Compare commits

...

1 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
0019cb10d8 Revert "Python: Use new dataflow API" 2023-09-05 09:47:32 +02:00
108 changed files with 728 additions and 1032 deletions

View File

@@ -16,11 +16,9 @@ private import semmle.python.dataflow.new.SensitiveDataSources
import CleartextLoggingCustomizations::CleartextLogging import CleartextLoggingCustomizations::CleartextLogging
/** /**
* DEPRECATED: Use `CleartextLoggingFlow` module instead.
*
* A taint-tracking configuration for detecting "Clear-text logging of sensitive information". * A taint-tracking configuration for detecting "Clear-text logging of sensitive information".
*/ */
deprecated class Configuration extends TaintTracking::Configuration { class Configuration extends TaintTracking::Configuration {
Configuration() { this = "CleartextLogging" } Configuration() { this = "CleartextLogging" }
override predicate isSource(DataFlow::Node source) { source instanceof Source } override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -33,14 +31,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
node instanceof Sanitizer node instanceof Sanitizer
} }
} }
private module CleartextLoggingConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
}
/** Global taint-tracking for detecting "Clear-text logging of sensitive information" vulnerabilities. */
module CleartextLoggingFlow = TaintTracking::Global<CleartextLoggingConfig>;

View File

@@ -16,11 +16,9 @@ private import semmle.python.dataflow.new.SensitiveDataSources
import CleartextStorageCustomizations::CleartextStorage import CleartextStorageCustomizations::CleartextStorage
/** /**
* DEPRECATED: Use `CleartextStorageFlow` module instead.
*
* A taint-tracking configuration for detecting "Clear-text storage of sensitive information". * A taint-tracking configuration for detecting "Clear-text storage of sensitive information".
*/ */
deprecated class Configuration extends TaintTracking::Configuration { class Configuration extends TaintTracking::Configuration {
Configuration() { this = "CleartextStorage" } Configuration() { this = "CleartextStorage" }
override predicate isSource(DataFlow::Node source) { source instanceof Source } override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -33,14 +31,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
node instanceof Sanitizer node instanceof Sanitizer
} }
} }
private module CleartextStorageConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
}
/** Global taint-tracking for detecting "Clear-text storage of sensitive information" vulnerabilities. */
module CleartextStorageFlow = TaintTracking::Global<CleartextStorageConfig>;

View File

@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
import CodeInjectionCustomizations::CodeInjection import CodeInjectionCustomizations::CodeInjection
/** /**
* DEPRECATED: Use `CodeInjectionFlow` module instead.
*
* A taint-tracking configuration for detecting "code injection" vulnerabilities. * A taint-tracking configuration for detecting "code injection" vulnerabilities.
*/ */
deprecated class Configuration extends TaintTracking::Configuration { class Configuration extends TaintTracking::Configuration {
Configuration() { this = "CodeInjection" } Configuration() { this = "CodeInjection" }
override predicate isSource(DataFlow::Node source) { source instanceof Source } override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -29,14 +27,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
guard instanceof SanitizerGuard guard instanceof SanitizerGuard
} }
} }
private module CodeInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
}
/** Global taint-tracking for detecting "code injection" vulnerabilities. */
module CodeInjectionFlow = TaintTracking::Global<CodeInjectionConfig>;

View File

@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
import CommandInjectionCustomizations::CommandInjection import CommandInjectionCustomizations::CommandInjection
/** /**
* DEPRECATED: Use `CommandInjectionFlow` module instead.
*
* A taint-tracking configuration for detecting "command injection" vulnerabilities. * A taint-tracking configuration for detecting "command injection" vulnerabilities.
*/ */
deprecated class Configuration extends TaintTracking::Configuration { class Configuration extends TaintTracking::Configuration {
Configuration() { this = "CommandInjection" } Configuration() { this = "CommandInjection" }
override predicate isSource(DataFlow::Node source) { source instanceof Source } override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -29,17 +27,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
guard instanceof SanitizerGuard guard instanceof SanitizerGuard
} }
} }
/**
* A taint-tracking configuration for detecting "command injection" vulnerabilities.
*/
module CommandInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
}
/** Global taint-tracking for detecting "command injection" vulnerabilities. */
module CommandInjectionFlow = TaintTracking::Global<CommandInjectionConfig>;

View File

@@ -14,12 +14,10 @@ import semmle.python.dataflow.new.RemoteFlowSources
import LdapInjectionCustomizations::LdapInjection import LdapInjectionCustomizations::LdapInjection
/** /**
* DEPRECATED: Use `LdapInjectionDnFlow` module instead.
*
* A taint-tracking configuration for detecting LDAP injection vulnerabilities * A taint-tracking configuration for detecting LDAP injection vulnerabilities
* via the distinguished name (DN) parameter of an LDAP search. * via the distinguished name (DN) parameter of an LDAP search.
*/ */
deprecated class DnConfiguration extends TaintTracking::Configuration { class DnConfiguration extends TaintTracking::Configuration {
DnConfiguration() { this = "LdapDnInjection" } DnConfiguration() { this = "LdapDnInjection" }
override predicate isSource(DataFlow::Node source) { source instanceof Source } override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -33,24 +31,11 @@ deprecated class DnConfiguration extends TaintTracking::Configuration {
} }
} }
private module LdapInjectionDnConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof DnSink }
predicate isBarrier(DataFlow::Node node) { node instanceof DnSanitizer }
}
/** Global taint-tracking for detecting "LDAP injection via the distinguished name (DN) parameter" vulnerabilities. */
module LdapInjectionDnFlow = TaintTracking::Global<LdapInjectionDnConfig>;
/** /**
* DEPRECATED: Use `LdapInjectionFilterFlow` module instead.
*
* A taint-tracking configuration for detecting LDAP injection vulnerabilities * A taint-tracking configuration for detecting LDAP injection vulnerabilities
* via the filter parameter of an LDAP search. * via the filter parameter of an LDAP search.
*/ */
deprecated class FilterConfiguration extends TaintTracking::Configuration { class FilterConfiguration extends TaintTracking::Configuration {
FilterConfiguration() { this = "LdapFilterInjection" } FilterConfiguration() { this = "LdapFilterInjection" }
override predicate isSource(DataFlow::Node source) { source instanceof Source } override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -63,19 +48,3 @@ deprecated class FilterConfiguration extends TaintTracking::Configuration {
guard instanceof FilterSanitizerGuard guard instanceof FilterSanitizerGuard
} }
} }
private module LdapInjectionFilterConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof FilterSink }
predicate isBarrier(DataFlow::Node node) { node instanceof FilterSanitizer }
}
/** Global taint-tracking for detecting "LDAP injection via the filter parameter" vulnerabilities. */
module LdapInjectionFilterFlow = TaintTracking::Global<LdapInjectionFilterConfig>;
/** Global taint-tracking for detecting "LDAP injection" vulnerabilities. */
module LdapInjectionFlow =
DataFlow::MergePathGraph<LdapInjectionDnFlow::PathNode, LdapInjectionFilterFlow::PathNode,
LdapInjectionDnFlow::PathGraph, LdapInjectionFilterFlow::PathGraph>;

View File

@@ -1,5 +1,5 @@
/** /**
* Provides a taint-tracking configuration for tracking "log injection" vulnerabilities. * Provides a taint-tracking configuration for tracking untrusted user input used in log entries.
* *
* Note, for performance reasons: only import this file if * Note, for performance reasons: only import this file if
* `LogInjection::Configuration` is needed, otherwise * `LogInjection::Configuration` is needed, otherwise
@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
import LogInjectionCustomizations::LogInjection import LogInjectionCustomizations::LogInjection
/** /**
* DEPRECATED: Use `LogInjectionFlow` module instead.
*
* A taint-tracking configuration for tracking untrusted user input used in log entries. * A taint-tracking configuration for tracking untrusted user input used in log entries.
*/ */
deprecated class Configuration extends TaintTracking::Configuration { class Configuration extends TaintTracking::Configuration {
Configuration() { this = "LogInjection" } Configuration() { this = "LogInjection" }
override predicate isSource(DataFlow::Node source) { source instanceof Source } override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -29,14 +27,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
guard instanceof SanitizerGuard guard instanceof SanitizerGuard
} }
} }
private module LogInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
}
/** Global taint-tracking for detecting "log injection" vulnerabilities. */
module LogInjectionFlow = TaintTracking::Global<LogInjectionConfig>;

View File

@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
import PamAuthorizationCustomizations::PamAuthorizationCustomizations import PamAuthorizationCustomizations::PamAuthorizationCustomizations
/** /**
* DEPRECATED: Use `PamAuthorizationFlow` module instead.
*
* A taint-tracking configuration for detecting "PAM Authorization" vulnerabilities. * A taint-tracking configuration for detecting "PAM Authorization" vulnerabilities.
*/ */
deprecated class Configuration extends TaintTracking::Configuration { class Configuration extends TaintTracking::Configuration {
Configuration() { this = "PamAuthorization" } Configuration() { this = "PamAuthorization" }
override predicate isSource(DataFlow::Node node) { node instanceof Source } override predicate isSource(DataFlow::Node node) { node instanceof Source }
@@ -39,28 +37,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
exists(VulnPamAuthCall c | c.getArg(0) = node1 | node2 = c) exists(VulnPamAuthCall c | c.getArg(0) = node1 | node2 = c)
} }
} }
private module PamAuthorizationConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
// Models flow from a remotely supplied username field to a PAM `handle`.
// `retval = pam_start(service, username, byref(conv), byref(handle))`
exists(API::CallNode pamStart, DataFlow::Node handle, API::CallNode pointer |
pointer = API::moduleImport("ctypes").getMember(["pointer", "byref"]).getACall() and
pamStart = libPam().getMember("pam_start").getACall() and
pointer = pamStart.getArg(3) and
handle = pointer.getArg(0) and
pamStart.getArg(1) = node1 and
handle = node2
)
or
// Flow from handle to the authenticate call in the final step
exists(VulnPamAuthCall c | c.getArg(0) = node1 | node2 = c)
}
}
/** Global taint-tracking for detecting "PAM Authorization" vulnerabilities. */
module PamAuthorizationFlow = TaintTracking::Global<PamAuthorizationConfig>;

View File

@@ -13,8 +13,6 @@ import semmle.python.dataflow.new.TaintTracking
import PathInjectionCustomizations::PathInjection import PathInjectionCustomizations::PathInjection
/** /**
* DEPRECATED: Use `PathInjectionFlow` module instead.
*
* A taint-tracking configuration for detecting "path injection" vulnerabilities. * A taint-tracking configuration for detecting "path injection" vulnerabilities.
* *
* This configuration uses two flow states, `NotNormalized` and `NormalizedUnchecked`, * This configuration uses two flow states, `NotNormalized` and `NormalizedUnchecked`,
@@ -27,7 +25,7 @@ import PathInjectionCustomizations::PathInjection
* *
* Such checks are ineffective in the `NotNormalized` state. * Such checks are ineffective in the `NotNormalized` state.
*/ */
deprecated class Configuration extends TaintTracking::Configuration { class Configuration extends TaintTracking::Configuration {
Configuration() { this = "PathInjection" } Configuration() { this = "PathInjection" }
override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) { override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
@@ -76,52 +74,3 @@ class NotNormalized extends DataFlow::FlowState {
class NormalizedUnchecked extends DataFlow::FlowState { class NormalizedUnchecked extends DataFlow::FlowState {
NormalizedUnchecked() { this = "NormalizedUnchecked" } NormalizedUnchecked() { this = "NormalizedUnchecked" }
} }
/**
* This configuration uses two flow states, `NotNormalized` and `NormalizedUnchecked`,
* to track the requirement that a file path must be first normalized and then checked
* before it is safe to use.
*
* At sources, paths are assumed not normalized. At normalization points, they change
* state to `NormalizedUnchecked` after which they can be made safe by an appropriate
* check of the prefix.
*
* Such checks are ineffective in the `NotNormalized` state.
*/
module PathInjectionConfig implements DataFlow::StateConfigSig {
class FlowState = DataFlow::FlowState;
predicate isSource(DataFlow::Node source, FlowState state) {
source instanceof Source and state instanceof NotNormalized
}
predicate isSink(DataFlow::Node sink, FlowState state) {
sink instanceof Sink and
(
state instanceof NotNormalized or
state instanceof NormalizedUnchecked
)
}
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
predicate isBarrier(DataFlow::Node node, FlowState state) {
// Block `NotNormalized` paths here, since they change state to `NormalizedUnchecked`
node instanceof Path::PathNormalization and
state instanceof NotNormalized
or
node instanceof Path::SafeAccessCheck and
state instanceof NormalizedUnchecked
}
predicate isAdditionalFlowStep(
DataFlow::Node nodeFrom, FlowState stateFrom, DataFlow::Node nodeTo, FlowState stateTo
) {
nodeFrom = nodeTo.(Path::PathNormalization).getPathArg() and
stateFrom instanceof NotNormalized and
stateTo instanceof NormalizedUnchecked
}
}
/** Global taint-tracking for detecting "path injection" vulnerabilities. */
module PathInjectionFlow = TaintTracking::GlobalWithState<PathInjectionConfig>;

View File

@@ -6,6 +6,7 @@
private import python private import python
private import semmle.python.dataflow.new.DataFlow private import semmle.python.dataflow.new.DataFlow
private import semmle.python.dataflow.new.DataFlow2
private import semmle.python.dataflow.new.TaintTracking private import semmle.python.dataflow.new.TaintTracking
private import semmle.python.Concepts private import semmle.python.Concepts
private import semmle.python.dataflow.new.RemoteFlowSources private import semmle.python.dataflow.new.RemoteFlowSources

View File

@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
import PolynomialReDoSCustomizations::PolynomialReDoS import PolynomialReDoSCustomizations::PolynomialReDoS
/** /**
* DEPRECATED: Use `PolynomialReDoSFlow` module instead.
*
* A taint-tracking configuration for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities. * A taint-tracking configuration for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities.
*/ */
deprecated class Configuration extends TaintTracking::Configuration { class Configuration extends TaintTracking::Configuration {
Configuration() { this = "PolynomialReDoS" } Configuration() { this = "PolynomialReDoS" }
override predicate isSource(DataFlow::Node source) { source instanceof Source } override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -29,14 +27,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
guard instanceof SanitizerGuard guard instanceof SanitizerGuard
} }
} }
private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
}
/** Global taint-tracking for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities. */
module PolynomialReDoSFlow = TaintTracking::Global<PolynomialReDoSConfig>;

View File

@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
import ReflectedXSSCustomizations::ReflectedXss import ReflectedXSSCustomizations::ReflectedXss
/** /**
* DEPRECATED: Use `ReflectedXssFlow` module instead.
*
* A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities. * A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
*/ */
deprecated class Configuration extends TaintTracking::Configuration { class Configuration extends TaintTracking::Configuration {
Configuration() { this = "ReflectedXSS" } Configuration() { this = "ReflectedXSS" }
override predicate isSource(DataFlow::Node source) { source instanceof Source } override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -29,14 +27,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
guard instanceof SanitizerGuard guard instanceof SanitizerGuard
} }
} }
private module ReflectedXssConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
}
/** Global taint-tracking for detecting "reflected server-side cross-site scripting" vulnerabilities. */
module ReflectedXssFlow = TaintTracking::Global<ReflectedXssConfig>;

View File

@@ -1,5 +1,5 @@
/** /**
* Provides a taint-tracking configuration for detecting "regular expression injection" * Provides a taint-tracking configuration for detecting regular expression injection
* vulnerabilities. * vulnerabilities.
* *
* Note, for performance reasons: only import this file if * Note, for performance reasons: only import this file if
@@ -13,11 +13,9 @@ import semmle.python.dataflow.new.TaintTracking
import RegexInjectionCustomizations::RegexInjection import RegexInjectionCustomizations::RegexInjection
/** /**
* DEPRECATED: Use `RegexInjectionFlow` module instead.
*
* A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities. * A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
*/ */
deprecated class Configuration extends TaintTracking::Configuration { class Configuration extends TaintTracking::Configuration {
Configuration() { this = "RegexInjection" } Configuration() { this = "RegexInjection" }
override predicate isSource(DataFlow::Node source) { source instanceof Source } override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -30,14 +28,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
guard instanceof SanitizerGuard guard instanceof SanitizerGuard
} }
} }
private module RegexInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
}
/** Global taint-tracking for detecting "regular expression injection" vulnerabilities. */
module RegexInjectionFlow = TaintTracking::Global<RegexInjectionConfig>;

View File

@@ -13,8 +13,6 @@ import semmle.python.Concepts
import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery
/** /**
* DEPRECATED: Use `FullServerSideRequestForgeryFlow` module instead.
*
* A taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities. * A taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
* *
* This configuration has a sanitizer to limit results to cases where attacker has full control of URL. * This configuration has a sanitizer to limit results to cases where attacker has full control of URL.
@@ -23,7 +21,7 @@ import ServerSideRequestForgeryCustomizations::ServerSideRequestForgery
* You should use the `fullyControlledRequest` to only select results where all * You should use the `fullyControlledRequest` to only select results where all
* URL parts are fully controlled. * URL parts are fully controlled.
*/ */
deprecated class FullServerSideRequestForgeryConfiguration extends TaintTracking::Configuration { class FullServerSideRequestForgeryConfiguration extends TaintTracking::Configuration {
FullServerSideRequestForgeryConfiguration() { this = "FullServerSideRequestForgery" } FullServerSideRequestForgeryConfiguration() { this = "FullServerSideRequestForgery" }
override predicate isSource(DataFlow::Node source) { source instanceof Source } override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -41,51 +39,24 @@ deprecated class FullServerSideRequestForgeryConfiguration extends TaintTracking
} }
} }
/**
* This configuration has a sanitizer to limit results to cases where attacker has full control of URL.
* See `PartialServerSideRequestForgery` for a variant without this requirement.
*
* You should use the `fullyControlledRequest` to only select results where all
* URL parts are fully controlled.
*/
private module FullServerSideRequestForgeryConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) {
node instanceof Sanitizer
or
node instanceof FullUrlControlSanitizer
}
}
/**
* Global taint-tracking for detecting "Full server-side request forgery" vulnerabilities.
*
* You should use the `fullyControlledRequest` to only select results where all
* URL parts are fully controlled.
*/
module FullServerSideRequestForgeryFlow = TaintTracking::Global<FullServerSideRequestForgeryConfig>;
/** /**
* Holds if all URL parts of `request` is fully user controlled. * Holds if all URL parts of `request` is fully user controlled.
*/ */
predicate fullyControlledRequest(Http::Client::Request request) { predicate fullyControlledRequest(Http::Client::Request request) {
forall(DataFlow::Node urlPart | urlPart = request.getAUrlPart() | exists(FullServerSideRequestForgeryConfiguration fullConfig |
FullServerSideRequestForgeryFlow::flow(_, urlPart) forall(DataFlow::Node urlPart | urlPart = request.getAUrlPart() |
fullConfig.hasFlow(_, urlPart)
)
) )
} }
/** /**
* DEPRECATED: Use `FullServerSideRequestForgeryFlow` module instead.
*
* A taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities. * A taint-tracking configuration for detecting "Server-side request forgery" vulnerabilities.
* *
* This configuration has results, even when the attacker does not have full control over the URL. * This configuration has results, even when the attacker does not have full control over the URL.
* See `FullServerSideRequestForgeryConfiguration`, and the `fullyControlledRequest` predicate. * See `FullServerSideRequestForgeryConfiguration`, and the `fullyControlledRequest` predicate.
*/ */
deprecated class PartialServerSideRequestForgeryConfiguration extends TaintTracking::Configuration { class PartialServerSideRequestForgeryConfiguration extends TaintTracking::Configuration {
PartialServerSideRequestForgeryConfiguration() { this = "PartialServerSideRequestForgery" } PartialServerSideRequestForgeryConfiguration() { this = "PartialServerSideRequestForgery" }
override predicate isSource(DataFlow::Node source) { source instanceof Source } override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -98,21 +69,3 @@ deprecated class PartialServerSideRequestForgeryConfiguration extends TaintTrack
guard instanceof SanitizerGuard guard instanceof SanitizerGuard
} }
} }
/**
* This configuration has results, even when the attacker does not have full control over the URL.
* See `FullServerSideRequestForgeryConfiguration`, and the `fullyControlledRequest` predicate.
*/
private module PartialServerSideRequestForgeryConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
}
/**
* Global taint-tracking for detecting "partial server-side request forgery" vulnerabilities.
*/
module PartialServerSideRequestForgeryFlow =
TaintTracking::Global<PartialServerSideRequestForgeryConfig>;

