Seperate the dataflow config from the query

Sim4n6 · Sim4n6 · commit aaa004061252 · 2023-01-26T08:53:47.000+01:00
diff --git a/python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpack.ql b/python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpack.ql
@@ -10,141 +10,13 @@
  * @security-severity 7.5
  * @precision high
  * @tags security
+ *       experimental
  *       external/cwe/cwe-022
  */
 
 import python
-import semmle.python.Concepts
-import semmle.python.dataflow.new.internal.DataFlowPublic
-import semmle.python.ApiGraphs
+import UnsafeUnpackQuery
 import DataFlow::PathGraph
-import semmle.python.dataflow.new.TaintTracking
-import semmle.python.frameworks.Stdlib
-
-class UnsafeUnpackingConfig extends TaintTracking::Configuration {
-  UnsafeUnpackingConfig() { this = "UnsafeUnpackingConfig" }
-
-  override predicate isSource(DataFlow::Node source) {
-    // A source coming from a remote location
-    exists(Http::Client::Request request | source = request)
-    or
-    // A source coming from a CLI argparse module
-    // see argparse: https://docs.python.org/3/library/argparse.html
-    exists(MethodCallNode args |
-      args = source.(AttrRead).getObject().getALocalSource() and
-      args =
-        API::moduleImport("argparse")
-            .getMember("ArgumentParser")
-            .getACall()
-            .getReturn()
-            .getMember("parse_args")
-            .getACall()
-    )
-    or
-    // A source catching an S3 filename download
-    // see boto3: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html#S3.Client.download_file
-    exists(MethodCallNode mcn, Node s3, Node bc |
-      bc = API::moduleImport("boto3").getMember("client").getACall() and
-      bc = s3.getALocalSource() and
-      mcn.calls(s3, "download_file") and
-      source = mcn.getArg(2)
-    )
-    or
-    // A source download a file using wget
-    // see wget: https://pypi.org/project/wget/
-    exists(API::CallNode mcn |
-      mcn = API::moduleImport("wget").getMember("download").getACall() and
-      (
-        source = mcn.getArg(1)
-        or
-        source = mcn.getReturn().asSource() and not exists(Node arg | arg = mcn.getArg(1))
-      )
-    )
-    or
-    // catch the uploaded files as a source
-    exists(Subscript s, Attribute at |
-      at = s.getObject() and at.getAttr() = "FILES" and source.asExpr() = s
-    )
-    or
-    exists(Node obj, AttrRead ar |
-      ar.getAMethodCall("get").flowsTo(source) and
-      ar.accesses(obj, "FILES")
-    )
-    or
-    exists(Node obj, AttrRead ar |
-      ar.getAMethodCall("getlist").flowsTo(source) and
-      ar.accesses(obj, "FILES")
-    )
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    // A sink capturing method calls to `unpack_archive`.
