
Commit 9eda84d

committed
Python: PathCheck -> Path::SafeAccessCheck
1 parent cf8462f commit 9eda84d

3 files changed

Lines changed: 36 additions & 37 deletions


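--- a/python/ql/src/experimental/Security-new-dataflow/CWE-022/PathInjection.ql
+++ b/python/ql/src/experimental/Security-new-dataflow/CWE-022/PathInjection.ql
@@ -56,7 +56,7 @@ class PathNotNormalizedConfiguration extends TaintTracking::Configuration {
 sink = any(FileSystemAccess e).getAPathArgument()
 }
 
-override predicate isSanitizer(DataFlow::Node node) { node instanceof PathNormalization }
+override predicate isSanitizer(DataFlow::Node node) { node instanceof Path::PathNormalization }
 }
 
 predicate pathNotNormalized(CustomPathNode source, CustomPathNode sink) {
@@ -72,22 +72,24 @@ class FirstNormalizationConfiguration extends TaintTracking::Configuration {
 
 override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-override predicate isSink(DataFlow::Node sink) { sink instanceof PathNormalization }
+override predicate isSink(DataFlow::Node sink) { sink instanceof Path::PathNormalization }
 
-override predicate isSanitizerOut(DataFlow::Node node) { node instanceof PathNormalization }
+override predicate isSanitizerOut(DataFlow::Node node) { node instanceof Path::PathNormalization }
 }
 
 /** Configuration to find paths from normalizations to sinks that do not go through a check. */
 class NormalizedPathNotCheckedConfiguration extends TaintTracking2::Configuration {
 NormalizedPathNotCheckedConfiguration() { this = "NormalizedPathNotCheckedConfiguration" }
 
-override predicate isSource(DataFlow::Node source) { source instanceof PathNormalization }
+override predicate isSource(DataFlow::Node source) { source instanceof Path::PathNormalization }
 
 override predicate isSink(DataFlow::Node sink) {
 sink = any(FileSystemAccess e).getAPathArgument()
 }
 
-override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { guard instanceof PathCheck }
+override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+guard instanceof Path::SafeAccessCheck
+}
 }
 
 predicate pathNotCheckedAfterNormalization(CustomPathNode source, CustomPathNode sink) {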

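--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -71,44 +71,41 @@ module FileSystemAccess {
 }
 }
 
-/**
-* A data-flow node that performs path normlization. This is often needed in oder
-* to safely access paths.
-*/
-class PathNormalization extends DataFlow::Node {
-PathNormalization::Range range;
-
-PathNormalization() { this = range }
-}
-
-/** Provides a class for modeling new path normalization APIs. */
-module PathNormalization {
+/** Provides classes for modeling path-related APIs. */
+module Path {
 /**
 * A data-flow node that performs path normlization. This is often needed in oder
 * to safely access paths.
 */
-abstract class Range extends DataFlow::Node { }
-}
+class PathNormalization extends DataFlow::Node {
+PathNormalization::Range range;
 
-/**
-* A data-flow node that checks validates a path, for instance checking that it exists
-* or that it is safe to access.
-*/
-class PathCheck extends DataFlow::BarrierGuard {
-PathCheck::Range range;
+PathNormalization() { this = range }
+}
 
-PathCheck() { this = range }
+/** Provides a class for modeling new path normalization APIs. */
+module PathNormalization {
+/**
+* A data-flow node that performs path normlization. This is often needed in oder
+* to safely access paths.
+*/
+abstract class Range extends DataFlow::Node { }
+}
 
-override predicate checks(ControlFlowNode node, boolean branch) { range.checks(node, branch) }
-}
+/** A data-flow node that checks that a path is safe to access. */
+class SafeAccessCheck extends DataFlow::BarrierGuard {
+SafeAccessCheck::Range range;
 
-/** Provides a class for modeling new path normalization APIs. */
-module PathCheck {
-/**
-* A data-flow node that checks validates a path, for instance checking that it exists
-* or that it is safe to access.
-*/
-abstract class Range extends DataFlow::BarrierGuard { }
+SafeAccessCheck() { this = range }
+
+override predicate checks(ControlFlowNode node, boolean branch) { range.checks(node, branch) }
+}
+
+/** Provides a class for modeling new path safety checks. */
+module SafeAccessCheck {
+/** A data-flow node that checks that a path is safe to access. */
+abstract class Range extends DataFlow::BarrierGuard { }
+}
 }
 
 /**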
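Review bot: The QLDoc on `SafeAccessCheck` (new line 95) and on its `Range` (new line 106) says only that the node "checks that a path is safe to access", without stating what a modelled check has to guarantee. PathInjection.ql uses this class in `isSanitizerGuard`, so every `Range` subclass removes alerts, and the contract should be spelled out for people adding models. I would extend the comment along the lines of `/** A guard that checks that a path is safe to access, e.g. that a normalized path stays inside a trusted directory. Only model checks that give this guarantee. */`. The QLDoc added at new lines 89-90 also copies the typos `normlization` and `oder` from context lines 77-78; both copies should read `normalization` and `order`.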

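--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -135,7 +135,7 @@ private module Stdlib {
 * A call to `os.path.normpath`.
 * See https://docs.python.org/3/library/os.path.html#os.path.normpath
 */
-private class NormpathCall extends PathNormalization::Range, DataFlow::CfgNode {
+private class NormpathCall extends Path::PathNormalization::Range, DataFlow::CfgNode {
 override CallNode node;
 
 NormpathCall() { node.getFunction() = os::path::path_attr("normpath").asCfgNode() }
@@ -735,7 +735,7 @@ private class OpenCall extends FileSystemAccess::Range, DataFlow::CfgNode {
 }
 }
 
-private class StartswithCall extends PathCheck::Range {
+private class StartswithCall extends Path::SafeAccessCheck::Range {
 StartswithCall() { this.(CallNode).getFunction().(AttrNode).getName() = "startswith" }
 
 override predicate checks(ControlFlowNode node, boolean branch) {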
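Review bot: `StartswithCall` (line 738) has no QLDoc, unlike `NormpathCall` above it, and its characteristic predicate on line 739 matches any call to an attribute named `startswith`. Under the new base class name, every such call is presented as a check that a path is safe to access, including prefix tests that have nothing to do with a trusted base directory, which would show up as missed results in the path-injection query. The body of `checks` continues past the hunk, so whether it narrows the match cannot be seen here. I would add a comment such as `/** A call to startswith, treated as a safe-access check. Matched by method name only, so prefix tests unrelated to a trusted directory are also accepted. */` so the limitation is visible to users of the model.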