View File

@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
import SqlInjectionCustomizations::SqlInjection import SqlInjectionCustomizations::SqlInjection
/** /**
* DEPRECATED: Use `SqlInjectionFlow` module instead.
*
* A taint-tracking configuration for detecting "SQL injection" vulnerabilities. * A taint-tracking configuration for detecting "SQL injection" vulnerabilities.
*/ */
deprecated class Configuration extends TaintTracking::Configuration { class Configuration extends TaintTracking::Configuration {
Configuration() { this = "SqlInjection" } Configuration() { this = "SqlInjection" }
override predicate isSource(DataFlow::Node source) { source instanceof Source } override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -29,14 +27,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
guard instanceof SanitizerGuard guard instanceof SanitizerGuard
} }
} }
private module SqlInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
}
/** Global taint-tracking for detecting "SQL injection" vulnerabilities. */
module SqlInjectionFlow = TaintTracking::Global<SqlInjectionConfig>;

View File

@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
import StackTraceExposureCustomizations::StackTraceExposure import StackTraceExposureCustomizations::StackTraceExposure
/** /**
* DEPRECATED: Use `StackTraceExposureFlow` module instead.
*
* A taint-tracking configuration for detecting "stack trace exposure" vulnerabilities. * A taint-tracking configuration for detecting "stack trace exposure" vulnerabilities.
*/ */
deprecated class Configuration extends TaintTracking::Configuration { class Configuration extends TaintTracking::Configuration {
Configuration() { this = "StackTraceExposure" } Configuration() { this = "StackTraceExposure" }
override predicate isSource(DataFlow::Node source) { source instanceof Source } override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -38,23 +36,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
) )
} }
} }
private module StackTraceExposureConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
// A stack trace is accessible as the `__traceback__` attribute of a caught exception.
// see https://docs.python.org/3/reference/datamodel.html#traceback-objects
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
exists(DataFlow::AttrRead attr | attr.getAttributeName() = "__traceback__" |
nodeFrom = attr.getObject() and
nodeTo = attr
)
}
}
/** Global taint-tracking for detecting "stack trace exposure" vulnerabilities. */
module StackTraceExposureFlow = TaintTracking::Global<StackTraceExposureConfig>;

View File

@@ -1,5 +1,5 @@
/** /**
* Provides a taint-tracking configuration for detecting "tar slip" vulnerabilities. * Provides a taint-tracking configuration for detecting "command injection" vulnerabilities.
* *
* Note, for performance reasons: only import this file if * Note, for performance reasons: only import this file if
* `TarSlip::Configuration` is needed, otherwise * `TarSlip::Configuration` is needed, otherwise
@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
import TarSlipCustomizations::TarSlip import TarSlipCustomizations::TarSlip
/** /**
* DEPRECATED: Use `TarSlipFlow` module instead. * A taint-tracking configuration for detecting "command injection" vulnerabilities.
*
* A taint-tracking configuration for detecting "tar slip" vulnerabilities.
*/ */
deprecated class Configuration extends TaintTracking::Configuration { class Configuration extends TaintTracking::Configuration {
Configuration() { this = "TarSlip" } Configuration() { this = "TarSlip" }
override predicate isSource(DataFlow::Node source) { source instanceof Source } override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -25,14 +23,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
} }
private module TarSlipConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
}
/** Global taint-tracking for detecting "tar slip" vulnerabilities. */
module TarSlipFlow = TaintTracking::Global<TarSlipConfig>;

View File

@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
import UnsafeDeserializationCustomizations::UnsafeDeserialization import UnsafeDeserializationCustomizations::UnsafeDeserialization
/** /**
* DEPRECATED: Use `UnsafeDeserializationFlow` module instead.
*
* A taint-tracking configuration for detecting "code execution from deserialization" vulnerabilities. * A taint-tracking configuration for detecting "code execution from deserialization" vulnerabilities.
*/ */
deprecated class Configuration extends TaintTracking::Configuration { class Configuration extends TaintTracking::Configuration {
Configuration() { this = "UnsafeDeserialization" } Configuration() { this = "UnsafeDeserialization" }
override predicate isSource(DataFlow::Node source) { source instanceof Source } override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -29,14 +27,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
guard instanceof SanitizerGuard guard instanceof SanitizerGuard
} }
} }
private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
}
/** Global taint-tracking for detecting "code execution from deserialization" vulnerabilities. */
module UnsafeDeserializationFlow = TaintTracking::Global<UnsafeDeserializationConfig>;

View File

@@ -14,11 +14,9 @@ private import CommandInjectionCustomizations::CommandInjection as CommandInject
private import semmle.python.dataflow.new.BarrierGuards private import semmle.python.dataflow.new.BarrierGuards
/** /**
* DEPRECATED: Use `UnsafeShellCommandConstructionFlow` module instead.
*
* A taint-tracking configuration for detecting shell command constructed from library input vulnerabilities. * A taint-tracking configuration for detecting shell command constructed from library input vulnerabilities.
*/ */
deprecated class Configuration extends TaintTracking::Configuration { class Configuration extends TaintTracking::Configuration {
Configuration() { this = "UnsafeShellCommandConstruction" } Configuration() { this = "UnsafeShellCommandConstruction" }
override predicate isSource(DataFlow::Node source) { source instanceof Source } override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -35,23 +33,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
result instanceof DataFlow::FeatureHasSourceCallContext result instanceof DataFlow::FeatureHasSourceCallContext
} }
} }
/**
* A taint-tracking configuration for detecting "shell command constructed from library input" vulnerabilities.
*/
module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) {
node instanceof CommandInjection::Sanitizer // using all sanitizers from `py/command-injection`
}
// override to require the path doesn't have unmatched return steps
DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
}
/** Global taint-tracking for detecting "shell command constructed from library input" vulnerabilities. */
module UnsafeShellCommandConstructionFlow =
TaintTracking::Global<UnsafeShellCommandConstructionConfig>;

View File

@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
import UrlRedirectCustomizations::UrlRedirect import UrlRedirectCustomizations::UrlRedirect
/** /**
* DEPRECATED: Use `UrlRedirectFlow` module instead.
*
* A taint-tracking configuration for detecting "URL redirection" vulnerabilities. * A taint-tracking configuration for detecting "URL redirection" vulnerabilities.
*/ */
deprecated class Configuration extends TaintTracking::Configuration { class Configuration extends TaintTracking::Configuration {
Configuration() { this = "UrlRedirect" } Configuration() { this = "UrlRedirect" }
override predicate isSource(DataFlow::Node source) { source instanceof Source } override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -29,14 +27,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
guard instanceof SanitizerGuard guard instanceof SanitizerGuard
} }
} }
private module UrlRedirectConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
}
/** Global taint-tracking for detecting "URL redirection" vulnerabilities. */
module UrlRedirectFlow = TaintTracking::Global<UrlRedirectConfig>;

View File

@@ -24,12 +24,10 @@ module NormalHashFunction {
import WeakSensitiveDataHashingCustomizations::NormalHashFunction import WeakSensitiveDataHashingCustomizations::NormalHashFunction
/** /**
* DEPRECATED: Use `Flow` module instead.
*
* A taint-tracking configuration for detecting use of a broken or weak * A taint-tracking configuration for detecting use of a broken or weak
* cryptographic hashing algorithm on sensitive data. * cryptographic hashing algorithm on sensitive data.
*/ */
deprecated class Configuration extends TaintTracking::Configuration { class Configuration extends TaintTracking::Configuration {
Configuration() { this = "NormalHashFunction" } Configuration() { this = "NormalHashFunction" }
override predicate isSource(DataFlow::Node source) { source instanceof Source } override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -46,21 +44,6 @@ module NormalHashFunction {
sensitiveDataExtraStepForCalls(node1, node2) sensitiveDataExtraStepForCalls(node1, node2)
} }
} }
private module Config implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
sensitiveDataExtraStepForCalls(node1, node2)
}
}
/** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on sensitive data" vulnerabilities. */
module Flow = TaintTracking::Global<Config>;
} }
/** /**
@@ -74,15 +57,13 @@ module ComputationallyExpensiveHashFunction {
import WeakSensitiveDataHashingCustomizations::ComputationallyExpensiveHashFunction import WeakSensitiveDataHashingCustomizations::ComputationallyExpensiveHashFunction
/** /**
* DEPRECATED: Use `Flow` module instead.
*
* A taint-tracking configuration for detecting use of a broken or weak * A taint-tracking configuration for detecting use of a broken or weak
* cryptographic hashing algorithm on passwords. * cryptographic hashing algorithm on passwords.
* *
* Passwords has stricter requirements on the hashing algorithm used (must be * Passwords has stricter requirements on the hashing algorithm used (must be
* computationally expensive to prevent brute-force attacks). * computationally expensive to prevent brute-force attacks).
*/ */
deprecated class Configuration extends TaintTracking::Configuration { class Configuration extends TaintTracking::Configuration {
Configuration() { this = "ComputationallyExpensiveHashFunction" } Configuration() { this = "ComputationallyExpensiveHashFunction" }
override predicate isSource(DataFlow::Node source) { source instanceof Source } override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -99,49 +80,4 @@ module ComputationallyExpensiveHashFunction {
sensitiveDataExtraStepForCalls(node1, node2) sensitiveDataExtraStepForCalls(node1, node2)
} }
} }
/**
* Passwords has stricter requirements on the hashing algorithm used (must be
* computationally expensive to prevent brute-force attacks).
*/
private module Config implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
sensitiveDataExtraStepForCalls(node1, node2)
}
}
/** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on passwords" vulnerabilities. */
module Flow = TaintTracking::Global<Config>;
}
/**
* Global taint-tracking for detecting both variants of "use of a broken or weak
* cryptographic hashing algorithm on sensitive data" vulnerabilities.
*
* See convenience predicates `normalHashFunctionFlowPath` and
* `computationallyExpensiveHashFunctionFlowPath`.
*/
module WeakSensitiveDataHashingFlow =
DataFlow::MergePathGraph<NormalHashFunction::Flow::PathNode,
ComputationallyExpensiveHashFunction::Flow::PathNode, NormalHashFunction::Flow::PathGraph,
ComputationallyExpensiveHashFunction::Flow::PathGraph>;
/** Holds if data can flow from `source` to `sink` with `NormalHashFunction::Flow`. */
predicate normalHashFunctionFlowPath(
WeakSensitiveDataHashingFlow::PathNode source, WeakSensitiveDataHashingFlow::PathNode sink
) {
NormalHashFunction::Flow::flowPath(source.asPathNode1(), sink.asPathNode1())
}
/** Holds if data can flow from `source` to `sink` with `ComputationallyExpensiveHashFunction::Flow`. */
predicate computationallyExpensiveHashFunctionFlowPath(
WeakSensitiveDataHashingFlow::PathNode source, WeakSensitiveDataHashingFlow::PathNode sink
) {
ComputationallyExpensiveHashFunction::Flow::flowPath(source.asPathNode2(), sink.asPathNode2())
} }

View File

@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
import XmlBombCustomizations::XmlBomb import XmlBombCustomizations::XmlBomb
/** /**
* DEPRECATED: Use `XmlBombFlow` module instead.
*
* A taint-tracking configuration for detecting "XML bomb" vulnerabilities. * A taint-tracking configuration for detecting "XML bomb" vulnerabilities.
*/ */
deprecated class Configuration extends TaintTracking::Configuration { class Configuration extends TaintTracking::Configuration {
Configuration() { this = "XmlBomb" } Configuration() { this = "XmlBomb" }
override predicate isSource(DataFlow::Node source) { source instanceof Source } override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -28,14 +26,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
node instanceof Sanitizer node instanceof Sanitizer
} }
} }
private module XmlBombConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
}
/** Global taint-tracking for detecting "XML bomb" vulnerabilities. */
module XmlBombFlow = TaintTracking::Global<XmlBombConfig>;

View File

@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
import XpathInjectionCustomizations::XpathInjection import XpathInjectionCustomizations::XpathInjection
/** /**
* DEPRECATED: Use `XpathInjectionFlow` module instead.
*
* A taint-tracking configuration for detecting "Xpath Injection" vulnerabilities. * A taint-tracking configuration for detecting "Xpath Injection" vulnerabilities.
*/ */
deprecated class Configuration extends TaintTracking::Configuration { class Configuration extends TaintTracking::Configuration {
Configuration() { this = "Xpath Injection" } Configuration() { this = "Xpath Injection" }
override predicate isSource(DataFlow::Node source) { source instanceof Source } override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -29,14 +27,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
guard instanceof SanitizerGuard guard instanceof SanitizerGuard
} }
} }
private module XpathInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
}
/** Global taint-tracking for detecting "Xpath Injection" vulnerabilities. */
module XpathInjectionFlow = TaintTracking::Global<XpathInjectionConfig>;

View File

@@ -12,11 +12,9 @@ import semmle.python.dataflow.new.TaintTracking
import XxeCustomizations::Xxe import XxeCustomizations::Xxe
/** /**
* DEPRECATED: Use `XxeFlow` module instead.
*
* A taint-tracking configuration for detecting "XML External Entity (XXE)" vulnerabilities. * A taint-tracking configuration for detecting "XML External Entity (XXE)" vulnerabilities.
*/ */
deprecated class Configuration extends TaintTracking::Configuration { class Configuration extends TaintTracking::Configuration {
Configuration() { this = "Xxe" } Configuration() { this = "Xxe" }
override predicate isSource(DataFlow::Node source) { source instanceof Source } override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -28,14 +26,3 @@ deprecated class Configuration extends TaintTracking::Configuration {
node instanceof Sanitizer node instanceof Sanitizer
} }
} }
private module XxeConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
}
/** Global taint-tracking for detecting "XML External Entity (XXE)" vulnerabilities. */
module XxeFlow = TaintTracking::Global<XxeConfig>;

View File

@@ -13,11 +13,11 @@
import python import python
import semmle.python.functions.ModificationOfParameterWithDefault import semmle.python.functions.ModificationOfParameterWithDefault
import ModificationOfParameterWithDefault::Flow::PathGraph import DataFlow::PathGraph
from from
ModificationOfParameterWithDefault::Flow::PathNode source, ModificationOfParameterWithDefault::Configuration config, DataFlow::PathNode source,
ModificationOfParameterWithDefault::Flow::PathNode sink DataFlow::PathNode sink
where ModificationOfParameterWithDefault::Flow::flowPath(source, sink) where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "This expression mutates a $@.", source.getNode(), select sink.getNode(), source, sink, "This expression mutates a $@.", source.getNode(),
"default value" "default value"

View File

@@ -167,12 +167,8 @@ class ExternalApiDataNode extends DataFlow::Node {
} }
} }
/** /** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
* DEPRECATED: Use `XmlBombFlow` module instead. class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
*
* A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s.
*/
deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
UntrustedDataToExternalApiConfig() { this = "UntrustedDataToExternalAPIConfig" } UntrustedDataToExternalApiConfig() { this = "UntrustedDataToExternalAPIConfig" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -180,21 +176,14 @@ deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configu
override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode } override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
} }
private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
}
/** Global taint-tracking from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
module UntrustedDataToExternalApiFlow = TaintTracking::Global<UntrustedDataToExternalApiConfig>;
/** A node representing untrusted data being passed to an external API. */ /** A node representing untrusted data being passed to an external API. */
class UntrustedExternalApiDataNode extends ExternalApiDataNode { class UntrustedExternalApiDataNode extends ExternalApiDataNode {
UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flow(_, this) } UntrustedExternalApiDataNode() { any(UntrustedDataToExternalApiConfig c).hasFlow(_, this) }
/** Gets a source of untrusted data which is passed to this external API data node. */ /** Gets a source of untrusted data which is passed to this external API data node. */
DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) } DataFlow::Node getAnUntrustedSource() {
any(UntrustedDataToExternalApiConfig c).hasFlow(result, this)
}
} }
/** An external API which is used with untrusted data. */ /** An external API which is used with untrusted data. */

View File

@@ -11,14 +11,14 @@
import python import python
import ExternalAPIs import ExternalAPIs
import UntrustedDataToExternalApiFlow::PathGraph import DataFlow::PathGraph
from from
UntrustedDataToExternalApiFlow::PathNode source, UntrustedDataToExternalApiFlow::PathNode sink, UntrustedDataToExternalApiConfig config, DataFlow::PathNode source, DataFlow::PathNode sink,
ExternalApiUsedWithUntrustedData externalApi ExternalApiUsedWithUntrustedData externalApi
where where
sink.getNode() = externalApi.getUntrustedDataNode() and sink.getNode() = externalApi.getUntrustedDataNode() and
UntrustedDataToExternalApiFlow::flowPath(source, sink) config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, select sink.getNode(), source, sink,
"Call to " + externalApi.toString() + " with untrusted data from $@.", source.getNode(), "Call to " + externalApi.toString() + " with untrusted data from $@.", source.getNode(),
source.toString() source.toString()

View File

@@ -18,9 +18,9 @@
import python import python
import semmle.python.security.dataflow.PathInjectionQuery import semmle.python.security.dataflow.PathInjectionQuery
import PathInjectionFlow::PathGraph import DataFlow::PathGraph
from PathInjectionFlow::PathNode source, PathInjectionFlow::PathNode sink from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where PathInjectionFlow::flowPath(source, sink) where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "This path depends on a $@.", source.getNode(), select sink.getNode(), source, sink, "This path depends on a $@.", source.getNode(),
"user-provided value" "user-provided value"

