiltFromUuidConfig extends TaintTracking::Configuration {
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof PredictableResultSource }
|
TokenBuiltFromUuidConfig() { this = "TokenBuiltFromUuidConfig" }
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof TokenAssignmentValueSink }
|
override predicate isSource(DataFlow::Node source) { source instanceof PredictableResultSource }
|
||||||
|
|
||||||
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
|
override predicate isSink(DataFlow::Node sink) { sink instanceof TokenAssignmentValueSink }
|
||||||
|
|
||||||
|
override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
|
||||||
exists(DataFlow::CallCfgNode call |
|
exists(DataFlow::CallCfgNode call |
|
||||||
call = API::builtin("str").getACall() and
|
call = API::builtin("str").getACall() and
|
||||||
nodeFrom = call.getArg(0) and
|
nodeFrom = call.getArg(0) and
|
||||||
@@ -53,11 +56,6 @@ private module TokenBuiltFromUuidConfig implements DataFlow::ConfigSig {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "TokenBuiltFromUUID" vulnerabilities. */
|
from DataFlow::PathNode source, DataFlow::PathNode sink, TokenBuiltFromUuidConfig config
|
||||||
module TokenBuiltFromUuidFlow = TaintTracking::Global<TokenBuiltFromUuidConfig>;
|
where config.hasFlowPath(source, sink)
|
||||||
|
|
||||||
import TokenBuiltFromUuidFlow::PathGraph
|
|
||||||
|
|
||||||
from TokenBuiltFromUuidFlow::PathNode source, TokenBuiltFromUuidFlow::PathNode sink
|
|
||||||
where TokenBuiltFromUuidFlow::flowPath(source, sink)
|
|
||||||
select sink.getNode(), source, sink, "Token built from $@.", source.getNode(), "predictable value"
|
select sink.getNode(), source, sink, "Token built from $@.", source.getNode(), "predictable value"
|
||||||
|
|||||||
@@ -16,19 +16,21 @@ import semmle.python.dataflow.new.DataFlow
|
|||||||
import semmle.python.dataflow.new.TaintTracking
|
import semmle.python.dataflow.new.TaintTracking
|
||||||
import semmle.python.ApiGraphs
|
import semmle.python.ApiGraphs
|
||||||
import ClientSuppliedIpUsedInSecurityCheckLib
|
import ClientSuppliedIpUsedInSecurityCheckLib
|
||||||
import ClientSuppliedIpUsedInSecurityCheckFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A taint-tracking configuration tracing flow from obtaining a client ip from an HTTP header to a sensitive use.
|
* A taint-tracking configuration tracing flow from obtaining a client ip from an HTTP header to a sensitive use.
|
||||||
*/
|
*/
|
||||||
private module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::ConfigSig {
|
class ClientSuppliedIpUsedInSecurityCheckConfig extends TaintTracking::Configuration {
|
||||||
predicate isSource(DataFlow::Node source) {
|
ClientSuppliedIpUsedInSecurityCheckConfig() { this = "ClientSuppliedIpUsedInSecurityCheckConfig" }
|
||||||
|
|
||||||
|
override predicate isSource(DataFlow::Node source) {
|
||||||
source instanceof ClientSuppliedIpUsedInSecurityCheck
|
source instanceof ClientSuppliedIpUsedInSecurityCheck
|
||||||
}
|
}
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof PossibleSecurityCheck }
|
override predicate isSink(DataFlow::Node sink) { sink instanceof PossibleSecurityCheck }
|
||||||
|
|
||||||
predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
|
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
|
||||||
exists(DataFlow::CallCfgNode ccn |
|
exists(DataFlow::CallCfgNode ccn |
|
||||||
ccn = API::moduleImport("netaddr").getMember("IPAddress").getACall() and
|
ccn = API::moduleImport("netaddr").getMember("IPAddress").getACall() and
|
||||||
ccn.getArg(0) = pred and
|
ccn.getArg(0) = pred and
|
||||||
@@ -36,7 +38,7 @@ private module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::Co
|
|||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) {
|
override predicate isSanitizer(DataFlow::Node node) {
|
||||||
// `client_supplied_ip.split(",")[n]` for `n` > 0
|
// `client_supplied_ip.split(",")[n]` for `n` > 0
|
||||||
exists(Subscript ss |
|
exists(Subscript ss |
|
||||||
not ss.getIndex().(IntegerLiteral).getText() = "0" and
|
not ss.getIndex().(IntegerLiteral).getText() = "0" and
|
||||||
@@ -47,13 +49,9 @@ private module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::Co
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "client ip used in security check" vulnerabilities. */
|
|
||||||
module ClientSuppliedIpUsedInSecurityCheckFlow =
|
|
||||||
TaintTracking::Global<ClientSuppliedIpUsedInSecurityCheckConfig>;
|
|
||||||
|
|
||||||
from
|
from
|
||||||
ClientSuppliedIpUsedInSecurityCheckFlow::PathNode source,
|
ClientSuppliedIpUsedInSecurityCheckConfig config, DataFlow::PathNode source,
|
||||||
ClientSuppliedIpUsedInSecurityCheckFlow::PathNode sink
|
DataFlow::PathNode sink
|
||||||
where ClientSuppliedIpUsedInSecurityCheckFlow::flowPath(source, sink)
|
where config.hasFlowPath(source, sink)
|
||||||
select sink.getNode(), source, sink, "IP address spoofing might include code from $@.",
|
select sink.getNode(), source, sink, "IP address spoofing might include code from $@.",
|
||||||
source.getNode(), "this user input"
|
source.getNode(), "this user input"
|
||||||
|
|||||||
@@ -12,9 +12,9 @@
|
|||||||
|
|
||||||
// determine precision above
|
// determine precision above
|
||||||
import python
|
import python
|
||||||
import experimental.semmle.python.security.LdapInsecureAuth
|
import DataFlow::PathGraph
|
||||||
import LdapInsecureAuthFlow::PathGraph
|
import experimental.semmle.python.security.LDAPInsecureAuth
|
||||||
|
|
||||||
from LdapInsecureAuthFlow::PathNode source, LdapInsecureAuthFlow::PathNode sink
|
from LdapInsecureAuthConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||||
where LdapInsecureAuthFlow::flowPath(source, sink)
|
where config.hasFlowPath(source, sink)
|
||||||
select sink.getNode(), source, sink, "This LDAP host is authenticated insecurely."
|
select sink.getNode(), source, sink, "This LDAP host is authenticated insecurely."
|
||||||
@@ -15,11 +15,13 @@ import semmle.python.dataflow.new.DataFlow
|
|||||||
import experimental.semmle.python.Concepts
|
import experimental.semmle.python.Concepts
|
||||||
import experimental.semmle.python.CookieHeader
|
import experimental.semmle.python.CookieHeader
|
||||||
import experimental.semmle.python.security.injection.CookieInjection
|
import experimental.semmle.python.security.injection.CookieInjection
|
||||||
import CookieInjectionFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
from CookieInjectionFlow::PathNode source, CookieInjectionFlow::PathNode sink, string insecure
|
from
|
||||||
|
CookieInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink,
|
||||||
|
string insecure
|
||||||
where
|
where
|
||||||
CookieInjectionFlow::flowPath(source, sink) and
|
config.hasFlowPath(source, sink) and
|
||||||
if exists(sink.getNode().(CookieSink))
|
if exists(sink.getNode().(CookieSink))
|
||||||
then insecure = ",and its " + sink.getNode().(CookieSink).getFlag() + " flag is not properly set."
|
then insecure = ",and its " + sink.getNode().(CookieSink).getFlag() + " flag is not properly set."
|
||||||
else insecure = "."
|
else insecure = "."
|
||||||
|
|||||||
@@ -39,8 +39,10 @@ class AllTarfileOpens extends API::CallNode {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module UnsafeUnpackConfig implements DataFlow::ConfigSig {
|
class UnsafeUnpackingConfig extends TaintTracking::Configuration {
|
||||||
predicate isSource(DataFlow::Node source) {
|
UnsafeUnpackingConfig() { this = "UnsafeUnpackingConfig" }
|
||||||
|
|
||||||
|
override predicate isSource(DataFlow::Node source) {
|
||||||
// A source coming from a remote location
|
// A source coming from a remote location
|
||||||
source instanceof RemoteFlowSource
|
source instanceof RemoteFlowSource
|
||||||
or
|
or
|
||||||
@@ -90,7 +92,7 @@ module UnsafeUnpackConfig implements DataFlow::ConfigSig {
|
|||||||
source.(AttrRead).getAttributeName() = "FILES"
|
source.(AttrRead).getAttributeName() = "FILES"
|
||||||
}
|
}
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) {
|
override predicate isSink(DataFlow::Node sink) {
|
||||||
(
|
(
|
||||||
// A sink capturing method calls to `unpack_archive`.
|
// A sink capturing method calls to `unpack_archive`.
|
||||||
sink = API::moduleImport("shutil").getMember("unpack_archive").getACall().getArg(0)
|
sink = API::moduleImport("shutil").getMember("unpack_archive").getACall().getArg(0)
|
||||||
@@ -134,7 +136,7 @@ module UnsafeUnpackConfig implements DataFlow::ConfigSig {
|
|||||||
not sink.getScope().getLocation().getFile().inStdlib()
|
not sink.getScope().getLocation().getFile().inStdlib()
|
||||||
}
|
}
|
||||||
|
|
||||||
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
|
override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
|
||||||
// Reading the response
|
// Reading the response
|
||||||
nodeTo.(MethodCallNode).calls(nodeFrom, "read")
|
nodeTo.(MethodCallNode).calls(nodeFrom, "read")
|
||||||
or
|
or
|
||||||
@@ -209,6 +211,3 @@ module UnsafeUnpackConfig implements DataFlow::ConfigSig {
|
|||||||
)
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "UnsafeUnpacking" vulnerabilities. */
|
|
||||||
module UnsafeUnpackFlow = TaintTracking::Global<UnsafeUnpackConfig>;
|
|
||||||
|
|||||||
@@ -2,7 +2,7 @@ private import python
|
|||||||
private import semmle.python.dataflow.new.DataFlow
|
private import semmle.python.dataflow.new.DataFlow
|
||||||
private import experimental.semmle.python.Concepts
|
private import experimental.semmle.python.Concepts
|
||||||
private import semmle.python.ApiGraphs
|
private import semmle.python.ApiGraphs
|
||||||
private import semmle.python.dataflow.new.TaintTracking
|
private import semmle.python.dataflow.new.TaintTracking2
|
||||||
|
|
||||||
module SmtpLib {
|
module SmtpLib {
|
||||||
/** Gets a reference to `smtplib.SMTP_SSL` */
|
/** Gets a reference to `smtplib.SMTP_SSL` */
|
||||||
@@ -31,16 +31,16 @@ module SmtpLib {
|
|||||||
* argument. Used because of the impossibility to get local source nodes from `_subparts`'
|
* argument. Used because of the impossibility to get local source nodes from `_subparts`'
|
||||||
* `(List|Tuple)` elements.