-    sink = API::moduleImport("shutil").getMember("unpack_archive").getACall().getArg(0)
-  }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    // Writing the response data to the archive
-    exists(Stdlib::FileLikeObject::InstanceSource is, Node f, MethodCallNode mc |
-      is.flowsTo(f) and
-      mc.calls(f, "write") and
-      nodeFrom = mc.getArg(0) and
-      nodeTo = is.(CallCfgNode).getArg(0)
-    )
-    or
-    // Copying the response data to the archive
-    exists(Stdlib::FileLikeObject::InstanceSource is, Node f, MethodCallNode mc |
-      is.flowsTo(f) and
-      mc = API::moduleImport("shutil").getMember("copyfileobj").getACall() and
-      f = mc.getArg(1) and
-      nodeFrom = mc.getArg(0) and
-      nodeTo = is.(CallCfgNode).getArg(0)
-    )
-    or
-    // Reading the response
-    exists(MethodCallNode mc |
-      nodeFrom = mc.getObject() and
-      mc.getMethodName() = "read" and
-      mc.flowsTo(nodeTo)
-    )
-    or
-    // Accessing the name or raw content
-    exists(AttrRead ar | ar.accesses(nodeFrom, ["name", "raw"]) and ar.flowsTo(nodeTo))
-    or
-    //Use of join of filename
-    exists(API::CallNode mcn |
-      mcn = API::moduleImport("os").getMember("path").getMember("join").getACall() and
-      nodeFrom = mcn.getArg(1) and
-      mcn.flowsTo(nodeTo)
-    )
-    or
-    // Read by chunks
-    exists(MethodCallNode mc |
-      nodeFrom = mc.getObject() and mc.getMethodName() = "chunks" and mc.flowsTo(nodeTo)
-    )
-    or
-    // Considering the use of closing()
-    exists(API::CallNode closing |
-      closing = API::moduleImport("contextlib").getMember("closing").getACall() and
-      closing.flowsTo(nodeTo) and
-      nodeFrom = closing.getArg(0)
-    )
-    or
-    // Considering the use of "fs"
-    exists(API::CallNode fs, MethodCallNode mcn |
-      fs =
-        API::moduleImport("django")
-            .getMember("core")
-            .getMember("files")
-            .getMember("storage")
-            .getMember("FileSystemStorage")
-            .getACall() and
-      fs.flowsTo(mcn.getObject()) and
-      mcn.getMethodName() = ["save", "path"] and
-      nodeFrom = mcn.getArg(0) and
-      nodeTo = mcn
-    )
-  }
-}
 
 from UnsafeUnpackingConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
diff --git a/python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpackQuery.qll b/python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpackQuery.qll
@@ -0,0 +1,137 @@
+/**
+ * 
+ *  Provides a taint-tracking configuration for detecting "UnsafeUnpacking" vulnerabilities.
+ * 
+ */
+
+import python
+import semmle.python.Concepts
+import semmle.python.dataflow.new.internal.DataFlowPublic
+import semmle.python.ApiGraphs
+import semmle.python.dataflow.new.TaintTracking
+import semmle.python.frameworks.Stdlib
+
+class UnsafeUnpackingConfig extends TaintTracking::Configuration {
+  UnsafeUnpackingConfig() { this = "UnsafeUnpackingConfig" }
+
+  override predicate isSource(DataFlow::Node source) {
+    // A source coming from a remote location
+    exists(Http::Client::Request request | source = request)
+    or
+    // A source coming from a CLI argparse module
+    // see argparse: https://docs.python.org/3/library/argparse.html
+    exists(MethodCallNode args |
+      args = source.(AttrRead).getObject().getALocalSource() and
+      args =
+        API::moduleImport("argparse")
+            .getMember("ArgumentParser")
+            .getACall()
+            .getReturn()
+            .getMember("parse_args")
+            .getACall()
+    )
+    or
+    // A source catching an S3 filename download
+    // see boto3: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html#S3.Client.download_file
+    exists(MethodCallNode mcn, Node s3, Node bc |
+      bc = API::moduleImport("boto3").getMember("client").getACall() and
+      bc = s3.getALocalSource() and
+      mcn.calls(s3, "download_file") and
+      source = mcn.getArg(2)
+    )
+    or
+    // A source download a file using wget
+    // see wget: https://pypi.org/project/wget/
+    exists(API::CallNode mcn |
+      mcn = API::moduleImport("wget").getMember("download").getACall() and
+      (
+        source = mcn.getArg(1)
+        or
+        source = mcn.getReturn().asSource() and not exists(Node arg | arg = mcn.getArg(1))
+      )
+    )
+    or
+    // catch the uploaded files as a source
+    exists(Subscript s, Attribute at |
+      at = s.getObject() and at.getAttr() = "FILES" and source.asExpr() = s
+    )
+    or
+    exists(Node obj, AttrRead ar |
+      ar.getAMethodCall("get").flowsTo(source) and
+      ar.accesses(obj, "FILES")
+    )
+    or
+    exists(Node obj, AttrRead ar |
+      ar.getAMethodCall("getlist").flowsTo(source) and
+      ar.accesses(obj, "FILES")
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    // A sink capturing method calls to `unpack_archive`.