View File

@@ -14,9 +14,9 @@
import python import python
import semmle.python.security.dataflow.TarSlipQuery import semmle.python.security.dataflow.TarSlipQuery
import TarSlipFlow::PathGraph import DataFlow::PathGraph
from TarSlipFlow::PathNode source, TarSlipFlow::PathNode sink from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where TarSlipFlow::flowPath(source, sink) where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "This file extraction depends on a $@.", source.getNode(), select sink.getNode(), source, sink, "This file extraction depends on a $@.", source.getNode(),
"potentially untrusted source" "potentially untrusted source"

View File

@@ -16,9 +16,9 @@
import python import python
import semmle.python.security.dataflow.CommandInjectionQuery import semmle.python.security.dataflow.CommandInjectionQuery
import CommandInjectionFlow::PathGraph import DataFlow::PathGraph
from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where CommandInjectionFlow::flowPath(source, sink) where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "This command line depends on a $@.", source.getNode(), select sink.getNode(), source, sink, "This command line depends on a $@.", source.getNode(),
"user-provided value" "user-provided value"

View File

@@ -16,13 +16,11 @@
import python import python
import semmle.python.security.dataflow.UnsafeShellCommandConstructionQuery import semmle.python.security.dataflow.UnsafeShellCommandConstructionQuery
import UnsafeShellCommandConstructionFlow::PathGraph import DataFlow::PathGraph
from from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, Sink sinkNode
UnsafeShellCommandConstructionFlow::PathNode source,
UnsafeShellCommandConstructionFlow::PathNode sink, Sink sinkNode
where where
UnsafeShellCommandConstructionFlow::flowPath(source, sink) and config.hasFlowPath(source, sink) and
sinkNode = sink.getNode() sinkNode = sink.getNode()
select sinkNode.getStringConstruction(), source, sink, select sinkNode.getStringConstruction(), source, sink,
"This " + sinkNode.describe() + " which depends on $@ is later used in a $@.", source.getNode(), "This " + sinkNode.describe() + " which depends on $@ is later used in a $@.", source.getNode(),

View File

@@ -15,9 +15,9 @@
import python import python
import semmle.python.security.dataflow.ReflectedXssQuery import semmle.python.security.dataflow.ReflectedXssQuery
import ReflectedXssFlow::PathGraph import DataFlow::PathGraph
from ReflectedXssFlow::PathNode source, ReflectedXssFlow::PathNode sink from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where ReflectedXssFlow::flowPath(source, sink) where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to a $@.", select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to a $@.",
source.getNode(), "user-provided value" source.getNode(), "user-provided value"

View File

@@ -13,9 +13,9 @@
import python import python
import semmle.python.security.dataflow.SqlInjectionQuery import semmle.python.security.dataflow.SqlInjectionQuery
import SqlInjectionFlow::PathGraph import DataFlow::PathGraph
from SqlInjectionFlow::PathNode source, SqlInjectionFlow::PathNode sink from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where SqlInjectionFlow::flowPath(source, sink) where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "This SQL query depends on a $@.", source.getNode(), select sink.getNode(), source, sink, "This SQL query depends on a $@.", source.getNode(),
"user-provided value" "user-provided value"

View File

@@ -14,14 +14,14 @@
// Determine precision above // Determine precision above
import python import python
import semmle.python.security.dataflow.LdapInjectionQuery import semmle.python.security.dataflow.LdapInjectionQuery
import LdapInjectionFlow::PathGraph import DataFlow::PathGraph
from LdapInjectionFlow::PathNode source, LdapInjectionFlow::PathNode sink, string parameterName from DataFlow::PathNode source, DataFlow::PathNode sink, string parameterName
where where
LdapInjectionDnFlow::flowPath(source.asPathNode1(), sink.asPathNode1()) and any(DnConfiguration dnConfig).hasFlowPath(source, sink) and
parameterName = "DN" parameterName = "DN"
or or
LdapInjectionFilterFlow::flowPath(source.asPathNode2(), sink.asPathNode2()) and any(FilterConfiguration filterConfig).hasFlowPath(source, sink) and
parameterName = "filter" parameterName = "filter"
select sink.getNode(), source, sink, select sink.getNode(), source, sink,
"LDAP query parameter (" + parameterName + ") depends on a $@.", source.getNode(), "LDAP query parameter (" + parameterName + ") depends on a $@.", source.getNode(),

View File

@@ -16,9 +16,9 @@
import python import python
import semmle.python.security.dataflow.CodeInjectionQuery import semmle.python.security.dataflow.CodeInjectionQuery
import CodeInjectionFlow::PathGraph import DataFlow::PathGraph
from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where CodeInjectionFlow::flowPath(source, sink) where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "This code execution depends on a $@.", source.getNode(), select sink.getNode(), source, sink, "This code execution depends on a $@.", source.getNode(),
"user-provided value" "user-provided value"

View File

@@ -13,9 +13,9 @@
import python import python
import semmle.python.security.dataflow.LogInjectionQuery import semmle.python.security.dataflow.LogInjectionQuery
import LogInjectionFlow::PathGraph import DataFlow::PathGraph
from LogInjectionFlow::PathNode source, LogInjectionFlow::PathNode sink from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where LogInjectionFlow::flowPath(source, sink) where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "This log entry depends on a $@.", source.getNode(), select sink.getNode(), source, sink, "This log entry depends on a $@.", source.getNode(),
"user-provided value" "user-provided value"

View File

@@ -15,10 +15,10 @@
import python import python
import semmle.python.security.dataflow.StackTraceExposureQuery import semmle.python.security.dataflow.StackTraceExposureQuery
import StackTraceExposureFlow::PathGraph import DataFlow::PathGraph
from StackTraceExposureFlow::PathNode source, StackTraceExposureFlow::PathNode sink from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where StackTraceExposureFlow::flowPath(source, sink) where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, select sink.getNode(), source, sink,
"$@ flows to this location and may be exposed to an external user.", source.getNode(), "$@ flows to this location and may be exposed to an external user.", source.getNode(),
"Stack trace information" "Stack trace information"

View File

@@ -11,12 +11,12 @@
*/ */
import python import python
import PamAuthorizationFlow::PathGraph import DataFlow::PathGraph
import semmle.python.ApiGraphs import semmle.python.ApiGraphs
import semmle.python.security.dataflow.PamAuthorizationQuery import semmle.python.security.dataflow.PamAuthorizationQuery
from PamAuthorizationFlow::PathNode source, PamAuthorizationFlow::PathNode sink from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where PamAuthorizationFlow::flowPath(source, sink) where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, select sink.getNode(), source, sink,
"This PAM authentication depends on a $@, and 'pam_acct_mgmt' is not called afterwards.", "This PAM authentication depends on a $@, and 'pam_acct_mgmt' is not called afterwards.",
source.getNode(), "user-provided value" source.getNode(), "user-provided value"

View File

@@ -15,13 +15,12 @@
import python import python
private import semmle.python.dataflow.new.DataFlow private import semmle.python.dataflow.new.DataFlow
import CleartextLoggingFlow::PathGraph import DataFlow::PathGraph
import semmle.python.security.dataflow.CleartextLoggingQuery import semmle.python.security.dataflow.CleartextLoggingQuery
from from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, string classification
CleartextLoggingFlow::PathNode source, CleartextLoggingFlow::PathNode sink, string classification
where where
CleartextLoggingFlow::flowPath(source, sink) and config.hasFlowPath(source, sink) and
classification = source.getNode().(Source).getClassification() classification = source.getNode().(Source).getClassification()
select sink.getNode(), source, sink, "This expression logs $@ as clear text.", source.getNode(), select sink.getNode(), source, sink, "This expression logs $@ as clear text.", source.getNode(),
"sensitive data (" + classification + ")" "sensitive data (" + classification + ")"

View File

@@ -15,13 +15,12 @@
import python import python
private import semmle.python.dataflow.new.DataFlow private import semmle.python.dataflow.new.DataFlow
import CleartextStorageFlow::PathGraph import DataFlow::PathGraph
import semmle.python.security.dataflow.CleartextStorageQuery import semmle.python.security.dataflow.CleartextStorageQuery
from from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, string classification
CleartextStorageFlow::PathNode source, CleartextStorageFlow::PathNode sink, string classification
where where
CleartextStorageFlow::flowPath(source, sink) and config.hasFlowPath(source, sink) and
classification = source.getNode().(Source).getClassification() classification = source.getNode().(Source).getClassification()
select sink.getNode(), source, sink, "This expression stores $@ as clear text.", source.getNode(), select sink.getNode(), source, sink, "This expression stores $@ as clear text.", source.getNode(),
"sensitive data (" + classification + ")" "sensitive data (" + classification + ")"

View File

@@ -16,29 +16,33 @@ import python
import semmle.python.security.dataflow.WeakSensitiveDataHashingQuery import semmle.python.security.dataflow.WeakSensitiveDataHashingQuery
import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking import semmle.python.dataflow.new.TaintTracking
import WeakSensitiveDataHashingFlow::PathGraph import DataFlow::PathGraph
from from
WeakSensitiveDataHashingFlow::PathNode source, WeakSensitiveDataHashingFlow::PathNode sink, DataFlow::PathNode source, DataFlow::PathNode sink, string ending, string algorithmName,
string ending, string algorithmName, string classification string classification
where where
normalHashFunctionFlowPath(source, sink) and exists(NormalHashFunction::Configuration config |
algorithmName = sink.getNode().(NormalHashFunction::Sink).getAlgorithmName() and config.hasFlowPath(source, sink) and
classification = source.getNode().(NormalHashFunction::Source).getClassification() and algorithmName = sink.getNode().(NormalHashFunction::Sink).getAlgorithmName() and
ending = "." classification = source.getNode().(NormalHashFunction::Source).getClassification() and
or
computationallyExpensiveHashFunctionFlowPath(source, sink) and
algorithmName = sink.getNode().(ComputationallyExpensiveHashFunction::Sink).getAlgorithmName() and
classification =
source.getNode().(ComputationallyExpensiveHashFunction::Source).getClassification() and
(
sink.getNode().(ComputationallyExpensiveHashFunction::Sink).isComputationallyExpensive() and
ending = "." ending = "."
or )
not sink.getNode().(ComputationallyExpensiveHashFunction::Sink).isComputationallyExpensive() and or
ending = exists(ComputationallyExpensiveHashFunction::Configuration config |
" for " + classification + config.hasFlowPath(source, sink) and
" hashing, since it is not a computationally expensive hash function." algorithmName = sink.getNode().(ComputationallyExpensiveHashFunction::Sink).getAlgorithmName() and
classification =
source.getNode().(ComputationallyExpensiveHashFunction::Source).getClassification() and
(
sink.getNode().(ComputationallyExpensiveHashFunction::Sink).isComputationallyExpensive() and
ending = "."
or
not sink.getNode().(ComputationallyExpensiveHashFunction::Sink).isComputationallyExpensive() and
ending =
" for " + classification +
" hashing, since it is not a computationally expensive hash function."
)
) )
select sink.getNode(), source, sink, select sink.getNode(), source, sink,
"$@ is used in a hashing algorithm (" + algorithmName + ") that is insecure" + ending, "$@ is used in a hashing algorithm (" + algorithmName + ") that is insecure" + ending,

View File

@@ -14,9 +14,9 @@
import python import python
import semmle.python.security.dataflow.UnsafeDeserializationQuery import semmle.python.security.dataflow.UnsafeDeserializationQuery
import UnsafeDeserializationFlow::PathGraph import DataFlow::PathGraph
from UnsafeDeserializationFlow::PathNode source, UnsafeDeserializationFlow::PathNode sink from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where UnsafeDeserializationFlow::flowPath(source, sink) where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Unsafe deserialization depends on a $@.", source.getNode(), select sink.getNode(), source, sink, "Unsafe deserialization depends on a $@.", source.getNode(),
"user-provided value" "user-provided value"

View File

@@ -14,9 +14,9 @@
import python import python
import semmle.python.security.dataflow.UrlRedirectQuery import semmle.python.security.dataflow.UrlRedirectQuery
import UrlRedirectFlow::PathGraph import DataFlow::PathGraph
from UrlRedirectFlow::PathNode source, UrlRedirectFlow::PathNode sink from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where UrlRedirectFlow::flowPath(source, sink) where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Untrusted URL redirection depends on a $@.", source.getNode(), select sink.getNode(), source, sink, "Untrusted URL redirection depends on a $@.", source.getNode(),
"user-provided value" "user-provided value"

View File

@@ -14,10 +14,10 @@
import python import python
import semmle.python.security.dataflow.XxeQuery import semmle.python.security.dataflow.XxeQuery
import XxeFlow::PathGraph import DataFlow::PathGraph
from XxeFlow::PathNode source, XxeFlow::PathNode sink from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where XxeFlow::flowPath(source, sink) where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, select sink.getNode(), source, sink,
"XML parsing depends on a $@ without guarding against external entity expansion.", "XML parsing depends on a $@ without guarding against external entity expansion.",
source.getNode(), "user-provided value" source.getNode(), "user-provided value"

View File

@@ -13,9 +13,9 @@
import python import python
import semmle.python.security.dataflow.XpathInjectionQuery import semmle.python.security.dataflow.XpathInjectionQuery
import XpathInjectionFlow::PathGraph import DataFlow::PathGraph
from XpathInjectionFlow::PathNode source, XpathInjectionFlow::PathNode sink from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where XpathInjectionFlow::flowPath(source, sink) where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "XPath expression depends on a $@.", source.getNode(), select sink.getNode(), source, sink, "XPath expression depends on a $@.", source.getNode(),
"user-provided value" "user-provided value"

View File

@@ -15,13 +15,13 @@
import python import python
import semmle.python.security.dataflow.PolynomialReDoSQuery import semmle.python.security.dataflow.PolynomialReDoSQuery
import PolynomialReDoSFlow::PathGraph import DataFlow::PathGraph
from from
PolynomialReDoSFlow::PathNode source, PolynomialReDoSFlow::PathNode sink, Sink sinkNode, Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, Sink sinkNode,
PolynomialBackTrackingTerm regexp PolynomialBackTrackingTerm regexp
where where
PolynomialReDoSFlow::flowPath(source, sink) and config.hasFlowPath(source, sink) and
sinkNode = sink.getNode() and sinkNode = sink.getNode() and
regexp.getRootTerm() = sinkNode.getRegExp() regexp.getRootTerm() = sinkNode.getRegExp()
// not ( // not (

View File

@@ -16,13 +16,13 @@
import python import python
private import semmle.python.Concepts private import semmle.python.Concepts
import semmle.python.security.dataflow.RegexInjectionQuery import semmle.python.security.dataflow.RegexInjectionQuery
import RegexInjectionFlow::PathGraph import DataFlow::PathGraph
from from
RegexInjectionFlow::PathNode source, RegexInjectionFlow::PathNode sink, Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink,
RegexExecution regexExecution RegexExecution regexExecution
where where
RegexInjectionFlow::flowPath(source, sink) and config.hasFlowPath(source, sink) and
regexExecution = sink.getNode().(Sink).getRegexExecution() regexExecution = sink.getNode().(Sink).getRegexExecution()
select sink.getNode(), source, sink, select sink.getNode(), source, sink,
"This regular expression depends on a $@ and is executed by $@.", source.getNode(), "This regular expression depends on a $@ and is executed by $@.", source.getNode(),

View File

@@ -14,10 +14,10 @@
import python import python
import semmle.python.security.dataflow.XmlBombQuery import semmle.python.security.dataflow.XmlBombQuery
import XmlBombFlow::PathGraph import DataFlow::PathGraph
from XmlBombFlow::PathNode source, XmlBombFlow::PathNode sink from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where XmlBombFlow::flowPath(source, sink) where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, select sink.getNode(), source, sink,
"XML parsing depends on a $@ without guarding against uncontrolled entity expansion.", "XML parsing depends on a $@ without guarding against uncontrolled entity expansion.",
source.getNode(), "user-provided value" source.getNode(), "user-provided value"

View File

@@ -16,6 +16,7 @@ import python
import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking import semmle.python.dataflow.new.TaintTracking
import semmle.python.filters.Tests import semmle.python.filters.Tests
import DataFlow::PathGraph
bindingset[char, fraction] bindingset[char, fraction]
predicate fewer_characters_than(StrConst str, string char, float fraction) { predicate fewer_characters_than(StrConst str, string char, float fraction) {
@@ -107,19 +108,17 @@ private string getACredentialRegex() {
result = "(?i).*(cert)(?!.*(format|name)).*" result = "(?i).*(cert)(?!.*(format|name)).*"
} }
private module HardcodedCredentialsConfig implements DataFlow::ConfigSig { class HardcodedCredentialsConfiguration extends TaintTracking::Configuration {
predicate isSource(DataFlow::Node source) { source instanceof HardcodedValueSource } HardcodedCredentialsConfiguration() { this = "Hardcoded credentials configuration" }
predicate isSink(DataFlow::Node sink) { sink instanceof CredentialSink } override predicate isSource(DataFlow::Node source) { source instanceof HardcodedValueSource }
override predicate isSink(DataFlow::Node sink) { sink instanceof CredentialSink }
} }
module HardcodedCredentialsFlow = TaintTracking::Global<HardcodedCredentialsConfig>; from HardcodedCredentialsConfiguration config, DataFlow::PathNode src, DataFlow::PathNode sink
import HardcodedCredentialsFlow::PathGraph
from HardcodedCredentialsFlow::PathNode src, HardcodedCredentialsFlow::PathNode sink
where where
HardcodedCredentialsFlow::flowPath(src, sink) and config.hasFlowPath(src, sink) and
not any(TestScope test).contains(src.getNode().asCfgNode().getNode()) not any(TestScope test).contains(src.getNode().asCfgNode().getNode())
select src.getNode(), src, sink, "This hardcoded value is $@.", sink.getNode(), select src.getNode(), src, sink, "This hardcoded value is $@.", sink.getNode(),
"used as credentials" "used as credentials"

View File

@@ -12,14 +12,14 @@
import python import python
import semmle.python.security.dataflow.ServerSideRequestForgeryQuery import semmle.python.security.dataflow.ServerSideRequestForgeryQuery
import FullServerSideRequestForgeryFlow::PathGraph import DataFlow::PathGraph
from from
FullServerSideRequestForgeryFlow::PathNode source, FullServerSideRequestForgeryConfiguration fullConfig, DataFlow::PathNode source,
FullServerSideRequestForgeryFlow::PathNode sink, Http::Client::Request request DataFlow::PathNode sink, Http::Client::Request request
where where
request = sink.getNode().(Sink).getRequest() and request = sink.getNode().(Sink).getRequest() and
FullServerSideRequestForgeryFlow::flowPath(source, sink) and fullConfig.hasFlowPath(source, sink) and
fullyControlledRequest(request) fullyControlledRequest(request)
select request, source, sink, "The full URL of this request depends on a $@.", source.getNode(), select request, source, sink, "The full URL of this request depends on a $@.", source.getNode(),
"user-provided value" "user-provided value"

