mirror of
https://github.com/github/codeql.git
synced 2025-12-24 04:36:35 +01:00
1170 lines
41 KiB
Plaintext
1170 lines
41 KiB
Plaintext
/**
|
|
* Provides abstract classes representing generic concepts such as file system
|
|
* access or system command execution, for which individual framework libraries
|
|
* provide concrete subclasses.
|
|
*/
|
|
|
|
private import python
|
|
private import semmle.python.dataflow.new.DataFlow
|
|
private import semmle.python.dataflow.new.RemoteFlowSources
|
|
private import semmle.python.dataflow.new.TaintTracking
|
|
private import semmle.python.Frameworks
|
|
|
|
/**
|
|
* A data-flow node that executes an operating system command,
|
|
* for instance by spawning a new process.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `SystemCommandExecution::Range` instead.
|
|
*/
|
|
class SystemCommandExecution extends DataFlow::Node {
|
|
SystemCommandExecution::Range range;
|
|
|
|
SystemCommandExecution() { this = range }
|
|
|
|
/** Gets the argument that specifies the command to be executed. */
|
|
DataFlow::Node getCommand() { result = range.getCommand() }
|
|
}
|
|
|
|
/** Provides a class for modeling new system-command execution APIs. */
|
|
module SystemCommandExecution {
|
|
/**
|
|
* A data-flow node that executes an operating system command,
|
|
* for instance by spawning a new process.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `SystemCommandExecution` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/** Gets the argument that specifies the command to be executed. */
|
|
abstract DataFlow::Node getCommand();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A data flow node that performs a file system access, including reading and writing data,
|
|
* creating and deleting files and folders, checking and updating permissions, and so on.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `FileSystemAccess::Range` instead.
|
|
*/
|
|
class FileSystemAccess extends DataFlow::Node {
|
|
FileSystemAccess::Range range;
|
|
|
|
FileSystemAccess() { this = range }
|
|
|
|
/** Gets an argument to this file system access that is interpreted as a path. */
|
|
DataFlow::Node getAPathArgument() { result = range.getAPathArgument() }
|
|
}
|
|
|
|
/** Provides a class for modeling new file system access APIs. */
|
|
module FileSystemAccess {
|
|
/**
|
|
* A data-flow node that performs a file system access, including reading and writing data,
|
|
* creating and deleting files and folders, checking and updating permissions, and so on.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `FileSystemAccess` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/** Gets an argument to this file system access that is interpreted as a path. */
|
|
abstract DataFlow::Node getAPathArgument();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A data flow node that writes data to the file system access.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `FileSystemWriteAccess::Range` instead.
|
|
*/
|
|
class FileSystemWriteAccess extends FileSystemAccess {
|
|
override FileSystemWriteAccess::Range range;
|
|
|
|
/**
|
|
* Gets a node that represents data to be written to the file system (possibly with
|
|
* some transformation happening before it is written, like JSON encoding).
|
|
*/
|
|
DataFlow::Node getADataNode() { result = range.getADataNode() }
|
|
}
|
|
|
|
/** Provides a class for modeling new file system writes. */
|
|
module FileSystemWriteAccess {
|
|
/**
|
|
* A data flow node that writes data to the file system access.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `FileSystemWriteAccess` instead.
|
|
*/
|
|
abstract class Range extends FileSystemAccess::Range {
|
|
/**
|
|
* Gets a node that represents data to be written to the file system (possibly with
|
|
* some transformation happening before it is written, like JSON encoding).
|
|
*/
|
|
abstract DataFlow::Node getADataNode();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A data-flow node that may set or unset Cross-site request forgery protection
|
|
* in a global manner.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `CsrfProtectionSetting::Range` instead.
|
|
*/
|
|
class CsrfProtectionSetting extends DataFlow::Node instanceof CsrfProtectionSetting::Range {
|
|
/**
|
|
* Gets the boolean value corresponding to if CSRF protection is enabled
|
|
* (`true`) or disabled (`false`) by this node.
|
|
*/
|
|
boolean getVerificationSetting() { result = super.getVerificationSetting() }
|
|
}
|
|
|
|
/** Provides a class for modeling new CSRF protection setting APIs. */
|
|
module CsrfProtectionSetting {
|
|
/**
|
|
* A data-flow node that may set or unset Cross-site request forgery protection
|
|
* in a global manner.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `CsrfProtectionSetting` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/**
|
|
* Gets the boolean value corresponding to if CSRF protection is enabled
|
|
* (`true`) or disabled (`false`) by this node.
|
|
*/
|
|
abstract boolean getVerificationSetting();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A data-flow node that provides Cross-site request forgery protection
|
|
* for a specific part of an application.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `CsrfLocalProtection::Range` instead.
|
|
*/
|
|
class CsrfLocalProtection extends DataFlow::Node instanceof CsrfLocalProtection::Range {
|
|
/**
|
|
* Gets a `Function` representing the protected interaction
|
|
* (probably a request handler).