|
* `(List|Tuple)` elements.
|
||||||
*/
|
*/
|
||||||
private module SmtpMessageConfig implements DataFlow::ConfigSig {
|
private class SmtpMessageConfig extends TaintTracking2::Configuration {
|
||||||
predicate isSource(DataFlow::Node source) { source = mimeText(_) }
|
SmtpMessageConfig() { this = "SMTPMessageConfig" }
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) {
|
override predicate isSource(DataFlow::Node source) { source = mimeText(_) }
|
||||||
|
|
||||||
|
override predicate isSink(DataFlow::Node sink) {
|
||||||
sink = smtpMimeMultipartInstance().getACall().getArgByName("_subparts")
|
sink = smtpMimeMultipartInstance().getACall().getArgByName("_subparts")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module SmtpMessageFlow = TaintTracking::Global<SmtpMessageConfig>;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Using the `MimeText` call retrieves the content argument whose type argument equals `mimetype`.
|
* Using the `MimeText` call retrieves the content argument whose type argument equals `mimetype`.
|
||||||
* This call flows into `MIMEMultipart`'s `_subparts` argument or the `.attach()` method call
|
* This call flows into `MIMEMultipart`'s `_subparts` argument or the `.attach()` method call
|
||||||
@@ -87,7 +87,8 @@ module SmtpLib {
|
|||||||
sink =
|
sink =
|
||||||
[sendCall.getArg(2), sendCall.getArg(2).(DataFlow::MethodCallNode).getObject()]
|
[sendCall.getArg(2), sendCall.getArg(2).(DataFlow::MethodCallNode).getObject()]
|
||||||
.getALocalSource() and
|
.getALocalSource() and
|
||||||
SmtpMessageFlow::flow(source, sink.(DataFlow::CallCfgNode).getArgByName("_subparts"))
|
any(SmtpMessageConfig a)
|
||||||
|
.hasFlow(source, sink.(DataFlow::CallCfgNode).getArgByName("_subparts"))
|
||||||
or
|
or
|
||||||
// via .attach()
|
// via .attach()
|
||||||
sink = smtpMimeMultipartInstance().getReturn().getMember("attach").getACall() and
|
sink = smtpMimeMultipartInstance().getReturn().getMember("attach").getACall() and
|
||||||
|
|||||||
@@ -21,14 +21,17 @@ module InsecureRandomness {
|
|||||||
* A taint-tracking configuration for reasoning about random values that are
|
* A taint-tracking configuration for reasoning about random values that are
|
||||||
* not cryptographically secure.
|
* not cryptographically secure.
|
||||||
*/
|
*/
|
||||||
private module Config implements DataFlow::ConfigSig {
|
class Configuration extends TaintTracking::Configuration {
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
Configuration() { this = "InsecureRandomness" }
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||||
|
|
||||||
|
override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
|
||||||
|
|
||||||
|
deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
|
||||||
|
guard instanceof SanitizerGuard
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "random values that are not cryptographically secure" vulnerabilities. */
|
|
||||||
module Flow = TaintTracking::Global<Config>;
|
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -88,8 +88,10 @@ class LdapStringVar extends BinaryExpr {
|
|||||||
/**
|
/**
|
||||||
* A taint-tracking configuration for detecting LDAP insecure authentications.
|
* A taint-tracking configuration for detecting LDAP insecure authentications.
|
||||||
*/
|
*/
|
||||||
private module LdapInsecureAuthConfig implements DataFlow::ConfigSig {
|
class LdapInsecureAuthConfig extends TaintTracking::Configuration {
|
||||||
predicate isSource(DataFlow::Node source) {
|
LdapInsecureAuthConfig() { this = "LDAPInsecureAuthConfig" }
|
||||||
|
|
||||||
|
override predicate isSource(DataFlow::Node source) {
|
||||||
source instanceof RemoteFlowSource or
|
source instanceof RemoteFlowSource or
|
||||||
source.asExpr() instanceof LdapFullHost or
|
source.asExpr() instanceof LdapFullHost or
|
||||||
source.asExpr() instanceof LdapBothStrings or
|
source.asExpr() instanceof LdapBothStrings or
|
||||||
@@ -98,10 +100,7 @@ private module LdapInsecureAuthConfig implements DataFlow::ConfigSig {
|
|||||||
source.asExpr() instanceof LdapStringVar
|
source.asExpr() instanceof LdapStringVar
|
||||||
}
|
}
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) {
|
override predicate isSink(DataFlow::Node sink) {
|
||||||
exists(LdapBind ldapBind | not ldapBind.useSsl() and sink = ldapBind.getHost())
|
exists(LdapBind ldapBind | not ldapBind.useSsl() and sink = ldapBind.getHost())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "LDAP insecure authentications" vulnerabilities. */
|
|
||||||
module LdapInsecureAuthFlow = TaintTracking::Global<LdapInsecureAuthConfig>;
|
|
||||||
@@ -1,6 +1,8 @@
|
|||||||
private import python
|
private import python
|
||||||
|
private import semmle.python.dataflow.new.TaintTracking2
|
||||||
private import semmle.python.dataflow.new.TaintTracking
|
private import semmle.python.dataflow.new.TaintTracking
|
||||||
private import semmle.python.dataflow.new.DataFlow
|
private import semmle.python.dataflow.new.DataFlow
|
||||||
|
private import semmle.python.dataflow.new.DataFlow2
|
||||||
private import semmle.python.ApiGraphs
|
private import semmle.python.ApiGraphs
|
||||||
private import semmle.python.dataflow.new.RemoteFlowSources
|
private import semmle.python.dataflow.new.RemoteFlowSources
|
||||||
private import semmle.python.frameworks.Flask
|
private import semmle.python.frameworks.Flask
|
||||||
@@ -162,7 +164,9 @@ class NonConstantTimeComparisonSink extends DataFlow::Node {
|
|||||||
|
|
||||||
/** Holds if remote user input was used in the comparison. */
|
/** Holds if remote user input was used in the comparison. */
|
||||||
predicate includesUserInput() {
|
predicate includesUserInput() {
|
||||||
UserInputInComparisonFlow::flowTo(DataFlow::exprNode(anotherParameter))
|
exists(UserInputInComparisonConfig config |
|
||||||
|
config.hasFlowTo(DataFlow2::exprNode(anotherParameter))
|
||||||
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -173,7 +177,9 @@ class SecretSource extends DataFlow::Node {
|
|||||||
SecretSource() { secret = this.asExpr() }
|
SecretSource() { secret = this.asExpr() }
|
||||||
|
|
||||||
/** Holds if the secret was deliverd by remote user. */
|
/** Holds if the secret was deliverd by remote user. */
|
||||||
predicate includesUserInput() { UserInputSecretFlow::flowTo(DataFlow::exprNode(secret)) }
|
predicate includesUserInput() {
|
||||||
|
exists(UserInputSecretConfig config | config.hasFlowTo(DataFlow2::exprNode(secret)))
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/** A string for `match` that identifies strings that look like they represent secret data. */
|
/** A string for `match` that identifies strings that look like they represent secret data. */
|
||||||
@@ -261,21 +267,23 @@ private string sensitiveheaders() {
|
|||||||
/**
|
/**
|
||||||
* A config that tracks data flow from remote user input to Variable that hold sensitive info
|
* A config that tracks data flow from remote user input to Variable that hold sensitive info
|
||||||
*/
|
*/
|
||||||
module UserInputSecretConfig implements DataFlow::ConfigSig {
|
class UserInputSecretConfig extends TaintTracking::Configuration {
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
UserInputSecretConfig() { this = "UserInputSecretConfig" }
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof CredentialExpr }
|
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||||
|
|
||||||
|
override predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof CredentialExpr }
|
||||||
}
|
}
|
||||||
|
|
||||||
module UserInputSecretFlow = TaintTracking::Global<UserInputSecretConfig>;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A config that tracks data flow from remote user input to Equality test
|
* A config that tracks data flow from remote user input to Equality test
|
||||||
*/
|
*/
|
||||||
module UserInputInComparisonConfig implements DataFlow::ConfigSig {
|
class UserInputInComparisonConfig extends TaintTracking2::Configuration {
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
UserInputInComparisonConfig() { this = "UserInputInComparisonConfig" }
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) {
|
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||||
|
|
||||||
|
override predicate isSink(DataFlow::Node sink) {
|
||||||
exists(Compare cmp, Expr left, Expr right, Cmpop cmpop |
|
exists(Compare cmp, Expr left, Expr right, Cmpop cmpop |
|
||||||
cmpop.getSymbol() = ["==", "in", "is not", "!="] and
|
cmpop.getSymbol() = ["==", "in", "is not", "!="] and
|
||||||
cmp.compares(left, cmpop, right) and
|
cmp.compares(left, cmpop, right) and
|
||||||
@@ -284,15 +292,15 @@ module UserInputInComparisonConfig implements DataFlow::ConfigSig {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module UserInputInComparisonFlow = TaintTracking::Global<UserInputInComparisonConfig>;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A configuration tracing flow from a client Secret obtained by an HTTP header to a len() function.
|
* A configuration tracing flow from a client Secret obtained by an HTTP header to a len() function.