View File

@@ -12,14 +12,14 @@
import python import python
import semmle.python.security.dataflow.ServerSideRequestForgeryQuery import semmle.python.security.dataflow.ServerSideRequestForgeryQuery
import PartialServerSideRequestForgeryFlow::PathGraph import DataFlow::PathGraph
from from
PartialServerSideRequestForgeryFlow::PathNode source, PartialServerSideRequestForgeryConfiguration partialConfig, DataFlow::PathNode source,
PartialServerSideRequestForgeryFlow::PathNode sink, Http::Client::Request request DataFlow::PathNode sink, Http::Client::Request request
where where
request = sink.getNode().(Sink).getRequest() and request = sink.getNode().(Sink).getRequest() and
PartialServerSideRequestForgeryFlow::flowPath(source, sink) and partialConfig.hasFlowPath(source, sink) and
not fullyControlledRequest(request) not fullyControlledRequest(request)
select request, source, sink, "Part of the URL of this request depends on a $@.", source.getNode(), select request, source, sink, "Part of the URL of this request depends on a $@.", source.getNode(),
"user-provided value" "user-provided value"

View File

@@ -15,10 +15,10 @@
import python import python
import experimental.semmle.python.security.ZipSlip import experimental.semmle.python.security.ZipSlip
import ZipSlipFlow::PathGraph import DataFlow::PathGraph
from ZipSlipFlow::PathNode source, ZipSlipFlow::PathNode sink from ZipSlipConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
where ZipSlipFlow::flowPath(source, sink) where config.hasFlowPath(source, sink)
select source.getNode(), source, sink, select source.getNode(), source, sink,
"This unsanitized archive entry, which may contain '..', is used in a $@.", sink.getNode(), "This unsanitized archive entry, which may contain '..', is used in a $@.", sink.getNode(),
"file system operation" "file system operation"

View File

@@ -16,7 +16,7 @@
import python import python
import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking import semmle.python.dataflow.new.TaintTracking
import TarSlipImprovFlow::PathGraph import DataFlow::PathGraph
import semmle.python.ApiGraphs import semmle.python.ApiGraphs
import semmle.python.dataflow.new.internal.Attributes import semmle.python.dataflow.new.internal.Attributes
import semmle.python.dataflow.new.BarrierGuards import semmle.python.dataflow.new.BarrierGuards
@@ -54,10 +54,12 @@ class AllTarfileOpens extends API::CallNode {
/** /**
* A taint-tracking configuration for detecting more "TarSlip" vulnerabilities. * A taint-tracking configuration for detecting more "TarSlip" vulnerabilities.
*/ */
private module TarSlipImprovConfig implements DataFlow::ConfigSig { class Configuration extends TaintTracking::Configuration {
predicate isSource(DataFlow::Node source) { source = tarfileOpen().getACall() } Configuration() { this = "TarSlip" }
predicate isSink(DataFlow::Node sink) { override predicate isSource(DataFlow::Node source) { source = tarfileOpen().getACall() }
override predicate isSink(DataFlow::Node sink) {
( (
// A sink capturing method calls to `extractall` without `members` argument. // A sink capturing method calls to `extractall` without `members` argument.
// For a call to `file.extractall` without `members` argument, `file` is considered a sink. // For a call to `file.extractall` without `members` argument, `file` is considered a sink.
@@ -98,7 +100,7 @@ private module TarSlipImprovConfig implements DataFlow::ConfigSig {
not sink.getScope().getLocation().getFile().inStdlib() not sink.getScope().getLocation().getFile().inStdlib()
} }
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
nodeTo.(MethodCallNode).calls(nodeFrom, "getmembers") and nodeTo.(MethodCallNode).calls(nodeFrom, "getmembers") and
nodeFrom instanceof AllTarfileOpens nodeFrom instanceof AllTarfileOpens
or or
@@ -111,10 +113,7 @@ private module TarSlipImprovConfig implements DataFlow::ConfigSig {
} }
} }
/** Global taint-tracking for detecting more "TarSlip" vulnerabilities. */ from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
module TarSlipImprovFlow = TaintTracking::Global<TarSlipImprovConfig>; where config.hasFlowPath(source, sink)
from TarSlipImprovFlow::PathNode source, TarSlipImprovFlow::PathNode sink
where TarSlipImprovFlow::flowPath(source, sink)
select sink, source, sink, "Extraction of tarfile from $@ to a potentially untrusted source $@.", select sink, source, sink, "Extraction of tarfile from $@ to a potentially untrusted source $@.",
source.getNode(), source.getNode().toString(), sink.getNode(), sink.getNode().toString() source.getNode(), source.getNode().toString(), sink.getNode(), sink.getNode().toString()

View File

@@ -16,9 +16,9 @@
import python import python
import experimental.Security.UnsafeUnpackQuery import experimental.Security.UnsafeUnpackQuery
import UnsafeUnpackFlow::PathGraph import DataFlow::PathGraph
from UnsafeUnpackFlow::PathNode source, UnsafeUnpackFlow::PathNode sink from UnsafeUnpackingConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
where UnsafeUnpackFlow::flowPath(source, sink) where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, select sink.getNode(), source, sink,
"Unsafe extraction from a malicious tarball retrieved from a remote location." "Unsafe extraction from a malicious tarball retrieved from a remote location."

View File

@@ -16,13 +16,16 @@ import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking import semmle.python.dataflow.new.TaintTracking
import semmle.python.dataflow.new.RemoteFlowSources import semmle.python.dataflow.new.RemoteFlowSources
import semmle.python.ApiGraphs import semmle.python.ApiGraphs
import DataFlow::PathGraph
private API::Node paramikoClient() { private API::Node paramikoClient() {
result = API::moduleImport("paramiko").getMember("SSHClient").getReturn() result = API::moduleImport("paramiko").getMember("SSHClient").getReturn()
} }
private module ParamikoConfig implements DataFlow::ConfigSig { class ParamikoCmdInjectionConfiguration extends TaintTracking::Configuration {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } ParamikoCmdInjectionConfiguration() { this = "ParamikoCMDInjectionConfiguration" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
/** /**
* exec_command of `paramiko.SSHClient` class execute command on ssh target server * exec_command of `paramiko.SSHClient` class execute command on ssh target server
@@ -30,7 +33,7 @@ private module ParamikoConfig implements DataFlow::ConfigSig {
* and it run CMD on current system that running the ssh command * and it run CMD on current system that running the ssh command
* the Sink related to proxy command is the `connect` method of `paramiko.SSHClient` class * the Sink related to proxy command is the `connect` method of `paramiko.SSHClient` class
*/ */
predicate isSink(DataFlow::Node sink) { override predicate isSink(DataFlow::Node sink) {
sink = paramikoClient().getMember("exec_command").getACall().getParameter(0, "command").asSink() sink = paramikoClient().getMember("exec_command").getACall().getParameter(0, "command").asSink()
or or
sink = paramikoClient().getMember("connect").getACall().getParameter(11, "sock").asSink() sink = paramikoClient().getMember("connect").getACall().getParameter(11, "sock").asSink()
@@ -39,7 +42,7 @@ private module ParamikoConfig implements DataFlow::ConfigSig {
/** /**
* this additional taint step help taint tracking to find the vulnerable `connect` method of `paramiko.SSHClient` class * this additional taint step help taint tracking to find the vulnerable `connect` method of `paramiko.SSHClient` class
*/ */
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
exists(API::CallNode call | exists(API::CallNode call |
call = API::moduleImport("paramiko").getMember("ProxyCommand").getACall() and call = API::moduleImport("paramiko").getMember("ProxyCommand").getACall() and
nodeFrom = call.getParameter(0, "command_line").asSink() and nodeFrom = call.getParameter(0, "command_line").asSink() and
@@ -48,12 +51,7 @@ private module ParamikoConfig implements DataFlow::ConfigSig {
} }
} }
/** Global taint-tracking for detecting "paramiko command injection" vulnerabilities. */ from ParamikoCmdInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
module ParamikoFlow = TaintTracking::Global<ParamikoConfig>; where config.hasFlowPath(source, sink)
import ParamikoFlow::PathGraph
from ParamikoFlow::PathNode source, ParamikoFlow::PathNode sink
where ParamikoFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "This code execution depends on a $@.", source.getNode(), select sink.getNode(), source, sink, "This code execution depends on a $@.", source.getNode(),
"a user-provided value" "a user-provided value"

View File

@@ -15,10 +15,10 @@
// determine precision above // determine precision above
import python import python
import experimental.semmle.python.security.dataflow.EmailXss import experimental.semmle.python.security.dataflow.ReflectedXSS
import EmailXssFlow::PathGraph import DataFlow::PathGraph
from EmailXssFlow::PathNode source, EmailXssFlow::PathNode sink from ReflectedXssConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
where EmailXssFlow::flowPath(source, sink) where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.", select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
source.getNode(), "a user-provided value" source.getNode(), "a user-provided value"

View File

@@ -14,9 +14,9 @@
// determine precision above // determine precision above
import python import python
import experimental.semmle.python.security.injection.HTTPHeaders import experimental.semmle.python.security.injection.HTTPHeaders
import HeaderInjectionFlow::PathGraph import DataFlow::PathGraph
from HeaderInjectionFlow::PathNode source, HeaderInjectionFlow::PathNode sink from HeaderInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
where HeaderInjectionFlow::flowPath(source, sink) where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "This HTTP header is constructed from a $@.", source.getNode(), select sink.getNode(), source, sink, "This HTTP header is constructed from a $@.", source.getNode(),
"user-provided value" "user-provided value"

View File

@@ -11,11 +11,11 @@
*/ */
import python import python
import CsvInjectionFlow::PathGraph import DataFlow::PathGraph
import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.DataFlow
import experimental.semmle.python.security.injection.CsvInjection import experimental.semmle.python.security.injection.CsvInjection
from CsvInjectionFlow::PathNode source, CsvInjectionFlow::PathNode sink from CsvInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
where CsvInjectionFlow::flowPath(source, sink) where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Csv injection might include code from $@.", source.getNode(), select sink.getNode(), source, sink, "Csv injection might include code from $@.", source.getNode(),
"this user input" "this user input"

View File

@@ -14,10 +14,10 @@
import python import python
import UnicodeBypassValidationQuery import UnicodeBypassValidationQuery
import UnicodeBypassValidationFlow::PathGraph import DataFlow::PathGraph
from UnicodeBypassValidationFlow::PathNode source, UnicodeBypassValidationFlow::PathNode sink from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
where UnicodeBypassValidationFlow::flowPath(source, sink) where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, select sink.getNode(), source, sink,
"This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters.", "This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters.",
sink.getNode(), "Unicode transformation (Unicode normalization)", source.getNode(), sink.getNode(), "Unicode transformation (Unicode normalization)", source.getNode(),

View File

@@ -3,7 +3,6 @@
*/ */
private import python private import python
import semmle.python.dataflow.new.DataFlow
import semmle.python.ApiGraphs import semmle.python.ApiGraphs
import semmle.python.Concepts import semmle.python.Concepts
import semmle.python.dataflow.new.internal.DataFlowPublic import semmle.python.dataflow.new.internal.DataFlowPublic
@@ -28,15 +27,16 @@ class PostValidation extends DataFlow::FlowState {
* This configuration uses two flow states, `PreValidation` and `PostValidation`, * This configuration uses two flow states, `PreValidation` and `PostValidation`,
* to track the requirement that a logical validation has been performed before the Unicode Transformation. * to track the requirement that a logical validation has been performed before the Unicode Transformation.
*/ */
private module UnicodeBypassValidationConfig implements DataFlow::StateConfigSig { class Configuration extends TaintTracking::Configuration {
class FlowState = DataFlow::FlowState; Configuration() { this = "UnicodeBypassValidation" }
predicate isSource(DataFlow::Node source, FlowState state) { override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
source instanceof RemoteFlowSource and state instanceof PreValidation source instanceof RemoteFlowSource and state instanceof PreValidation
} }
predicate isAdditionalFlowStep( override predicate isAdditionalTaintStep(
DataFlow::Node nodeFrom, FlowState stateFrom, DataFlow::Node nodeTo, FlowState stateTo DataFlow::Node nodeFrom, DataFlow::FlowState stateFrom, DataFlow::Node nodeTo,
DataFlow::FlowState stateTo
) { ) {
( (
exists(Escaping escaping | nodeFrom = escaping.getAnInput() and nodeTo = escaping.getOutput()) exists(Escaping escaping | nodeFrom = escaping.getAnInput() and nodeTo = escaping.getOutput())
@@ -51,7 +51,7 @@ private module UnicodeBypassValidationConfig implements DataFlow::StateConfigSig
} }
/* A Unicode Tranformation (Unicode tranformation) is considered a sink when the algorithm used is either NFC or NFKC. */ /* A Unicode Tranformation (Unicode tranformation) is considered a sink when the algorithm used is either NFC or NFKC. */
predicate isSink(DataFlow::Node sink, FlowState state) { override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
exists(API::CallNode cn | exists(API::CallNode cn |
cn = API::moduleImport("unicodedata").getMember("normalize").getACall() and cn = API::moduleImport("unicodedata").getMember("normalize").getACall() and
sink = cn.getArg(1) sink = cn.getArg(1)
@@ -71,6 +71,3 @@ private module UnicodeBypassValidationConfig implements DataFlow::StateConfigSig
state instanceof PostValidation state instanceof PostValidation
} }
} }
/** Global taint-tracking for detecting "Unicode transformation mishandling" vulnerabilities. */
module UnicodeBypassValidationFlow = TaintTracking::GlobalWithState<UnicodeBypassValidationConfig>;

View File

@@ -17,25 +17,21 @@ import python
import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking import semmle.python.dataflow.new.TaintTracking
import experimental.semmle.python.security.TimingAttack import experimental.semmle.python.security.TimingAttack
import DataFlow::PathGraph
/** /**
* A configuration that tracks data flow from cryptographic operations * A configuration that tracks data flow from cryptographic operations
* to equality test * to equality test
*/ */
private module PossibleTimingAttackAgainstHashConfig implements DataFlow::ConfigSig { class PossibleTimingAttackAgainstHash extends TaintTracking::Configuration {
predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall } PossibleTimingAttackAgainstHash() { this = "PossibleTimingAttackAgainstHash" }
predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink } override predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall }
override predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
} }
module PossibleTimingAttackAgainstHashFlow = from PossibleTimingAttackAgainstHash config, DataFlow::PathNode source, DataFlow::PathNode sink
TaintTracking::Global<PossibleTimingAttackAgainstHashConfig>; where config.hasFlowPath(source, sink)
import PossibleTimingAttackAgainstHashFlow::PathGraph
from
PossibleTimingAttackAgainstHashFlow::PathNode source,
PossibleTimingAttackAgainstHashFlow::PathNode sink
where PossibleTimingAttackAgainstHashFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "Possible Timing attack against $@ validation.", select sink.getNode(), source, sink, "Possible Timing attack against $@ validation.",
source.getNode().(ProduceCryptoCall).getResultType(), "message" source.getNode().(ProduceCryptoCall).getResultType(), "message"

View File

@@ -16,24 +16,23 @@ import python
import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking import semmle.python.dataflow.new.TaintTracking
import experimental.semmle.python.security.TimingAttack import experimental.semmle.python.security.TimingAttack
import DataFlow::PathGraph
/** /**
* A configuration that tracks data flow from cryptographic operations * A configuration that tracks data flow from cryptographic operations
* to Equality test. * to Equality test.
*/ */
private module TimingAttackAgainstHashConfig implements DataFlow::ConfigSig { class TimingAttackAgainsthash extends TaintTracking::Configuration {
predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall } TimingAttackAgainsthash() { this = "TimingAttackAgainsthash" }
predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink } override predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall }
override predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
} }
module TimingAttackAgainstHashFlow = TaintTracking::Global<TimingAttackAgainstHashConfig>; from TimingAttackAgainsthash config, DataFlow::PathNode source, DataFlow::PathNode sink
import TimingAttackAgainstHashFlow::PathGraph
from TimingAttackAgainstHashFlow::PathNode source, TimingAttackAgainstHashFlow::PathNode sink
where where
TimingAttackAgainstHashFlow::flowPath(source, sink) and config.hasFlowPath(source, sink) and
sink.getNode().(NonConstantTimeComparisonSink).includesUserInput() sink.getNode().(NonConstantTimeComparisonSink).includesUserInput()
select sink.getNode(), source, sink, "Timing attack against $@ validation.", select sink.getNode(), source, sink, "Timing attack against $@ validation.",
source.getNode().(ProduceCryptoCall).getResultType(), "message" source.getNode().(ProduceCryptoCall).getResultType(), "message"

View File

@@ -15,26 +15,20 @@ import python
import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking import semmle.python.dataflow.new.TaintTracking
import experimental.semmle.python.security.TimingAttack import experimental.semmle.python.security.TimingAttack
import DataFlow::PathGraph
/** /**
* A configuration tracing flow from a client Secret obtained by an HTTP header to a unsafe Comparison. * A configuration tracing flow from a client Secret obtained by an HTTP header to a unsafe Comparison.
*/ */
private module TimingAttackAgainstHeaderValueConfig implements DataFlow::ConfigSig { class ClientSuppliedSecretConfig extends TaintTracking::Configuration {
predicate isSource(DataFlow::Node source) { source instanceof ClientSuppliedSecret } ClientSuppliedSecretConfig() { this = "ClientSuppliedSecretConfig" }
predicate isSink(DataFlow::Node sink) { sink instanceof CompareSink } override predicate isSource(DataFlow::Node source) { source instanceof ClientSuppliedSecret }
override predicate isSink(DataFlow::Node sink) { sink instanceof CompareSink }
} }
module TimingAttackAgainstHeaderValueFlow = from ClientSuppliedSecretConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
TaintTracking::Global<TimingAttackAgainstHeaderValueConfig>; where config.hasFlowPath(source, sink) and not sink.getNode().(CompareSink).flowtolen()
import TimingAttackAgainstHeaderValueFlow::PathGraph
from
TimingAttackAgainstHeaderValueFlow::PathNode source,
TimingAttackAgainstHeaderValueFlow::PathNode sink
where
TimingAttackAgainstHeaderValueFlow::flowPath(source, sink) and
not sink.getNode().(CompareSink).flowtolen()
select sink.getNode(), source, sink, "Timing attack against $@ validation.", source.getNode(), select sink.getNode(), source, sink, "Timing attack against $@ validation.", source.getNode(),
"client-supplied token" "client-supplied token"

