Python: Add StringConstCompare to new data-flow queries

RasmusWL · RasmusWL · commit 6c8937c5a97a · 2020-11-20T10:44:50.000+01:00
In the future, I could imagine we would have something like this, but for now,
I'm just keeping it simple.

```codeql
  /**
   * A collection of common guards that ensure the checked value cannot have arbitrary
   * values.
   *
   * Currently only supports comparison with constant string value, but could also
   * include checking whether all characters are alphanumeric, or whether a regex is
   * matched against the value.
   *
   * Such guards will be useful for many taint-tracking queries, but not necessarily
   * all, which is why you need to opt into these manually.
   */
  class CommonNonArbitraryGuard extends BarrierGuard {
    CommonNonArbitraryGuard() {
      this instanceof StringConstCompare
    }

    override predicate checks(ControlFlowNode node, boolean branch) {
      this.(StringConstCompare).checks(node, branch)
    }
  }
```
diff --git a/python/ql/src/semmle/python/security/dataflow/CodeInjection.qll b/python/ql/src/semmle/python/security/dataflow/CodeInjection.qll
@@ -18,4 +18,8 @@ class CodeInjectionConfiguration extends TaintTracking::Configuration {
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) { sink = any(CodeExecution e).getCode() }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof DataFlow::BarrierGuard::StringConstCompare
+  }
 }
diff --git a/python/ql/src/semmle/python/security/dataflow/CommandInjection.qll b/python/ql/src/semmle/python/security/dataflow/CommandInjection.qll
@@ -48,4 +48,8 @@ class CommandInjectionConfiguration extends TaintTracking::Configuration {
     // https://github.com/python/cpython/blob/fa7ce080175f65d678a7d5756c94f82887fc9803/Lib/subprocess.py#L341
     not sink.getScope().getEnclosingModule().getName() in ["os", "subprocess", "platform", "popen2"]
   }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof DataFlow::BarrierGuard::StringConstCompare
+  }
 }
diff --git a/python/ql/src/semmle/python/security/dataflow/PathInjection.qll b/python/ql/src/semmle/python/security/dataflow/PathInjection.qll
@@ -46,6 +46,10 @@ class PathNotNormalizedConfiguration extends TaintTracking::Configuration {
   }
 
   override predicate isSanitizer(DataFlow::Node node) { node instanceof Path::PathNormalization }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof DataFlow::BarrierGuard::StringConstCompare
+  }
 }
 
 /**
@@ -68,6 +72,10 @@ class FirstNormalizationConfiguration extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof Path::PathNormalization }
 
   override predicate isSanitizerOut(DataFlow::Node node) { node instanceof Path::PathNormalization }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof DataFlow::BarrierGuard::StringConstCompare
+  }
 }
 
 /** Configuration to find paths from normalizations to sinks that do not go through a check. */
@@ -82,6 +90,8 @@ class NormalizedPathNotCheckedConfiguration extends TaintTracking2::Configuratio
 
   override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
     guard instanceof Path::SafeAccessCheck
+    or
+    guard instanceof DataFlow::BarrierGuard::StringConstCompare
   }
 }
 