|
||||||
*/
|
*/
|
||||||
private module ExcludeLenFuncConfig implements DataFlow::ConfigSig {
|
private class ExcludeLenFunc extends TaintTracking2::Configuration {
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof ClientSuppliedSecret }
|
ExcludeLenFunc() { this = "ExcludeLenFunc" }
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) {
|
override predicate isSource(DataFlow::Node source) { source instanceof ClientSuppliedSecret }
|
||||||
|
|
||||||
|
override predicate isSink(DataFlow::Node sink) {
|
||||||
exists(Call call |
|
exists(Call call |
|
||||||
call.getFunc().(Name).getId() = "len" and
|
call.getFunc().(Name).getId() = "len" and
|
||||||
sink.asExpr() = call.getArg(0)
|
sink.asExpr() = call.getArg(0)
|
||||||
@@ -300,8 +308,6 @@ private module ExcludeLenFuncConfig implements DataFlow::ConfigSig {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module ExcludeLenFuncFlow = TaintTracking::Global<ExcludeLenFuncConfig>;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds if there is a fast-fail check.
|
* Holds if there is a fast-fail check.
|
||||||
*/
|
*/
|
||||||
@@ -337,7 +343,8 @@ class CompareSink extends DataFlow::Node {
|
|||||||
* Holds if there is a flow to len().
|
* Holds if there is a flow to len().
|
||||||
*/
|
*/
|
||||||
predicate flowtolen() {
|
predicate flowtolen() {
|
||||||
// TODO: Fly by comment: I don't understand this code at all, seems very strange.
|
exists(ExcludeLenFunc config, DataFlow2::PathNode source, DataFlow2::PathNode sink |
|
||||||
ExcludeLenFuncFlow::flowPath(_, _)
|
config.hasFlowPath(source, sink)
|
||||||
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -4,8 +4,10 @@ import semmle.python.dataflow.new.DataFlow
|
|||||||
import semmle.python.ApiGraphs
|
import semmle.python.ApiGraphs
|
||||||
import semmle.python.dataflow.new.TaintTracking
|
import semmle.python.dataflow.new.TaintTracking
|
||||||
|
|
||||||
private module ZipSlipConfig implements DataFlow::ConfigSig {
|
class ZipSlipConfig extends TaintTracking::Configuration {
|
||||||
predicate isSource(DataFlow::Node source) {
|
ZipSlipConfig() { this = "ZipSlipConfig" }
|
||||||
|
|
||||||
|
override predicate isSource(DataFlow::Node source) {
|
||||||
(
|
(
|
||||||
source =
|
source =
|
||||||
API::moduleImport("zipfile").getMember("ZipFile").getReturn().getMember("open").getACall() or
|
API::moduleImport("zipfile").getMember("ZipFile").getReturn().getMember("open").getACall() or
|
||||||
@@ -27,7 +29,7 @@ private module ZipSlipConfig implements DataFlow::ConfigSig {
|
|||||||
not source.getScope().getLocation().getFile().inStdlib()
|
not source.getScope().getLocation().getFile().inStdlib()
|
||||||
}
|
}
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) {
|
override predicate isSink(DataFlow::Node sink) {
|
||||||
(
|
(
|
||||||
sink = any(CopyFile copyfile).getAPathArgument() or
|
sink = any(CopyFile copyfile).getAPathArgument() or
|
||||||
sink = any(CopyFile copyfile).getfsrcArgument()
|
sink = any(CopyFile copyfile).getfsrcArgument()
|
||||||
@@ -35,6 +37,3 @@ private module ZipSlipConfig implements DataFlow::ConfigSig {
|
|||||||
not sink.getScope().getLocation().getFile().inStdlib()
|
not sink.getScope().getLocation().getFile().inStdlib()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "zip slip" vulnerabilities. */
|
|
||||||
module ZipSlipFlow = TaintTracking::Global<ZipSlipConfig>;
|
|
||||||
|
|||||||
@@ -1,5 +1,6 @@
|
|||||||
/**
|
/**
|
||||||
* Provides a taint-tracking configuration for detecting "Email XSS" vulnerabilities.
|
* Provides a taint-tracking configuration for detecting reflected server-side
|
||||||
|
* cross-site scripting vulnerabilities.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
import python
|
import python
|
||||||
@@ -11,18 +12,24 @@ import experimental.semmle.python.Concepts
|
|||||||
import semmle.python.Concepts
|
import semmle.python.Concepts
|
||||||
import semmle.python.ApiGraphs
|
import semmle.python.ApiGraphs
|
||||||
|
|
||||||
private module EmailXssConfig implements DataFlow::ConfigSig {
|
/**
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
* A taint-tracking configuration for detecting reflected server-side cross-site
|
||||||
|
* scripting vulnerabilities.
|
||||||
|
*/
|
||||||
|
class ReflectedXssConfiguration extends TaintTracking::Configuration {
|
||||||
|
ReflectedXssConfiguration() { this = "ReflectedXssConfiguration" }
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink = any(EmailSender email).getHtmlBody() }
|
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node sanitizer) {
|
override predicate isSink(DataFlow::Node sink) { sink = any(EmailSender email).getHtmlBody() }
|
||||||
|
|
||||||
|
override predicate isSanitizer(DataFlow::Node sanitizer) {
|
||||||
sanitizer = any(HtmlEscaping esc).getOutput()
|
sanitizer = any(HtmlEscaping esc).getOutput()
|
||||||
or
|
or
|
||||||
sanitizer instanceof StringConstCompareBarrier
|
sanitizer instanceof StringConstCompareBarrier
|
||||||
}
|
}
|
||||||
|
|
||||||
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
|
override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
|
||||||
exists(DataFlow::CallCfgNode htmlContentCall |
|
exists(DataFlow::CallCfgNode htmlContentCall |
|
||||||
htmlContentCall =
|
htmlContentCall =
|
||||||
API::moduleImport("sendgrid")
|
API::moduleImport("sendgrid")
|
||||||
@@ -35,6 +42,3 @@ private module EmailXssConfig implements DataFlow::ConfigSig {
|
|||||||
)
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "Email XSS" vulnerabilities. */
|
|
||||||
module EmailXssFlow = TaintTracking::Global<EmailXssConfig>;
|
|
||||||
@@ -29,13 +29,12 @@ class CookieSink extends DataFlow::Node {
|
|||||||
/**
|
/**
|
||||||
* A taint-tracking configuration for detecting Cookie injections.
|
* A taint-tracking configuration for detecting Cookie injections.
|
||||||
*/
|
*/
|
||||||
private module CookieInjectionConfig implements DataFlow::ConfigSig {
|
class CookieInjectionFlowConfig extends TaintTracking::Configuration {
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
CookieInjectionFlowConfig() { this = "CookieInjectionFlowConfig" }
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) {
|
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||||
|
|
||||||
|
override predicate isSink(DataFlow::Node sink) {
|
||||||
exists(Cookie c | sink in [c.getNameArg(), c.getValueArg()])
|
exists(Cookie c | sink in [c.getNameArg(), c.getValueArg()])
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "Cookie injections" vulnerabilities. */
|
|
||||||
module CookieInjectionFlow = TaintTracking::Global<CookieInjectionConfig>;
|
|
||||||
|
|||||||
@@ -8,12 +8,14 @@ import semmle.python.dataflow.new.RemoteFlowSources
|
|||||||
/**
|
/**
|
||||||
* A taint-tracking configuration for tracking untrusted user input used in file read.
|
* A taint-tracking configuration for tracking untrusted user input used in file read.
|
||||||
*/
|
*/
|
||||||
private module CsvInjectionConfig implements DataFlow::ConfigSig {
|
class CsvInjectionFlowConfig extends TaintTracking::Configuration {
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
CsvInjectionFlowConfig() { this = "CsvInjectionFlowConfig" }
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink = any(CsvWriter cw).getAnInput() }
|
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node) {
|
override predicate isSink(DataFlow::Node sink) { sink = any(CsvWriter cw).getAnInput() }
|
||||||
|
|
||||||
|
override predicate isSanitizer(DataFlow::Node node) {
|
||||||
node = DataFlow::BarrierGuard<startsWithCheck/3>::getABarrierNode() or
|
node = DataFlow::BarrierGuard<startsWithCheck/3>::getABarrierNode() or
|
||||||
node instanceof StringConstCompareBarrier
|
node instanceof StringConstCompareBarrier
|
||||||
}
|
}
|
||||||
@@ -27,6 +29,3 @@ private predicate startsWithCheck(DataFlow::GuardNode g, ControlFlowNode node, b
|
|||||||
branch = true
|
branch = true
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "CSV injection" vulnerabilities. */
|
|
||||||
module CsvInjectionFlow = TaintTracking::Global<CsvInjectionConfig>;
|
|
||||||
|
|||||||
@@ -7,15 +7,14 @@ import semmle.python.dataflow.new.RemoteFlowSources
|
|||||||
/**
|
/**
|
||||||
* A taint-tracking configuration for detecting HTTP Header injections.
|
* A taint-tracking configuration for detecting HTTP Header injections.
|
||||||
*/
|
*/
|
||||||
private module HeaderInjectionConfig implements DataFlow::ConfigSig {
|
class HeaderInjectionFlowConfig extends TaintTracking::Configuration {
|
||||||
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
HeaderInjectionFlowConfig() { this = "HeaderInjectionFlowConfig" }
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) {
|
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||||
|
|
||||||
|
override predicate isSink(DataFlow::Node sink) {
|
||||||
exists(HeaderDeclaration headerDeclaration |
|
exists(HeaderDeclaration headerDeclaration |
|
||||||
sink in [headerDeclaration.getNameArg(), headerDeclaration.getValueArg()]
|
sink in [headerDeclaration.getNameArg(), headerDeclaration.getValueArg()]
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Global taint-tracking for detecting "HTTP Header injection" vulnerabilities. */
|
|
||||||
module HeaderInjectionFlow = TaintTracking::Global<HeaderInjectionConfig>;
|
|
||||||
|
|||||||
@@ -16,11 +16,9 @@ module ModificationOfParameterWithDefault {
|
|||||||
import ModificationOfParameterWithDefaultCustomizations::ModificationOfParameterWithDefault
|
import ModificationOfParameterWithDefaultCustomizations::ModificationOfParameterWithDefault
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `Flow` module instead.
|
|
||||||
*
|
|
||||||
* A data-flow configuration for detecting modifications of a parameters default value.
|
* A data-flow configuration for detecting modifications of a parameters default value.
