Python: Model encoding/decoding with base64 module

RasmusWL · RasmusWL · commit 66f5d0d9d53f · 2020-11-02T14:44:53.000+01:00
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -753,6 +753,131 @@ private class OpenCall extends FileSystemAccess::Range, DataFlow::CfgNode {
   }
 }
 
+// ---------------------------------------------------------------------------
+// base64
+// ---------------------------------------------------------------------------
+/** Gets a reference to the `base64` module. */
+private DataFlow::Node base64(DataFlow::TypeTracker t) {
+  t.start() and
+  result = DataFlow::importNode("base64")
+  or
+  exists(DataFlow::TypeTracker t2 | result = base64(t2).track(t2, t))
+}
+
+/** Gets a reference to the `base64` module. */
+DataFlow::Node base64() { result = base64(DataFlow::TypeTracker::end()) }
+
+/**
+ * Gets a reference to the attribute `attr_name` of the `base64` module.
+ * WARNING: Only holds for a few predefined attributes.
+ */
+private DataFlow::Node base64_attr(DataFlow::TypeTracker t, string attr_name) {
+  attr_name in ["b64encode", "b64decode", "standard_b64encode", "standard_b64decode",
+        "urlsafe_b64encode", "urlsafe_b64decode", "b32encode", "b32decode", "b16encode",
+        "b16decode", "encodestring", "decodestring", "a85encode", "a85decode", "b85encode",
+        "b85decode", "encodebytes", "decodebytes"] and
+  (
+    t.start() and
+    result = DataFlow::importNode("base64" + "." + attr_name)
+    or
+    t.startInAttr(attr_name) and
+    result = base64()
+  )
+  or
+  // Due to bad performance when using normal setup with `base64_attr(t2, attr_name).track(t2, t)`
+  // we have inlined that code and forced a join
+  exists(DataFlow::TypeTracker t2 |
+    exists(DataFlow::StepSummary summary |
+      base64_attr_first_join(t2, attr_name, result, summary) and
+      t = t2.append(summary)
+    )
+  )
+}
+
+pragma[nomagic]
+private predicate base64_attr_first_join(
+  DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
+) {
+  DataFlow::StepSummary::step(base64_attr(t2, attr_name), res, summary)
+}
+
+/**
+ * Gets a reference to the attribute `attr_name` of the `base64` module.
+ * WARNING: Only holds for a few predefined attributes.
+ */
+private DataFlow::Node base64_attr(string attr_name) {
+  result = base64_attr(DataFlow::TypeTracker::end(), attr_name)
+}
+
+/** A call to any of the encode functions in the `base64` module. */
+private class Base64EncodeCall extends Encoding::Range, DataFlow::CfgNode {
+  override CallNode node;
+
+  Base64EncodeCall() {
+    exists(string name |
+      name in ["b64encode", "standard_b64encode", "urlsafe_b64encode", "b32encode", "b16encode",
+            "encodestring", "a85encode", "b85encode", "encodebytes"] and
+      node.getFunction() = base64_attr(name).asCfgNode()
+    )
+  }
+
+  override DataFlow::Node getAnInput() { result.asCfgNode() = node.getArg(0) }
+
+  override DataFlow::Node getOutput() { result = this }
+
+  override string getFormat() {
+    exists(string name | node.getFunction() = base64_attr(name).asCfgNode() |
+      name in ["b64encode", "standard_b64encode", "urlsafe_b64encode", "encodestring", "encodebytes"] and
+      result = "Base64"
+      or
+      name = "b32encode" and result = "Base32"
+      or
+      name = "b16encode" and result = "Base16"
+      or
+      name = "a85encode" and result = "Ascii85"
+      or
+      name = "b85encode" and result = "Base85"
+    )
+  }
+}
+
+/** A call to any of the decode functions in the `base64` module. */
+private class Base64DecodeCall extends Decoding::Range, DataFlow::CfgNode {
+  override CallNode node;
+
+  Base64DecodeCall() {
+    exists(string name |
+      name in ["b64decode", "standard_b64decode", "urlsafe_b64decode", "b32decode", "b16decode",
+            "decodestring", "a85decode", "b85decode", "decodebytes"] and
+      node.getFunction() = base64_attr(name).asCfgNode()
+    )
+  }
+
+  override predicate mayExecuteInput() { none() }
+
+  override DataFlow::Node getAnInput() { result.asCfgNode() = node.getArg(0) }
+
+  override DataFlow::Node getOutput() { result = this }
+
+  override string getFormat() {
+    exists(string name | node.getFunction() = base64_attr(name).asCfgNode() |
+      name in ["b64decode", "standard_b64decode", "urlsafe_b64decode", "decodestring", "decodebytes"] and
+      result = "Base64"
+      or
+      name = "b32decode" and result = "Base32"
+      or
+      name = "b16decode" and result = "Base16"
+      or
+      name = "a85decode" and result = "Ascii85"
+      or
+      name = "b85decode" and result = "Base85"
+    )
+  }
+}
+
+// ---------------------------------------------------------------------------
+// OTHER
+// ---------------------------------------------------------------------------
 /**
  * A call to the `startswith` method on a string.
  * See https://docs.python.org/3.9/library/stdtypes.html#str.startswith
diff --git a/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/Decoding.py b/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/Decoding.py
@@ -0,0 +1,6 @@
+import base64
+
+# TODO: These tests should be merged with python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/test_string.py
+base64.a85decode(payload)  # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=Ascii85
+base64.b85decode(payload)  # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=Base85
+base64.decodebytes(payload)  # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=Base64
diff --git a/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/Encoding.py b/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/Encoding.py
@@ -0,0 +1,6 @@
+import base64
+
+# TODO: These tests should be merged with python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/test_string.py
+base64.a85encode(bs) # $encodeInput=bs $encodeOutput=Attribute() $encodeFormat=Ascii85
+base64.b85encode(bs)# $encodeInput=bs $encodeOutput=Attribute() $encodeFormat=Base85
+base64.encodebytes(bs)# $encodeInput=bs $encodeOutput=Attribute() $encodeFormat=Base64
diff --git a/python/ql/test/experimental/library-tests/frameworks/stdlib/Decoding.py b/python/ql/test/experimental/library-tests/frameworks/stdlib/Decoding.py
@@ -1,5 +1,15 @@
 import pickle
 import marshal
+import base64
 