View File

@@ -15,24 +15,20 @@ import python
import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking import semmle.python.dataflow.new.TaintTracking
import experimental.semmle.python.security.TimingAttack import experimental.semmle.python.security.TimingAttack
import DataFlow::PathGraph
/** /**
* A configuration tracing flow from obtaining a client Secret to a unsafe Comparison. * A configuration tracing flow from obtaining a client Secret to a unsafe Comparison.
*/ */
private module PossibleTimingAttackAgainstSensitiveInfoConfig implements DataFlow::ConfigSig { class ClientSuppliedSecretConfig extends TaintTracking::Configuration {
predicate isSource(DataFlow::Node source) { source instanceof SecretSource } ClientSuppliedSecretConfig() { this = "ClientSuppliedSecretConfig" }
predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink } override predicate isSource(DataFlow::Node source) { source instanceof SecretSource }
override predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
} }
module PossibleTimingAttackAgainstSensitiveInfoFlow = from ClientSuppliedSecretConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
TaintTracking::Global<PossibleTimingAttackAgainstSensitiveInfoConfig>; where config.hasFlowPath(source, sink)
import PossibleTimingAttackAgainstSensitiveInfoFlow::PathGraph
from
PossibleTimingAttackAgainstSensitiveInfoFlow::PathNode source,
PossibleTimingAttackAgainstSensitiveInfoFlow::PathNode sink
where PossibleTimingAttackAgainstSensitiveInfoFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "Timing attack against $@ validation.", source.getNode(), select sink.getNode(), source, sink, "Timing attack against $@ validation.", source.getNode(),
"client-supplied token" "client-supplied token"

View File

@@ -15,25 +15,22 @@ import python
import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking import semmle.python.dataflow.new.TaintTracking
import experimental.semmle.python.security.TimingAttack import experimental.semmle.python.security.TimingAttack
import TimingAttackAgainstSensitiveInfoFlow::PathGraph import DataFlow::PathGraph
/** /**
* A configuration tracing flow from obtaining a client Secret to a unsafe Comparison. * A configuration tracing flow from obtaining a client Secret to a unsafe Comparison.
*/ */
private module TimingAttackAgainstSensitiveInfoConfig implements DataFlow::ConfigSig { class ClientSuppliedSecretConfig extends TaintTracking::Configuration {
predicate isSource(DataFlow::Node source) { source instanceof SecretSource } ClientSuppliedSecretConfig() { this = "ClientSuppliedSecretConfig" }
predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink } override predicate isSource(DataFlow::Node source) { source instanceof SecretSource }
override predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
} }
module TimingAttackAgainstSensitiveInfoFlow = from ClientSuppliedSecretConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
TaintTracking::Global<TimingAttackAgainstSensitiveInfoConfig>;
from
TimingAttackAgainstSensitiveInfoFlow::PathNode source,
TimingAttackAgainstSensitiveInfoFlow::PathNode sink
where where
TimingAttackAgainstSensitiveInfoFlow::flowPath(source, sink) and config.hasFlowPath(source, sink) and
( (
source.getNode().(SecretSource).includesUserInput() or source.getNode().(SecretSource).includesUserInput() or
sink.getNode().(NonConstantTimeComparisonSink).includesUserInput() sink.getNode().(NonConstantTimeComparisonSink).includesUserInput()

View File

@@ -25,7 +25,7 @@ newtype TFrameWork =
Flask() or Flask() or
Django() Django()
private module WebAppConstantSecretKeyConfig implements DataFlow::StateConfigSig { module WebAppConstantSecretKeyConfig implements DataFlow::StateConfigSig {
class FlowState = TFrameWork; class FlowState = TFrameWork;
predicate isSource(DataFlow::Node source, FlowState state) { predicate isSource(DataFlow::Node source, FlowState state) {
@@ -54,11 +54,11 @@ private module WebAppConstantSecretKeyConfig implements DataFlow::StateConfigSig
} }
} }
module WebAppConstantSecretKeyFlow = TaintTracking::GlobalWithState<WebAppConstantSecretKeyConfig>; module WebAppConstantSecretKey = TaintTracking::GlobalWithState<WebAppConstantSecretKeyConfig>;
import WebAppConstantSecretKeyFlow::PathGraph import WebAppConstantSecretKey::PathGraph
from WebAppConstantSecretKeyFlow::PathNode source, WebAppConstantSecretKeyFlow::PathNode sink from WebAppConstantSecretKey::PathNode source, WebAppConstantSecretKey::PathNode sink
where WebAppConstantSecretKeyFlow::flowPath(source, sink) where WebAppConstantSecretKey::flowPath(source, sink)
select sink, source, sink, "The SECRET_KEY config variable is assigned by $@.", source, select sink, source, sink, "The SECRET_KEY config variable is assigned by $@.", source,
" this constant String" " this constant String"

View File

@@ -96,7 +96,7 @@ newtype TAzureFlowState =
MkUsesV1Encryption() or MkUsesV1Encryption() or
MkUsesNoEncryption() MkUsesNoEncryption()
private module AzureBlobClientConfig implements DataFlow::StateConfigSig { module AzureBlobClientConfig implements DataFlow::StateConfigSig {
class FlowState = TAzureFlowState; class FlowState = TAzureFlowState;
predicate isSource(DataFlow::Node node, FlowState state) { predicate isSource(DataFlow::Node node, FlowState state) {
@@ -147,10 +147,10 @@ private module AzureBlobClientConfig implements DataFlow::StateConfigSig {
} }
} }
module AzureBlobClientFlow = DataFlow::GlobalWithState<AzureBlobClientConfig>; module AzureBlobClient = DataFlow::GlobalWithState<AzureBlobClientConfig>;
import AzureBlobClientFlow::PathGraph import AzureBlobClient::PathGraph
from AzureBlobClientFlow::PathNode source, AzureBlobClientFlow::PathNode sink from AzureBlobClient::PathNode source, AzureBlobClient::PathNode sink
where AzureBlobClientFlow::flowPath(source, sink) where AzureBlobClient::flowPath(source, sink)
select sink, source, sink, "Unsafe usage of v1 version of Azure Storage client-side encryption" select sink, source, sink, "Unsafe usage of v1 version of Azure Storage client-side encryption"

View File

@@ -14,11 +14,11 @@
*/ */
import python import python
import experimental.semmle.python.security.InsecureRandomness import experimental.semmle.python.security.InsecureRandomness::InsecureRandomness
import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.DataFlow
import InsecureRandomness::Flow::PathGraph import DataFlow::PathGraph
from InsecureRandomness::Flow::PathNode source, InsecureRandomness::Flow::PathNode sink from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where InsecureRandomness::Flow::flowPath(source, sink) where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Cryptographically insecure $@ in a security context.", select sink.getNode(), source, sink, "Cryptographically insecure $@ in a security context.",
source.getNode(), "random value" source.getNode(), "random value"

View File

@@ -16,6 +16,7 @@ import python
import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.DataFlow
import semmle.python.ApiGraphs import semmle.python.ApiGraphs
import semmle.python.dataflow.new.TaintTracking import semmle.python.dataflow.new.TaintTracking
import DataFlow::PathGraph
class PredictableResultSource extends DataFlow::Node { class PredictableResultSource extends DataFlow::Node {
PredictableResultSource() { PredictableResultSource() {
@@ -39,12 +40,14 @@ class TokenAssignmentValueSink extends DataFlow::Node {
} }
} }
private module TokenBuiltFromUuidConfig implements DataFlow::ConfigSig { class TokenBuiltFromUuidConfig extends TaintTracking::Configuration {
predicate isSource(DataFlow::Node source) { source instanceof PredictableResultSource } TokenBuiltFromUuidConfig() { this = "TokenBuiltFromUuidConfig" }
predicate isSink(DataFlow::Node sink) { sink instanceof TokenAssignmentValueSink } override predicate isSource(DataFlow::Node source) { source instanceof PredictableResultSource }
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { override predicate isSink(DataFlow::Node sink) { sink instanceof TokenAssignmentValueSink }
override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
exists(DataFlow::CallCfgNode call | exists(DataFlow::CallCfgNode call |
call = API::builtin("str").getACall() and call = API::builtin("str").getACall() and
nodeFrom = call.getArg(0) and nodeFrom = call.getArg(0) and
@@ -53,11 +56,6 @@ private module TokenBuiltFromUuidConfig implements DataFlow::ConfigSig {
} }
} }
/** Global taint-tracking for detecting "TokenBuiltFromUUID" vulnerabilities. */ from DataFlow::PathNode source, DataFlow::PathNode sink, TokenBuiltFromUuidConfig config
module TokenBuiltFromUuidFlow = TaintTracking::Global<TokenBuiltFromUuidConfig>; where config.hasFlowPath(source, sink)
import TokenBuiltFromUuidFlow::PathGraph
from TokenBuiltFromUuidFlow::PathNode source, TokenBuiltFromUuidFlow::PathNode sink
where TokenBuiltFromUuidFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "Token built from $@.", source.getNode(), "predictable value" select sink.getNode(), source, sink, "Token built from $@.", source.getNode(), "predictable value"

View File

@@ -16,19 +16,21 @@ import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking import semmle.python.dataflow.new.TaintTracking
import semmle.python.ApiGraphs import semmle.python.ApiGraphs
import ClientSuppliedIpUsedInSecurityCheckLib import ClientSuppliedIpUsedInSecurityCheckLib
import ClientSuppliedIpUsedInSecurityCheckFlow::PathGraph import DataFlow::PathGraph
/** /**
* A taint-tracking configuration tracing flow from obtaining a client ip from an HTTP header to a sensitive use. * A taint-tracking configuration tracing flow from obtaining a client ip from an HTTP header to a sensitive use.
*/ */
private module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::ConfigSig { class ClientSuppliedIpUsedInSecurityCheckConfig extends TaintTracking::Configuration {
predicate isSource(DataFlow::Node source) { ClientSuppliedIpUsedInSecurityCheckConfig() { this = "ClientSuppliedIpUsedInSecurityCheckConfig" }
override predicate isSource(DataFlow::Node source) {
source instanceof ClientSuppliedIpUsedInSecurityCheck source instanceof ClientSuppliedIpUsedInSecurityCheck
} }
predicate isSink(DataFlow::Node sink) { sink instanceof PossibleSecurityCheck } override predicate isSink(DataFlow::Node sink) { sink instanceof PossibleSecurityCheck }
predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
exists(DataFlow::CallCfgNode ccn | exists(DataFlow::CallCfgNode ccn |
ccn = API::moduleImport("netaddr").getMember("IPAddress").getACall() and ccn = API::moduleImport("netaddr").getMember("IPAddress").getACall() and
ccn.getArg(0) = pred and ccn.getArg(0) = pred and
@@ -36,7 +38,7 @@ private module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::Co
) )
} }
predicate isBarrier(DataFlow::Node node) { override predicate isSanitizer(DataFlow::Node node) {
// `client_supplied_ip.split(",")[n]` for `n` > 0 // `client_supplied_ip.split(",")[n]` for `n` > 0
exists(Subscript ss | exists(Subscript ss |
not ss.getIndex().(IntegerLiteral).getText() = "0" and not ss.getIndex().(IntegerLiteral).getText() = "0" and
@@ -47,13 +49,9 @@ private module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::Co
} }
} }
/** Global taint-tracking for detecting "client ip used in security check" vulnerabilities. */
module ClientSuppliedIpUsedInSecurityCheckFlow =
TaintTracking::Global<ClientSuppliedIpUsedInSecurityCheckConfig>;
from from
ClientSuppliedIpUsedInSecurityCheckFlow::PathNode source, ClientSuppliedIpUsedInSecurityCheckConfig config, DataFlow::PathNode source,
ClientSuppliedIpUsedInSecurityCheckFlow::PathNode sink DataFlow::PathNode sink
where ClientSuppliedIpUsedInSecurityCheckFlow::flowPath(source, sink) where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "IP address spoofing might include code from $@.", select sink.getNode(), source, sink, "IP address spoofing might include code from $@.",
source.getNode(), "this user input" source.getNode(), "this user input"

View File

@@ -12,9 +12,9 @@
// determine precision above // determine precision above
import python import python
import experimental.semmle.python.security.LdapInsecureAuth import DataFlow::PathGraph
import LdapInsecureAuthFlow::PathGraph import experimental.semmle.python.security.LDAPInsecureAuth
from LdapInsecureAuthFlow::PathNode source, LdapInsecureAuthFlow::PathNode sink from LdapInsecureAuthConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
where LdapInsecureAuthFlow::flowPath(source, sink) where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "This LDAP host is authenticated insecurely." select sink.getNode(), source, sink, "This LDAP host is authenticated insecurely."

View File

@@ -15,11 +15,13 @@ import semmle.python.dataflow.new.DataFlow
import experimental.semmle.python.Concepts import experimental.semmle.python.Concepts
import experimental.semmle.python.CookieHeader import experimental.semmle.python.CookieHeader
import experimental.semmle.python.security.injection.CookieInjection import experimental.semmle.python.security.injection.CookieInjection
import CookieInjectionFlow::PathGraph import DataFlow::PathGraph
from CookieInjectionFlow::PathNode source, CookieInjectionFlow::PathNode sink, string insecure from
CookieInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink,
string insecure
where where
CookieInjectionFlow::flowPath(source, sink) and config.hasFlowPath(source, sink) and
if exists(sink.getNode().(CookieSink)) if exists(sink.getNode().(CookieSink))
then insecure = ",and its " + sink.getNode().(CookieSink).getFlag() + " flag is not properly set." then insecure = ",and its " + sink.getNode().(CookieSink).getFlag() + " flag is not properly set."
else insecure = "." else insecure = "."

View File

@@ -39,8 +39,10 @@ class AllTarfileOpens extends API::CallNode {
} }
} }
module UnsafeUnpackConfig implements DataFlow::ConfigSig { class UnsafeUnpackingConfig extends TaintTracking::Configuration {
predicate isSource(DataFlow::Node source) { UnsafeUnpackingConfig() { this = "UnsafeUnpackingConfig" }
override predicate isSource(DataFlow::Node source) {
// A source coming from a remote location // A source coming from a remote location
source instanceof RemoteFlowSource source instanceof RemoteFlowSource
or or
@@ -90,7 +92,7 @@ module UnsafeUnpackConfig implements DataFlow::ConfigSig {
source.(AttrRead).getAttributeName() = "FILES" source.(AttrRead).getAttributeName() = "FILES"
} }
predicate isSink(DataFlow::Node sink) { override predicate isSink(DataFlow::Node sink) {
( (
// A sink capturing method calls to `unpack_archive`. // A sink capturing method calls to `unpack_archive`.
sink = API::moduleImport("shutil").getMember("unpack_archive").getACall().getArg(0) sink = API::moduleImport("shutil").getMember("unpack_archive").getACall().getArg(0)
@@ -134,7 +136,7 @@ module UnsafeUnpackConfig implements DataFlow::ConfigSig {
not sink.getScope().getLocation().getFile().inStdlib() not sink.getScope().getLocation().getFile().inStdlib()
} }
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
// Reading the response // Reading the response
nodeTo.(MethodCallNode).calls(nodeFrom, "read") nodeTo.(MethodCallNode).calls(nodeFrom, "read")
or or
@@ -209,6 +211,3 @@ module UnsafeUnpackConfig implements DataFlow::ConfigSig {
) )
} }
} }
/** Global taint-tracking for detecting "UnsafeUnpacking" vulnerabilities. */
module UnsafeUnpackFlow = TaintTracking::Global<UnsafeUnpackConfig>;

View File

@@ -2,7 +2,7 @@ private import python
private import semmle.python.dataflow.new.DataFlow private import semmle.python.dataflow.new.DataFlow
private import experimental.semmle.python.Concepts private import experimental.semmle.python.Concepts
private import semmle.python.ApiGraphs private import semmle.python.ApiGraphs
private import semmle.python.dataflow.new.TaintTracking private import semmle.python.dataflow.new.TaintTracking2
module SmtpLib { module SmtpLib {
/** Gets a reference to `smtplib.SMTP_SSL` */ /** Gets a reference to `smtplib.SMTP_SSL` */
@@ -31,16 +31,16 @@ module SmtpLib {
* argument. Used because of the impossibility to get local source nodes from `_subparts`' * argument. Used because of the impossibility to get local source nodes from `_subparts`'
* `(List|Tuple)` elements. * `(List|Tuple)` elements.
*/ */
private module SmtpMessageConfig implements DataFlow::ConfigSig { private class SmtpMessageConfig extends TaintTracking2::Configuration {
predicate isSource(DataFlow::Node source) { source = mimeText(_) } SmtpMessageConfig() { this = "SMTPMessageConfig" }
predicate isSink(DataFlow::Node sink) { override predicate isSource(DataFlow::Node source) { source = mimeText(_) }
override predicate isSink(DataFlow::Node sink) {
sink = smtpMimeMultipartInstance().getACall().getArgByName("_subparts") sink = smtpMimeMultipartInstance().getACall().getArgByName("_subparts")
} }
} }
module SmtpMessageFlow = TaintTracking::Global<SmtpMessageConfig>;
/** /**
* Using the `MimeText` call retrieves the content argument whose type argument equals `mimetype`. * Using the `MimeText` call retrieves the content argument whose type argument equals `mimetype`.
* This call flows into `MIMEMultipart`'s `_subparts` argument or the `.attach()` method call * This call flows into `MIMEMultipart`'s `_subparts` argument or the `.attach()` method call
@@ -87,7 +87,8 @@ module SmtpLib {
sink = sink =
[sendCall.getArg(2), sendCall.getArg(2).(DataFlow::MethodCallNode).getObject()] [sendCall.getArg(2), sendCall.getArg(2).(DataFlow::MethodCallNode).getObject()]
.getALocalSource() and .getALocalSource() and
SmtpMessageFlow::flow(source, sink.(DataFlow::CallCfgNode).getArgByName("_subparts")) any(SmtpMessageConfig a)
.hasFlow(source, sink.(DataFlow::CallCfgNode).getArgByName("_subparts"))
or or
// via .attach() // via .attach()
sink = smtpMimeMultipartInstance().getReturn().getMember("attach").getACall() and sink = smtpMimeMultipartInstance().getReturn().getMember("attach").getACall() and

View File

@@ -21,14 +21,17 @@ module InsecureRandomness {
* A taint-tracking configuration for reasoning about random values that are * A taint-tracking configuration for reasoning about random values that are
* not cryptographically secure. * not cryptographically secure.
*/ */
private module Config implements DataFlow::ConfigSig { class Configuration extends TaintTracking::Configuration {
predicate isSource(DataFlow::Node source) { source instanceof Source } Configuration() { this = "InsecureRandomness" }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink } override predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
guard instanceof SanitizerGuard
}
} }
/** Global taint-tracking for detecting "random values that are not cryptographically secure" vulnerabilities. */
module Flow = TaintTracking::Global<Config>;
} }

View File

@@ -88,8 +88,10 @@ class LdapStringVar extends BinaryExpr {
/** /**
* A taint-tracking configuration for detecting LDAP insecure authentications. * A taint-tracking configuration for detecting LDAP insecure authentications.
*/ */
private module LdapInsecureAuthConfig implements DataFlow::ConfigSig { class LdapInsecureAuthConfig extends TaintTracking::Configuration {
predicate isSource(DataFlow::Node source) { LdapInsecureAuthConfig() { this = "LDAPInsecureAuthConfig" }
override predicate isSource(DataFlow::Node source) {
source instanceof RemoteFlowSource or source instanceof RemoteFlowSource or
source.asExpr() instanceof LdapFullHost or source.asExpr() instanceof LdapFullHost or
source.asExpr() instanceof LdapBothStrings or source.asExpr() instanceof LdapBothStrings or
@@ -98,10 +100,7 @@ private module LdapInsecureAuthConfig implements DataFlow::ConfigSig {
source.asExpr() instanceof LdapStringVar source.asExpr() instanceof LdapStringVar
} }
predicate isSink(DataFlow::Node sink) { override predicate isSink(DataFlow::Node sink) {
exists(LdapBind ldapBind | not ldapBind.useSsl() and sink = ldapBind.getHost()) exists(LdapBind ldapBind | not ldapBind.useSsl() and sink = ldapBind.getHost())
} }
} }
/** Global taint-tracking for detecting "LDAP insecure authentications" vulnerabilities. */
module LdapInsecureAuthFlow = TaintTracking::Global<LdapInsecureAuthConfig>;

