
Commit 9b5b0c6

committed
Handle the download of a tarball using wget pkg.
1 parent 22af6f5 commit 9b5b0c6

2 files changed

Lines changed: 28 additions & 3 deletions


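--- a/python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpack.ql
+++ b/python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpack.ql
@@ -46,8 +46,14 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
 )
 or
 // A source download a file using wget
-exists(MethodCallNode mcn |
-mcn = API::moduleImport("wget").getMember("download").getACall() and source = mcn.getArg(1)
+// see wget: https://pypi.org/project/wget/
+exists(API::CallNode mcn |
+mcn = API::moduleImport("wget").getMember("download").getACall() and
+(
+source = mcn.getArg(1)
+or
+source = mcn.getReturn().asSource() and not exists(Node arg | arg = mcn.getArg(1))
+)
 )
 or
 // catch the uploaded files as a source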
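Review bot: The new disjunction only recognizes the destination when it is passed positionally (`mcn.getArg(1)`), so a call written as `wget.download(url, out=path)` followed by `shutil.unpack_archive(path, ...)` is not a source at all: `getArg(1)` has no match, and the fallback on the return value only helps if the caller actually assigns the result. The pypi wget `download(url, out=None, bar=...)` signature makes the keyword form at least as common as the positional one. Consider matching both, e.g. `source = [mcn.getArg(1), mcn.getArgByName("out")]` for the first branch and `not exists([mcn.getArg(1), mcn.getArgByName("out")])` for the guard on the return-value branch (exact API-graph predicate names should be confirmed against the version of the Python library in use). The enclosing `UnsafeUnpackingConfig` class and its `isSource` predicate start and end outside this hunk.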

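--- a/python/ql/test/experimental/query-tests/Security/CWE-022/UnsafeUnpack.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-022/UnsafeUnpack.py
@@ -59,6 +59,7 @@
 # A source catching an S3 filename download
 # see boto3: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html#S3.Client.download_file
 import boto3
+import os
 
 remote_ziped_name = "remote_name.tar.gz"
 base_dir = "/tmp/basedir"
@@ -67,4 +68,22 @@
 
 s3 = boto3.client('s3')
 s3.download_file(bucket_name, remote_ziped_name, local_ziped_path)
-shutil.unpack_archive(local_ziped_path, base_dir) # $result=BAD
+shutil.unpack_archive(local_ziped_path, base_dir) # $result=BAD
+
+
+# wget
+# see wget: https://pypi.org/project/wget/
+import wget
+import os
+
+url = "https://some.remote/location/remote_name.tar.xz"
+compressed_file = "/tmp/basedir/local_name.tar.xz"
+base_dir = "/tmp/basedir"
+
+# download(url, out, bar) contains out parameter
+wget.download(url, compressed_file)
+shutil.unpack_archive(compressed_file, base_dir) # $result=BAD
+
+# download(url) returns filename
+compressed_file = wget.download(url)
+shutil.unpack_archive(compressed_file, base_dir) # $result=BAD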
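Review bot: The two new wget cases exercise only the positional `out` argument and the bare return value, so the query is never tested against the keyword form `out=...`, which the pypi wget package documents and which the query's `getArg(1)` branch does not match; a third case such as `wget.download(url, out=compressed_file)` followed by `shutil.unpack_archive(compressed_file, base_dir) # $result=BAD` would pin that down (and would currently expose the gap). The `import os` added in both hunks is never used by the new statements and can be dropped. The comment `# download(url, out, bar) contains out parameter` would read better as `# download(url, out=None, bar=...) — out names the destination file`.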