 pickle.loads(payload)  # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=pickle $decodeMayExecuteInput
 marshal.loads(payload)  # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=marshal $decodeMayExecuteInput
+
+# TODO: These tests should be merged with python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_string.py
+base64.b64decode(payload)  # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=Base64
+base64.standard_b64decode(payload)  # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=Base64
+base64.urlsafe_b64decode(payload)  # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=Base64
+base64.b32decode(payload)  # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=Base32
+base64.b16decode(payload)  # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=Base16
+# deprecated since Python 3.1, but still works
+base64.decodestring(payload)  # $decodeInput=payload $decodeOutput=Attribute() $decodeFormat=Base64
diff --git a/python/ql/test/experimental/library-tests/frameworks/stdlib/Encoding.py b/python/ql/test/experimental/library-tests/frameworks/stdlib/Encoding.py
@@ -0,0 +1,15 @@
+import pickle
+import marshal
+import base64
+
+pickle.dumps(obj)  # $f-:encodeInput=obj $f-:encodeOutput=Attribute() $f-:encodeFormat=pickle $f-:encodeMayExecuteInput
+marshal.dumps(obj)  # $f-:encodeInput=obj $f-:encodeOutput=Attribute() $f-:encodeFormat=marshal $f-:encodeMayExecuteInput
+
+# TODO: These tests should be merged with python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_string.py
+base64.b64encode(bs)  # $encodeInput=bs $encodeOutput=Attribute() $encodeFormat=Base64
+base64.standard_b64encode(bs)  # $encodeInput=bs $encodeOutput=Attribute() $encodeFormat=Base64
+base64.urlsafe_b64encode(bs)  # $encodeInput=bs $encodeOutput=Attribute() $encodeFormat=Base64
+base64.b32encode(bs)  # $encodeInput=bs $encodeOutput=Attribute() $encodeFormat=Base32
+base64.b16encode(bs)  # $encodeInput=bs $encodeOutput=Attribute() $encodeFormat=Base16
+# deprecated since Python 3.1, but still works
+base64.encodestring(bs)  # $encodeInput=bs $encodeOutput=Attribute() $encodeFormat=Base64