|
|
*/
|
|
Function getProtected() { result = super.getProtected() }
|
|
}
|
|
|
|
/** Provides a class for modeling new CSRF protection setting APIs. */
|
|
module CsrfLocalProtection {
|
|
/**
|
|
* A data-flow node that provides Cross-site request forgery protection
|
|
* for a specific part of an application.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `CsrfLocalProtection` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/**
|
|
* Gets a `Function` representing the protected interaction
|
|
* (probably a request handler).
|
|
*/
|
|
abstract Function getProtected();
|
|
}
|
|
}
|
|
|
|
/** Provides classes for modeling path-related APIs. */
|
|
module Path {
|
|
/**
|
|
* A data-flow node that performs path normalization. This is often needed in order
|
|
* to safely access paths.
|
|
*/
|
|
class PathNormalization extends DataFlow::Node {
|
|
PathNormalization::Range range;
|
|
|
|
PathNormalization() { this = range }
|
|
|
|
/** Gets an argument to this path normalization that is interpreted as a path. */
|
|
DataFlow::Node getPathArg() { result = range.getPathArg() }
|
|
}
|
|
|
|
/** Provides a class for modeling new path normalization APIs. */
|
|
module PathNormalization {
|
|
/**
|
|
* A data-flow node that performs path normalization. This is often needed in order
|
|
* to safely access paths.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/** Gets an argument to this path normalization that is interpreted as a path. */
|
|
abstract DataFlow::Node getPathArg();
|
|
}
|
|
}
|
|
|
|
/** A data-flow node that checks that a path is safe to access. */
|
|
class SafeAccessCheck extends DataFlow::BarrierGuard {
|
|
SafeAccessCheck::Range range;
|
|
|
|
SafeAccessCheck() { this = range }
|
|
|
|
override predicate checks(ControlFlowNode node, boolean branch) { range.checks(node, branch) }
|
|
}
|
|
|
|
/** Provides a class for modeling new path safety checks. */
|
|
module SafeAccessCheck {
|
|
/** A data-flow node that checks that a path is safe to access. */
|
|
abstract class Range extends DataFlow::BarrierGuard { }
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A data-flow node that decodes data from a binary or textual format. This
|
|
* is intended to include deserialization, unmarshalling, decoding, unpickling,
|
|
* decompressing, decrypting, parsing etc.
|
|
*
|
|
* A decoding (automatically) preserves taint from input to output. However, it can
|
|
* also be a problem in itself, for example if it allows code execution or could result
|
|
* in denial-of-service.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `Decoding::Range` instead.
|
|
*/
|
|
class Decoding extends DataFlow::Node {
|
|
Decoding::Range range;
|
|
|
|
Decoding() { this = range }
|
|
|
|
/** Holds if this call may execute code embedded in its input. */
|
|
predicate mayExecuteInput() { range.mayExecuteInput() }
|
|
|
|
/** Gets an input that is decoded by this function. */
|
|
DataFlow::Node getAnInput() { result = range.getAnInput() }
|
|
|
|
/** Gets the output that contains the decoded data produced by this function. */
|
|
DataFlow::Node getOutput() { result = range.getOutput() }
|
|
|
|
/** Gets an identifier for the format this function decodes from, such as "JSON". */
|
|
string getFormat() { result = range.getFormat() }
|
|
}
|
|
|
|
/** Provides a class for modeling new decoding mechanisms. */
|
|
module Decoding {
|
|
/**
|
|
* A data-flow node that decodes data from a binary or textual format. This
|
|
* is intended to include deserialization, unmarshalling, decoding, unpickling,
|
|
* decompressing, decrypting, parsing etc.
|
|
*
|
|
* A decoding (automatically) preserves taint from input to output. However, it can
|
|
* also be a problem in itself, for example if it allows code execution or could result
|
|
* in denial-of-service.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `Decoding` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/** Holds if this call may execute code embedded in its input. */
|
|
abstract predicate mayExecuteInput();
|
|
|
|
/** Gets an input that is decoded by this function. */
|
|
abstract DataFlow::Node getAnInput();
|
|
|
|
/** Gets the output that contains the decoded data produced by this function. */
|
|
abstract DataFlow::Node getOutput();
|
|
|
|
/** Gets an identifier for the format this function decodes from, such as "JSON". */
|
|
abstract string getFormat();
|
|
}
|
|
}
|
|
|
|
private class DecodingAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
|
|
override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
|
|
exists(Decoding decoding |
|
|
nodeFrom = decoding.getAnInput() and
|
|
nodeTo = decoding.getOutput()
|
|
)
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A data-flow node that encodes data to a binary or textual format. This
|
|
* is intended to include serialization, marshalling, encoding, pickling,
|
|
* compressing, encrypting, etc.
|
|
*
|
|
* An encoding (automatically) preserves taint from input to output.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `Encoding::Range` instead.