|
||||||
*/
|
*/
|
||||||
deprecated class Configuration extends DataFlow::Configuration {
|
class Configuration extends DataFlow::Configuration {
|
||||||
/** Record whether the default value being tracked is non-empty. */
|
/** Record whether the default value being tracked is non-empty. */
|
||||||
boolean nonEmptyDefault;
|
boolean nonEmptyDefault;
|
||||||
|
|
||||||
@@ -45,33 +43,4 @@ module ModificationOfParameterWithDefault {
|
|||||||
nonEmptyDefault = false and node instanceof MustBeNonEmpty
|
nonEmptyDefault = false and node instanceof MustBeNonEmpty
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private module Config implements DataFlow::StateConfigSig {
|
|
||||||
class FlowState = boolean;
|
|
||||||
|
|
||||||
predicate isSource(DataFlow::Node source, FlowState state) {
|
|
||||||
source.(Source).isNonEmpty() = state
|
|
||||||
}
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink, FlowState state) {
|
|
||||||
// dummy implementation since this predicate is required, but actual logic is in
|
|
||||||
// the predicate above.
|
|
||||||
none()
|
|
||||||
}
|
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node node, FlowState state) {
|
|
||||||
// if we are tracking a non-empty default, then it is ok to modify empty values,
|
|
||||||
// so our tracking ends at those.
|
|
||||||
state = true and node instanceof MustBeEmpty
|
|
||||||
or
|
|
||||||
// if we are tracking a empty default, then it is ok to modify non-empty values,
|
|
||||||
// so our tracking ends at those.
|
|
||||||
state = false and node instanceof MustBeNonEmpty
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Global data-flow for detecting modifications of a parameters default value. */
|
|
||||||
module Flow = DataFlow::GlobalWithState<Config>;
|
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -33,8 +33,7 @@ edges
|
|||||||
| TarSlipImprov.py:141:34:141:36 | GSSA Variable tar | TarSlipImprov.py:142:9:142:13 | GSSA Variable entry |
|
| TarSlipImprov.py:141:34:141:36 | GSSA Variable tar | TarSlipImprov.py:142:9:142:13 | GSSA Variable entry |
|
||||||
| TarSlipImprov.py:142:9:142:13 | GSSA Variable entry | TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry |
|
| TarSlipImprov.py:142:9:142:13 | GSSA Variable entry | TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry |
|
||||||
| TarSlipImprov.py:159:9:159:14 | SSA variable tar_cm | TarSlipImprov.py:162:20:162:23 | SSA variable tarc |
|
| TarSlipImprov.py:159:9:159:14 | SSA variable tar_cm | TarSlipImprov.py:162:20:162:23 | SSA variable tarc |
|
||||||
| TarSlipImprov.py:159:18:159:52 | ControlFlowNode for closing() | TarSlipImprov.py:159:9:159:14 | SSA variable tar_cm |
|
| TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:159:9:159:14 | SSA variable tar_cm |
|
||||||
| TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:159:18:159:52 | ControlFlowNode for closing() |
|
|
||||||
| TarSlipImprov.py:162:20:162:23 | SSA variable tarc | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc |
|
| TarSlipImprov.py:162:20:162:23 | SSA variable tarc | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc |
|
||||||
| TarSlipImprov.py:176:6:176:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:176:36:176:38 | GSSA Variable tar |
|
| TarSlipImprov.py:176:6:176:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:176:36:176:38 | GSSA Variable tar |
|
||||||
| TarSlipImprov.py:176:36:176:38 | GSSA Variable tar | TarSlipImprov.py:177:9:177:13 | GSSA Variable entry |
|
| TarSlipImprov.py:176:36:176:38 | GSSA Variable tar | TarSlipImprov.py:177:9:177:13 | GSSA Variable entry |
|
||||||
@@ -123,7 +122,6 @@ nodes
|
|||||||
| TarSlipImprov.py:142:9:142:13 | GSSA Variable entry | semmle.label | GSSA Variable entry |
|
| TarSlipImprov.py:142:9:142:13 | GSSA Variable entry | semmle.label | GSSA Variable entry |
|
||||||
| TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry |
|
| TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry |
|
||||||
| TarSlipImprov.py:159:9:159:14 | SSA variable tar_cm | semmle.label | SSA variable tar_cm |
|
| TarSlipImprov.py:159:9:159:14 | SSA variable tar_cm | semmle.label | SSA variable tar_cm |
|
||||||
| TarSlipImprov.py:159:18:159:52 | ControlFlowNode for closing() | semmle.label | ControlFlowNode for closing() |
|
|
||||||
| TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
| TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||||
| TarSlipImprov.py:162:20:162:23 | SSA variable tarc | semmle.label | SSA variable tarc |
|
| TarSlipImprov.py:162:20:162:23 | SSA variable tarc | semmle.label | SSA variable tarc |
|
||||||
| TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | semmle.label | ControlFlowNode for tarc |
|
| TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | semmle.label | ControlFlowNode for tarc |
|
||||||
|
|||||||
@@ -1,3 +1,3 @@
|
|||||||
missingAnnotationOnSink
|
missingAnnotationOnSink
|
||||||
testFailures
|
|
||||||
failures
|
failures
|
||||||
|
testFailures
|
||||||
|
|||||||
@@ -1,4 +1,4 @@
|
|||||||
import python
|
import python
|
||||||
import experimental.dataflow.TestUtil.DataflowQueryTest
|
import experimental.dataflow.TestUtil.DataflowQueryTest
|
||||||
import experimental.Security.UnsafeUnpackQuery
|
import experimental.Security.UnsafeUnpackQuery
|
||||||
import FromTaintTrackingConfig<UnsafeUnpackConfig>
|
import FromLegacyConfiguration<UnsafeUnpackingConfig>
|
||||||
|
|||||||
@@ -1,86 +1,43 @@
|
|||||||
edges
|
edges
|
||||||
| UnsafeUnpack.py:5:26:5:32 | ControlFlowNode for ImportMember | UnsafeUnpack.py:5:26:5:32 | GSSA Variable request |
|
| UnsafeUnpack.py:5:26:5:32 | ControlFlowNode for ImportMember | UnsafeUnpack.py:5:26:5:32 | GSSA Variable request |
|
||||||
| UnsafeUnpack.py:5:26:5:32 | GSSA Variable request | UnsafeUnpack.py:11:18:11:24 | ControlFlowNode for request |
|
| UnsafeUnpack.py:5:26:5:32 | GSSA Variable request | UnsafeUnpack.py:11:18:11:24 | ControlFlowNode for request |
|
||||||
| UnsafeUnpack.py:11:7:11:14 | SSA variable filename | UnsafeUnpack.py:13:24:13:58 | ControlFlowNode for Attribute() |
|
| UnsafeUnpack.py:11:7:11:14 | SSA variable filename | UnsafeUnpack.py:13:13:13:20 | SSA variable response |
|
||||||
|
| UnsafeUnpack.py:11:18:11:24 | ControlFlowNode for request | UnsafeUnpack.py:11:7:11:14 | SSA variable filename |
|
||||||
| UnsafeUnpack.py:11:18:11:24 | ControlFlowNode for request | UnsafeUnpack.py:11:18:11:29 | ControlFlowNode for Attribute |
|
| UnsafeUnpack.py:11:18:11:24 | ControlFlowNode for request | UnsafeUnpack.py:11:18:11:29 | ControlFlowNode for Attribute |
|
||||||
| UnsafeUnpack.py:11:18:11:29 | ControlFlowNode for Attribute | UnsafeUnpack.py:11:18:11:49 | ControlFlowNode for Attribute() |
|
| UnsafeUnpack.py:11:18:11:29 | ControlFlowNode for Attribute | UnsafeUnpack.py:11:18:11:49 | ControlFlowNode for Attribute() |
|
||||||
| UnsafeUnpack.py:11:18:11:49 | ControlFlowNode for Attribute() | UnsafeUnpack.py:11:7:11:14 | SSA variable filename |
|
| UnsafeUnpack.py:11:18:11:49 | ControlFlowNode for Attribute() | UnsafeUnpack.py:11:7:11:14 | SSA variable filename |
|
||||||
| UnsafeUnpack.py:13:13:13:20 | SSA variable response | UnsafeUnpack.py:17:27:17:34 | ControlFlowNode for response |
|
| UnsafeUnpack.py:13:13:13:20 | SSA variable response | UnsafeUnpack.py:19:35:19:41 | ControlFlowNode for tarpath |
|
||||||
| UnsafeUnpack.py:13:24:13:58 | ControlFlowNode for Attribute() | UnsafeUnpack.py:13:13:13:20 | SSA variable response |
|
|
||||||
| UnsafeUnpack.py:16:23:16:29 | ControlFlowNode for tarpath | UnsafeUnpack.py:19:35:19:41 | ControlFlowNode for tarpath |
|
|
||||||
| UnsafeUnpack.py:17:19:17:19 | ControlFlowNode for f | UnsafeUnpack.py:16:23:16:29 | ControlFlowNode for tarpath |
|
|
||||||
| UnsafeUnpack.py:17:27:17:34 | ControlFlowNode for response | UnsafeUnpack.py:17:27:17:38 | ControlFlowNode for Attribute |
|
|
||||||
| UnsafeUnpack.py:17:27:17:38 | ControlFlowNode for Attribute | UnsafeUnpack.py:17:27:17:45 | ControlFlowNode for Attribute() |
|
|
||||||
| UnsafeUnpack.py:17:27:17:45 | ControlFlowNode for Attribute() | UnsafeUnpack.py:17:19:17:19 | ControlFlowNode for f |
|
|
||||||
| UnsafeUnpack.py:33:50:33:65 | ControlFlowNode for local_ziped_path | UnsafeUnpack.py:34:23:34:38 | ControlFlowNode for local_ziped_path |
|
| UnsafeUnpack.py:33:50:33:65 | ControlFlowNode for local_ziped_path | UnsafeUnpack.py:34:23:34:38 | ControlFlowNode for local_ziped_path |
|
||||||
| UnsafeUnpack.py:47:20:47:34 | ControlFlowNode for compressed_file | UnsafeUnpack.py:48:23:48:37 | ControlFlowNode for compressed_file |
|
| UnsafeUnpack.py:47:20:47:34 | ControlFlowNode for compressed_file | UnsafeUnpack.py:48:23:48:37 | ControlFlowNode for compressed_file |
|
||||||
| UnsafeUnpack.py:51:1:51:15 | GSSA Variable compressed_file | UnsafeUnpack.py:52:23:52:37 | ControlFlowNode for compressed_file |
|
| UnsafeUnpack.py:51:1:51:15 | GSSA Variable compressed_file | UnsafeUnpack.py:52:23:52:37 | ControlFlowNode for compressed_file |
