Python: Add library support for cookies. Update and extend sensitive data library.

markshannon · markshannon · commit 79ebd5652a08 · 2019-08-22T15:27:48.000+01:00
diff --git a/python/ql/src/semmle/python/security/ClearText.qll b/python/ql/src/semmle/python/security/ClearText.qll
@@ -0,0 +1,66 @@
+import python
+import semmle.python.security.TaintTracking
+import semmle.python.security.SensitiveData
+import semmle.python.dataflow.Files
+import semmle.python.web.Http
+
+module ClearTextStorage {
+
+    abstract class Sink extends TaintSink {
+        override predicate sinks(TaintKind kind) {
+            kind instanceof SensitiveData
+        }
+    }
+
+    class CookieStorageSink extends Sink {
+        CookieStorageSink() {
+            any(CookieSet cookie).getValue() = this
+        }
+    }
+
+    class FileStorageSink extends Sink {
+        FileStorageSink() {
+            exists(CallNode call, AttrNode meth, string name |
+                any(OpenFile fd).taints(meth.getObject(name)) and
+                call.getFunction() = meth and
+                call.getAnArg() = this |
+                name = "write"
+            )
+        }
+    }
+
+}
+
+module ClearTextLogging {
+
+    abstract class Sink extends TaintSink {
+        override predicate sinks(TaintKind kind) {
+            kind instanceof SensitiveData
+        }
+    }
+
+    class PrintSink extends Sink {
+        PrintSink() {
+            exists(CallNode call |
+                call.getAnArg() = this and
+                thePrintFunction().(FunctionObject).getACall() = call
+            )
+        }
+    }
+
+    class LoggingSink extends Sink {
+        LoggingSink() {
+            exists(CallNode call, AttrNode meth, string name |
+                call.getFunction() = meth and
+                meth.getObject(name).(NameNode).getId().matches("logg%") and
+                call.getAnArg() = this |
+                name = "error" or
+                name = "warn" or
+                name = "warning" or
+                name = "debug" or
+                name = "info"
+            )
+        }
+    }
+
+}
diff --git a/python/ql/src/semmle/python/security/SensitiveData.qll b/python/ql/src/semmle/python/security/SensitiveData.qll
@@ -13,91 +13,160 @@ import python
 import semmle.python.security.TaintTracking
 
 
-/** A regular expression that identifies strings that look like they represent secret data that are not passwords. */
-private string suspiciousNonPassword() {
-  result = "(?is).*(account|accnt|(?<!un)trusted).*"
-}
-/** A regular expression that identifies strings that look like they represent secret data that are passwords. */
-private string suspiciousPassword() {
-  result = "(?is).*(password|passwd).*"
-}
-
-/** A regular expression that identifies strings that look like they represent secret data. */
-private string suspicious() {
-  result = suspiciousPassword() or result = suspiciousNonPassword()
-}
-
 /**
- * A string for `match` that identifies strings that look like they represent secret data that is
- * hashed or encrypted.
+ * Provides heuristics for identifying names related to sensitive information.
+ *
+ * INTERNAL: Do not use directly.
+ * This is copied from the javascript library, but should be language independent.
  */
-private string nonSuspicious() {
-  result = "(?is).*(hash|(?<!un)encrypted|\\bcrypt\\b).*"
-}
+private module HeuristicNames {
+
+    /**
+     * Gets a regular expression that identifies strings that may indicate the presence of secret
+     * or trusted data.
+     */
+    string maybeSecret() { result = "(?is).*((?<!is)secret|(?<!un|is)trusted).*" }
+
+    /**
+     * Gets a regular expression that identifies strings that may indicate the presence of
+     * user names or other account information.
+     */
+    string maybeAccountInfo() {
+      result = "(?is).*acc(ou)?nt.*" or
+      result = "(?is).*(puid|username|userid).*"
+    }
 
-/** An expression that might contain sensitive data. */
-abstract class SensitiveExpr extends Expr { }
-
-/** A method access that might produce sensitive data. */
-class SensitiveCall extends SensitiveExpr, Call {
-    SensitiveCall() {
-        exists(string name |
-            name = this.getFunc().(Name).getId() or
-            name = this.getFunc().(Attribute).getName() or
-            exists(StringObject s |
-                this.getAnArg().refersTo(s) |
-                name = s.getText()
-            )
-            |
-            name.regexpMatch(suspicious()) and
-            not name.regexpMatch(nonSuspicious())
-        )
+    /**
+     * Gets a regular expression that identifies strings that may indicate the presence of
+     * a password or an authorization key.
+     */
+    string maybePassword() {
+      result = "(?is).*pass(wd|word|code|phrase)(?!.*question).*" or
+      result = "(?is).*(auth(entication|ori[sz]ation)?)key.*"
     }
-}
 