|
|
*/
|
|
class Encoding extends DataFlow::Node {
|
|
Encoding::Range range;
|
|
|
|
Encoding() { this = range }
|
|
|
|
/** Gets an input that is encoded by this function. */
|
|
DataFlow::Node getAnInput() { result = range.getAnInput() }
|
|
|
|
/** Gets the output that contains the encoded data produced by this function. */
|
|
DataFlow::Node getOutput() { result = range.getOutput() }
|
|
|
|
/** Gets an identifier for the format this function decodes from, such as "JSON". */
|
|
string getFormat() { result = range.getFormat() }
|
|
}
|
|
|
|
/** Provides a class for modeling new encoding mechanisms. */
|
|
module Encoding {
|
|
/**
|
|
* A data-flow node that encodes data to a binary or textual format. This
|
|
* is intended to include serialization, marshalling, encoding, pickling,
|
|
* compressing, encrypting, etc.
|
|
*
|
|
* An encoding (automatically) preserves taint from input to output.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `Encoding` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/** Gets an input that is encoded by this function. */
|
|
abstract DataFlow::Node getAnInput();
|
|
|
|
/** Gets the output that contains the encoded data produced by this function. */
|
|
abstract DataFlow::Node getOutput();
|
|
|
|
/** Gets an identifier for the format this function decodes from, such as "JSON". */
|
|
abstract string getFormat();
|
|
}
|
|
}
|
|
|
|
private class EncodingAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
|
|
override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
|
|
exists(Encoding encoding |
|
|
nodeFrom = encoding.getAnInput() and
|
|
nodeTo = encoding.getOutput()
|
|
)
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A data-flow node that logs data.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `Logging::Range` instead.
|
|
*/
|
|
class Logging extends DataFlow::Node {
|
|
Logging::Range range;
|
|
|
|
Logging() { this = range }
|
|
|
|
/** Gets an input that is logged. */
|
|
DataFlow::Node getAnInput() { result = range.getAnInput() }
|
|
}
|
|
|
|
/** Provides a class for modeling new logging mechanisms. */
|
|
module Logging {
|
|
/**
|
|
* A data-flow node that logs data.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `Logging` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/** Gets an input that is logged. */
|
|
abstract DataFlow::Node getAnInput();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A data-flow node that dynamically executes Python code.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `CodeExecution::Range` instead.
|
|
*/
|
|
class CodeExecution extends DataFlow::Node {
|
|
CodeExecution::Range range;
|
|
|
|
CodeExecution() { this = range }
|
|
|
|
/** Gets the argument that specifies the code to be executed. */
|
|
DataFlow::Node getCode() { result = range.getCode() }
|
|
}
|
|
|
|
/** Provides a class for modeling new dynamic code execution APIs. */
|
|
module CodeExecution {
|
|
/**
|
|
* A data-flow node that dynamically executes Python code.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `CodeExecution` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/** Gets the argument that specifies the code to be executed. */
|
|
abstract DataFlow::Node getCode();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A data-flow node that constructs an SQL statement.
|
|
* Often, it is worthy of an alert if an SQL statement is constructed such that
|
|
* executing it would be a security risk.
|
|
*
|
|
* If it is important that the SQL statement is indeed executed, then use `SQLExecution`.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `SqlConstruction::Range` instead.
|
|
*/
|
|
class SqlConstruction extends DataFlow::Node {
|
|
SqlConstruction::Range range;
|
|
|
|
SqlConstruction() { this = range }
|
|
|
|
/** Gets the argument that specifies the SQL statements to be constructed. */
|
|
DataFlow::Node getSql() { result = range.getSql() }
|
|
}
|
|
|
|
/** Provides a class for modeling new SQL execution APIs. */
|
|
module SqlConstruction {
|
|
/**
|
|
* A data-flow node that constructs an SQL statement.
|
|
* Often, it is worthy of an alert if an SQL statement is constructed such that
|
|
* executing it would be a security risk.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `SqlExecution` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/** Gets the argument that specifies the SQL statements to be constructed. */
|
|
abstract DataFlow::Node getSql();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A data-flow node that executes SQL statements.
|
|
*
|
|
* If the context of interest is such that merely constructing an SQL statement
|
|
* would be valuabe to report, then consider using `SqlConstruction`.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `SqlExecution::Range` instead.
|
|
*/
|
|
class SqlExecution extends DataFlow::Node {
|
|
SqlExecution::Range range;
|
|
|
|
SqlExecution() { this = range }
|
|
|
|
/** Gets the argument that specifies the SQL statements to be executed. */
|
|
DataFlow::Node getSql() { result = range.getSql() }
|
|
}
|
|
|
|
/** Provides a class for modeling new SQL execution APIs. */
|
|
module SqlExecution {
|
|
/**
|
|
* A data-flow node that executes SQL statements.
|
|
*
|
|
* If the context of interest is such that merely constructing an SQL statement
|
|
* would be valuabe to report, then consider using `SqlConstruction`.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `SqlExecution` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/** Gets the argument that specifies the SQL statements to be executed. */
|
|
abstract DataFlow::Node getSql();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A data-flow node that executes a regular expression.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `RegexExecution::Range` instead.
|
|
*/
|
|
class RegexExecution extends DataFlow::Node {
|
|
RegexExecution::Range range;
|
|
|
|
RegexExecution() { this = range }
|
|
|
|
/** Gets the data flow node for the regex being executed by this node. */
|
|
DataFlow::Node getRegex() { result = range.getRegex() }
|
|
|
|
/** Gets a dataflow node for the string to be searched or matched against. */
|
|
DataFlow::Node getString() { result = range.getString() }
|
|
|
|
/**
|
|
* Gets the name of this regex execution, typically the name of an executing method.