|
||||||
| UnsafeUnpack.py:51:19:51:36 | ControlFlowNode for Attribute() | UnsafeUnpack.py:51:1:51:15 | GSSA Variable compressed_file |
|
| UnsafeUnpack.py:51:19:51:36 | ControlFlowNode for Attribute() | UnsafeUnpack.py:51:1:51:15 | GSSA Variable compressed_file |
|
||||||
| UnsafeUnpack.py:65:1:65:15 | GSSA Variable compressed_file | UnsafeUnpack.py:66:23:66:37 | ControlFlowNode for compressed_file |
|
| UnsafeUnpack.py:65:1:65:15 | GSSA Variable compressed_file | UnsafeUnpack.py:66:23:66:37 | ControlFlowNode for compressed_file |
|
||||||
| UnsafeUnpack.py:65:19:65:31 | ControlFlowNode for Attribute | UnsafeUnpack.py:65:1:65:15 | GSSA Variable compressed_file |
|
| UnsafeUnpack.py:65:19:65:31 | ControlFlowNode for Attribute | UnsafeUnpack.py:65:1:65:15 | GSSA Variable compressed_file |
|
||||||
| UnsafeUnpack.py:79:1:79:12 | GSSA Variable url_filename | UnsafeUnpack.py:81:12:81:50 | ControlFlowNode for Attribute() |
|
| UnsafeUnpack.py:79:1:79:12 | GSSA Variable url_filename | UnsafeUnpack.py:81:1:81:8 | GSSA Variable response |
|
||||||
| UnsafeUnpack.py:79:1:79:12 | GSSA Variable url_filename | UnsafeUnpack.py:171:12:171:50 | ControlFlowNode for Attribute() |
|
| UnsafeUnpack.py:79:1:79:12 | GSSA Variable url_filename | UnsafeUnpack.py:171:1:171:8 | GSSA Variable response |
|
||||||
| UnsafeUnpack.py:79:16:79:28 | ControlFlowNode for Attribute | UnsafeUnpack.py:79:1:79:12 | GSSA Variable url_filename |
|
| UnsafeUnpack.py:79:16:79:28 | ControlFlowNode for Attribute | UnsafeUnpack.py:79:1:79:12 | GSSA Variable url_filename |
|
||||||
| UnsafeUnpack.py:81:1:81:8 | GSSA Variable response | UnsafeUnpack.py:85:15:85:22 | ControlFlowNode for response |
|
| UnsafeUnpack.py:81:1:81:8 | GSSA Variable response | UnsafeUnpack.py:87:23:87:29 | ControlFlowNode for tarpath |
|
||||||
| UnsafeUnpack.py:81:12:81:50 | ControlFlowNode for Attribute() | UnsafeUnpack.py:81:1:81:8 | GSSA Variable response |
|
| UnsafeUnpack.py:103:23:103:27 | SSA variable chunk | UnsafeUnpack.py:105:35:105:42 | ControlFlowNode for savepath |
|
||||||
| UnsafeUnpack.py:84:11:84:17 | ControlFlowNode for tarpath | UnsafeUnpack.py:87:23:87:29 | ControlFlowNode for tarpath |
|
| UnsafeUnpack.py:103:32:103:44 | ControlFlowNode for Attribute | UnsafeUnpack.py:103:23:103:27 | SSA variable chunk |
|
||||||
| UnsafeUnpack.py:85:7:85:7 | ControlFlowNode for f | UnsafeUnpack.py:84:11:84:17 | ControlFlowNode for tarpath |
|
| UnsafeUnpack.py:108:13:108:18 | SSA variable myfile | UnsafeUnpack.py:112:35:112:43 | ControlFlowNode for file_path |
|
||||||
| UnsafeUnpack.py:85:15:85:22 | ControlFlowNode for response | UnsafeUnpack.py:85:15:85:26 | ControlFlowNode for Attribute |
|
| UnsafeUnpack.py:108:22:108:34 | ControlFlowNode for Attribute | UnsafeUnpack.py:108:13:108:18 | SSA variable myfile |
|
||||||
| UnsafeUnpack.py:85:15:85:26 | ControlFlowNode for Attribute | UnsafeUnpack.py:85:15:85:33 | ControlFlowNode for Attribute() |
|
|
||||||
| UnsafeUnpack.py:85:15:85:33 | ControlFlowNode for Attribute() | UnsafeUnpack.py:85:7:85:7 | ControlFlowNode for f |
|
|
||||||
| UnsafeUnpack.py:102:23:102:30 | ControlFlowNode for savepath | UnsafeUnpack.py:105:35:105:42 | ControlFlowNode for savepath |
|
|
||||||
| UnsafeUnpack.py:103:23:103:27 | SSA variable chunk | UnsafeUnpack.py:104:37:104:41 | ControlFlowNode for chunk |
|
|
||||||
| UnsafeUnpack.py:103:32:103:44 | ControlFlowNode for Attribute | UnsafeUnpack.py:103:32:103:54 | ControlFlowNode for Subscript |
|
|
||||||
| UnsafeUnpack.py:103:32:103:54 | ControlFlowNode for Subscript | UnsafeUnpack.py:103:32:103:63 | ControlFlowNode for Attribute() |
|
|
||||||
| UnsafeUnpack.py:103:32:103:63 | ControlFlowNode for Attribute() | UnsafeUnpack.py:103:23:103:27 | SSA variable chunk |
|
|
||||||
| UnsafeUnpack.py:104:25:104:29 | ControlFlowNode for wfile | UnsafeUnpack.py:102:23:102:30 | ControlFlowNode for savepath |
|
|
||||||
| UnsafeUnpack.py:104:37:104:41 | ControlFlowNode for chunk | UnsafeUnpack.py:104:25:104:29 | ControlFlowNode for wfile |
|
|
||||||
| UnsafeUnpack.py:108:13:108:18 | SSA variable myfile | UnsafeUnpack.py:111:27:111:32 | ControlFlowNode for myfile |
|
|
||||||
| UnsafeUnpack.py:108:22:108:34 | ControlFlowNode for Attribute | UnsafeUnpack.py:108:22:108:48 | ControlFlowNode for Attribute() |
|
| UnsafeUnpack.py:108:22:108:34 | ControlFlowNode for Attribute | UnsafeUnpack.py:108:22:108:48 | ControlFlowNode for Attribute() |
|
||||||
| UnsafeUnpack.py:108:22:108:48 | ControlFlowNode for Attribute() | UnsafeUnpack.py:108:13:108:18 | SSA variable myfile |
|
| UnsafeUnpack.py:108:22:108:48 | ControlFlowNode for Attribute() | UnsafeUnpack.py:108:13:108:18 | SSA variable myfile |
|
||||||
| UnsafeUnpack.py:110:18:110:26 | ControlFlowNode for file_path | UnsafeUnpack.py:112:35:112:43 | ControlFlowNode for file_path |
|
| UnsafeUnpack.py:116:17:116:21 | SSA variable ufile | UnsafeUnpack.py:118:19:118:26 | SSA variable filename |
|
||||||
| UnsafeUnpack.py:111:19:111:19 | ControlFlowNode for f | UnsafeUnpack.py:110:18:110:26 | ControlFlowNode for file_path |
|
| UnsafeUnpack.py:116:27:116:39 | ControlFlowNode for Attribute | UnsafeUnpack.py:116:17:116:21 | SSA variable ufile |
|
||||||
| UnsafeUnpack.py:111:27:111:32 | ControlFlowNode for myfile | UnsafeUnpack.py:111:27:111:39 | ControlFlowNode for Attribute() |
|
| UnsafeUnpack.py:118:19:118:26 | SSA variable filename | UnsafeUnpack.py:119:19:119:36 | SSA variable uploaded_file_path |
|
||||||
| UnsafeUnpack.py:111:27:111:39 | ControlFlowNode for Attribute() | UnsafeUnpack.py:111:19:111:19 | ControlFlowNode for f |
|
|
||||||
| UnsafeUnpack.py:116:17:116:21 | SSA variable ufile | UnsafeUnpack.py:118:38:118:42 | ControlFlowNode for ufile |
|
|
||||||
| UnsafeUnpack.py:116:27:116:39 | ControlFlowNode for Attribute | UnsafeUnpack.py:116:27:116:49 | ControlFlowNode for Attribute() |
|
|
||||||
| UnsafeUnpack.py:116:27:116:49 | ControlFlowNode for Attribute() | UnsafeUnpack.py:116:17:116:21 | SSA variable ufile |
|
|
||||||
| UnsafeUnpack.py:118:19:118:26 | SSA variable filename | UnsafeUnpack.py:119:48:119:55 | ControlFlowNode for filename |
|
|
||||||
| UnsafeUnpack.py:118:30:118:55 | ControlFlowNode for Attribute() | UnsafeUnpack.py:118:19:118:26 | SSA variable filename |
|
|
||||||
| UnsafeUnpack.py:118:38:118:42 | ControlFlowNode for ufile | UnsafeUnpack.py:118:38:118:47 | ControlFlowNode for Attribute |
|
|
||||||
| UnsafeUnpack.py:118:38:118:47 | ControlFlowNode for Attribute | UnsafeUnpack.py:118:30:118:55 | ControlFlowNode for Attribute() |
|
|
||||||
| UnsafeUnpack.py:119:19:119:36 | SSA variable uploaded_file_path | UnsafeUnpack.py:120:41:120:58 | ControlFlowNode for uploaded_file_path |
|
| UnsafeUnpack.py:119:19:119:36 | SSA variable uploaded_file_path | UnsafeUnpack.py:120:41:120:58 | ControlFlowNode for uploaded_file_path |
|
||||||
| UnsafeUnpack.py:119:40:119:56 | ControlFlowNode for Attribute() | UnsafeUnpack.py:119:19:119:36 | SSA variable uploaded_file_path |
|
| UnsafeUnpack.py:140:1:140:19 | GSSA Variable unsafe_filename_tar | UnsafeUnpack.py:141:56:141:58 | GSSA Variable tar |
|
||||||
| UnsafeUnpack.py:119:48:119:55 | ControlFlowNode for filename | UnsafeUnpack.py:119:40:119:56 | ControlFlowNode for Attribute() |
|
|
||||||
| UnsafeUnpack.py:140:1:140:19 | GSSA Variable unsafe_filename_tar | UnsafeUnpack.py:141:22:141:40 | ControlFlowNode for unsafe_filename_tar |
|
|
||||||
| UnsafeUnpack.py:140:23:140:35 | ControlFlowNode for Attribute | UnsafeUnpack.py:140:1:140:19 | GSSA Variable unsafe_filename_tar |
|
| UnsafeUnpack.py:140:23:140:35 | ControlFlowNode for Attribute | UnsafeUnpack.py:140:1:140:19 | GSSA Variable unsafe_filename_tar |
|
||||||
| UnsafeUnpack.py:141:6:141:51 | ControlFlowNode for Attribute() | UnsafeUnpack.py:141:56:141:58 | GSSA Variable tar |
|
|
||||||
| UnsafeUnpack.py:141:22:141:40 | ControlFlowNode for unsafe_filename_tar | UnsafeUnpack.py:141:6:141:51 | ControlFlowNode for Attribute() |
|
|
||||||
| UnsafeUnpack.py:141:56:141:58 | GSSA Variable tar | UnsafeUnpack.py:142:49:142:51 | ControlFlowNode for tar |
|
| UnsafeUnpack.py:141:56:141:58 | GSSA Variable tar | UnsafeUnpack.py:142:49:142:51 | ControlFlowNode for tar |
|
||||||
| UnsafeUnpack.py:157:23:157:30 | ControlFlowNode for savepath | UnsafeUnpack.py:161:38:161:45 | ControlFlowNode for savepath |
|
| UnsafeUnpack.py:158:23:158:27 | SSA variable chunk | UnsafeUnpack.py:161:19:161:21 | SSA variable tar |
|
||||||
| UnsafeUnpack.py:158:23:158:27 | SSA variable chunk | UnsafeUnpack.py:159:37:159:41 | ControlFlowNode for chunk |
|
| UnsafeUnpack.py:158:32:158:44 | ControlFlowNode for Attribute | UnsafeUnpack.py:158:23:158:27 | SSA variable chunk |
|
||||||
| UnsafeUnpack.py:158:32:158:44 | ControlFlowNode for Attribute | UnsafeUnpack.py:158:32:158:54 | ControlFlowNode for Subscript |
|
| UnsafeUnpack.py:161:19:161:21 | SSA variable tar | UnsafeUnpack.py:163:23:163:28 | SSA variable member |
|
||||||
