Python: Check os.open as well as os.chmod for weak file permissions.

markshannon · markshannon · commit 6d553ae2be62 · 2019-01-28T14:26:16.000Z
diff --git a/python/ql/src/Security/CWE-732/WeakFilePermissions.ql b/python/ql/src/Security/CWE-732/WeakFilePermissions.ql
@@ -34,9 +34,20 @@ string permissive_permission(int p) {
     world_permission(p) = 0 and result = "group " + access(group_permission(p))
 }
 
-from FunctionObject chmod, CallNode call, NumericObject num, string permission
-where
+predicate chmod_call(CallNode call, FunctionObject chmod, NumericObject num) {
     any(ModuleObject os | os.getName() = "os").getAttribute("chmod") = chmod and
-    chmod.getACall() = call and call.getArg(1).refersTo(num) and
+    chmod.getACall() = call and call.getArg(1).refersTo(num)
+}
+
+predicate open_call(CallNode call, FunctionObject open, NumericObject num) {
+    any(ModuleObject os | os.getName() = "os").getAttribute("open") = open and
+    open.getACall() = call and call.getArg(2).refersTo(num)
+}
+
+
+from CallNode call, FunctionObject func, NumericObject num, string permission
+where
+    (chmod_call(call, func, num) or open_call(call, func, num))
+    and
     permission = permissive_permission(num.intValue())
-select call, "Overly permissive mask in chmod sets file to " + permission + "."
+select call, "Overly permissive mask in " + func.getName() + " sets file to " + permission + "."
diff --git a/python/ql/test/query-tests/Security/CWE-732/WeakFilePermissions.expected b/python/ql/test/query-tests/Security/CWE-732/WeakFilePermissions.expected
@@ -4,3 +4,4 @@
 | test.py:11:1:11:21 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to group readable. |
 | test.py:13:1:13:28 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to group writable. |
 | test.py:14:1:14:19 | ControlFlowNode for Attribute() | Overly permissive mask in chmod sets file to group writable. |
+| test.py:16:1:16:25 | ControlFlowNode for Attribute() | Overly permissive mask in open sets file to world readable. |
diff --git a/python/ql/test/query-tests/Security/CWE-732/test.py b/python/ql/test/query-tests/Security/CWE-732/test.py
@@ -12,3 +12,5 @@
 os.chmod(file, stat.S_IRWXU) # GOOD
 os.chmod(file, stat.S_IWGRP) # BAD
 os.chmod(file, 400) # BAD -- Decimal format.
+
+os.open(file, 'w', 0o704) # BAD
diff --git a/python/ql/test/query-tests/Security/lib/os/__init__.py b/python/ql/test/query-tests/Security/lib/os/__init__.py
@@ -6,3 +6,6 @@ def popen(cmd, *args, **kwargs):
 
 def chmod(path, mode):
     pass
+
+def open(path, flags, mode):
+    pass