diff --git a/python/ql/src/semmle/python/security/dataflow/ReflectedXSS.qll b/python/ql/src/semmle/python/security/dataflow/ReflectedXSS.qll
@@ -24,4 +24,8 @@ class ReflectedXssConfiguration extends TaintTracking::Configuration {
       sink = response.getBody()
     )
   }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof DataFlow::BarrierGuard::StringConstCompare
+  }
 }
diff --git a/python/ql/src/semmle/python/security/dataflow/SqlInjection.qll b/python/ql/src/semmle/python/security/dataflow/SqlInjection.qll
@@ -18,4 +18,8 @@ class SQLInjectionConfiguration extends TaintTracking::Configuration {
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) { sink = any(SqlExecution e).getSql() }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof DataFlow::BarrierGuard::StringConstCompare
+  }
 }
diff --git a/python/ql/src/semmle/python/security/dataflow/UnsafeDeserialization.qll b/python/ql/src/semmle/python/security/dataflow/UnsafeDeserialization.qll
@@ -24,4 +24,8 @@ class UnsafeDeserializationConfiguration extends TaintTracking::Configuration {
       sink = d.getAnInput()
     )
   }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof DataFlow::BarrierGuard::StringConstCompare
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -18,4 +18,8 @@ class CodeInjectionConfiguration extends TaintTracking::Configuration {`
`18`	`18`	`override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }`
`19`	`19`
`20`	`20`	`override predicate isSink(DataFlow::Node sink) { sink = any(CodeExecution e).getCode() }`
	`21`	`+`
	`22`	`+ override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {`
	`23`	`+ guard instanceof DataFlow::BarrierGuard::StringConstCompare`
	`24`	`+ }`
`21`	`25`	`}`
Original file line number	Diff line number	Diff line change
`@@ -48,4 +48,8 @@ class CommandInjectionConfiguration extends TaintTracking::Configuration {`
`48`	`48`	`// https://github.com/python/cpython/blob/fa7ce080175f65d678a7d5756c94f82887fc9803/Lib/subprocess.py#L341`
`49`	`49`	`not sink.getScope().getEnclosingModule().getName() in ["os", "subprocess", "platform", "popen2"]`
`50`	`50`	`}`
	`51`	`+`
	`52`	`+ override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {`
	`53`	`+ guard instanceof DataFlow::BarrierGuard::StringConstCompare`
	`54`	`+ }`
`51`	`55`	`}`
Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,10 @@ class PathNotNormalizedConfiguration extends TaintTracking::Configuration {`
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`override predicate isSanitizer(DataFlow::Node node) { node instanceof Path::PathNormalization }`
	`49`	`+`
	`50`	`+ override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {`
	`51`	`+ guard instanceof DataFlow::BarrierGuard::StringConstCompare`
	`52`	`+ }`
`49`	`53`	`}`
`50`	`54`
`51`	`55`	`/**`
`@@ -68,6 +72,10 @@ class FirstNormalizationConfiguration extends TaintTracking::Configuration {`
`68`	`72`	`override predicate isSink(DataFlow::Node sink) { sink instanceof Path::PathNormalization }`
`69`	`73`
`70`	`74`	`override predicate isSanitizerOut(DataFlow::Node node) { node instanceof Path::PathNormalization }`
	`75`	`+`
	`76`	`+ override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {`
	`77`	`+ guard instanceof DataFlow::BarrierGuard::StringConstCompare`
	`78`	`+ }`
`71`	`79`	`}`
`72`	`80`
`73`	`81`	`/** Configuration to find paths from normalizations to sinks that do not go through a check. */`
`@@ -82,6 +90,8 @@ class NormalizedPathNotCheckedConfiguration extends TaintTracking2::Configuratio`
`82`	`90`
`83`	`91`	`override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {`
`84`	`92`	`guard instanceof Path::SafeAccessCheck`
	`93`	`+ or`
	`94`	`+ guard instanceof DataFlow::BarrierGuard::StringConstCompare`
`85`	`95`	`}`
`86`	`96`	`}`
`87`	`97`
Original file line number	Diff line number	Diff line change
`@@ -24,4 +24,8 @@ class ReflectedXssConfiguration extends TaintTracking::Configuration {`
`24`	`24`	`sink = response.getBody()`
`25`	`25`	`)`
`26`	`26`	`}`
	`27`	`+`
	`28`	`+ override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {`
	`29`	`+ guard instanceof DataFlow::BarrierGuard::StringConstCompare`
	`30`	`+ }`
`27`	`31`	`}`
Original file line number	Diff line number	Diff line change
`@@ -18,4 +18,8 @@ class SQLInjectionConfiguration extends TaintTracking::Configuration {`
`18`	`18`	`override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }`
`19`	`19`
`20`	`20`	`override predicate isSink(DataFlow::Node sink) { sink = any(SqlExecution e).getSql() }`
	`21`	`+`
	`22`	`+ override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {`
	`23`	`+ guard instanceof DataFlow::BarrierGuard::StringConstCompare`
	`24`	`+ }`
`21`	`25`	`}`
Original file line number	Diff line number	Diff line change
`@@ -24,4 +24,8 @@ class UnsafeDeserializationConfiguration extends TaintTracking::Configuration {`
`24`	`24`	`sink = d.getAnInput()`
`25`	`25`	`)`
`26`	`26`	`}`
	`27`	`+`
	`28`	`+ override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {`
	`29`	`+ guard instanceof DataFlow::BarrierGuard::StringConstCompare`
	`30`	`+ }`
`27`	`31`	`}`