| UnsafeUnpack.py:158:32:158:54 | ControlFlowNode for Subscript | UnsafeUnpack.py:158:32:158:63 | ControlFlowNode for Attribute() |
|
|
||||||
| UnsafeUnpack.py:158:32:158:63 | ControlFlowNode for Attribute() | UnsafeUnpack.py:158:23:158:27 | SSA variable chunk |
|
|
||||||
| UnsafeUnpack.py:159:25:159:29 | ControlFlowNode for wfile | UnsafeUnpack.py:157:23:157:30 | ControlFlowNode for savepath |
|
|
||||||
| UnsafeUnpack.py:159:37:159:41 | ControlFlowNode for chunk | UnsafeUnpack.py:159:25:159:29 | ControlFlowNode for wfile |
|
|
||||||
| UnsafeUnpack.py:161:19:161:21 | SSA variable tar | UnsafeUnpack.py:163:33:163:35 | ControlFlowNode for tar |
|
|
||||||
| UnsafeUnpack.py:161:25:161:46 | ControlFlowNode for Attribute() | UnsafeUnpack.py:161:19:161:21 | SSA variable tar |
|
|
||||||
| UnsafeUnpack.py:161:38:161:45 | ControlFlowNode for savepath | UnsafeUnpack.py:161:25:161:46 | ControlFlowNode for Attribute() |
|
|
||||||
| UnsafeUnpack.py:163:23:163:28 | SSA variable member | UnsafeUnpack.py:166:37:166:42 | ControlFlowNode for member |
|
| UnsafeUnpack.py:163:23:163:28 | SSA variable member | UnsafeUnpack.py:166:37:166:42 | ControlFlowNode for member |
|
||||||
| UnsafeUnpack.py:163:33:163:35 | ControlFlowNode for tar | UnsafeUnpack.py:163:23:163:28 | SSA variable member |
|
|
||||||
| UnsafeUnpack.py:166:23:166:28 | [post] ControlFlowNode for result | UnsafeUnpack.py:167:67:167:72 | ControlFlowNode for result |
|
| UnsafeUnpack.py:166:23:166:28 | [post] ControlFlowNode for result | UnsafeUnpack.py:167:67:167:72 | ControlFlowNode for result |
|
||||||
| UnsafeUnpack.py:166:37:166:42 | ControlFlowNode for member | UnsafeUnpack.py:166:23:166:28 | [post] ControlFlowNode for result |
|
| UnsafeUnpack.py:166:37:166:42 | ControlFlowNode for member | UnsafeUnpack.py:166:23:166:28 | [post] ControlFlowNode for result |
|
||||||
| UnsafeUnpack.py:171:1:171:8 | GSSA Variable response | UnsafeUnpack.py:174:15:174:22 | ControlFlowNode for response |
|
| UnsafeUnpack.py:171:1:171:8 | GSSA Variable response | UnsafeUnpack.py:176:1:176:34 | ControlFlowNode for Attribute() |
|
||||||
| UnsafeUnpack.py:171:12:171:50 | ControlFlowNode for Attribute() | UnsafeUnpack.py:171:1:171:8 | GSSA Variable response |
|
| UnsafeUnpack.py:194:53:194:55 | ControlFlowNode for tmp | UnsafeUnpack.py:201:29:201:36 | ControlFlowNode for Attribute |
|
||||||
| UnsafeUnpack.py:173:11:173:17 | ControlFlowNode for tarpath | UnsafeUnpack.py:176:17:176:23 | ControlFlowNode for tarpath |
|
|
||||||
| UnsafeUnpack.py:174:7:174:7 | ControlFlowNode for f | UnsafeUnpack.py:173:11:173:17 | ControlFlowNode for tarpath |
|
|
||||||
| UnsafeUnpack.py:174:15:174:22 | ControlFlowNode for response | UnsafeUnpack.py:174:15:174:26 | ControlFlowNode for Attribute |
|
|
||||||
| UnsafeUnpack.py:174:15:174:26 | ControlFlowNode for Attribute | UnsafeUnpack.py:174:15:174:33 | ControlFlowNode for Attribute() |
|
|
||||||
| UnsafeUnpack.py:174:15:174:33 | ControlFlowNode for Attribute() | UnsafeUnpack.py:174:7:174:7 | ControlFlowNode for f |
|
|
||||||
| UnsafeUnpack.py:176:17:176:23 | ControlFlowNode for tarpath | UnsafeUnpack.py:176:1:176:34 | ControlFlowNode for Attribute() |
|
|
||||||
| UnsafeUnpack.py:194:53:194:55 | ControlFlowNode for tmp | UnsafeUnpack.py:201:29:201:31 | ControlFlowNode for tmp |
|
|
||||||
| UnsafeUnpack.py:201:29:201:31 | ControlFlowNode for tmp | UnsafeUnpack.py:201:29:201:36 | ControlFlowNode for Attribute |
|
|
||||||
nodes
|
nodes
|
||||||
| UnsafeUnpack.py:5:26:5:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
|
| UnsafeUnpack.py:5:26:5:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
|
||||||
| UnsafeUnpack.py:5:26:5:32 | GSSA Variable request | semmle.label | GSSA Variable request |
|
| UnsafeUnpack.py:5:26:5:32 | GSSA Variable request | semmle.label | GSSA Variable request |
|
||||||
@@ -89,12 +46,6 @@ nodes
|
|||||||
| UnsafeUnpack.py:11:18:11:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
| UnsafeUnpack.py:11:18:11:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||||
| UnsafeUnpack.py:11:18:11:49 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
| UnsafeUnpack.py:11:18:11:49 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||||
| UnsafeUnpack.py:13:13:13:20 | SSA variable response | semmle.label | SSA variable response |
|
| UnsafeUnpack.py:13:13:13:20 | SSA variable response | semmle.label | SSA variable response |
|
||||||
| UnsafeUnpack.py:13:24:13:58 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
|
||||||
| UnsafeUnpack.py:16:23:16:29 | ControlFlowNode for tarpath | semmle.label | ControlFlowNode for tarpath |
|
|
||||||
| UnsafeUnpack.py:17:19:17:19 | ControlFlowNode for f | semmle.label | ControlFlowNode for f |
|
|
||||||
| UnsafeUnpack.py:17:27:17:34 | ControlFlowNode for response | semmle.label | ControlFlowNode for response |
|
|
||||||
| UnsafeUnpack.py:17:27:17:38 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
|
||||||
| UnsafeUnpack.py:17:27:17:45 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
|
||||||
| UnsafeUnpack.py:19:35:19:41 | ControlFlowNode for tarpath | semmle.label | ControlFlowNode for tarpath |
|
| UnsafeUnpack.py:19:35:19:41 | ControlFlowNode for tarpath | semmle.label | ControlFlowNode for tarpath |
|
||||||
| UnsafeUnpack.py:33:50:33:65 | ControlFlowNode for local_ziped_path | semmle.label | ControlFlowNode for local_ziped_path |
|
| UnsafeUnpack.py:33:50:33:65 | ControlFlowNode for local_ziped_path | semmle.label | ControlFlowNode for local_ziped_path |
|
||||||
| UnsafeUnpack.py:34:23:34:38 | ControlFlowNode for local_ziped_path | semmle.label | ControlFlowNode for local_ziped_path |
|
| UnsafeUnpack.py:34:23:34:38 | ControlFlowNode for local_ziped_path | semmle.label | ControlFlowNode for local_ziped_path |
|
||||||
@@ -109,72 +60,33 @@ nodes
|
|||||||
| UnsafeUnpack.py:79:1:79:12 | GSSA Variable url_filename | semmle.label | GSSA Variable url_filename |
|
| UnsafeUnpack.py:79:1:79:12 | GSSA Variable url_filename | semmle.label | GSSA Variable url_filename |
|
||||||
| UnsafeUnpack.py:79:16:79:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
| UnsafeUnpack.py:79:16:79:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||||
| UnsafeUnpack.py:81:1:81:8 | GSSA Variable response | semmle.label | GSSA Variable response |
|
| UnsafeUnpack.py:81:1:81:8 | GSSA Variable response | semmle.label | GSSA Variable response |
|
||||||
| UnsafeUnpack.py:81:12:81:50 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
|
||||||
| UnsafeUnpack.py:84:11:84:17 | ControlFlowNode for tarpath | semmle.label | ControlFlowNode for tarpath |
|
|
||||||
| UnsafeUnpack.py:85:7:85:7 | ControlFlowNode for f | semmle.label | ControlFlowNode for f |
|
|
||||||
| UnsafeUnpack.py:85:15:85:22 | ControlFlowNode for response | semmle.label | ControlFlowNode for response |
|
|
||||||
| UnsafeUnpack.py:85:15:85:26 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
|
||||||
| UnsafeUnpack.py:85:15:85:33 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
|
||||||
| UnsafeUnpack.py:87:23:87:29 | ControlFlowNode for tarpath | semmle.label | ControlFlowNode for tarpath |
|
| UnsafeUnpack.py:87:23:87:29 | ControlFlowNode for tarpath | semmle.label | ControlFlowNode for tarpath |
|
||||||
| UnsafeUnpack.py:102:23:102:30 | ControlFlowNode for savepath | semmle.label | ControlFlowNode for savepath |
|
|
||||||
| UnsafeUnpack.py:103:23:103:27 | SSA variable chunk | semmle.label | SSA variable chunk |
|
| UnsafeUnpack.py:103:23:103:27 | SSA variable chunk | semmle.label | SSA variable chunk |
|
||||||
| UnsafeUnpack.py:103:32:103:44 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
| UnsafeUnpack.py:103:32:103:44 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||||
| UnsafeUnpack.py:103:32:103:54 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
|
|
||||||
| UnsafeUnpack.py:103:32:103:63 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
|
||||||
| UnsafeUnpack.py:104:25:104:29 | ControlFlowNode for wfile | semmle.label | ControlFlowNode for wfile |
|
|
||||||
| UnsafeUnpack.py:104:37:104:41 | ControlFlowNode for chunk | semmle.label | ControlFlowNode for chunk |
|
|
||||||
| UnsafeUnpack.py:105:35:105:42 | ControlFlowNode for savepath | semmle.label | ControlFlowNode for savepath |
|
| UnsafeUnpack.py:105:35:105:42 | ControlFlowNode for savepath | semmle.label | ControlFlowNode for savepath |
|
||||||
| UnsafeUnpack.py:108:13:108:18 | SSA variable myfile | semmle.label | SSA variable myfile |
|
| UnsafeUnpack.py:108:13:108:18 | SSA variable myfile | semmle.label | SSA variable myfile |
|
||||||
| UnsafeUnpack.py:108:22:108:34 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
| UnsafeUnpack.py:108:22:108:34 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||||
| UnsafeUnpack.py:108:22:108:48 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
| UnsafeUnpack.py:108:22:108:48 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||||
| UnsafeUnpack.py:110:18:110:26 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path |
