codeql/2021-05-10-ujson-add-modeling.md at z80coder/query-pack-release-candidate-2

mirror of https://github.com/github/codeql.git synced 2025-12-17 09:13:20 +01:00

Files

Rasmus Wriedt Larsen c2a6b811fc Python: Add modeling of ujson PyPI package

The problem with `tainted_filelike` not having taint, is that in the call

`ujson.dump(tainted_obj, tainted_filelike)`

there is no PostUpdateNote for `tainted_filelike` :( The reason is that
points-to is not able to resolve the call, so none of the clauses in
`argumentPreUpdateNode` matches

See 08731fc6cf/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll (L101-L111)

Let's deal with that issue in an other PR though

2021-05-10 15:10:31 +02:00

64 B

Raw Permalink Blame History

lgtm,codescanning

Added modeling of the PyPI package ujson.

64 B Raw Permalink Blame History

64 B

Raw Permalink Blame History