-/** An access to a variable or property that might contain sensitive data. */
-abstract class SensitiveVariableAccess extends SensitiveExpr {
+    /**
+     * Gets a regular expression that identifies strings that may indicate the presence of
+     * a certificate.
+     */
+    string maybeCertificate() { result = "(?is).*(cert)(?!.*(format|name)).*" }
+
+     /**
+     * Gets a regular expression that identifies strings that may indicate the presence
+     * of sensitive data, with `classification` describing the kind of sensitive data involved.
+     */
+    string maybeSensitive(SensitiveData data) {
+        result = maybeSecret() and data instanceof SensitiveData::Secret
+        or
+        result = maybeAccountInfo() and data instanceof SensitiveData::Id
+        or
+        result = maybePassword() and data instanceof SensitiveData::Password
+        or
+        result = maybeCertificate() and data instanceof SensitiveData::Certificate
+    }
 
-  string name;
+    /**
+     * Gets a regular expression that identifies strings that may indicate the presence of data
+     * that is hashed or encrypted, and hence rendered non-sensitive.
+     */
+    string notSensitive() {
+        result = "(?is).*(redact|censor|obfuscate|hash|md5|sha|((?<!un)(en))?(crypt|code)).*"
+    }
 
-  SensitiveVariableAccess() {
-    this.(Name).getId() = name or
-    this.(Attribute).getName() = name
-  }
+    bindingset[name]
+    SensitiveData getSensitiveDataForName(string name) {
+        name.regexpMatch(HeuristicNames::maybeSensitive(result)) and
+        not name.regexpMatch(HeuristicNames::notSensitive())
+    }
 
 }
 
-/** An access to a variable or property that might contain sensitive data. */
-private class BasicSensitiveVariableAccess extends SensitiveVariableAccess {
+abstract class SensitiveData extends TaintKind {
 
-  BasicSensitiveVariableAccess() {
-    name.regexpMatch(suspicious()) and not name.regexpMatch(nonSuspicious())
-  }
+    bindingset[this]
+    SensitiveData() { this = this }
 
 }
 
-class SensitiveData extends TaintKind {
+module SensitiveData {
 
-    SensitiveData() {
-        this = "sensitive.data"
+    class Secret extends SensitiveData {
+        Secret() { this = "sensitive.data.secret" }
+        override string repr() { result = "a secret" }
     }
 
-}
+    class Id extends SensitiveData {
+        Id() { this = "sensitive.data.id" }
+        override string repr() { result = "an ID" }
+    }
+
+    class Password extends SensitiveData {
+        Password() { this = "sensitive.data.password" }
+        override string repr() { result = "a password" }
+    }
+
+    class Certificate extends SensitiveData {
+        Certificate() { this = "sensitive.data.certificate" }
+        override string repr() { result = "a certificate or key" }
+    }
 
+    private SensitiveData fromFunction(FunctionObject f) {
+        result = HeuristicNames::getSensitiveDataForName(f.getName())
+        or
+        // This is particularly to pick up methods with an argument like "password", which
+        // may indicate a lookup.
+        exists(string name | name = f.getFunction().getAnArg().asName().getId() |
+            result = HeuristicNames::getSensitiveDataForName(name)
+        )
+    }
 
-class SensitiveDataSource extends TaintSource {
+    abstract class Source extends TaintSource {
+
+        abstract string repr();
 
-    SensitiveDataSource() {
-        this.(ControlFlowNode).getNode() instanceof SensitiveExpr
     }
 
-    override string toString() {
-        result = "sensitive.data.source"
+    private class SensitiveCallSource extends Source {
+
+        SensitiveData data;
+
+        SensitiveCallSource() {
+            exists(FunctionObject callee |
+                callee.getACall() = this |
+                data = fromFunction(callee)
+            )
+        }
+
+        override predicate isSourceOf(TaintKind kind) {
+            kind = data
+        }
+
+        override string repr() {
+            result = "Call returning " + data.repr()
+        }
+
     }
 