|
|
* This is used for nice alert messages and should include the module if possible.
|
|
*/
|
|
string getName() { result = range.getName() }
|
|
}
|
|
|
|
/** Provides classes for modeling new regular-expression execution APIs. */
|
|
module RegexExecution {
|
|
/**
|
|
* A data-flow node that executes a regular expression.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `RegexExecution` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/** Gets the data flow node for the regex being executed by this node. */
|
|
abstract DataFlow::Node getRegex();
|
|
|
|
/** Gets a dataflow node for the string to be searched or matched against. */
|
|
abstract DataFlow::Node getString();
|
|
|
|
/**
|
|
* Gets the name of this regex execution, typically the name of an executing method.
|
|
* This is used for nice alert messages and should include the module if possible.
|
|
*/
|
|
abstract string getName();
|
|
}
|
|
}
|
|
|
|
/** Provides classes for modeling LDAP-related APIs. */
|
|
module LDAP {
|
|
/**
|
|
* A data-flow node that executes an LDAP query.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `LDAPQuery::Range` instead.
|
|
*/
|
|
class LdapExecution extends DataFlow::Node {
|
|
LdapExecution::Range range;
|
|
|
|
LdapExecution() { this = range }
|
|
|
|
/** Gets the argument containing the filter string. */
|
|
DataFlow::Node getFilter() { result = range.getFilter() }
|
|
|
|
/** Gets the argument containing the base DN. */
|
|
DataFlow::Node getBaseDn() { result = range.getBaseDn() }
|
|
}
|
|
|
|
/** Provides classes for modeling new LDAP query execution-related APIs. */
|
|
module LdapExecution {
|
|
/**
|
|
* A data-flow node that executes an LDAP query.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `LDAPQuery` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/** Gets the argument containing the filter string. */
|
|
abstract DataFlow::Node getFilter();
|
|
|
|
/** Gets the argument containing the base DN. */
|
|
abstract DataFlow::Node getBaseDn();
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A data-flow node that escapes meta-characters, which could be used to prevent
|
|
* injection attacks.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `Escaping::Range` instead.
|
|
*/
|
|
class Escaping extends DataFlow::Node {
|
|
Escaping::Range range;
|
|
|
|
Escaping() {
|
|
this = range and
|
|
// escapes that don't have _both_ input/output defined are not valid
|
|
exists(range.getAnInput()) and
|
|
exists(range.getOutput())
|
|
}
|
|
|
|
/** Gets an input that will be escaped. */
|
|
DataFlow::Node getAnInput() { result = range.getAnInput() }
|
|
|
|
/** Gets the output that contains the escaped data. */
|
|
DataFlow::Node getOutput() { result = range.getOutput() }
|
|
|
|
/**
|
|
* Gets the context that this function escapes for, such as `html`, or `url`.
|
|
*/
|
|
string getKind() { result = range.getKind() }
|
|
}
|
|
|
|
/** Provides a class for modeling new escaping APIs. */
|
|
module Escaping {
|
|
/**
|
|
* A data-flow node that escapes meta-characters, which could be used to prevent
|
|
* injection attacks.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `Escaping` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/** Gets an input that will be escaped. */
|
|
abstract DataFlow::Node getAnInput();
|
|
|
|
/** Gets the output that contains the escaped data. */
|
|
abstract DataFlow::Node getOutput();
|
|
|
|
/**
|
|
* Gets the context that this function escapes for.
|
|
*
|
|
* While kinds are represented as strings, this should not be relied upon. Use the
|
|
* predicates in the `Escaping` module, such as `getHtmlKind`.
|
|
*/
|
|
abstract string getKind();
|
|
}
|
|
|
|
/** Gets the escape-kind for escaping a string so it can safely be included in HTML. */
|
|
string getHtmlKind() { result = "html" }
|
|
|
|
/** Gets the escape-kind for escaping a string so it can safely be included in a regular expression. */
|
|
string getRegexKind() { result = "regex" }
|
|
|
|
/**
|
|
* Gets the escape-kind for escaping a string so it can safely be used as a
|
|
* distinguished name (DN) in an LDAP search.
|
|
*/
|
|
string getLdapDnKind() { result = "ldap_dn" }
|
|
|
|
/**
|
|
* Gets the escape-kind for escaping a string so it can safely be used as a
|
|
* filter in an LDAP search.
|
|
*/
|
|
string getLdapFilterKind() { result = "ldap_filter" }
|
|
// TODO: If adding an XML kind, update the modeling of the `MarkupSafe` PyPI package.
|
|
//
|
|
// Technically it claims to escape for both HTML and XML, but for now we don't have
|
|
// anything that relies on XML escaping, so I'm going to defer deciding whether they
|
|
// should be the same kind, or whether they deserve to be treated differently.