|
|
||||||
| UnsafeUnpack.py:111:19:111:19 | ControlFlowNode for f | semmle.label | ControlFlowNode for f |
|
|
||||||
| UnsafeUnpack.py:111:27:111:32 | ControlFlowNode for myfile | semmle.label | ControlFlowNode for myfile |
|
|
||||||
| UnsafeUnpack.py:111:27:111:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
|
||||||
| UnsafeUnpack.py:112:35:112:43 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path |
|
| UnsafeUnpack.py:112:35:112:43 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path |
|
||||||
| UnsafeUnpack.py:116:17:116:21 | SSA variable ufile | semmle.label | SSA variable ufile |
|
| UnsafeUnpack.py:116:17:116:21 | SSA variable ufile | semmle.label | SSA variable ufile |
|
||||||
| UnsafeUnpack.py:116:27:116:39 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
| UnsafeUnpack.py:116:27:116:39 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||||
| UnsafeUnpack.py:116:27:116:49 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
|
||||||
| UnsafeUnpack.py:118:19:118:26 | SSA variable filename | semmle.label | SSA variable filename |
|
| UnsafeUnpack.py:118:19:118:26 | SSA variable filename | semmle.label | SSA variable filename |
|
||||||
| UnsafeUnpack.py:118:30:118:55 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
|
||||||
| UnsafeUnpack.py:118:38:118:42 | ControlFlowNode for ufile | semmle.label | ControlFlowNode for ufile |
|
|
||||||
| UnsafeUnpack.py:118:38:118:47 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
|
||||||
| UnsafeUnpack.py:119:19:119:36 | SSA variable uploaded_file_path | semmle.label | SSA variable uploaded_file_path |
|
| UnsafeUnpack.py:119:19:119:36 | SSA variable uploaded_file_path | semmle.label | SSA variable uploaded_file_path |
|
||||||
| UnsafeUnpack.py:119:40:119:56 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
|
||||||
| UnsafeUnpack.py:119:48:119:55 | ControlFlowNode for filename | semmle.label | ControlFlowNode for filename |
|
|
||||||
| UnsafeUnpack.py:120:41:120:58 | ControlFlowNode for uploaded_file_path | semmle.label | ControlFlowNode for uploaded_file_path |
|
| UnsafeUnpack.py:120:41:120:58 | ControlFlowNode for uploaded_file_path | semmle.label | ControlFlowNode for uploaded_file_path |
|
||||||
| UnsafeUnpack.py:140:1:140:19 | GSSA Variable unsafe_filename_tar | semmle.label | GSSA Variable unsafe_filename_tar |
|
| UnsafeUnpack.py:140:1:140:19 | GSSA Variable unsafe_filename_tar | semmle.label | GSSA Variable unsafe_filename_tar |
|
||||||
| UnsafeUnpack.py:140:23:140:35 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
| UnsafeUnpack.py:140:23:140:35 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||||
| UnsafeUnpack.py:141:6:141:51 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
|
||||||
| UnsafeUnpack.py:141:22:141:40 | ControlFlowNode for unsafe_filename_tar | semmle.label | ControlFlowNode for unsafe_filename_tar |
|
|
||||||
| UnsafeUnpack.py:141:56:141:58 | GSSA Variable tar | semmle.label | GSSA Variable tar |
|
| UnsafeUnpack.py:141:56:141:58 | GSSA Variable tar | semmle.label | GSSA Variable tar |
|
||||||
| UnsafeUnpack.py:142:49:142:51 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar |
|
| UnsafeUnpack.py:142:49:142:51 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar |
|
||||||
| UnsafeUnpack.py:157:23:157:30 | ControlFlowNode for savepath | semmle.label | ControlFlowNode for savepath |
|
|
||||||
| UnsafeUnpack.py:158:23:158:27 | SSA variable chunk | semmle.label | SSA variable chunk |
|
| UnsafeUnpack.py:158:23:158:27 | SSA variable chunk | semmle.label | SSA variable chunk |
|
||||||
| UnsafeUnpack.py:158:32:158:44 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
| UnsafeUnpack.py:158:32:158:44 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||||
| UnsafeUnpack.py:158:32:158:54 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
|
|
||||||
| UnsafeUnpack.py:158:32:158:63 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
|
||||||
| UnsafeUnpack.py:159:25:159:29 | ControlFlowNode for wfile | semmle.label | ControlFlowNode for wfile |
|
|
||||||
| UnsafeUnpack.py:159:37:159:41 | ControlFlowNode for chunk | semmle.label | ControlFlowNode for chunk |
|
|
||||||
| UnsafeUnpack.py:161:19:161:21 | SSA variable tar | semmle.label | SSA variable tar |
|
| UnsafeUnpack.py:161:19:161:21 | SSA variable tar | semmle.label | SSA variable tar |
|
||||||
| UnsafeUnpack.py:161:25:161:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
|
||||||
| UnsafeUnpack.py:161:38:161:45 | ControlFlowNode for savepath | semmle.label | ControlFlowNode for savepath |
|
|
||||||
| UnsafeUnpack.py:163:23:163:28 | SSA variable member | semmle.label | SSA variable member |
|
| UnsafeUnpack.py:163:23:163:28 | SSA variable member | semmle.label | SSA variable member |
|
||||||
| UnsafeUnpack.py:163:33:163:35 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar |
|
|
||||||
| UnsafeUnpack.py:166:23:166:28 | [post] ControlFlowNode for result | semmle.label | [post] ControlFlowNode for result |
|
| UnsafeUnpack.py:166:23:166:28 | [post] ControlFlowNode for result | semmle.label | [post] ControlFlowNode for result |
|
||||||
| UnsafeUnpack.py:166:37:166:42 | ControlFlowNode for member | semmle.label | ControlFlowNode for member |
|
| UnsafeUnpack.py:166:37:166:42 | ControlFlowNode for member | semmle.label | ControlFlowNode for member |
|
||||||
| UnsafeUnpack.py:167:67:167:72 | ControlFlowNode for result | semmle.label | ControlFlowNode for result |
|
| UnsafeUnpack.py:167:67:167:72 | ControlFlowNode for result | semmle.label | ControlFlowNode for result |
|
||||||
| UnsafeUnpack.py:171:1:171:8 | GSSA Variable response | semmle.label | GSSA Variable response |
|
| UnsafeUnpack.py:171:1:171:8 | GSSA Variable response | semmle.label | GSSA Variable response |
|
||||||
| UnsafeUnpack.py:171:12:171:50 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
|
||||||
| UnsafeUnpack.py:173:11:173:17 | ControlFlowNode for tarpath | semmle.label | ControlFlowNode for tarpath |
|
|
||||||
| UnsafeUnpack.py:174:7:174:7 | ControlFlowNode for f | semmle.label | ControlFlowNode for f |
|
|
||||||
| UnsafeUnpack.py:174:15:174:22 | ControlFlowNode for response | semmle.label | ControlFlowNode for response |
|
|
||||||
| UnsafeUnpack.py:174:15:174:26 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
|
||||||
| UnsafeUnpack.py:174:15:174:33 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
|
||||||
| UnsafeUnpack.py:176:1:176:34 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
| UnsafeUnpack.py:176:1:176:34 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||||
| UnsafeUnpack.py:176:17:176:23 | ControlFlowNode for tarpath | semmle.label | ControlFlowNode for tarpath |
|
|
||||||
| UnsafeUnpack.py:194:53:194:55 | ControlFlowNode for tmp | semmle.label | ControlFlowNode for tmp |
|
| UnsafeUnpack.py:194:53:194:55 | ControlFlowNode for tmp | semmle.label | ControlFlowNode for tmp |
|
||||||
| UnsafeUnpack.py:201:29:201:31 | ControlFlowNode for tmp | semmle.label | ControlFlowNode for tmp |
|
|
||||||
| UnsafeUnpack.py:201:29:201:36 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
| UnsafeUnpack.py:201:29:201:36 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||||
subpaths
|
subpaths
|
||||||
#select
|
#select
|
||||||
|
|||||||
@@ -1,8 +1,7 @@
|
|||||||
edges
|
edges
|
||||||
| paramiko.py:15:21:15:23 | ControlFlowNode for cmd | paramiko.py:16:62:16:64 | ControlFlowNode for cmd |
|
| paramiko.py:15:21:15:23 | ControlFlowNode for cmd | paramiko.py:16:62:16:64 | ControlFlowNode for cmd |
|
||||||
| paramiko.py:20:21:20:23 | ControlFlowNode for cmd | paramiko.py:21:70:21:72 | ControlFlowNode for cmd |
|
| paramiko.py:20:21:20:23 | ControlFlowNode for cmd | paramiko.py:21:70:21:72 | ControlFlowNode for cmd |
|
||||||
| paramiko.py:25:21:25:23 | ControlFlowNode for cmd | paramiko.py:26:136:26:138 | ControlFlowNode for cmd |
|
| paramiko.py:25:21:25:23 | ControlFlowNode for cmd | paramiko.py:26:114:26:139 | ControlFlowNode for Attribute() |
|
||||||
| paramiko.py:26:136:26:138 | ControlFlowNode for cmd | paramiko.py:26:114:26:139 | ControlFlowNode for Attribute() |
|
|
||||||
nodes
|
nodes
|
||||||
| paramiko.py:15:21:15:23 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
|
| paramiko.py:15:21:15:23 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
|
||||||
| paramiko.py:16:62:16:64 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
|
| paramiko.py:16:62:16:64 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
|
||||||
@@ -10,7 +9,6 @@ nodes
|
|||||||
| paramiko.py:21:70:21:72 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
|
| paramiko.py:21:70:21:72 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
|
||||||
| paramiko.py:25:21:25:23 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
|
| paramiko.py:25:21:25:23 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
|
||||||