+    sink = API::moduleImport("shutil").getMember("unpack_archive").getACall().getArg(0)
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    // Writing the response data to the archive
+    exists(Stdlib::FileLikeObject::InstanceSource is, Node f, MethodCallNode mc |
+      is.flowsTo(f) and
+      mc.calls(f, "write") and
+      nodeFrom = mc.getArg(0) and
+      nodeTo = is.(CallCfgNode).getArg(0)
+    )
+    or
+    // Copying the response data to the archive
+    exists(Stdlib::FileLikeObject::InstanceSource is, Node f, MethodCallNode mc |
+      is.flowsTo(f) and
+      mc = API::moduleImport("shutil").getMember("copyfileobj").getACall() and
+      f = mc.getArg(1) and
+      nodeFrom = mc.getArg(0) and
+      nodeTo = is.(CallCfgNode).getArg(0)
+    )
+    or
+    // Reading the response
+    exists(MethodCallNode mc |
+      nodeFrom = mc.getObject() and
+      mc.getMethodName() = "read" and
+      mc.flowsTo(nodeTo)
+    )
+    or
+    // Accessing the name or raw content
+    exists(AttrRead ar | ar.accesses(nodeFrom, ["name", "raw"]) and ar.flowsTo(nodeTo))
+    or
+    //Use of join of filename
+    exists(API::CallNode mcn |
+      mcn = API::moduleImport("os").getMember("path").getMember("join").getACall() and
+      nodeFrom = mcn.getArg(1) and
+      mcn.flowsTo(nodeTo)
+    )
+    or
+    // Read by chunks
+    exists(MethodCallNode mc |
+      nodeFrom = mc.getObject() and mc.getMethodName() = "chunks" and mc.flowsTo(nodeTo)
+    )
+    or
+    // Considering the use of closing()
+    exists(API::CallNode closing |
+      closing = API::moduleImport("contextlib").getMember("closing").getACall() and
+      closing.flowsTo(nodeTo) and
+      nodeFrom = closing.getArg(0)
+    )
+    or
+    // Considering the use of "fs"
+    exists(API::CallNode fs, MethodCallNode mcn |
+      fs =
+        API::moduleImport("django")
+            .getMember("core")
+            .getMember("files")
+            .getMember("storage")
+            .getMember("FileSystemStorage")
+            .getACall() and
+      fs.flowsTo(mcn.getObject()) and
+      mcn.getMethodName() = ["save", "path"] and
+      nodeFrom = mcn.getArg(0) and
+      nodeTo = mcn
+    )
+  }
+}
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022/DataflowQueryTest.expected b/python/ql/test/experimental/query-tests/Security/CWE-022/DataflowQueryTest.expected
@@ -1,8 +1,2 @@
 missingAnnotationOnSink
 failures
-| UnsafeUnpack.py:12:46:12:58 | Comment # $result=BAD | Missing result:result=BAD |
-| UnsafeUnpack.py:55:53:55:65 | Comment # $result=BAD | Missing result:result=BAD |
-| UnsafeUnpack.py:71:51:71:63 | Comment # $result=BAD | Missing result:result=BAD |
-| UnsafeUnpack.py:85:50:85:62 | Comment # $result=BAD | Missing result:result=BAD |
-| UnsafeUnpack.py:89:50:89:62 | Comment # $result=BAD | Missing result:result=BAD |
-| UnsafeUnpack.py:103:50:103:62 | Comment # $result=BAD | Missing result:result=BAD |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022/DataflowQueryTest.ql b/python/ql/test/experimental/query-tests/Security/CWE-022/DataflowQueryTest.ql
@@ -1,2 +1,3 @@
 import python
 import experimental.dataflow.TestUtil.DataflowQueryTest
+import UnsafeUnpackQuery

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`import python`
`2`	`2`	`import experimental.dataflow.TestUtil.DataflowQueryTest`
	`3`	`+import UnsafeUnpackQuery`