|
|
}
|
|
|
|
/**
|
|
* An escape of a string so it can be safely included in
|
|
* the body of an HTML element, for example, replacing `{}` in
|
|
* `<p>{}</p>`.
|
|
*/
|
|
class HtmlEscaping extends Escaping {
|
|
HtmlEscaping() { range.getKind() = Escaping::getHtmlKind() }
|
|
}
|
|
|
|
/**
|
|
* An escape of a string so it can be safely included in
|
|
* the body of a regex.
|
|
*/
|
|
class RegexEscaping extends Escaping {
|
|
RegexEscaping() { range.getKind() = Escaping::getRegexKind() }
|
|
}
|
|
|
|
/**
|
|
* An escape of a string so it can be safely used as a distinguished name (DN)
|
|
* in an LDAP search.
|
|
*/
|
|
class LdapDnEscaping extends Escaping {
|
|
LdapDnEscaping() { range.getKind() = Escaping::getLdapDnKind() }
|
|
}
|
|
|
|
/**
|
|
* An escape of a string so it can be safely used as a filter in an LDAP search.
|
|
*/
|
|
class LdapFilterEscaping extends Escaping {
|
|
LdapFilterEscaping() { range.getKind() = Escaping::getLdapFilterKind() }
|
|
}
|
|
|
|
/** Provides classes for modeling HTTP-related APIs. */
|
|
module HTTP {
|
|
/** Gets an HTTP verb, in upper case */
|
|
string httpVerb() { result in ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "HEAD"] }
|
|
|
|
/** Gets an HTTP verb, in lower case */
|
|
string httpVerbLower() { result = httpVerb().toLowerCase() }
|
|
|
|
/** Provides classes for modeling HTTP servers. */
|
|
module Server {
|
|
/**
|
|
* A data-flow node that sets up a route on a server.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `RouteSetup::Range` instead.
|
|
*/
|
|
class RouteSetup extends DataFlow::Node {
|
|
RouteSetup::Range range;
|
|
|
|
RouteSetup() { this = range }
|
|
|
|
/** Gets the URL pattern for this route, if it can be statically determined. */
|
|
string getUrlPattern() { result = range.getUrlPattern() }
|
|
|
|
/**
|
|
* Gets a function that will handle incoming requests for this route, if any.
|
|
*
|
|
* NOTE: This will be modified in the near future to have a `RequestHandler` result, instead of a `Function`.
|
|
*/
|
|
Function getARequestHandler() { result = range.getARequestHandler() }
|
|
|
|
/**
|
|
* Gets a parameter that will receive parts of the url when handling incoming
|
|
* requests for this route, if any. These automatically become a `RemoteFlowSource`.
|
|
*/
|
|
Parameter getARoutedParameter() { result = range.getARoutedParameter() }
|
|
|
|
/** Gets a string that identifies the framework used for this route setup. */
|
|
string getFramework() { result = range.getFramework() }
|
|
}
|
|
|
|
/** Provides a class for modeling new HTTP routing APIs. */
|
|
module RouteSetup {
|
|
/**
|
|
* A data-flow node that sets up a route on a server.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `RouteSetup` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/** Gets the argument used to set the URL pattern. */
|
|
abstract DataFlow::Node getUrlPatternArg();
|
|
|
|
/** Gets the URL pattern for this route, if it can be statically determined. */
|
|
string getUrlPattern() {
|
|
exists(StrConst str |
|
|
this.getUrlPatternArg().getALocalSource() = DataFlow::exprNode(str) and
|
|
result = str.getText()
|
|
)
|
|
}
|
|
|
|
/**
|
|
* Gets a function that will handle incoming requests for this route, if any.
|
|
*
|
|
* NOTE: This will be modified in the near future to have a `RequestHandler` result, instead of a `Function`.
|
|
*/
|
|
abstract Function getARequestHandler();
|
|
|
|
/**
|
|
* Gets a parameter that will receive parts of the url when handling incoming
|
|
* requests for this route, if any. These automatically become a `RemoteFlowSource`.
|
|
*/
|
|
abstract Parameter getARoutedParameter();
|
|
|
|
/** Gets a string that identifies the framework used for this route setup. */
|
|
abstract string getFramework();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A function that will handle incoming HTTP requests.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `RequestHandler::Range` instead.
|
|
*/
|
|
class RequestHandler extends Function {
|
|
RequestHandler::Range range;
|
|
|
|
RequestHandler() { this = range }
|
|
|
|
/**
|
|
* Gets a parameter that could receive parts of the url when handling incoming
|
|
* requests, if any. These automatically become a `RemoteFlowSource`.
|
|
*/
|
|
Parameter getARoutedParameter() { result = range.getARoutedParameter() }
|
|
|
|
/** Gets a string that identifies the framework used for this route setup. */
|
|
string getFramework() { result = range.getFramework() }
|
|
}
|
|
|
|
/** Provides a class for modeling new HTTP request handlers. */
|
|
module RequestHandler {
|
|
/**
|
|
* A function that will handle incoming HTTP requests.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `RequestHandler` instead.
|
|
*
|
|
* Only extend this class if you can't provide a `RouteSetup`, since we handle that case automatically.