-    override predicate isSourceOf(TaintKind kind) {
-        kind instanceof SensitiveData
+    /** An access to a variable or property that might contain sensitive data. */
+    private class SensitiveVariableAccess extends SensitiveData::Source {
+
+        SensitiveData data;
+
+        SensitiveVariableAccess() {
+            data = HeuristicNames::getSensitiveDataForName(this.(AttrNode).getName())
+        }
+
+        override predicate isSourceOf(TaintKind kind) {
+            kind = data
+        }
+
+        override string repr() {
+            result = "an attribute or property containing " + data.repr()
+        }
+
     }
 
 }
 
+//Backwards compatibility
+class SensitiveDataSource = SensitiveData::Source;
diff --git a/python/ql/src/semmle/python/web/Http.qll b/python/ql/src/semmle/python/web/Http.qll
@@ -72,6 +72,19 @@ class UntrustedCookie extends TaintKind {
 
 }
 
+abstract class CookieOperation extends @py_flow_node {
+
+    abstract string toString();
+
+    abstract ControlFlowNode getKey();
+
+    abstract ControlFlowNode getValue();
+
+}
+
+abstract class CookieGet extends CookieOperation {}
+
+abstract class CookieSet extends CookieOperation {}
 
 /** Generic taint sink in a http response */
 abstract class HttpResponseTaintSink extends TaintSink {
diff --git a/python/ql/src/semmle/python/web/bottle/Response.qll b/python/ql/src/semmle/python/web/bottle/Response.qll
@@ -56,3 +56,17 @@ class BottleHandlerFunctionResult extends HttpResponseTaintSink {
 
 }
 
+class BottleCookieSet extends CookieSet, CallNode {
+
+    BottleCookieSet() {
+        any(BottleResponse r).taints(this.getFunction().(AttrNode).getObject("set_cookie"))
+    }
+
+    override string toString() { result = this.(CallNode).toString() }
+
+    override ControlFlowNode getKey() { result = this.getArg(0) }
+
+    override ControlFlowNode getValue() { result = this.getArg(1) }
+
+}
+
diff --git a/python/ql/src/semmle/python/web/django/Response.qll b/python/ql/src/semmle/python/web/django/Response.qll
@@ -83,5 +83,16 @@ class DjangoResponseContent extends HttpResponseTaintSink {
 
 }
 
+class DjangoCookieSet extends CookieSet, CallNode {
 
+    DjangoCookieSet() {
+        any(DjangoResponse r).taints(this.getFunction().(AttrNode).getObject("set_cookie"))
+    }
+
+    override string toString() { result = this.(CallNode).toString() }
+
+    override ControlFlowNode getKey() { result = this.getArg(0) }
 
+    override ControlFlowNode getValue() { result = this.getArg(1) }
+
+}
diff --git a/python/ql/src/semmle/python/web/flask/General.qll b/python/ql/src/semmle/python/web/flask/General.qll
@@ -115,3 +115,18 @@ private class AsView extends TaintSource {
 
 }
 
+
+class FlaskCookieSet extends CookieSet, CallNode {
+
+    FlaskCookieSet() {
+        this.getFunction().(AttrNode).getObject("set_cookie").refersTo(_, theFlaskReponseClass(), _)
+    }
+
+    override string toString() { result = this.(CallNode).toString() }
+
+    override ControlFlowNode getKey() { result = this.getArg(0) }
+
+    override ControlFlowNode getValue() { result = this.getArg(1) }
+
+
+}
diff --git a/python/ql/src/semmle/python/web/pyramid/Response.qll b/python/ql/src/semmle/python/web/pyramid/Response.qll
@@ -3,6 +3,7 @@ import python
 
 import semmle.python.security.TaintTracking
 import semmle.python.security.strings.Basic
+import semmle.python.web.Http
 
 private import semmle.python.web.pyramid.View
 private import semmle.python.web.Http
@@ -27,3 +28,21 @@ class PyramidRoutedResponse extends HttpResponseTaintSink {
     }
 
 }
+
+
+class PyramidCookieSet extends CookieSet, CallNode {
+
+    PyramidCookieSet() {
+        exists(ControlFlowNode f |
+            f = this.getFunction().(AttrNode).getObject("set_cookie") and
+            f.refersTo(_, ModuleObject::named("pyramid").attr("Response"), _)
+        )
+    }
+
+    override string toString() { result = this.(CallNode).toString() }
+
+    override ControlFlowNode getKey() { result = this.getArg(0) }
+
+    override ControlFlowNode getValue() { result = this.getArg(1) }
+
+}
diff --git a/python/ql/src/semmle/python/web/tornado/Tornado.qll b/python/ql/src/semmle/python/web/tornado/Tornado.qll