View File

@@ -1,6 +1,8 @@
private import python private import python
private import semmle.python.dataflow.new.TaintTracking2
private import semmle.python.dataflow.new.TaintTracking private import semmle.python.dataflow.new.TaintTracking
private import semmle.python.dataflow.new.DataFlow private import semmle.python.dataflow.new.DataFlow
private import semmle.python.dataflow.new.DataFlow2
private import semmle.python.ApiGraphs private import semmle.python.ApiGraphs
private import semmle.python.dataflow.new.RemoteFlowSources private import semmle.python.dataflow.new.RemoteFlowSources
private import semmle.python.frameworks.Flask private import semmle.python.frameworks.Flask
@@ -162,7 +164,9 @@ class NonConstantTimeComparisonSink extends DataFlow::Node {
/** Holds if remote user input was used in the comparison. */ /** Holds if remote user input was used in the comparison. */
predicate includesUserInput() { predicate includesUserInput() {
UserInputInComparisonFlow::flowTo(DataFlow::exprNode(anotherParameter)) exists(UserInputInComparisonConfig config |
config.hasFlowTo(DataFlow2::exprNode(anotherParameter))
)
} }
} }
@@ -173,7 +177,9 @@ class SecretSource extends DataFlow::Node {
SecretSource() { secret = this.asExpr() } SecretSource() { secret = this.asExpr() }
/** Holds if the secret was deliverd by remote user. */ /** Holds if the secret was deliverd by remote user. */
predicate includesUserInput() { UserInputSecretFlow::flowTo(DataFlow::exprNode(secret)) } predicate includesUserInput() {
exists(UserInputSecretConfig config | config.hasFlowTo(DataFlow2::exprNode(secret)))
}
} }
/** A string for `match` that identifies strings that look like they represent secret data. */ /** A string for `match` that identifies strings that look like they represent secret data. */
@@ -261,21 +267,23 @@ private string sensitiveheaders() {
/** /**
* A config that tracks data flow from remote user input to Variable that hold sensitive info * A config that tracks data flow from remote user input to Variable that hold sensitive info
*/ */
module UserInputSecretConfig implements DataFlow::ConfigSig { class UserInputSecretConfig extends TaintTracking::Configuration {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } UserInputSecretConfig() { this = "UserInputSecretConfig" }
predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof CredentialExpr } override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof CredentialExpr }
} }
module UserInputSecretFlow = TaintTracking::Global<UserInputSecretConfig>;
/** /**
* A config that tracks data flow from remote user input to Equality test * A config that tracks data flow from remote user input to Equality test
*/ */
module UserInputInComparisonConfig implements DataFlow::ConfigSig { class UserInputInComparisonConfig extends TaintTracking2::Configuration {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } UserInputInComparisonConfig() { this = "UserInputInComparisonConfig" }
predicate isSink(DataFlow::Node sink) { override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) {
exists(Compare cmp, Expr left, Expr right, Cmpop cmpop | exists(Compare cmp, Expr left, Expr right, Cmpop cmpop |
cmpop.getSymbol() = ["==", "in", "is not", "!="] and cmpop.getSymbol() = ["==", "in", "is not", "!="] and
cmp.compares(left, cmpop, right) and cmp.compares(left, cmpop, right) and
@@ -284,15 +292,15 @@ module UserInputInComparisonConfig implements DataFlow::ConfigSig {
} }
} }
module UserInputInComparisonFlow = TaintTracking::Global<UserInputInComparisonConfig>;
/** /**
* A configuration tracing flow from a client Secret obtained by an HTTP header to a len() function. * A configuration tracing flow from a client Secret obtained by an HTTP header to a len() function.
*/ */
private module ExcludeLenFuncConfig implements DataFlow::ConfigSig { private class ExcludeLenFunc extends TaintTracking2::Configuration {
predicate isSource(DataFlow::Node source) { source instanceof ClientSuppliedSecret } ExcludeLenFunc() { this = "ExcludeLenFunc" }
predicate isSink(DataFlow::Node sink) { override predicate isSource(DataFlow::Node source) { source instanceof ClientSuppliedSecret }
override predicate isSink(DataFlow::Node sink) {
exists(Call call | exists(Call call |
call.getFunc().(Name).getId() = "len" and call.getFunc().(Name).getId() = "len" and
sink.asExpr() = call.getArg(0) sink.asExpr() = call.getArg(0)
@@ -300,8 +308,6 @@ private module ExcludeLenFuncConfig implements DataFlow::ConfigSig {
} }
} }
module ExcludeLenFuncFlow = TaintTracking::Global<ExcludeLenFuncConfig>;
/** /**
* Holds if there is a fast-fail check. * Holds if there is a fast-fail check.
*/ */
@@ -337,7 +343,8 @@ class CompareSink extends DataFlow::Node {
* Holds if there is a flow to len(). * Holds if there is a flow to len().
*/ */
predicate flowtolen() { predicate flowtolen() {
// TODO: Fly by comment: I don't understand this code at all, seems very strange. exists(ExcludeLenFunc config, DataFlow2::PathNode source, DataFlow2::PathNode sink |
ExcludeLenFuncFlow::flowPath(_, _) config.hasFlowPath(source, sink)
)
} }
} }

View File

@@ -4,8 +4,10 @@ import semmle.python.dataflow.new.DataFlow
import semmle.python.ApiGraphs import semmle.python.ApiGraphs
import semmle.python.dataflow.new.TaintTracking import semmle.python.dataflow.new.TaintTracking
private module ZipSlipConfig implements DataFlow::ConfigSig { class ZipSlipConfig extends TaintTracking::Configuration {
predicate isSource(DataFlow::Node source) { ZipSlipConfig() { this = "ZipSlipConfig" }
override predicate isSource(DataFlow::Node source) {
( (
source = source =
API::moduleImport("zipfile").getMember("ZipFile").getReturn().getMember("open").getACall() or API::moduleImport("zipfile").getMember("ZipFile").getReturn().getMember("open").getACall() or
@@ -27,7 +29,7 @@ private module ZipSlipConfig implements DataFlow::ConfigSig {
not source.getScope().getLocation().getFile().inStdlib() not source.getScope().getLocation().getFile().inStdlib()
} }
predicate isSink(DataFlow::Node sink) { override predicate isSink(DataFlow::Node sink) {
( (
sink = any(CopyFile copyfile).getAPathArgument() or sink = any(CopyFile copyfile).getAPathArgument() or
sink = any(CopyFile copyfile).getfsrcArgument() sink = any(CopyFile copyfile).getfsrcArgument()
@@ -35,6 +37,3 @@ private module ZipSlipConfig implements DataFlow::ConfigSig {
not sink.getScope().getLocation().getFile().inStdlib() not sink.getScope().getLocation().getFile().inStdlib()
} }
} }
/** Global taint-tracking for detecting "zip slip" vulnerabilities. */
module ZipSlipFlow = TaintTracking::Global<ZipSlipConfig>;

View File

@@ -1,5 +1,6 @@
/** /**
* Provides a taint-tracking configuration for detecting "Email XSS" vulnerabilities. * Provides a taint-tracking configuration for detecting reflected server-side
* cross-site scripting vulnerabilities.
*/ */
import python import python
@@ -11,18 +12,24 @@ import experimental.semmle.python.Concepts
import semmle.python.Concepts import semmle.python.Concepts
import semmle.python.ApiGraphs import semmle.python.ApiGraphs
private module EmailXssConfig implements DataFlow::ConfigSig { /**
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } * A taint-tracking configuration for detecting reflected server-side cross-site
* scripting vulnerabilities.
*/
class ReflectedXssConfiguration extends TaintTracking::Configuration {
ReflectedXssConfiguration() { this = "ReflectedXssConfiguration" }
predicate isSink(DataFlow::Node sink) { sink = any(EmailSender email).getHtmlBody() } override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isBarrier(DataFlow::Node sanitizer) { override predicate isSink(DataFlow::Node sink) { sink = any(EmailSender email).getHtmlBody() }
override predicate isSanitizer(DataFlow::Node sanitizer) {
sanitizer = any(HtmlEscaping esc).getOutput() sanitizer = any(HtmlEscaping esc).getOutput()
or or
sanitizer instanceof StringConstCompareBarrier sanitizer instanceof StringConstCompareBarrier
} }
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
exists(DataFlow::CallCfgNode htmlContentCall | exists(DataFlow::CallCfgNode htmlContentCall |
htmlContentCall = htmlContentCall =
API::moduleImport("sendgrid") API::moduleImport("sendgrid")
@@ -35,6 +42,3 @@ private module EmailXssConfig implements DataFlow::ConfigSig {
) )
} }
} }
/** Global taint-tracking for detecting "Email XSS" vulnerabilities. */
module EmailXssFlow = TaintTracking::Global<EmailXssConfig>;

View File

@@ -29,13 +29,12 @@ class CookieSink extends DataFlow::Node {
/** /**
* A taint-tracking configuration for detecting Cookie injections. * A taint-tracking configuration for detecting Cookie injections.
*/ */
private module CookieInjectionConfig implements DataFlow::ConfigSig { class CookieInjectionFlowConfig extends TaintTracking::Configuration {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } CookieInjectionFlowConfig() { this = "CookieInjectionFlowConfig" }
predicate isSink(DataFlow::Node sink) { override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) {
exists(Cookie c | sink in [c.getNameArg(), c.getValueArg()]) exists(Cookie c | sink in [c.getNameArg(), c.getValueArg()])
} }
} }
/** Global taint-tracking for detecting "Cookie injections" vulnerabilities. */
module CookieInjectionFlow = TaintTracking::Global<CookieInjectionConfig>;

View File

@@ -8,12 +8,14 @@ import semmle.python.dataflow.new.RemoteFlowSources
/** /**
* A taint-tracking configuration for tracking untrusted user input used in file read. * A taint-tracking configuration for tracking untrusted user input used in file read.
*/ */
private module CsvInjectionConfig implements DataFlow::ConfigSig { class CsvInjectionFlowConfig extends TaintTracking::Configuration {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } CsvInjectionFlowConfig() { this = "CsvInjectionFlowConfig" }
predicate isSink(DataFlow::Node sink) { sink = any(CsvWriter cw).getAnInput() } override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isBarrier(DataFlow::Node node) { override predicate isSink(DataFlow::Node sink) { sink = any(CsvWriter cw).getAnInput() }
override predicate isSanitizer(DataFlow::Node node) {
node = DataFlow::BarrierGuard<startsWithCheck/3>::getABarrierNode() or node = DataFlow::BarrierGuard<startsWithCheck/3>::getABarrierNode() or
node instanceof StringConstCompareBarrier node instanceof StringConstCompareBarrier
} }
@@ -27,6 +29,3 @@ private predicate startsWithCheck(DataFlow::GuardNode g, ControlFlowNode node, b
branch = true branch = true
) )
} }
/** Global taint-tracking for detecting "CSV injection" vulnerabilities. */
module CsvInjectionFlow = TaintTracking::Global<CsvInjectionConfig>;

View File

@@ -7,15 +7,14 @@ import semmle.python.dataflow.new.RemoteFlowSources
/** /**
* A taint-tracking configuration for detecting HTTP Header injections. * A taint-tracking configuration for detecting HTTP Header injections.
*/ */
private module HeaderInjectionConfig implements DataFlow::ConfigSig { class HeaderInjectionFlowConfig extends TaintTracking::Configuration {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } HeaderInjectionFlowConfig() { this = "HeaderInjectionFlowConfig" }
predicate isSink(DataFlow::Node sink) { override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) {
exists(HeaderDeclaration headerDeclaration | exists(HeaderDeclaration headerDeclaration |
sink in [headerDeclaration.getNameArg(), headerDeclaration.getValueArg()] sink in [headerDeclaration.getNameArg(), headerDeclaration.getValueArg()]
) )
} }
} }
/** Global taint-tracking for detecting "HTTP Header injection" vulnerabilities. */
module HeaderInjectionFlow = TaintTracking::Global<HeaderInjectionConfig>;

View File

@@ -16,11 +16,9 @@ module ModificationOfParameterWithDefault {
import ModificationOfParameterWithDefaultCustomizations::ModificationOfParameterWithDefault import ModificationOfParameterWithDefaultCustomizations::ModificationOfParameterWithDefault
/** /**
* DEPRECATED: Use `Flow` module instead.
*
* A data-flow configuration for detecting modifications of a parameters default value. * A data-flow configuration for detecting modifications of a parameters default value.
*/ */
deprecated class Configuration extends DataFlow::Configuration { class Configuration extends DataFlow::Configuration {
/** Record whether the default value being tracked is non-empty. */ /** Record whether the default value being tracked is non-empty. */
boolean nonEmptyDefault; boolean nonEmptyDefault;
@@ -45,33 +43,4 @@ module ModificationOfParameterWithDefault {
nonEmptyDefault = false and node instanceof MustBeNonEmpty nonEmptyDefault = false and node instanceof MustBeNonEmpty
} }
} }
private module Config implements DataFlow::StateConfigSig {
class FlowState = boolean;
predicate isSource(DataFlow::Node source, FlowState state) {
source.(Source).isNonEmpty() = state
}
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isSink(DataFlow::Node sink, FlowState state) {
// dummy implementation since this predicate is required, but actual logic is in
// the predicate above.
none()
}
predicate isBarrier(DataFlow::Node node, FlowState state) {
// if we are tracking a non-empty default, then it is ok to modify empty values,
// so our tracking ends at those.
state = true and node instanceof MustBeEmpty
or
// if we are tracking a empty default, then it is ok to modify non-empty values,
// so our tracking ends at those.
state = false and node instanceof MustBeNonEmpty
}
}
/** Global data-flow for detecting modifications of a parameters default value. */
module Flow = DataFlow::GlobalWithState<Config>;
} }

View File

@@ -33,8 +33,7 @@ edges
| TarSlipImprov.py:141:34:141:36 | GSSA Variable tar | TarSlipImprov.py:142:9:142:13 | GSSA Variable entry | | TarSlipImprov.py:141:34:141:36 | GSSA Variable tar | TarSlipImprov.py:142:9:142:13 | GSSA Variable entry |
| TarSlipImprov.py:142:9:142:13 | GSSA Variable entry | TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | | TarSlipImprov.py:142:9:142:13 | GSSA Variable entry | TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry |
| TarSlipImprov.py:159:9:159:14 | SSA variable tar_cm | TarSlipImprov.py:162:20:162:23 | SSA variable tarc | | TarSlipImprov.py:159:9:159:14 | SSA variable tar_cm | TarSlipImprov.py:162:20:162:23 | SSA variable tarc |
| TarSlipImprov.py:159:18:159:52 | ControlFlowNode for closing() | TarSlipImprov.py:159:9:159:14 | SSA variable tar_cm | | TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:159:9:159:14 | SSA variable tar_cm |
| TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:159:18:159:52 | ControlFlowNode for closing() |
| TarSlipImprov.py:162:20:162:23 | SSA variable tarc | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | | TarSlipImprov.py:162:20:162:23 | SSA variable tarc | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc |
| TarSlipImprov.py:176:6:176:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:176:36:176:38 | GSSA Variable tar | | TarSlipImprov.py:176:6:176:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:176:36:176:38 | GSSA Variable tar |
| TarSlipImprov.py:176:36:176:38 | GSSA Variable tar | TarSlipImprov.py:177:9:177:13 | GSSA Variable entry | | TarSlipImprov.py:176:36:176:38 | GSSA Variable tar | TarSlipImprov.py:177:9:177:13 | GSSA Variable entry |
@@ -123,7 +122,6 @@ nodes
| TarSlipImprov.py:142:9:142:13 | GSSA Variable entry | semmle.label | GSSA Variable entry | | TarSlipImprov.py:142:9:142:13 | GSSA Variable entry | semmle.label | GSSA Variable entry |
| TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | | TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry |
| TarSlipImprov.py:159:9:159:14 | SSA variable tar_cm | semmle.label | SSA variable tar_cm | | TarSlipImprov.py:159:9:159:14 | SSA variable tar_cm | semmle.label | SSA variable tar_cm |
| TarSlipImprov.py:159:18:159:52 | ControlFlowNode for closing() | semmle.label | ControlFlowNode for closing() |
| TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| TarSlipImprov.py:162:20:162:23 | SSA variable tarc | semmle.label | SSA variable tarc | | TarSlipImprov.py:162:20:162:23 | SSA variable tarc | semmle.label | SSA variable tarc |
| TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | semmle.label | ControlFlowNode for tarc | | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | semmle.label | ControlFlowNode for tarc |

View File

@@ -1,3 +1,3 @@
missingAnnotationOnSink missingAnnotationOnSink
testFailures
failures failures
testFailures

View File

@@ -1,4 +1,4 @@
import python import python
import experimental.dataflow.TestUtil.DataflowQueryTest import experimental.dataflow.TestUtil.DataflowQueryTest
import experimental.Security.UnsafeUnpackQuery import experimental.Security.UnsafeUnpackQuery
import FromTaintTrackingConfig<UnsafeUnpackConfig> import FromLegacyConfiguration<UnsafeUnpackingConfig>

