@@ -61,23 +61,6 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
6161 }
6262
6363 override predicate isAdditionalTaintStep ( DataFlow:: Node nodeFrom , DataFlow:: Node nodeTo ) {
64- // Writing the response data to the archive
65- exists ( Stdlib:: FileLikeObject:: InstanceSource is , Node f , MethodCallNode mc |
66- is .flowsTo ( f ) and
67- mc .calls ( f , "write" ) and
68- nodeFrom = mc .getArg ( 0 ) and
69- nodeTo = is .( CallCfgNode ) .getArg ( 0 )
70- )
71- or
72- // Copying the response data to the archive
73- exists ( Stdlib:: FileLikeObject:: InstanceSource is , Node f , MethodCallNode mc |
74- is .flowsTo ( f ) and
75- mc = API:: moduleImport ( "shutil" ) .getMember ( "copyfileobj" ) .getACall ( ) and
76- f = mc .getArg ( 1 ) and
77- nodeFrom = mc .getArg ( 0 ) and
78- nodeTo = is .( CallCfgNode ) .getArg ( 0 )
79- )
80- or
8164 // Reading the response
8265 exists ( MethodCallNode mc |
8366 nodeFrom = mc .getObject ( ) and
@@ -94,20 +77,37 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
9477 or
9578 // Write for access
9679 exists ( MethodCallNode cn |
97- nodeTo = cn .getObject ( ) and
80+ nodeFrom = cn .getObject ( ) and
9881 cn .getMethodName ( ) = "write" and
99- nodeFrom = cn .getArg ( 0 )
82+ nodeTo = cn .getArg ( 0 )
10083 )
10184 or
10285 // Retrieve Django uploaded files
10386 // see HttpRequest.FILES.getlist(): https://docs.djangoproject.com/en/4.1/ref/request-response/#django.http.QueryDict.getlist
10487 exists ( MethodCallNode mc |
105- nodeFrom = mc .getObject ( ) and mc .getMethodName ( ) = [ "getlist" , "get" ] and nodeTo = mc
88+ nodeFrom = mc .getObject ( ) and
89+ mc .getMethodName ( ) = [ "getlist" , "get" ] and
90+ nodeTo = mc
10691 )
10792 or
10893 // Accessing the name or raw content
10994 exists ( AttrRead ar | ar .accesses ( nodeFrom , [ "name" , "raw" ] ) and ar .flowsTo ( nodeTo ) )
11095 or
96+ // Considering the use of "fs"
97+ exists ( API:: CallNode fs , MethodCallNode mcn |
98+ fs =
99+ API:: moduleImport ( "django" )
100+ .getMember ( "core" )
101+ .getMember ( "files" )
102+ .getMember ( "storage" )
103+ .getMember ( "FileSystemStorage" )
104+ .getACall ( ) and
105+ fs .flowsTo ( mcn .getObject ( ) ) and
106+ mcn .getMethodName ( ) = [ "save" , "path" ] and
107+ nodeFrom = mcn .getArg ( 0 ) and
108+ nodeTo = mcn
109+ )
110+ or
111111 //Use of join of filename
112112 exists ( API:: CallNode mcn |
113113 mcn = API:: moduleImport ( "os" ) .getMember ( "path" ) .getMember ( "join" ) .getACall ( ) and
@@ -120,26 +120,19 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
120120 nodeFrom = mc .getObject ( ) and mc .getMethodName ( ) = "chunks" and mc .flowsTo ( nodeTo )
121121 )
122122 or
123- // Considering the use of closing()
124- exists ( API :: CallNode closing |
125- closing = API :: moduleImport ( "contextlib" ) . getMember ( "closing" ) . getACall ( ) and
126- closing . flowsTo ( nodeTo ) and
127- nodeFrom = closing .getArg ( 0 )
123+ // Write access
124+ exists ( MethodCallNode cn |
125+ nodeTo = cn . getObject ( ) and
126+ cn . getMethodName ( ) = "write" and
127+ nodeFrom = cn .getArg ( 0 )
128128 )
129129 or
130- // Considering the use of "fs"
131- exists ( API:: CallNode fs , MethodCallNode mcn |
132- fs =
133- API:: moduleImport ( "django" )
134- .getMember ( "core" )
135- .getMember ( "files" )
136- .getMember ( "storage" )
137- .getMember ( "FileSystemStorage" )
138- .getACall ( ) and
139- fs .flowsTo ( mcn .getObject ( ) ) and
140- mcn .getMethodName ( ) = [ "save" , "path" ] and
141- nodeFrom = mcn .getArg ( 0 ) and
142- nodeTo = mcn
130+ // Writing the response data to the archive
131+ exists ( Stdlib:: FileLikeObject:: InstanceSource is , Node f , MethodCallNode mc |
132+ is .flowsTo ( f ) and
133+ mc .calls ( f , "write" ) and
134+ nodeFrom = mc .getArg ( 0 ) and
135+ nodeTo = is .( CallCfgNode ) .getArg ( 0 )
143136 )
144137 }
145138}
0 commit comments