mirror of
https://github.com/github/codeql.git
synced 2025-12-27 14:16:34 +01:00
33 lines
1.1 KiB
Plaintext
33 lines
1.1 KiB
Plaintext
import python
|
|
import experimental.dataflow.DataFlow
|
|
|
|
/**
|
|
* A configuration to check routing of arguments through magic methods.
|
|
*/
|
|
class ArgumentRoutingConfig extends DataFlow::Configuration {
|
|
ArgumentRoutingConfig() { this = "ArgumentRoutingConfig" }
|
|
|
|
override predicate isSource(DataFlow::Node node) {
|
|
exists(AssignmentDefinition def, DataFlow::DataFlowCall call |
|
|
def.getVariable() = node.(DataFlow::EssaNode).getVar() and
|
|
def.getValue() = call.getNode() and
|
|
call.getCallable().getName().matches("With\\_%")
|
|
) and
|
|
node.(DataFlow::EssaNode).getVar().getName().matches("with\\_%")
|
|
}
|
|
|
|
override predicate isSink(DataFlow::Node node) {
|
|
exists(CallNode call |
|
|
call.getFunction().(NameNode).getId() = "SINK1" and
|
|
node.(DataFlow::CfgNode).getNode() = call.getAnArg()
|
|
)
|
|
}
|
|
}
|
|
|
|
from DataFlow::Node source, DataFlow::Node sink
|
|
where
|
|
source.getLocation().getFile().getBaseName() = "classes.py" and
|
|
sink.getLocation().getFile().getBaseName() = "classes.py" and
|
|
exists(ArgumentRoutingConfig cfg | cfg.hasFlow(source, sink))
|
|
select source, sink
|