Will need subsequent PRs fixing up test failures (due to deprecated methods moving around), but other than that everything should be straight-forward.
/**
 * @name 'input' function used in Python 2
 * @description The built-in function 'input' is used which, in Python 2, can allow arbitrary code to be run.
 * @kind problem
 * @tags security
 *       correctness
 * @problem.severity error
 * @sub-severity high
 * @precision high
 * @id py/use-of-input
 */

import python

// Python 2's built-in `input` evaluates the text it reads (it behaves like
// `eval(raw_input(...))`), so every call site is a code-injection sink when the
// input is attacker-controlled. `raw_input` returns the text unevaluated; callees
// that may also resolve to it are excluded, presumably so that the common
// `input = raw_input` compatibility shim is not reported — confirm against tests.
from CallNode inputCall, Context ctx, ControlFlowNode callee
where
  // Bind the callee expression of the call first, then constrain it.
  inputCall.getFunction() = callee and
  // Only report under an analysis context that includes a Python 2 version;
  // the finding does not apply to Python 3's `input`.
  ctx.getAVersion().includes(2, _) and
  callee.pointsTo(ctx, Value::named("input"), _) and
  not callee.pointsTo(ctx, Value::named("raw_input"), _)
select inputCall, "The unsafe built-in function 'input' is used in Python 2."