Commit 054c06b

Update UnsafeUnpack.ql
1 parent 68fd75c commit 054c06b

1 file changed

Lines changed: 24 additions & 19 deletions

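--- a/python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpack.ql
+++ b/python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpack.ql
@@ -8,49 +8,54 @@
 * @problem.severity error
 * @security-severity 7.5
 * @precision high
-* @tags security
+* @tags securityimport semmle.python.dataflow.TaintTracking
 * external/cwe/cwe-022bis
 */
 
 import python
-import experimental.semmle.python.Concepts
-import DataFlow::PathGraph
-import semmle.python.ApiGraphs
-import semmle.python.dataflow.new.internal.Attributes
-import semmle.python.dataflow.new.DataFlow
+import semmle.python.Concepts
+import semmle.python.dataflow.new.internal.DataFlowPublic
 import semmle.python.ApiGraphs
+import DataFlow::PathGraph
 import semmle.python.dataflow.new.TaintTracking
-import semmle.python.Concepts
 
 class UnsafeUnpackingConfig extends TaintTracking::Configuration {
 UnsafeUnpackingConfig() { this = "UnsafeUnpackingConfig" }
 
 override predicate isSource(DataFlow::Node source) {
 // A source coming from a remote location
-exists(Http::Client::Request request | source = request) and
-not source.getScope().getLocation().getFile().inStdlib()
+exists(Http::Client::Request request | source = request)
 }
 
 override predicate isSink(DataFlow::Node sink) {
 // A sink capturing method calls to `unpack_archive`.
-sink =
-API::moduleImport("shutil").getMember("unpack_archive").getACall().getParameter(0).asSink() and
-not sink.getScope().getLocation().getFile().inStdlib()
+sink = API::moduleImport("shutil").getMember("unpack_archive").getACall().getArg(0)
 }
 
 override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
 // Writing the response data to the archive
-exists(API::CallNode call, MethodCallNode w |
-nodeTo = call.getArg(0) and
+(exists(API::CallNode call, MethodCallNode mc, Node f |
+mc.getMethodName() = "write" and
+f = mc.getObject() and
+nodeTo = mc.getArg(0) and
 call = API::builtin("open").getACall() and
-w.getMethodName() = "write" and
-w.getObject() = call.getReturn().getAValueReachableFromSource() and
-nodeFrom = w.getArg(0)
+call.flowsTo(f) and
+nodeFrom = call.getArg(0)
+)
+or
+// Reading the response
+exists(MethodCallNode mc |
+nodeFrom = mc.getObject() and
+mc.getMethodName() = "read" and
+nodeTo = mc
 )
+or
+// Accessing the name
+exists(AttrRead ar | ar.accesses(nodeFrom, "name") and nodeTo = ar))
 }
 }
 
 from UnsafeUnpackingConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
-select source.getNode(), source, sink, "Unsafe extraction from a malicious tarball, is used in a $@",
-source.getAQlClass(), "during archive unpacking."
+select sink.getNode(), source, sink,
+"Unsafe extraction from a malicious tarball retrieved from a remote location."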
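Review bot: The rewritten "Writing the response data to the archive" step in `isAdditionalTaintStep` looks inverted: `nodeFrom = call.getArg(0)` is the path passed to `open()` and `nodeTo = mc.getArg(0)` is the data passed to `write()`, so taint now flows from the file name into the written bytes rather than from the response bytes to the file (the removed step had `nodeTo = call.getArg(0)` and `nodeFrom = w.getArg(0)`), which would keep remote data from ever reaching the `unpack_archive` sink. Swapping the two, `nodeFrom = mc.getArg(0) and` / `nodeTo = call.getArg(0) and`, restores the direction the comment and the new `f.name` step assume. Separately, new line 11 `* @tags securityimport semmle.python.dataflow.TaintTracking` has an import pasted into the QLDoc tag line and should read `* @tags security` (the real import already appears in the import list below). The "Reading the response" step also matches any `read` method call on a tainted object, not only HTTP responses, so a short comment stating that this widening is intended would help the next reader.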
