|
2 | 2 | * Provides taint-tracking configurations for detecting "path injection" vulnerabilities. |
3 | 3 | * |
4 | 4 | * Note, for performance reasons: only import this file if |
5 | | - * the Configurations or the `pathInjection` predicate are needed, otherwise |
| 5 | + * `PathInjection::Configuration` is needed, otherwise |
6 | 6 | * `PathInjectionCustomizations` should be imported instead. |
7 | 7 | */ |
8 | 8 |
|
9 | 9 | private import python |
10 | 10 | private import semmle.python.Concepts |
11 | | -private import semmle.python.dataflow.new.DataFlow |
12 | | -private import semmle.python.dataflow.new.DataFlow2 |
13 | | -private import semmle.python.dataflow.new.TaintTracking |
14 | | -private import semmle.python.dataflow.new.TaintTracking2 |
15 | | -import ChainedConfigs12 |
16 | | -import PathInjectionCustomizations::PathInjection |
17 | | - |
18 | | -// --------------------------------------------------------------------------- |
19 | | -// Case 1. The path is never normalized. |
20 | | -// --------------------------------------------------------------------------- |
21 | | -/** Configuration to find paths from sources to sinks that contain no normalization. */ |
22 | | -class PathNotNormalizedConfiguration extends TaintTracking::Configuration { |
23 | | - PathNotNormalizedConfiguration() { this = "PathNotNormalizedConfiguration" } |
24 | | - |
25 | | - override predicate isSource(DataFlow::Node source) { source instanceof Source } |
26 | | - |
27 | | - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } |
28 | | - |
29 | | - override predicate isSanitizer(DataFlow::Node node) { |
30 | | - node instanceof Sanitizer |
31 | | - or |
32 | | - node instanceof Path::PathNormalization |
33 | | - } |
34 | | - |
35 | | - override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { |
36 | | - guard instanceof SanitizerGuard |
37 | | - } |
38 | | -} |
| 11 | +import semmle.python.dataflow.new.DataFlow |
| 12 | +import semmle.python.dataflow.new.TaintTracking |
39 | 13 |
|
40 | 14 | /** |
41 | | - * Holds if there is a path injection from source to sink, where the (python) path is |
42 | | - * not normalized. |
| 15 | + * Provides a taint-tracking configuration for detecting "path injection" vulnerabilities. |
43 | 16 | */ |
44 | | -predicate pathNotNormalized(CustomPathNode source, CustomPathNode sink) { |
45 | | - any(PathNotNormalizedConfiguration config).hasFlowPath(source.asNode1(), sink.asNode1()) |
46 | | -} |
47 | | - |
48 | | -// --------------------------------------------------------------------------- |
49 | | -// Case 2. The path is normalized at least once, but never checked afterwards. |
50 | | -// --------------------------------------------------------------------------- |
51 | | -/** Configuration to find paths from sources to normalizations that contain no prior normalizations. */ |
52 | | -class FirstNormalizationConfiguration extends TaintTracking::Configuration { |
53 | | - FirstNormalizationConfiguration() { this = "FirstNormalizationConfiguration" } |
54 | | - |
55 | | - override predicate isSource(DataFlow::Node source) { source instanceof Source } |
56 | | - |
57 | | - override predicate isSink(DataFlow::Node sink) { sink instanceof Path::PathNormalization } |
58 | | - |
59 | | - override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } |
60 | | - |
61 | | - override predicate isSanitizerOut(DataFlow::Node node) { node instanceof Path::PathNormalization } |
62 | | - |
63 | | - override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { |
64 | | - guard instanceof SanitizerGuard |
| 17 | +module PathInjection { |
| 18 | + import PathInjectionCustomizations::PathInjection |
| 19 | + |
| 20 | + /** |
| 21 | + * A taint-tracking configuration for detecting "path injection" vulnerabilities. |
| 22 | + * |
| 23 | + * This configuration uses two flow states, `NotNormalized` and `NormalizedUnchecked`, |
| 24 | + * to track the requirement that a file path must be first normalized and then checked |
| 25 | + * before it is safe to use. |
| 26 | + * |
| 27 | + * At sources, paths are assumed not normalized. At normalization points, they change |
| 28 | + * state to `NormalizedUnchecked` after which they can be made safe by an appropriate |