View File

@@ -1,86 +1,43 @@
edges edges
| UnsafeUnpack.py:5:26:5:32 | ControlFlowNode for ImportMember | UnsafeUnpack.py:5:26:5:32 | GSSA Variable request | | UnsafeUnpack.py:5:26:5:32 | ControlFlowNode for ImportMember | UnsafeUnpack.py:5:26:5:32 | GSSA Variable request |
| UnsafeUnpack.py:5:26:5:32 | GSSA Variable request | UnsafeUnpack.py:11:18:11:24 | ControlFlowNode for request | | UnsafeUnpack.py:5:26:5:32 | GSSA Variable request | UnsafeUnpack.py:11:18:11:24 | ControlFlowNode for request |
| UnsafeUnpack.py:11:7:11:14 | SSA variable filename | UnsafeUnpack.py:13:24:13:58 | ControlFlowNode for Attribute() | | UnsafeUnpack.py:11:7:11:14 | SSA variable filename | UnsafeUnpack.py:13:13:13:20 | SSA variable response |
| UnsafeUnpack.py:11:18:11:24 | ControlFlowNode for request | UnsafeUnpack.py:11:7:11:14 | SSA variable filename |
| UnsafeUnpack.py:11:18:11:24 | ControlFlowNode for request | UnsafeUnpack.py:11:18:11:29 | ControlFlowNode for Attribute | | UnsafeUnpack.py:11:18:11:24 | ControlFlowNode for request | UnsafeUnpack.py:11:18:11:29 | ControlFlowNode for Attribute |
| UnsafeUnpack.py:11:18:11:29 | ControlFlowNode for Attribute | UnsafeUnpack.py:11:18:11:49 | ControlFlowNode for Attribute() | | UnsafeUnpack.py:11:18:11:29 | ControlFlowNode for Attribute | UnsafeUnpack.py:11:18:11:49 | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:11:18:11:49 | ControlFlowNode for Attribute() | UnsafeUnpack.py:11:7:11:14 | SSA variable filename | | UnsafeUnpack.py:11:18:11:49 | ControlFlowNode for Attribute() | UnsafeUnpack.py:11:7:11:14 | SSA variable filename |
| UnsafeUnpack.py:13:13:13:20 | SSA variable response | UnsafeUnpack.py:17:27:17:34 | ControlFlowNode for response | | UnsafeUnpack.py:13:13:13:20 | SSA variable response | UnsafeUnpack.py:19:35:19:41 | ControlFlowNode for tarpath |
| UnsafeUnpack.py:13:24:13:58 | ControlFlowNode for Attribute() | UnsafeUnpack.py:13:13:13:20 | SSA variable response |
| UnsafeUnpack.py:16:23:16:29 | ControlFlowNode for tarpath | UnsafeUnpack.py:19:35:19:41 | ControlFlowNode for tarpath |
| UnsafeUnpack.py:17:19:17:19 | ControlFlowNode for f | UnsafeUnpack.py:16:23:16:29 | ControlFlowNode for tarpath |
| UnsafeUnpack.py:17:27:17:34 | ControlFlowNode for response | UnsafeUnpack.py:17:27:17:38 | ControlFlowNode for Attribute |
| UnsafeUnpack.py:17:27:17:38 | ControlFlowNode for Attribute | UnsafeUnpack.py:17:27:17:45 | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:17:27:17:45 | ControlFlowNode for Attribute() | UnsafeUnpack.py:17:19:17:19 | ControlFlowNode for f |
| UnsafeUnpack.py:33:50:33:65 | ControlFlowNode for local_ziped_path | UnsafeUnpack.py:34:23:34:38 | ControlFlowNode for local_ziped_path | | UnsafeUnpack.py:33:50:33:65 | ControlFlowNode for local_ziped_path | UnsafeUnpack.py:34:23:34:38 | ControlFlowNode for local_ziped_path |
| UnsafeUnpack.py:47:20:47:34 | ControlFlowNode for compressed_file | UnsafeUnpack.py:48:23:48:37 | ControlFlowNode for compressed_file | | UnsafeUnpack.py:47:20:47:34 | ControlFlowNode for compressed_file | UnsafeUnpack.py:48:23:48:37 | ControlFlowNode for compressed_file |
| UnsafeUnpack.py:51:1:51:15 | GSSA Variable compressed_file | UnsafeUnpack.py:52:23:52:37 | ControlFlowNode for compressed_file | | UnsafeUnpack.py:51:1:51:15 | GSSA Variable compressed_file | UnsafeUnpack.py:52:23:52:37 | ControlFlowNode for compressed_file |
| UnsafeUnpack.py:51:19:51:36 | ControlFlowNode for Attribute() | UnsafeUnpack.py:51:1:51:15 | GSSA Variable compressed_file | | UnsafeUnpack.py:51:19:51:36 | ControlFlowNode for Attribute() | UnsafeUnpack.py:51:1:51:15 | GSSA Variable compressed_file |
| UnsafeUnpack.py:65:1:65:15 | GSSA Variable compressed_file | UnsafeUnpack.py:66:23:66:37 | ControlFlowNode for compressed_file | | UnsafeUnpack.py:65:1:65:15 | GSSA Variable compressed_file | UnsafeUnpack.py:66:23:66:37 | ControlFlowNode for compressed_file |
| UnsafeUnpack.py:65:19:65:31 | ControlFlowNode for Attribute | UnsafeUnpack.py:65:1:65:15 | GSSA Variable compressed_file | | UnsafeUnpack.py:65:19:65:31 | ControlFlowNode for Attribute | UnsafeUnpack.py:65:1:65:15 | GSSA Variable compressed_file |
| UnsafeUnpack.py:79:1:79:12 | GSSA Variable url_filename | UnsafeUnpack.py:81:12:81:50 | ControlFlowNode for Attribute() | | UnsafeUnpack.py:79:1:79:12 | GSSA Variable url_filename | UnsafeUnpack.py:81:1:81:8 | GSSA Variable response |
| UnsafeUnpack.py:79:1:79:12 | GSSA Variable url_filename | UnsafeUnpack.py:171:12:171:50 | ControlFlowNode for Attribute() | | UnsafeUnpack.py:79:1:79:12 | GSSA Variable url_filename | UnsafeUnpack.py:171:1:171:8 | GSSA Variable response |
| UnsafeUnpack.py:79:16:79:28 | ControlFlowNode for Attribute | UnsafeUnpack.py:79:1:79:12 | GSSA Variable url_filename | | UnsafeUnpack.py:79:16:79:28 | ControlFlowNode for Attribute | UnsafeUnpack.py:79:1:79:12 | GSSA Variable url_filename |
| UnsafeUnpack.py:81:1:81:8 | GSSA Variable response | UnsafeUnpack.py:85:15:85:22 | ControlFlowNode for response | | UnsafeUnpack.py:81:1:81:8 | GSSA Variable response | UnsafeUnpack.py:87:23:87:29 | ControlFlowNode for tarpath |
| UnsafeUnpack.py:81:12:81:50 | ControlFlowNode for Attribute() | UnsafeUnpack.py:81:1:81:8 | GSSA Variable response | | UnsafeUnpack.py:103:23:103:27 | SSA variable chunk | UnsafeUnpack.py:105:35:105:42 | ControlFlowNode for savepath |
| UnsafeUnpack.py:84:11:84:17 | ControlFlowNode for tarpath | UnsafeUnpack.py:87:23:87:29 | ControlFlowNode for tarpath | | UnsafeUnpack.py:103:32:103:44 | ControlFlowNode for Attribute | UnsafeUnpack.py:103:23:103:27 | SSA variable chunk |
| UnsafeUnpack.py:85:7:85:7 | ControlFlowNode for f | UnsafeUnpack.py:84:11:84:17 | ControlFlowNode for tarpath | | UnsafeUnpack.py:108:13:108:18 | SSA variable myfile | UnsafeUnpack.py:112:35:112:43 | ControlFlowNode for file_path |
| UnsafeUnpack.py:85:15:85:22 | ControlFlowNode for response | UnsafeUnpack.py:85:15:85:26 | ControlFlowNode for Attribute | | UnsafeUnpack.py:108:22:108:34 | ControlFlowNode for Attribute | UnsafeUnpack.py:108:13:108:18 | SSA variable myfile |
| UnsafeUnpack.py:85:15:85:26 | ControlFlowNode for Attribute | UnsafeUnpack.py:85:15:85:33 | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:85:15:85:33 | ControlFlowNode for Attribute() | UnsafeUnpack.py:85:7:85:7 | ControlFlowNode for f |
| UnsafeUnpack.py:102:23:102:30 | ControlFlowNode for savepath | UnsafeUnpack.py:105:35:105:42 | ControlFlowNode for savepath |
| UnsafeUnpack.py:103:23:103:27 | SSA variable chunk | UnsafeUnpack.py:104:37:104:41 | ControlFlowNode for chunk |
| UnsafeUnpack.py:103:32:103:44 | ControlFlowNode for Attribute | UnsafeUnpack.py:103:32:103:54 | ControlFlowNode for Subscript |
| UnsafeUnpack.py:103:32:103:54 | ControlFlowNode for Subscript | UnsafeUnpack.py:103:32:103:63 | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:103:32:103:63 | ControlFlowNode for Attribute() | UnsafeUnpack.py:103:23:103:27 | SSA variable chunk |
| UnsafeUnpack.py:104:25:104:29 | ControlFlowNode for wfile | UnsafeUnpack.py:102:23:102:30 | ControlFlowNode for savepath |
| UnsafeUnpack.py:104:37:104:41 | ControlFlowNode for chunk | UnsafeUnpack.py:104:25:104:29 | ControlFlowNode for wfile |
| UnsafeUnpack.py:108:13:108:18 | SSA variable myfile | UnsafeUnpack.py:111:27:111:32 | ControlFlowNode for myfile |
| UnsafeUnpack.py:108:22:108:34 | ControlFlowNode for Attribute | UnsafeUnpack.py:108:22:108:48 | ControlFlowNode for Attribute() | | UnsafeUnpack.py:108:22:108:34 | ControlFlowNode for Attribute | UnsafeUnpack.py:108:22:108:48 | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:108:22:108:48 | ControlFlowNode for Attribute() | UnsafeUnpack.py:108:13:108:18 | SSA variable myfile | | UnsafeUnpack.py:108:22:108:48 | ControlFlowNode for Attribute() | UnsafeUnpack.py:108:13:108:18 | SSA variable myfile |
| UnsafeUnpack.py:110:18:110:26 | ControlFlowNode for file_path | UnsafeUnpack.py:112:35:112:43 | ControlFlowNode for file_path | | UnsafeUnpack.py:116:17:116:21 | SSA variable ufile | UnsafeUnpack.py:118:19:118:26 | SSA variable filename |
| UnsafeUnpack.py:111:19:111:19 | ControlFlowNode for f | UnsafeUnpack.py:110:18:110:26 | ControlFlowNode for file_path | | UnsafeUnpack.py:116:27:116:39 | ControlFlowNode for Attribute | UnsafeUnpack.py:116:17:116:21 | SSA variable ufile |
| UnsafeUnpack.py:111:27:111:32 | ControlFlowNode for myfile | UnsafeUnpack.py:111:27:111:39 | ControlFlowNode for Attribute() | | UnsafeUnpack.py:118:19:118:26 | SSA variable filename | UnsafeUnpack.py:119:19:119:36 | SSA variable uploaded_file_path |
| UnsafeUnpack.py:111:27:111:39 | ControlFlowNode for Attribute() | UnsafeUnpack.py:111:19:111:19 | ControlFlowNode for f |
| UnsafeUnpack.py:116:17:116:21 | SSA variable ufile | UnsafeUnpack.py:118:38:118:42 | ControlFlowNode for ufile |
| UnsafeUnpack.py:116:27:116:39 | ControlFlowNode for Attribute | UnsafeUnpack.py:116:27:116:49 | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:116:27:116:49 | ControlFlowNode for Attribute() | UnsafeUnpack.py:116:17:116:21 | SSA variable ufile |
| UnsafeUnpack.py:118:19:118:26 | SSA variable filename | UnsafeUnpack.py:119:48:119:55 | ControlFlowNode for filename |
| UnsafeUnpack.py:118:30:118:55 | ControlFlowNode for Attribute() | UnsafeUnpack.py:118:19:118:26 | SSA variable filename |
| UnsafeUnpack.py:118:38:118:42 | ControlFlowNode for ufile | UnsafeUnpack.py:118:38:118:47 | ControlFlowNode for Attribute |
| UnsafeUnpack.py:118:38:118:47 | ControlFlowNode for Attribute | UnsafeUnpack.py:118:30:118:55 | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:119:19:119:36 | SSA variable uploaded_file_path | UnsafeUnpack.py:120:41:120:58 | ControlFlowNode for uploaded_file_path | | UnsafeUnpack.py:119:19:119:36 | SSA variable uploaded_file_path | UnsafeUnpack.py:120:41:120:58 | ControlFlowNode for uploaded_file_path |
| UnsafeUnpack.py:119:40:119:56 | ControlFlowNode for Attribute() | UnsafeUnpack.py:119:19:119:36 | SSA variable uploaded_file_path | | UnsafeUnpack.py:140:1:140:19 | GSSA Variable unsafe_filename_tar | UnsafeUnpack.py:141:56:141:58 | GSSA Variable tar |
| UnsafeUnpack.py:119:48:119:55 | ControlFlowNode for filename | UnsafeUnpack.py:119:40:119:56 | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:140:1:140:19 | GSSA Variable unsafe_filename_tar | UnsafeUnpack.py:141:22:141:40 | ControlFlowNode for unsafe_filename_tar |
| UnsafeUnpack.py:140:23:140:35 | ControlFlowNode for Attribute | UnsafeUnpack.py:140:1:140:19 | GSSA Variable unsafe_filename_tar | | UnsafeUnpack.py:140:23:140:35 | ControlFlowNode for Attribute | UnsafeUnpack.py:140:1:140:19 | GSSA Variable unsafe_filename_tar |
| UnsafeUnpack.py:141:6:141:51 | ControlFlowNode for Attribute() | UnsafeUnpack.py:141:56:141:58 | GSSA Variable tar |
| UnsafeUnpack.py:141:22:141:40 | ControlFlowNode for unsafe_filename_tar | UnsafeUnpack.py:141:6:141:51 | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:141:56:141:58 | GSSA Variable tar | UnsafeUnpack.py:142:49:142:51 | ControlFlowNode for tar | | UnsafeUnpack.py:141:56:141:58 | GSSA Variable tar | UnsafeUnpack.py:142:49:142:51 | ControlFlowNode for tar |
| UnsafeUnpack.py:157:23:157:30 | ControlFlowNode for savepath | UnsafeUnpack.py:161:38:161:45 | ControlFlowNode for savepath | | UnsafeUnpack.py:158:23:158:27 | SSA variable chunk | UnsafeUnpack.py:161:19:161:21 | SSA variable tar |
| UnsafeUnpack.py:158:23:158:27 | SSA variable chunk | UnsafeUnpack.py:159:37:159:41 | ControlFlowNode for chunk | | UnsafeUnpack.py:158:32:158:44 | ControlFlowNode for Attribute | UnsafeUnpack.py:158:23:158:27 | SSA variable chunk |
| UnsafeUnpack.py:158:32:158:44 | ControlFlowNode for Attribute | UnsafeUnpack.py:158:32:158:54 | ControlFlowNode for Subscript | | UnsafeUnpack.py:161:19:161:21 | SSA variable tar | UnsafeUnpack.py:163:23:163:28 | SSA variable member |
| UnsafeUnpack.py:158:32:158:54 | ControlFlowNode for Subscript | UnsafeUnpack.py:158:32:158:63 | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:158:32:158:63 | ControlFlowNode for Attribute() | UnsafeUnpack.py:158:23:158:27 | SSA variable chunk |
| UnsafeUnpack.py:159:25:159:29 | ControlFlowNode for wfile | UnsafeUnpack.py:157:23:157:30 | ControlFlowNode for savepath |
| UnsafeUnpack.py:159:37:159:41 | ControlFlowNode for chunk | UnsafeUnpack.py:159:25:159:29 | ControlFlowNode for wfile |
| UnsafeUnpack.py:161:19:161:21 | SSA variable tar | UnsafeUnpack.py:163:33:163:35 | ControlFlowNode for tar |
| UnsafeUnpack.py:161:25:161:46 | ControlFlowNode for Attribute() | UnsafeUnpack.py:161:19:161:21 | SSA variable tar |
| UnsafeUnpack.py:161:38:161:45 | ControlFlowNode for savepath | UnsafeUnpack.py:161:25:161:46 | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:163:23:163:28 | SSA variable member | UnsafeUnpack.py:166:37:166:42 | ControlFlowNode for member | | UnsafeUnpack.py:163:23:163:28 | SSA variable member | UnsafeUnpack.py:166:37:166:42 | ControlFlowNode for member |
| UnsafeUnpack.py:163:33:163:35 | ControlFlowNode for tar | UnsafeUnpack.py:163:23:163:28 | SSA variable member |
| UnsafeUnpack.py:166:23:166:28 | [post] ControlFlowNode for result | UnsafeUnpack.py:167:67:167:72 | ControlFlowNode for result | | UnsafeUnpack.py:166:23:166:28 | [post] ControlFlowNode for result | UnsafeUnpack.py:167:67:167:72 | ControlFlowNode for result |
| UnsafeUnpack.py:166:37:166:42 | ControlFlowNode for member | UnsafeUnpack.py:166:23:166:28 | [post] ControlFlowNode for result | | UnsafeUnpack.py:166:37:166:42 | ControlFlowNode for member | UnsafeUnpack.py:166:23:166:28 | [post] ControlFlowNode for result |
| UnsafeUnpack.py:171:1:171:8 | GSSA Variable response | UnsafeUnpack.py:174:15:174:22 | ControlFlowNode for response | | UnsafeUnpack.py:171:1:171:8 | GSSA Variable response | UnsafeUnpack.py:176:1:176:34 | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:171:12:171:50 | ControlFlowNode for Attribute() | UnsafeUnpack.py:171:1:171:8 | GSSA Variable response | | UnsafeUnpack.py:194:53:194:55 | ControlFlowNode for tmp | UnsafeUnpack.py:201:29:201:36 | ControlFlowNode for Attribute |
| UnsafeUnpack.py:173:11:173:17 | ControlFlowNode for tarpath | UnsafeUnpack.py:176:17:176:23 | ControlFlowNode for tarpath |
| UnsafeUnpack.py:174:7:174:7 | ControlFlowNode for f | UnsafeUnpack.py:173:11:173:17 | ControlFlowNode for tarpath |
| UnsafeUnpack.py:174:15:174:22 | ControlFlowNode for response | UnsafeUnpack.py:174:15:174:26 | ControlFlowNode for Attribute |
| UnsafeUnpack.py:174:15:174:26 | ControlFlowNode for Attribute | UnsafeUnpack.py:174:15:174:33 | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:174:15:174:33 | ControlFlowNode for Attribute() | UnsafeUnpack.py:174:7:174:7 | ControlFlowNode for f |
| UnsafeUnpack.py:176:17:176:23 | ControlFlowNode for tarpath | UnsafeUnpack.py:176:1:176:34 | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:194:53:194:55 | ControlFlowNode for tmp | UnsafeUnpack.py:201:29:201:31 | ControlFlowNode for tmp |
| UnsafeUnpack.py:201:29:201:31 | ControlFlowNode for tmp | UnsafeUnpack.py:201:29:201:36 | ControlFlowNode for Attribute |
nodes nodes
| UnsafeUnpack.py:5:26:5:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | | UnsafeUnpack.py:5:26:5:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
| UnsafeUnpack.py:5:26:5:32 | GSSA Variable request | semmle.label | GSSA Variable request | | UnsafeUnpack.py:5:26:5:32 | GSSA Variable request | semmle.label | GSSA Variable request |
@@ -89,12 +46,6 @@ nodes
| UnsafeUnpack.py:11:18:11:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | | UnsafeUnpack.py:11:18:11:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| UnsafeUnpack.py:11:18:11:49 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | UnsafeUnpack.py:11:18:11:49 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:13:13:13:20 | SSA variable response | semmle.label | SSA variable response | | UnsafeUnpack.py:13:13:13:20 | SSA variable response | semmle.label | SSA variable response |
| UnsafeUnpack.py:13:24:13:58 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:16:23:16:29 | ControlFlowNode for tarpath | semmle.label | ControlFlowNode for tarpath |
| UnsafeUnpack.py:17:19:17:19 | ControlFlowNode for f | semmle.label | ControlFlowNode for f |
| UnsafeUnpack.py:17:27:17:34 | ControlFlowNode for response | semmle.label | ControlFlowNode for response |
| UnsafeUnpack.py:17:27:17:38 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| UnsafeUnpack.py:17:27:17:45 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:19:35:19:41 | ControlFlowNode for tarpath | semmle.label | ControlFlowNode for tarpath | | UnsafeUnpack.py:19:35:19:41 | ControlFlowNode for tarpath | semmle.label | ControlFlowNode for tarpath |
| UnsafeUnpack.py:33:50:33:65 | ControlFlowNode for local_ziped_path | semmle.label | ControlFlowNode for local_ziped_path | | UnsafeUnpack.py:33:50:33:65 | ControlFlowNode for local_ziped_path | semmle.label | ControlFlowNode for local_ziped_path |
| UnsafeUnpack.py:34:23:34:38 | ControlFlowNode for local_ziped_path | semmle.label | ControlFlowNode for local_ziped_path | | UnsafeUnpack.py:34:23:34:38 | ControlFlowNode for local_ziped_path | semmle.label | ControlFlowNode for local_ziped_path |
@@ -109,72 +60,33 @@ nodes
| UnsafeUnpack.py:79:1:79:12 | GSSA Variable url_filename | semmle.label | GSSA Variable url_filename | | UnsafeUnpack.py:79:1:79:12 | GSSA Variable url_filename | semmle.label | GSSA Variable url_filename |
| UnsafeUnpack.py:79:16:79:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | | UnsafeUnpack.py:79:16:79:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| UnsafeUnpack.py:81:1:81:8 | GSSA Variable response | semmle.label | GSSA Variable response | | UnsafeUnpack.py:81:1:81:8 | GSSA Variable response | semmle.label | GSSA Variable response |
| UnsafeUnpack.py:81:12:81:50 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:84:11:84:17 | ControlFlowNode for tarpath | semmle.label | ControlFlowNode for tarpath |
| UnsafeUnpack.py:85:7:85:7 | ControlFlowNode for f | semmle.label | ControlFlowNode for f |
| UnsafeUnpack.py:85:15:85:22 | ControlFlowNode for response | semmle.label | ControlFlowNode for response |
| UnsafeUnpack.py:85:15:85:26 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| UnsafeUnpack.py:85:15:85:33 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:87:23:87:29 | ControlFlowNode for tarpath | semmle.label | ControlFlowNode for tarpath | | UnsafeUnpack.py:87:23:87:29 | ControlFlowNode for tarpath | semmle.label | ControlFlowNode for tarpath |
| UnsafeUnpack.py:102:23:102:30 | ControlFlowNode for savepath | semmle.label | ControlFlowNode for savepath |
| UnsafeUnpack.py:103:23:103:27 | SSA variable chunk | semmle.label | SSA variable chunk | | UnsafeUnpack.py:103:23:103:27 | SSA variable chunk | semmle.label | SSA variable chunk |
| UnsafeUnpack.py:103:32:103:44 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | | UnsafeUnpack.py:103:32:103:44 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| UnsafeUnpack.py:103:32:103:54 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
| UnsafeUnpack.py:103:32:103:63 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:104:25:104:29 | ControlFlowNode for wfile | semmle.label | ControlFlowNode for wfile |
| UnsafeUnpack.py:104:37:104:41 | ControlFlowNode for chunk | semmle.label | ControlFlowNode for chunk |
| UnsafeUnpack.py:105:35:105:42 | ControlFlowNode for savepath | semmle.label | ControlFlowNode for savepath | | UnsafeUnpack.py:105:35:105:42 | ControlFlowNode for savepath | semmle.label | ControlFlowNode for savepath |
| UnsafeUnpack.py:108:13:108:18 | SSA variable myfile | semmle.label | SSA variable myfile | | UnsafeUnpack.py:108:13:108:18 | SSA variable myfile | semmle.label | SSA variable myfile |
| UnsafeUnpack.py:108:22:108:34 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | | UnsafeUnpack.py:108:22:108:34 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| UnsafeUnpack.py:108:22:108:48 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | UnsafeUnpack.py:108:22:108:48 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:110:18:110:26 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path |
| UnsafeUnpack.py:111:19:111:19 | ControlFlowNode for f | semmle.label | ControlFlowNode for f |
| UnsafeUnpack.py:111:27:111:32 | ControlFlowNode for myfile | semmle.label | ControlFlowNode for myfile |
| UnsafeUnpack.py:111:27:111:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:112:35:112:43 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path | | UnsafeUnpack.py:112:35:112:43 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path |
| UnsafeUnpack.py:116:17:116:21 | SSA variable ufile | semmle.label | SSA variable ufile | | UnsafeUnpack.py:116:17:116:21 | SSA variable ufile | semmle.label | SSA variable ufile |
| UnsafeUnpack.py:116:27:116:39 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | | UnsafeUnpack.py:116:27:116:39 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| UnsafeUnpack.py:116:27:116:49 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:118:19:118:26 | SSA variable filename | semmle.label | SSA variable filename | | UnsafeUnpack.py:118:19:118:26 | SSA variable filename | semmle.label | SSA variable filename |
| UnsafeUnpack.py:118:30:118:55 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:118:38:118:42 | ControlFlowNode for ufile | semmle.label | ControlFlowNode for ufile |
| UnsafeUnpack.py:118:38:118:47 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| UnsafeUnpack.py:119:19:119:36 | SSA variable uploaded_file_path | semmle.label | SSA variable uploaded_file_path | | UnsafeUnpack.py:119:19:119:36 | SSA variable uploaded_file_path | semmle.label | SSA variable uploaded_file_path |
| UnsafeUnpack.py:119:40:119:56 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:119:48:119:55 | ControlFlowNode for filename | semmle.label | ControlFlowNode for filename |
| UnsafeUnpack.py:120:41:120:58 | ControlFlowNode for uploaded_file_path | semmle.label | ControlFlowNode for uploaded_file_path | | UnsafeUnpack.py:120:41:120:58 | ControlFlowNode for uploaded_file_path | semmle.label | ControlFlowNode for uploaded_file_path |
| UnsafeUnpack.py:140:1:140:19 | GSSA Variable unsafe_filename_tar | semmle.label | GSSA Variable unsafe_filename_tar | | UnsafeUnpack.py:140:1:140:19 | GSSA Variable unsafe_filename_tar | semmle.label | GSSA Variable unsafe_filename_tar |
| UnsafeUnpack.py:140:23:140:35 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | | UnsafeUnpack.py:140:23:140:35 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| UnsafeUnpack.py:141:6:141:51 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:141:22:141:40 | ControlFlowNode for unsafe_filename_tar | semmle.label | ControlFlowNode for unsafe_filename_tar |
| UnsafeUnpack.py:141:56:141:58 | GSSA Variable tar | semmle.label | GSSA Variable tar | | UnsafeUnpack.py:141:56:141:58 | GSSA Variable tar | semmle.label | GSSA Variable tar |
| UnsafeUnpack.py:142:49:142:51 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | | UnsafeUnpack.py:142:49:142:51 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar |
| UnsafeUnpack.py:157:23:157:30 | ControlFlowNode for savepath | semmle.label | ControlFlowNode for savepath |
| UnsafeUnpack.py:158:23:158:27 | SSA variable chunk | semmle.label | SSA variable chunk | | UnsafeUnpack.py:158:23:158:27 | SSA variable chunk | semmle.label | SSA variable chunk |
| UnsafeUnpack.py:158:32:158:44 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | | UnsafeUnpack.py:158:32:158:44 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| UnsafeUnpack.py:158:32:158:54 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
| UnsafeUnpack.py:158:32:158:63 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:159:25:159:29 | ControlFlowNode for wfile | semmle.label | ControlFlowNode for wfile |
| UnsafeUnpack.py:159:37:159:41 | ControlFlowNode for chunk | semmle.label | ControlFlowNode for chunk |
| UnsafeUnpack.py:161:19:161:21 | SSA variable tar | semmle.label | SSA variable tar | | UnsafeUnpack.py:161:19:161:21 | SSA variable tar | semmle.label | SSA variable tar |
| UnsafeUnpack.py:161:25:161:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:161:38:161:45 | ControlFlowNode for savepath | semmle.label | ControlFlowNode for savepath |
| UnsafeUnpack.py:163:23:163:28 | SSA variable member | semmle.label | SSA variable member | | UnsafeUnpack.py:163:23:163:28 | SSA variable member | semmle.label | SSA variable member |
| UnsafeUnpack.py:163:33:163:35 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar |
| UnsafeUnpack.py:166:23:166:28 | [post] ControlFlowNode for result | semmle.label | [post] ControlFlowNode for result | | UnsafeUnpack.py:166:23:166:28 | [post] ControlFlowNode for result | semmle.label | [post] ControlFlowNode for result |
| UnsafeUnpack.py:166:37:166:42 | ControlFlowNode for member | semmle.label | ControlFlowNode for member | | UnsafeUnpack.py:166:37:166:42 | ControlFlowNode for member | semmle.label | ControlFlowNode for member |
| UnsafeUnpack.py:167:67:167:72 | ControlFlowNode for result | semmle.label | ControlFlowNode for result | | UnsafeUnpack.py:167:67:167:72 | ControlFlowNode for result | semmle.label | ControlFlowNode for result |
| UnsafeUnpack.py:171:1:171:8 | GSSA Variable response | semmle.label | GSSA Variable response | | UnsafeUnpack.py:171:1:171:8 | GSSA Variable response | semmle.label | GSSA Variable response |
| UnsafeUnpack.py:171:12:171:50 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:173:11:173:17 | ControlFlowNode for tarpath | semmle.label | ControlFlowNode for tarpath |
| UnsafeUnpack.py:174:7:174:7 | ControlFlowNode for f | semmle.label | ControlFlowNode for f |
| UnsafeUnpack.py:174:15:174:22 | ControlFlowNode for response | semmle.label | ControlFlowNode for response |
| UnsafeUnpack.py:174:15:174:26 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
| UnsafeUnpack.py:174:15:174:33 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:176:1:176:34 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | UnsafeUnpack.py:176:1:176:34 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| UnsafeUnpack.py:176:17:176:23 | ControlFlowNode for tarpath | semmle.label | ControlFlowNode for tarpath |
| UnsafeUnpack.py:194:53:194:55 | ControlFlowNode for tmp | semmle.label | ControlFlowNode for tmp | | UnsafeUnpack.py:194:53:194:55 | ControlFlowNode for tmp | semmle.label | ControlFlowNode for tmp |
| UnsafeUnpack.py:201:29:201:31 | ControlFlowNode for tmp | semmle.label | ControlFlowNode for tmp |
| UnsafeUnpack.py:201:29:201:36 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | | UnsafeUnpack.py:201:29:201:36 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
subpaths subpaths
#select #select

