/**
* Provides classes modeling security-relevant aspects of the `jmespath` PyPI package.
* See https://pypi.org/project/jmespath/.
*/
private import python
private import semmle.python.dataflow.new.DataFlow
private import semmle.python.dataflow.new.TaintTracking
private import semmle.python.Concepts
private import semmle.python.ApiGraphs
/**
 * Provides models for the `jmespath` PyPI package.
 * See https://pypi.org/project/jmespath/.
 *
 * The only thing modeled here is taint propagation through JMESPath searches:
 * the value returned by a search is treated as tainted when the document being
 * searched is tainted.
 */
private module Jmespath {
  /**
   * An additional taint step from the searched document to the result of a
   * `jmespath` search call.
   *
   * Two call shapes are covered:
   * - `jmespath.search(<expression>, data)`: the document is positional
   *   argument 1 or the keyword argument `data`.
   * - `jmespath.compile(<expression>).search(value)`: the document is
   *   positional argument 0 or the keyword argument `value`.
   *
   * No step is added from the expression argument or from any other argument;
   * only the searched document propagates taint to the result.
   */
  class JmespathAdditionalTaintSteps extends TaintTracking::AdditionalTaintStep {
    /**
     * Holds if `nodeTo` is a `jmespath` search call and `nodeFrom` is the
     * document argument passed to that call.
     */
    override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
      exists(API::Node jmespathModule, DataFlow::CallCfgNode searchCall |
        jmespathModule = API::moduleImport("jmespath") and
        // In both shapes the taint lands on the call node itself, i.e. the search result.
        nodeTo = searchCall
      |
        // Module-level form: the expression comes first, so the document is argument 1.
        searchCall = jmespathModule.getMember("search").getACall() and
        nodeFrom in [searchCall.getArg(1), searchCall.getArgByName("data")]
        or
        // Pre-compiled form: `search` is called on the value returned by `compile`,
        // so the document is argument 0.
        searchCall =
          jmespathModule.getMember("compile").getReturn().getMember("search").getACall() and
        nodeFrom in [searchCall.getArg(0), searchCall.getArgByName("value")]
      )
    }
  }
}