Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 99c1b20

Browse files
RasmusWLRasmusWL
committed
Pyhton: Extract vulnerable hostnames into own predicate
Which makes the code a bit cleaner (and made testing out back-tracking easier).
1 parent 4804a0a commit 99c1b20

1 file changed

Lines changed: 19 additions & 16 deletions

File tree

python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql

Lines changed: 19 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -14,47 +14,50 @@ import python
1414
import semmle.python.dataflow.new.DataFlow
1515
import semmle.python.ApiGraphs
1616

17+
/** Gets a hostname that can be used to bind to all interfaces. */
18+
private string vulnerableHostname() {
19+
result in [
20+
// IPv4
21+
"0.0.0.0", "",
22+
// IPv6
23+
"::", "::0"
24+
]
25+
}
26+
1727
/** Gets a reference to a hostname that can be used to bind to all interfaces. */
18-
private DataFlow::LocalSourceNode vulnerableHostname(DataFlow::TypeTracker t, string hostname) {
28+
private DataFlow::LocalSourceNode vulnerableHostnameRef(DataFlow::TypeTracker t, string hostname) {
1929
t.start() and
20-
exists(StrConst allInterfacesStrConst |
21-
hostname in [
22-
// IPv4
23-
"0.0.0.0", "",
24-
// IPv6
25-
"::", "::0"
26-
]
27-
|
30+
exists(StrConst allInterfacesStrConst | hostname = vulnerableHostname() |
2831
allInterfacesStrConst.getText() = hostname and
2932
result.asExpr() = allInterfacesStrConst
3033
)
3134
or
32-
// Due to bad performance when using normal setup with `vulnerableHostname(t2, hostname).track(t2, t)`
35+
// Due to bad performance when using normal setup with `vulnerableHostnameRef(t2, hostname).track(t2, t)`
3336
// we have inlined that code and forced a join
3437
exists(DataFlow::TypeTracker t2 |
3538
exists(DataFlow::StepSummary summary |
36-
vulnerableHostname_first_join(t2, hostname, result, summary) and
39+
vulnerableHostnameRef_first_join(t2, hostname, result, summary) and
3740
t = t2.append(summary)
3841
)
3942
)
4043
}
4144

4245
pragma[nomagic]
43-
private predicate vulnerableHostname_first_join(
46+
private predicate vulnerableHostnameRef_first_join(
4447
DataFlow::TypeTracker t2, string hostname, DataFlow::Node res, DataFlow::StepSummary summary
4548
) {
46-
DataFlow::StepSummary::step(vulnerableHostname(t2, hostname), res, summary)
49+
DataFlow::StepSummary::step(vulnerableHostnameRef(t2, hostname), res, summary)
4750
}
4851

4952
/** Gets a reference to a hostname that can be used to bind to all interfaces. */
50-
DataFlow::Node vulnerableHostname(string hostname) {
51-
vulnerableHostname(DataFlow::TypeTracker::end(), hostname).flowsTo(result)
53+
DataFlow::Node vulnerableHostnameRef(string hostname) {
54+
vulnerableHostnameRef(DataFlow::TypeTracker::end(), hostname).flowsTo(result)
5255
}
5356

5457
/** Gets a reference to tuple containing a hostname as the first element, that can be used to bind to all interfaces. */
5558
private DataFlow::LocalSourceNode vulnerableAddressTuple(DataFlow::TypeTracker t, string hostname) {
5659
t.start() and
57-
result.asExpr() = any(Tuple tup | tup.getElt(0) = vulnerableHostname(hostname).asExpr())
60+
result.asExpr() = any(Tuple tup | tup.getElt(0) = vulnerableHostnameRef(hostname).asExpr())
5861
or
5962
// Due to bad performance when using normal setup with `vulnerableAddressTuple(t2, hostname).track(t2, t)`
6063
// we have inlined that code and forced a join

0 commit comments

Comments
 (0)