|
| 1 | +/** |
| 2 | + * Provides classes modeling security-relevant aspects of the `invoke` PyPI package. |
| 3 | + * See https://www.pyinvoke.org/. |
| 4 | + */ |
| 5 | + |
| 6 | +private import python |
| 7 | +private import experimental.dataflow.DataFlow |
| 8 | +private import experimental.dataflow.RemoteFlowSources |
| 9 | +private import experimental.dataflow.TaintTracking |
| 10 | +private import experimental.semmle.python.Concepts |
| 11 | +private import experimental.semmle.python.frameworks.Werkzeug |
| 12 | + |
| 13 | +/** |
| 14 | + * Provides models for the `invoke` PyPI package. |
| 15 | + * See https://www.pyinvoke.org/. |
| 16 | + */ |
| 17 | +private module Invoke { |
| 18 | + // --------------------------------------------------------------------------- |
| 19 | + // invoke |
| 20 | + // --------------------------------------------------------------------------- |
| 21 | + /** Gets a reference to the `invoke` module. */ |
| 22 | + private DataFlow::Node invoke(DataFlow::TypeTracker t) { |
| 23 | + t.start() and |
| 24 | + result = DataFlow::importModule("invoke") |
| 25 | + or |
| 26 | + exists(DataFlow::TypeTracker t2 | result = invoke(t2).track(t2, t)) |
| 27 | + } |
| 28 | + |
| 29 | + /** Gets a reference to the `invoke` module. */ |
| 30 | + DataFlow::Node invoke() { result = invoke(DataFlow::TypeTracker::end()) } |
| 31 | + |
| 32 | + /** |
| 33 | + * Gets a reference to the attribute `attr_name` of the `invoke` module. |
| 34 | + * WARNING: Only holds for a few predefined attributes. |
| 35 | + */ |
| 36 | + private DataFlow::Node invoke_attr(DataFlow::TypeTracker t, string attr_name) { |
| 37 | + attr_name in ["run", "sudo"] and |
| 38 | + ( |
| 39 | + t.start() and |
| 40 | + result = DataFlow::importMember("invoke", attr_name) |
| 41 | + or |
| 42 | + t.startInAttr(attr_name) and |
| 43 | + result = DataFlow::importModule("invoke") |
| 44 | + ) |
| 45 | + or |
| 46 | + // Due to bad performance when using normal setup with `invoke_attr(t2, attr_name).track(t2, t)` |
| 47 | + // we have inlined that code and forced a join |
| 48 | + exists(DataFlow::TypeTracker t2 | |
| 49 | + exists(DataFlow::StepSummary summary | |
| 50 | + invoke_attr_first_join(t2, attr_name, result, summary) and |
| 51 | + t = t2.append(summary) |
| 52 | + ) |
| 53 | + ) |
| 54 | + } |
| 55 | + |
| 56 | + pragma[nomagic] |
| 57 | + private predicate invoke_attr_first_join( |
| 58 | + DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary |
| 59 | + ) { |
| 60 | + DataFlow::StepSummary::step(invoke_attr(t2, attr_name), res, summary) |
| 61 | + } |
| 62 | + |
| 63 | + /** |
| 64 | + * Gets a reference to the attribute `attr_name` of the `invoke` module. |
| 65 | + * WARNING: Only holds for a few predefined attributes. |
| 66 | + */ |
| 67 | + private DataFlow::Node invoke_attr(string attr_name) { |
| 68 | + result = invoke_attr(DataFlow::TypeTracker::end(), attr_name) |
| 69 | + } |
| 70 | + |
| 71 | + /** Provides models for the `invoke` module. */ |
| 72 | + module invoke { } |
| 73 | + |
| 74 | + /** |
| 75 | + * A call to either of the `invoke.run` or `invoke.sudo` functions |
| 76 | + * See http://docs.pyinvoke.org/en/stable/api/__init__.html |
| 77 | + */ |
| 78 | + private class InvokeRunCommandCall extends SystemCommandExecution::Range { |
| 79 | + InvokeRunCommandCall() { |
| 80 | + this.asCfgNode().(CallNode).getFunction() = invoke_attr(["run", "sudo"]).asCfgNode() |
| 81 | + } |
| 82 | + |
| 83 | + override DataFlow::Node getCommand() { |
| 84 | + result.asCfgNode() = this.asCfgNode().(CallNode).getArg(0) |
| 85 | + or |
| 86 | + result.asCfgNode() = this.asCfgNode().(CallNode).getArgByName("command") |
| 87 | + } |
| 88 | + } |
| 89 | +} |
0 commit comments