| 29 | + * check of the prefix. |
| 30 | + * |
| 31 | + * Such checks are ineffective in the `NotNormalized` state. |
| 32 | + */ |
| 33 | + class Configuration extends TaintTracking::Configuration { |
| 34 | + Configuration() { this = "PathInjection" } |
| 35 | + |
| 36 | + override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) { |
| 37 | + source instanceof Source and state instanceof NotNormalized |
| 38 | + } |
| 39 | + |
| 40 | + override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) { |
| 41 | + sink instanceof Sink and |
| 42 | + ( |
| 43 | + state instanceof NotNormalized or |
| 44 | + state instanceof NormalizedUnchecked |
| 45 | + ) |
| 46 | + } |
| 47 | + |
| 48 | + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } |
| 49 | + |
| 50 | + override predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) { |
| 51 | + // Block `NotNormalized` paths here, since they change state to `NormalizedUnchecked` |
| 52 | + node instanceof Path::PathNormalization and |
| 53 | + state instanceof NotNormalized |
| 54 | + or |
| 55 | + node = any(Path::SafeAccessCheck c).getAGuardedNode() and |
| 56 | + state instanceof NormalizedUnchecked |
| 57 | + } |
| 58 | + |
| 59 | + override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { |
| 60 | + guard instanceof SanitizerGuard |
| 61 | + } |
| 62 | + |
| 63 | + override predicate isAdditionalFlowStep( |
| 64 | + DataFlow::Node nodeFrom, DataFlow::FlowState stateFrom, DataFlow::Node nodeTo, |
| 65 | + DataFlow::FlowState stateTo |
| 66 | + ) { |
| 67 | + nodeFrom = nodeTo.(Path::PathNormalization).getPathArg() and |
| 68 | + stateFrom instanceof NotNormalized and |
| 69 | + stateTo instanceof NormalizedUnchecked |
| 70 | + } |
65 | 71 | } |
66 | | -} |
67 | | - |
68 | | -/** Configuration to find paths from normalizations to sinks that do not go through a check. */ |
69 | | -class NormalizedPathNotCheckedConfiguration extends TaintTracking2::Configuration { |
70 | | - NormalizedPathNotCheckedConfiguration() { this = "NormalizedPathNotCheckedConfiguration" } |
71 | | - |
72 | | - override predicate isSource(DataFlow::Node source) { source instanceof Path::PathNormalization } |
73 | | - |
74 | | - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } |
75 | | - |
76 | | - override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } |
77 | 72 |
|
78 | | - override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { |
79 | | - guard instanceof Path::SafeAccessCheck |
80 | | - or |
81 | | - guard instanceof SanitizerGuard |
| 73 | + /** A state signifying that the file path has not been normalized. */ |
| 74 | + class NotNormalized extends DataFlow::FlowState { |
| 75 | + NotNormalized() { this = "NotNormalized" } |
82 | 76 | } |
83 | | -} |
84 | | - |
85 | | -/** |
86 | | - * Holds if there is a path injection from source to sink, where the (python) path is |
87 | | - * normalized at least once, but never checked afterwards. |
88 | | - */ |
89 | | -predicate pathNotCheckedAfterNormalization(CustomPathNode source, CustomPathNode sink) { |
90 | | - exists( |
91 | | - FirstNormalizationConfiguration config, DataFlow::PathNode mid1, DataFlow2::PathNode mid2, |
92 | | - NormalizedPathNotCheckedConfiguration config2 |
93 | | - | |
94 | | - config.hasFlowPath(source.asNode1(), mid1) and |
95 | | - config2.hasFlowPath(mid2, sink.asNode2()) and |
96 | | - mid1.getNode().asCfgNode() = mid2.getNode().asCfgNode() |
97 | | - ) |
98 | | -} |
99 | 77 |
|
100 | | -// --------------------------------------------------------------------------- |
101 | | -// Query: Either case 1 or case 2. |
102 | | -// --------------------------------------------------------------------------- |
103 | | -/** Holds if there is a path injection from source to sink */ |
104 | | -predicate pathInjection(CustomPathNode source, CustomPathNode sink) { |
105 | | - pathNotNormalized(source, sink) |
106 | | - or |
107 | | - pathNotCheckedAfterNormalization(source, sink) |
| 78 | + /** A state signifying that the file path has been normalized, but not checked. */ |
| 79 | + class NormalizedUnchecked extends DataFlow::FlowState { |
| 80 | + NormalizedUnchecked() { this = "NormalizedUnchecked" } |
| 81 | + } |
108 | 82 | } |
0 commit comments