Python: Remove flow out of CommandInjection sinks

RasmusWL · RasmusWL · commit 9c1253c8af93 · 2020-09-30T13:29:40.000+02:00
diff --git a/python/ql/src/experimental/Security-new-dataflow/CWE-078/CommandInjection.ql b/python/ql/src/experimental/Security-new-dataflow/CWE-078/CommandInjection.ql
@@ -29,6 +29,17 @@ class CommandInjectionConfiguration extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) {
     sink = any(SystemCommandExecution e).getCommand()
   }
+
+  // Since the implementation of os.popen looks like
+  // ```py
+  // def popen(cmd, mode="r", buffering=-1):
+  //     ...
+  //     proc = subprocess.Popen(cmd, ...)
+  // ```
+  // any time we would report flow to the `os.popen` sink, we can ALSO report the flow
+  // from the `cmd` parameter to the `subprocess.Popen` sink -- obviously we don't want
+  // that, so to prevent that we remove any taint edges out of a sink.
+  override predicate isSanitizerOut(DataFlow::Node node) { isSink(node) }
 }
 
 from CommandInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
diff --git a/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-078/CommandInjection.expected b/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-078/CommandInjection.expected
@@ -2,24 +2,14 @@ edges
 | command_injection.py:10:13:10:24 | ControlFlowNode for Attribute | command_injection.py:12:15:12:27 | ControlFlowNode for BinaryExpr |
 | command_injection.py:24:11:24:22 | ControlFlowNode for Attribute | command_injection.py:25:23:25:25 | ControlFlowNode for cmd |
 | command_injection.py:30:13:30:24 | ControlFlowNode for Attribute | command_injection.py:32:14:32:26 | ControlFlowNode for BinaryExpr |
-| command_injection.py:30:13:30:24 | ControlFlowNode for Attribute | command_injection.py:32:14:32:26 | ControlFlowNode for BinaryExpr |
-| command_injection.py:32:14:32:26 | ControlFlowNode for BinaryExpr | file:///home/rasmus/.pyenv/versions/3.8.0/lib/python3.8/os.py:972:11:972:13 | SSA variable cmd |
-| file:///home/rasmus/.pyenv/versions/3.8.0/lib/python3.8/os.py:972:11:972:13 | SSA variable cmd | file:///home/rasmus/.pyenv/versions/3.8.0/lib/python3.8/os.py:981:33:981:35 | ControlFlowNode for cmd |
-| file:///home/rasmus/.pyenv/versions/3.8.0/lib/python3.8/os.py:972:11:972:13 | SSA variable cmd | file:///home/rasmus/.pyenv/versions/3.8.0/lib/python3.8/os.py:987:33:987:35 | ControlFlowNode for cmd |
 nodes
 | command_injection.py:10:13:10:24 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | command_injection.py:12:15:12:27 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
 | command_injection.py:24:11:24:22 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | command_injection.py:25:23:25:25 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
 | command_injection.py:30:13:30:24 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | command_injection.py:32:14:32:26 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
-| command_injection.py:32:14:32:26 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
-| file:///home/rasmus/.pyenv/versions/3.8.0/lib/python3.8/os.py:972:11:972:13 | SSA variable cmd | semmle.label | SSA variable cmd |
-| file:///home/rasmus/.pyenv/versions/3.8.0/lib/python3.8/os.py:981:33:981:35 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
-| file:///home/rasmus/.pyenv/versions/3.8.0/lib/python3.8/os.py:987:33:987:35 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
 #select
 | command_injection.py:12:15:12:27 | ControlFlowNode for BinaryExpr | command_injection.py:10:13:10:24 | ControlFlowNode for Attribute | command_injection.py:12:15:12:27 | ControlFlowNode for BinaryExpr | This command depends on $@. | command_injection.py:10:13:10:24 | ControlFlowNode for Attribute | a user-provided value |
 | command_injection.py:25:23:25:25 | ControlFlowNode for cmd | command_injection.py:24:11:24:22 | ControlFlowNode for Attribute | command_injection.py:25:23:25:25 | ControlFlowNode for cmd | This command depends on $@. | command_injection.py:24:11:24:22 | ControlFlowNode for Attribute | a user-provided value |
 | command_injection.py:32:14:32:26 | ControlFlowNode for BinaryExpr | command_injection.py:30:13:30:24 | ControlFlowNode for Attribute | command_injection.py:32:14:32:26 | ControlFlowNode for BinaryExpr | This command depends on $@. | command_injection.py:30:13:30:24 | ControlFlowNode for Attribute | a user-provided value |
-| file:///home/rasmus/.pyenv/versions/3.8.0/lib/python3.8/os.py:981:33:981:35 | ControlFlowNode for cmd | command_injection.py:30:13:30:24 | ControlFlowNode for Attribute | file:///home/rasmus/.pyenv/versions/3.8.0/lib/python3.8/os.py:981:33:981:35 | ControlFlowNode for cmd | This command depends on $@. | command_injection.py:30:13:30:24 | ControlFlowNode for Attribute | a user-provided value |
-| file:///home/rasmus/.pyenv/versions/3.8.0/lib/python3.8/os.py:987:33:987:35 | ControlFlowNode for cmd | command_injection.py:30:13:30:24 | ControlFlowNode for Attribute | file:///home/rasmus/.pyenv/versions/3.8.0/lib/python3.8/os.py:987:33:987:35 | ControlFlowNode for cmd | This command depends on $@. | command_injection.py:30:13:30:24 | ControlFlowNode for Attribute | a user-provided value |