View File

@@ -1,8 +1,7 @@
edges edges
| paramiko.py:15:21:15:23 | ControlFlowNode for cmd | paramiko.py:16:62:16:64 | ControlFlowNode for cmd | | paramiko.py:15:21:15:23 | ControlFlowNode for cmd | paramiko.py:16:62:16:64 | ControlFlowNode for cmd |
| paramiko.py:20:21:20:23 | ControlFlowNode for cmd | paramiko.py:21:70:21:72 | ControlFlowNode for cmd | | paramiko.py:20:21:20:23 | ControlFlowNode for cmd | paramiko.py:21:70:21:72 | ControlFlowNode for cmd |
| paramiko.py:25:21:25:23 | ControlFlowNode for cmd | paramiko.py:26:136:26:138 | ControlFlowNode for cmd | | paramiko.py:25:21:25:23 | ControlFlowNode for cmd | paramiko.py:26:114:26:139 | ControlFlowNode for Attribute() |
| paramiko.py:26:136:26:138 | ControlFlowNode for cmd | paramiko.py:26:114:26:139 | ControlFlowNode for Attribute() |
nodes nodes
| paramiko.py:15:21:15:23 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | | paramiko.py:15:21:15:23 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
| paramiko.py:16:62:16:64 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | | paramiko.py:16:62:16:64 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
@@ -10,7 +9,6 @@ nodes
| paramiko.py:21:70:21:72 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | | paramiko.py:21:70:21:72 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
| paramiko.py:25:21:25:23 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd | | paramiko.py:25:21:25:23 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
| paramiko.py:26:114:26:139 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | paramiko.py:26:114:26:139 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| paramiko.py:26:136:26:138 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
subpaths subpaths
#select #select
| paramiko.py:16:62:16:64 | ControlFlowNode for cmd | paramiko.py:15:21:15:23 | ControlFlowNode for cmd | paramiko.py:16:62:16:64 | ControlFlowNode for cmd | This code execution depends on a $@. | paramiko.py:15:21:15:23 | ControlFlowNode for cmd | a user-provided value | | paramiko.py:16:62:16:64 | ControlFlowNode for cmd | paramiko.py:15:21:15:23 | ControlFlowNode for cmd | paramiko.py:16:62:16:64 | ControlFlowNode for cmd | This code execution depends on a $@. | paramiko.py:15:21:15:23 | ControlFlowNode for cmd | a user-provided value |

View File

@@ -1 +0,0 @@
experimental/Security/CWE-079/EmailXss.ql

View File

@@ -12,8 +12,7 @@ edges
| sendgrid_mail.py:1:19:1:25 | GSSA Variable request | sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request | | sendgrid_mail.py:1:19:1:25 | GSSA Variable request | sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request |
| sendgrid_mail.py:1:19:1:25 | GSSA Variable request | sendgrid_mail.py:37:41:37:47 | ControlFlowNode for request | | sendgrid_mail.py:1:19:1:25 | GSSA Variable request | sendgrid_mail.py:37:41:37:47 | ControlFlowNode for request |
| sendgrid_mail.py:14:22:14:28 | ControlFlowNode for request | sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript | | sendgrid_mail.py:14:22:14:28 | ControlFlowNode for request | sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript |
| sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request | sendgrid_mail.py:26:34:26:61 | ControlFlowNode for Subscript | | sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request | sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() |
| sendgrid_mail.py:26:34:26:61 | ControlFlowNode for Subscript | sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() |
| sendgrid_mail.py:37:41:37:47 | ControlFlowNode for request | sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript | | sendgrid_mail.py:37:41:37:47 | ControlFlowNode for request | sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript |
| sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | GSSA Variable request | | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | GSSA Variable request |
| sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | GSSA Variable request | sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:57 | ControlFlowNode for request | | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | GSSA Variable request | sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:57 | ControlFlowNode for request |
@@ -53,7 +52,6 @@ nodes
| sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript | | sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
| sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() | semmle.label | ControlFlowNode for HtmlContent() | | sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() | semmle.label | ControlFlowNode for HtmlContent() |
| sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| sendgrid_mail.py:26:34:26:61 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
| sendgrid_mail.py:37:41:37:47 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | sendgrid_mail.py:37:41:37:47 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript | | sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
| sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | | sendgrid_via_mail_send_post_request_body_bad.py:3:19:3:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |

View File

@@ -0,0 +1 @@
experimental/Security/CWE-079/ReflectedXSS.ql

View File

@@ -1,6 +1,27 @@
edges edges
| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | ControlFlowNode for ImportMember | TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | GSSA Variable request |
| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | GSSA Variable request | TimingAttackAgainstSensitiveInfo.py:14:8:14:14 | ControlFlowNode for request |
| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | GSSA Variable request | TimingAttackAgainstSensitiveInfo.py:15:20:15:26 | ControlFlowNode for request |
| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | GSSA Variable request | TimingAttackAgainstSensitiveInfo.py:20:8:20:14 | ControlFlowNode for request |
| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | GSSA Variable request | TimingAttackAgainstSensitiveInfo.py:21:20:21:26 | ControlFlowNode for request |
| TimingAttackAgainstSensitiveInfo.py:14:8:14:14 | ControlFlowNode for request | TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | SSA variable password |
| TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | SSA variable password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password |
| TimingAttackAgainstSensitiveInfo.py:15:20:15:26 | ControlFlowNode for request | TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | SSA variable password |
| TimingAttackAgainstSensitiveInfo.py:20:8:20:14 | ControlFlowNode for request | TimingAttackAgainstSensitiveInfo.py:21:9:21:16 | SSA variable password |
| TimingAttackAgainstSensitiveInfo.py:21:9:21:16 | SSA variable password | TimingAttackAgainstSensitiveInfo.py:22:38:22:45 | ControlFlowNode for password |
| TimingAttackAgainstSensitiveInfo.py:21:20:21:26 | ControlFlowNode for request | TimingAttackAgainstSensitiveInfo.py:21:9:21:16 | SSA variable password |
nodes nodes
| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | GSSA Variable request | semmle.label | GSSA Variable request |
| TimingAttackAgainstSensitiveInfo.py:14:8:14:14 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | SSA variable password | semmle.label | SSA variable password |
| TimingAttackAgainstSensitiveInfo.py:15:20:15:26 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | semmle.label | ControlFlowNode for password | | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
| TimingAttackAgainstSensitiveInfo.py:20:8:20:14 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| TimingAttackAgainstSensitiveInfo.py:21:9:21:16 | SSA variable password | semmle.label | SSA variable password |
| TimingAttackAgainstSensitiveInfo.py:21:20:21:26 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
| TimingAttackAgainstSensitiveInfo.py:22:38:22:45 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
subpaths subpaths
#select #select
| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | Timing attack against $@ validation. | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | client-supplied token | | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | Timing attack against $@ validation. | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | client-supplied token |

View File

@@ -0,0 +1 @@
experimental/Security/CWE-522/LDAPInsecureAuth.ql

View File

@@ -1 +0,0 @@
experimental/Security/CWE-522/LdapInsecureAuth.ql

View File

@@ -0,0 +1 @@
experimental/Security/CWE-522/LDAPInsecureAuth.ql

View File

@@ -1 +0,0 @@
experimental/Security/CWE-522/LdapInsecureAuth.ql

View File

@@ -8,7 +8,7 @@ module ModificationOfParameterWithDefaultTest implements TestSig {
string getARelevantTag() { result = "modification" } string getARelevantTag() { result = "modification" }
private predicate relevant_node(DataFlow::Node sink) { private predicate relevant_node(DataFlow::Node sink) {
ModificationOfParameterWithDefault::Flow::flowTo(sink) exists(ModificationOfParameterWithDefault::Configuration cfg | cfg.hasFlowTo(sink))
} }
predicate hasActualResult(Location location, string element, string tag, string value) { predicate hasActualResult(Location location, string element, string tag, string value) {

View File

@@ -1,4 +1,4 @@
import python import python
import experimental.dataflow.TestUtil.DataflowQueryTest import experimental.dataflow.TestUtil.DataflowQueryTest
import semmle.python.security.dataflow.PathInjectionQuery import semmle.python.security.dataflow.PathInjectionQuery
import FromTaintTrackingStateConfig<PathInjectionConfig> import FromLegacyConfiguration<Configuration>

Some files were not shown because too many files have changed in this diff Show More