|
|
*/
|
|
abstract class Range extends Function {
|
|
/**
|
|
* Gets a parameter that could receive parts of the url when handling incoming
|
|
* requests, if any. These automatically become a `RemoteFlowSource`.
|
|
*/
|
|
abstract Parameter getARoutedParameter();
|
|
|
|
/** Gets a string that identifies the framework used for this request handler. */
|
|
abstract string getFramework();
|
|
}
|
|
}
|
|
|
|
private class RequestHandlerFromRouteSetup extends RequestHandler::Range {
|
|
RouteSetup rs;
|
|
|
|
RequestHandlerFromRouteSetup() { this = rs.getARequestHandler() }
|
|
|
|
override Parameter getARoutedParameter() {
|
|
result = rs.getARoutedParameter() and
|
|
result in [this.getArg(_), this.getArgByName(_)]
|
|
}
|
|
|
|
override string getFramework() { result = rs.getFramework() }
|
|
}
|
|
|
|
/** A parameter that will receive parts of the url when handling an incoming request. */
|
|
private class RoutedParameter extends RemoteFlowSource::Range, DataFlow::ParameterNode {
|
|
RequestHandler handler;
|
|
|
|
RoutedParameter() { this.getParameter() = handler.getARoutedParameter() }
|
|
|
|
override string getSourceType() { result = handler.getFramework() + " RoutedParameter" }
|
|
}
|
|
|
|
/**
|
|
* A data-flow node that creates a HTTP response on a server.
|
|
*
|
|
* Note: we don't require that this response must be sent to a client (a kind of
|
|
* "if a tree falls in a forest and nobody hears it" situation).
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `HttpResponse::Range` instead.
|
|
*/
|
|
class HttpResponse extends DataFlow::Node {
|
|
HttpResponse::Range range;
|
|
|
|
HttpResponse() { this = range }
|
|
|
|
/** Gets the data-flow node that specifies the body of this HTTP response. */
|
|
DataFlow::Node getBody() { result = range.getBody() }
|
|
|
|
/** Gets the mimetype of this HTTP response, if it can be statically determined. */
|
|
string getMimetype() { result = range.getMimetype() }
|
|
}
|
|
|
|
/** Provides a class for modeling new HTTP response APIs. */
|
|
module HttpResponse {
|
|
/**
|
|
* A data-flow node that creates a HTTP response on a server.
|
|
*
|
|
* Note: we don't require that this response must be sent to a client (a kind of
|
|
* "if a tree falls in a forest and nobody hears it" situation).
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `HttpResponse` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/** Gets the data-flow node that specifies the body of this HTTP response. */
|
|
abstract DataFlow::Node getBody();
|
|
|
|
/** Gets the data-flow node that specifies the content-type/mimetype of this HTTP response, if any. */
|
|
abstract DataFlow::Node getMimetypeOrContentTypeArg();
|
|
|
|
/** Gets the default mimetype that should be used if `getMimetypeOrContentTypeArg` has no results. */
|
|
abstract string getMimetypeDefault();
|
|
|
|
/** Gets the mimetype of this HTTP response, if it can be statically determined. */
|
|
string getMimetype() {
|
|
exists(StrConst str |
|
|
this.getMimetypeOrContentTypeArg().getALocalSource() = DataFlow::exprNode(str) and
|
|
result = str.getText().splitAt(";", 0)
|
|
)
|
|
or
|
|
not exists(this.getMimetypeOrContentTypeArg()) and
|
|
result = this.getMimetypeDefault()
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A data-flow node that creates a HTTP redirect response on a server.
|
|
*
|
|
* Note: we don't require that this redirect must be sent to a client (a kind of
|
|
* "if a tree falls in a forest and nobody hears it" situation).
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `HttpRedirectResponse::Range` instead.
|
|
*/
|
|
class HttpRedirectResponse extends HttpResponse {
|
|
override HttpRedirectResponse::Range range;
|
|
|
|
HttpRedirectResponse() { this = range }
|
|
|
|
/** Gets the data-flow node that specifies the location of this HTTP redirect response. */
|
|
DataFlow::Node getRedirectLocation() { result = range.getRedirectLocation() }
|
|
}
|
|
|
|
/** Provides a class for modeling new HTTP redirect response APIs. */
|
|
module HttpRedirectResponse {
|
|
/**
|
|
* A data-flow node that creates a HTTP redirect response on a server.
|
|
*
|
|
* Note: we don't require that this redirect must be sent to a client (a kind of
|
|
* "if a tree falls in a forest and nobody hears it" situation).
