mirror of
https://github.com/github/codeql.git
synced 2026-07-13 07:25:38 +02:00
75 lines
3.7 KiB
XML
75 lines
3.7 KiB
XML
<!DOCTYPE qhelp PUBLIC
|
|
"-//Semmle//qhelp//EN"
|
|
"qhelp.dtd">
|
|
<qhelp>
|
|
<overview>
|
|
<p>Using unsanitized untrusted data in an external API can cause a variety of security
|
|
issues. This query reports external APIs that use untrusted data. The results are not
|
|
filtered so that you can audit all examples. The query provides data for security
|
|
reviews of the application and you can also use it to identify external APIs that should
|
|
be modeled as either taint steps, or sinks for specific problems.</p>
|
|
|
|
<p>An external API is defined as a call to a method that is not defined in the source
|
|
code, and is not modeled as a taint step in the default taint library. External APIs may
|
|
be from the Python standard library or dependencies. The query will report the fully qualified name,
|
|
along with <code>[param x]</code>, where <code>x</code> indicates the position of
|
|
the parameter receiving the untrusted data. Note that for methods and
|
|
<code>classmethod</code>s, parameter 0 represents the class instance or class itself
|
|
respectively.</p>
|
|
|
|
<p>Note that an excepted sink might not be included in the results, if it also defines a
|
|
taint step. This is the case for <code>pickle.loads</code> which is a sink for the
|
|
Unsafe Deserialization query, but is also a taint step for other queries.</p>
|
|
|
|
<p>Note: Compared to the Java version of this query, we currently do not give special
|
|
care to methods that are overridden in the source code.</p>
|
|
|
|
<p>Note: Currently this query will only report results for external packages that are extracted.</p>
|
|
|
|
</overview>
|
|
<recommendation>
|
|
|
|
<p>For each result:</p>
|
|
|
|
<ul>
|
|
<li>If the result highlights a known sink, confirm that the result is reported by the relevant query, or
|
|
that the result is a false positive because this data is sanitized.</li>
|
|
<li>If the result highlights an unknown sink for a problem, then add modeling for the sink to the relevant query,
|
|
and confirm that the result is either found, or is safe due to appropriate sanitization.</li>
|
|
<li>If the result represents a call to an external API that transfers taint, add the appropriate modeling, and
|
|
re-run the query to determine what new results have appeared due to this additional modeling.</li>
|
|
</ul>
|
|
|
|
<p>Otherwise, the result is likely uninteresting. Custom versions of this query can extend the <code>SafeExternalAPI</code>
|
|
class and specify <code>getSafeCallable</code> to exclude known safe external APIs from future analysis.</p>
|
|
|
|
</recommendation>
|
|
<example>
|
|
|
|
<p>In this first example, a request parameter is read from the Flask <code>request</code> and then ultimately used in a call to the
|
|
<code>flask.make_response</code> external API:</p>
|
|
|
|
<sample src="ExternalAPISinkExample.py" />
|
|
|
|
<p>This is an XSS sink. The XSS query should therefore be reviewed to confirm that this sink is appropriately modeled,
|
|
and if it is, to confirm that the query reports this particular result, or that the result is a false positive due to
|
|
some existing sanitization.</p>
|
|
|
|
<p>In this second example, again a request parameter is read from the Flask <code>request</code>.</p>
|
|
|
|
<sample src="ExternalAPITaintStepExample.py" />
|
|
|
|
<p>If the query reported the call to <code>base64.decodebytes</code> on line 10, this
|
|
would suggest that this external API is not currently modeled as a taint step in the
|
|
taint tracking library. The next step would be to model this as a taint step, then
|
|
re-run the query to determine what additional results might be found. In this example,
|
|
the result of the Base64 decoding is pickled, which can result in remote code execution due
|
|
to unsafe deserialization.</p>
|
|
|
|
<p>Note that both examples are correctly handled by the standard taint tracking library and Unsafe Deserialization query.</p>
|
|
</example>
|
|
<references>
|
|
|
|
</references>
|
|
</qhelp>
|