| paramiko.py:26:114:26:139 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
| paramiko.py:26:114:26:139 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||||
| paramiko.py:26:136:26:138 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
|
|
||||||
subpaths
|
subpaths
|
||||||
#select
|
#select
|
||||||
| paramiko.py:16:62:16:64 | ControlFlowNode for cmd | paramiko.py:15:21:15:23 | ControlFlowNode for cmd | paramiko.py:16:62:16:64 | ControlFlowNode for cmd | This code execution depends on a $@. | paramiko.py:15:21:15:23 | ControlFlowNode for cmd | a user-provided value |
|
| paramiko.py:16:62:16:64 | ControlFlowNode for cmd | paramiko.py:15:21:15:23 | ControlFlowNode for cmd | paramiko.py:16:62:16:64 | ControlFlowNode for cmd | This code execution depends on a $@. | paramiko.py:15:21:15:23 | ControlFlowNode for cmd | a user-provided value |
|
||||||
|
|||||||
@@ -1 +0,0 @@
|
|||||||
experimental/Security/CWE-079/EmailXss.ql
|
|
||||||
@@ -12,8 +12,7 @@ edges
|
|||||||
| sendgrid_mail.py:1:19:1:25 | GSSA Variable request | sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request |
|
| sendgrid_mail.py:1:19:1:25 | GSSA Variable request | sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request |
|
||||||
| sendgrid_mail.py:1:19:1:25 | GSSA Variable request | sendgrid_mail.py:37:41:37:47 | ControlFlowNode for request |
|
| sendgrid_mail.py:1:19:1:25 | GSSA Variable request | sendgrid_mail.py:37:41:37:47 | ControlFlowNode for request |
|
||||||
| sendgrid_mail.py:14:22:14:28 | ControlFlowNode for request | sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript |
|
| sendgrid_mail.py:14:22:14:28 | ControlFlowNode for request | sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript |
|
||||||
| sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request | sendgrid_mail.py:26:34:26:61 | ControlFlowNode for Subscript |
|
| sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request | sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() |
|
||||||
| sendgrid_mail.py:26:34:26:61 | ControlFlowNode for Subscript | sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() |
|
|
||||||
| sendgrid_mail.py:37:41:37:47 | ControlFlowNode for request | sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript |
|
| sendgrid_mail.py:37:41:37:47 | ControlFlowNode for request | sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript |
|
||||||
| sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | GSSA Variable request |
|
| sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | GSSA Variable request |
|
||||||
| sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | GSSA Variable request | sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:57 | ControlFlowNode for request |
|
| sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | GSSA Variable request | sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:57 | ControlFlowNode for request |
|
||||||
@@ -53,7 +52,6 @@ nodes
|
|||||||
| sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
|
| sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
|
||||||
| sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() | semmle.label | ControlFlowNode for HtmlContent() |
|
| sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() | semmle.label | ControlFlowNode for HtmlContent() |
|
||||||
| sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
| sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||||
| sendgrid_mail.py:26:34:26:61 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
|
|
||||||
| sendgrid_mail.py:37:41:37:47 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
| sendgrid_mail.py:37:41:37:47 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||||
| sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
|
| sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
|
||||||
| sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
|
| sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
experimental/Security/CWE-079/ReflectedXSS.ql
|
||||||
@@ -1,6 +1,27 @@
|
|||||||
edges
|
edges
|
||||||
|
| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | ControlFlowNode for ImportMember | TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | GSSA Variable request |
|
||||||
|
| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | GSSA Variable request | TimingAttackAgainstSensitiveInfo.py:14:8:14:14 | ControlFlowNode for request |
|
||||||
|
| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | GSSA Variable request | TimingAttackAgainstSensitiveInfo.py:15:20:15:26 | ControlFlowNode for request |
|
||||||
|
| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | GSSA Variable request | TimingAttackAgainstSensitiveInfo.py:20:8:20:14 | ControlFlowNode for request |
|
||||||
|
| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | GSSA Variable request | TimingAttackAgainstSensitiveInfo.py:21:20:21:26 | ControlFlowNode for request |
|
||||||
|
| TimingAttackAgainstSensitiveInfo.py:14:8:14:14 | ControlFlowNode for request | TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | SSA variable password |
|
||||||
|
| TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | SSA variable password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password |
|
||||||
|
| TimingAttackAgainstSensitiveInfo.py:15:20:15:26 | ControlFlowNode for request | TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | SSA variable password |
|
||||||
|
| TimingAttackAgainstSensitiveInfo.py:20:8:20:14 | ControlFlowNode for request | TimingAttackAgainstSensitiveInfo.py:21:9:21:16 | SSA variable password |
|
||||||
|
| TimingAttackAgainstSensitiveInfo.py:21:9:21:16 | SSA variable password | TimingAttackAgainstSensitiveInfo.py:22:38:22:45 | ControlFlowNode for password |
|
||||||
|
| TimingAttackAgainstSensitiveInfo.py:21:20:21:26 | ControlFlowNode for request | TimingAttackAgainstSensitiveInfo.py:21:9:21:16 | SSA variable password |
|
||||||
nodes
|
nodes
|
||||||
|
| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
|
||||||
|
| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | GSSA Variable request | semmle.label | GSSA Variable request |
|
||||||
|
| TimingAttackAgainstSensitiveInfo.py:14:8:14:14 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||||
|
| TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | SSA variable password | semmle.label | SSA variable password |
|
||||||
|
| TimingAttackAgainstSensitiveInfo.py:15:20:15:26 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||||
| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
|
| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
|
||||||
|
| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
|
||||||
|
| TimingAttackAgainstSensitiveInfo.py:20:8:20:14 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||||
|
| TimingAttackAgainstSensitiveInfo.py:21:9:21:16 | SSA variable password | semmle.label | SSA variable password |
|
||||||
|
| TimingAttackAgainstSensitiveInfo.py:21:20:21:26 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||||
|
| TimingAttackAgainstSensitiveInfo.py:22:38:22:45 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
|
||||||
subpaths
|
subpaths
|
||||||
#select
|
#select
|
||||||
| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | Timing attack against $@ validation. | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | client-supplied token |
|
| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | Timing attack against $@ validation. | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | client-supplied token |
|
||||||
|
|||||||
@@ -0,0 +1 @@
|
|||||||
|
experimental/Security/CWE-522/LDAPInsecureAuth.ql
|
||||||
@@ -1 +0,0 @@
|
|||||||
experimental/Security/CWE-522/LdapInsecureAuth.ql
|
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
experimental/Security/CWE-522/LDAPInsecureAuth.ql
|
||||||
@@ -1 +0,0 @@
|
|||||||
experimental/Security/CWE-522/LdapInsecureAuth.ql
|
|
||||||
@@ -8,7 +8,7 @@ module ModificationOfParameterWithDefaultTest implements TestSig {
|
|||||||
string getARelevantTag() { result = "modification" }
|
string getARelevantTag() { result = "modification" }
|
||||||
|
|
||||||
private predicate relevant_node(DataFlow::Node sink) {
|
private predicate relevant_node(DataFlow::Node sink) {
|
||||||
ModificationOfParameterWithDefault::Flow::flowTo(sink)
|
exists(ModificationOfParameterWithDefault::Configuration cfg | cfg.hasFlowTo(sink))
|
||||||
}
|
}
|
||||||
|
|
||||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||||
|
|||||||
@@ -1,4 +1,4 @@
|
|||||||
import python
|
import python
|
||||||
import experimental.dataflow.TestUtil.DataflowQueryTest
|
import experimental.dataflow.TestUtil.DataflowQueryTest
|
||||||
import semmle.python.security.dataflow.PathInjectionQuery
|
import semmle.python.security.dataflow.PathInjectionQuery
|
||||||
import FromTaintTrackingStateConfig<PathInjectionConfig>
|
import FromLegacyConfiguration<Configuration>
|
||||||
|
|||||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user