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `HttpResponse` instead.
|
|
*/
|
|
abstract class Range extends HTTP::Server::HttpResponse::Range {
|
|
/** Gets the data-flow node that specifies the location of this HTTP redirect response. */
|
|
abstract DataFlow::Node getRedirectLocation();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A data-flow node that sets a cookie in an HTTP response.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `HTTP::CookieWrite::Range` instead.
|
|
*/
|
|
class CookieWrite extends DataFlow::Node {
|
|
CookieWrite::Range range;
|
|
|
|
CookieWrite() { this = range }
|
|
|
|
/**
|
|
* Gets the argument, if any, specifying the raw cookie header.
|
|
*/
|
|
DataFlow::Node getHeaderArg() { result = range.getHeaderArg() }
|
|
|
|
/**
|
|
* Gets the argument, if any, specifying the cookie name.
|
|
*/
|
|
DataFlow::Node getNameArg() { result = range.getNameArg() }
|
|
|
|
/**
|
|
* Gets the argument, if any, specifying the cookie value.
|
|
*/
|
|
DataFlow::Node getValueArg() { result = range.getValueArg() }
|
|
}
|
|
|
|
/** Provides a class for modeling new cookie writes on HTTP responses. */
|
|
module CookieWrite {
|
|
/**
|
|
* A data-flow node that sets a cookie in an HTTP response.
|
|
*
|
|
* Note: we don't require that this redirect must be sent to a client (a kind of
|
|
* "if a tree falls in a forest and nobody hears it" situation).
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `HttpResponse` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/**
|
|
* Gets the argument, if any, specifying the raw cookie header.
|
|
*/
|
|
abstract DataFlow::Node getHeaderArg();
|
|
|
|
/**
|
|
* Gets the argument, if any, specifying the cookie name.
|
|
*/
|
|
abstract DataFlow::Node getNameArg();
|
|
|
|
/**
|
|
* Gets the argument, if any, specifying the cookie value.
|
|
*/
|
|
abstract DataFlow::Node getValueArg();
|
|
}
|
|
}
|
|
}
|
|
|
|
/** Provides classes for modeling HTTP clients. */
|
|
module Client {
|
|
/**
|
|
* A data-flow node that makes an outgoing HTTP request.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `HTTP::Client::Request::Range` instead.
|
|
*/
|
|
class Request extends DataFlow::Node instanceof Request::Range {
|
|
/**
|
|
* Gets a data-flow node that contributes to the URL of the request.
|
|
* Depending on the framework, a request may have multiple nodes which contribute to the URL.
|
|
*/
|
|
DataFlow::Node getAUrlPart() { result = super.getAUrlPart() }
|
|
|
|
/** Gets a string that identifies the framework used for this request. */
|
|
string getFramework() { result = super.getFramework() }
|
|
|
|
/**
|
|
* Holds if this request is made using a mode that disables SSL/TLS
|
|
* certificate validation, where `disablingNode` represents the point at
|
|
* which the validation was disabled, and `argumentOrigin` represents the origin
|
|
* of the argument that disabled the validation (which could be the same node as
|
|
* `disablingNode`).
|
|
*/
|
|
predicate disablesCertificateValidation(
|
|
DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
|
|
) {
|
|
super.disablesCertificateValidation(disablingNode, argumentOrigin)
|
|
}
|
|
}
|
|
|
|
/** Provides a class for modeling new HTTP requests. */
|
|
module Request {
|
|
/**
|
|
* A data-flow node that makes an outgoing HTTP request.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `HTTP::Client::Request` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/**
|
|
* Gets a data-flow node that contributes to the URL of the request.
|
|
* Depending on the framework, a request may have multiple nodes which contribute to the URL.
|
|
*/
|
|
abstract DataFlow::Node getAUrlPart();
|
|
|
|
/** Gets a string that identifies the framework used for this request. */
|
|
abstract string getFramework();
|
|
|
|
/**
|
|
* Holds if this request is made using a mode that disables SSL/TLS
|
|
* certificate validation, where `disablingNode` represents the point at
|
|
* which the validation was disabled, and `argumentOrigin` represents the origin
|
|
* of the argument that disabled the validation (which could be the same node as
|
|
* `disablingNode`).
|
|
*/
|
|
abstract predicate disablesCertificateValidation(
|
|
DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
|
|
);
|
|
}
|
|
}
|
|
// TODO: investigate whether we should treat responses to client requests as
|
|
// remote-flow-sources in general.
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Provides models for cryptographic things.
|
|
*
|
|
* Note: The `CryptographicAlgorithm` class currently doesn't take weak keys into
|
|
* consideration for the `isWeak` member predicate. So RSA is always considered
|
|
* secure, although using a low number of bits will actually make it insecure. We plan
|
|
* to improve our libraries in the future to more precisely capture this aspect.
|
|
*/
|
|
module Cryptography {
|
|
/** Provides models for public-key cryptography, also called asymmetric cryptography. */
|
|
module PublicKey {
|
|
/**
|
|
* A data-flow node that generates a new key-pair for use with public-key cryptography.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `KeyGeneration::Range` instead.
|
|
*/
|
|
class KeyGeneration extends DataFlow::Node {
|
|
KeyGeneration::Range range;
|
|
|
|
KeyGeneration() { this = range }
|
|
|
|
/** Gets the name of the cryptographic algorithm (for example `"RSA"` or `"AES"`). */
|
|
string getName() { result = range.getName() }
|
|
|
|
/** Gets the argument that specifies the size of the key in bits, if available. */
|
|
DataFlow::Node getKeySizeArg() { result = range.getKeySizeArg() }
|
|
|
|
/**
|
|
* Gets the size of the key generated (in bits), as well as the `origin` that
|
|
* explains how we obtained this specific key size.
