

Commit 8549c9c

committed
Python: Rewrite logic to split on nomalization
1 parent 3919255 commit 8549c9c

1 file changed

Lines changed: 28 additions & 25 deletions


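--- a/python/ql/src/experimental/Security-new-dataflow/CWE-022/PathInjection.ql
+++ b/python/ql/src/experimental/Security-new-dataflow/CWE-022/PathInjection.ql
@@ -25,35 +25,35 @@ import experimental.semmle.python.Concepts
 import experimental.dataflow.RemoteFlowSources
 import DataFlow::PathGraph
 
-/** Configuration to find paths from sources to sinks that contain no checks. */
-class UncheckedPathConfiguration extends TaintTracking::Configuration {
-  UncheckedPathConfiguration() { this = "UncheckedPathConfiguration" }
+/** Configuration to find paths from sources to sinks that contain no normalization. */
+class UnNormalizedPathConfiguration extends TaintTracking::Configuration {
+  UnNormalizedPathConfiguration() { this = "UnNormalizedPathConfiguration" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) {
     sink = any(FileSystemAccess e).getAPathArgument()
   }
 
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof PathCheck }
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof PathNormalization }
 }
 
-/** Configuration to find paths from sources to checks that contain no normalization. */
-class CheckUnnormalizedConfiguration extends TaintTracking2::Configuration {
-  CheckUnnormalizedConfiguration() { this = "CheckUnnormalizedConfiguration" }
+/** Configuration to find paths from sources to normalizations that contain no prior normalizations. */
+class FirstNormalizationConfiguration extends TaintTracking2::Configuration {
+  FirstNormalizationConfiguration() { this = "FirstNormalizationConfiguration" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof PathCheck }
+  override predicate isSink(DataFlow::Node sink) { sink instanceof PathNormalization }
 
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof PathNormalization }
+  override predicate isSanitizerOut(DataFlow::Node node) { node instanceof PathNormalization }
 }
 
-class CheckUnnormalized extends DataFlow2::PathNode {
+class FirstNormalization extends DataFlow2::PathNode {
   DataFlow::Node sourceNode;
 
-  CheckUnnormalized() {
-    exists(CheckUnnormalizedConfiguration conf, DataFlow2::PathNode source |
+  FirstNormalization() {
+    exists(FirstNormalizationConfiguration conf, DataFlow2::PathNode source |
       sourceNode = source.getNode() and
       conf.hasFlowPath(source, this)
     )
@@ -62,32 +62,35 @@ class CheckUnnormalized extends DataFlow2::PathNode {
   DataFlow::Node getSourceNode() { result = sourceNode }
 }
 
-/** Configuration to find paths from checks to sinks that contain no further checks. */
-class LastCheckConfiguration extends TaintTracking::Configuration {
-  LastCheckConfiguration() { this = "UncheckedPathConfiguration" }
+/** Configuration to find paths from normalizations to sinks that do not go through a check. */
+class UncheckedNormalizedConfiguration extends TaintTracking::Configuration {
+  UncheckedNormalizedConfiguration() { this = "UncheckedNormalizedConfiguration" }
 
-  override predicate isSource(DataFlow::Node source) {
-    source = any(CheckUnnormalized cu).getNode()
-  }
+  override predicate isSource(DataFlow::Node source) { source instanceof PathNormalization }
 
   override predicate isSink(DataFlow::Node sink) {
     sink = any(FileSystemAccess e).getAPathArgument()
   }
 
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof PathCheck }
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { guard instanceof PathCheck }
 }
 
 from TaintTracking::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where
-  // Path has no check on it.
-  config instanceof UncheckedPathConfiguration and
+  // Path has no normalization on it.
+  config instanceof UnNormalizedPathConfiguration and
+  config.hasFlowPath(source, sink)
+  or
+  // Path has a normalization on it, but no subsequent check.
+  config instanceof UncheckedNormalizedConfiguration and
   config.hasFlowPath(source, sink)
   or
-  // Path has a check on it, but no prior normalization.
-  config instanceof LastCheckConfiguration and
-  exists(DataFlow::PathNode c, CheckUnnormalized cu | cu.getNode() = c.getNode() |
+  // This should report a better source, but does not quite work.
+  // Path has a normalization on it, but no subsequent check.
+  config instanceof UncheckedNormalizedConfiguration and
+  exists(DataFlow::PathNode c, FirstNormalization n | n.getNode() = c.getNode() |
     config.hasFlowPath(c, sink) and
-    source.getNode() = cu.getSourceNode()
+    source.getNode() = n.getSourceNode()
   )
 select sink.getNode(), source, sink, "This path depends on $@.", source.getNode(),
   "a user-provided value"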
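Review bot: In the second `where` disjunct, `UncheckedNormalizedConfiguration.isSource` accepts any `PathNormalization` with no requirement that its input is remote-controlled, so a constant path that is normalized and then handed to a `FileSystemAccess` without a check is reported as well, and the `source` bound there is the normalization node even though the select message still says "a user-provided value". The third disjunct tries to recover the real source through `FirstNormalization` but, by its own comment, does not quite work, and it repeats the second disjunct's comment text, so a reader cannot tell the two apart. Until it does, the second disjunct could at least require a normalization that remote data reaches, `source.getNode() = any(FirstNormalization n).getNode() and` before `config.hasFlowPath(source, sink)`, which is the restriction the removed `isSource` of `LastCheckConfiguration` used to impose. Whether `guard instanceof PathCheck` in `isSanitizerGuard` filters anything depends on `PathCheck` being declared as a `DataFlow::BarrierGuard` in `experimental.semmle.python.Concepts`, which is outside this hunk.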