|
|
*/
|
|
int getKeySizeWithOrigin(DataFlow::Node origin) {
|
|
result = range.getKeySizeWithOrigin(origin)
|
|
}
|
|
|
|
/** Gets the minimum key size (in bits) for this algorithm to be considered secure. */
|
|
int minimumSecureKeySize() { result = range.minimumSecureKeySize() }
|
|
}
|
|
|
|
/** Provides classes for modeling new key-pair generation APIs. */
|
|
module KeyGeneration {
|
|
/** Gets a back-reference to the keysize argument `arg` that was used to generate a new key-pair. */
|
|
private DataFlow::TypeTrackingNode keysizeBacktracker(
|
|
DataFlow::TypeBackTracker t, DataFlow::Node arg
|
|
) {
|
|
t.start() and
|
|
arg = any(KeyGeneration::Range r).getKeySizeArg() and
|
|
result = arg.getALocalSource()
|
|
or
|
|
exists(DataFlow::TypeBackTracker t2 | result = keysizeBacktracker(t2, arg).backtrack(t2, t))
|
|
}
|
|
|
|
/** Gets a back-reference to the keysize argument `arg` that was used to generate a new key-pair. */
|
|
DataFlow::LocalSourceNode keysizeBacktracker(DataFlow::Node arg) {
|
|
result = keysizeBacktracker(DataFlow::TypeBackTracker::end(), arg)
|
|
}
|
|
|
|
/**
|
|
* A data-flow node that generates a new key-pair for use with public-key cryptography.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `KeyGeneration` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/** Gets the name of the cryptographic algorithm (for example `"RSA"`). */
|
|
abstract string getName();
|
|
|
|
/** Gets the argument that specifies the size of the key in bits, if available. */
|
|
abstract DataFlow::Node getKeySizeArg();
|
|
|
|
/**
|
|
* Gets the size of the key generated (in bits), as well as the `origin` that
|
|
* explains how we obtained this specific key size.
|
|
*/
|
|
int getKeySizeWithOrigin(DataFlow::Node origin) {
|
|
origin = keysizeBacktracker(this.getKeySizeArg()) and
|
|
result = origin.asExpr().(IntegerLiteral).getValue()
|
|
}
|
|
|
|
/** Gets the minimum key size (in bits) for this algorithm to be considered secure. */
|
|
abstract int minimumSecureKeySize();
|
|
}
|
|
|
|
/** A data-flow node that generates a new RSA key-pair. */
|
|
abstract class RsaRange extends Range {
|
|
final override string getName() { result = "RSA" }
|
|
|
|
final override int minimumSecureKeySize() { result = 2048 }
|
|
}
|
|
|
|
/** A data-flow node that generates a new DSA key-pair. */
|
|
abstract class DsaRange extends Range {
|
|
final override string getName() { result = "DSA" }
|
|
|
|
final override int minimumSecureKeySize() { result = 2048 }
|
|
}
|
|
|
|
/** A data-flow node that generates a new ECC key-pair. */
|
|
abstract class EccRange extends Range {
|
|
final override string getName() { result = "ECC" }
|
|
|
|
final override int minimumSecureKeySize() { result = 224 }
|
|
}
|
|
}
|
|
}
|
|
|
|
import semmle.python.concepts.CryptoAlgorithms
|
|
|
|
/**
|
|
* A data-flow node that is an application of a cryptographic algorithm. For example,
|
|
* encryption, decryption, signature-validation.
|
|
*
|
|
* Extend this class to refine existing API models. If you want to model new APIs,
|
|
* extend `CryptographicOperation::Range` instead.
|
|
*/
|
|
class CryptographicOperation extends DataFlow::Node {
|
|
CryptographicOperation::Range range;
|
|
|
|
CryptographicOperation() { this = range }
|
|
|
|
/** Gets the algorithm used, if it matches a known `CryptographicAlgorithm`. */
|
|
CryptographicAlgorithm getAlgorithm() { result = range.getAlgorithm() }
|
|
|
|
/** Gets an input the algorithm is used on, for example the plain text input to be encrypted. */
|
|
DataFlow::Node getAnInput() { result = range.getAnInput() }
|
|
}
|
|
|
|
/** Provides classes for modeling new applications of a cryptographic algorithms. */
|
|
module CryptographicOperation {
|
|
/**
|
|
* A data-flow node that is an application of a cryptographic algorithm. For example,
|
|
* encryption, decryption, signature-validation.
|
|
*
|
|
* Extend this class to model new APIs. If you want to refine existing API models,
|
|
* extend `CryptographicOperation` instead.
|
|
*/
|
|
abstract class Range extends DataFlow::Node {
|
|
/** Gets the algorithm used, if it matches a known `CryptographicAlgorithm`. */
|
|
abstract CryptographicAlgorithm getAlgorithm();
|
|
|
|
/** Gets an input the algorithm is used on, for example the plain text input to be encrypted. */
|
|
abstract DataFlow::Node getAnInput();
|
|
}
|
|
}
|
|
}
|