Python: Move PamAuthorization to new dataflow API

RasmusWL · RasmusWL · commit cca78f31ff03 · 2023-08-28T15:27:50.000+02:00
diff --git a/python/ql/lib/semmle/python/security/dataflow/PamAuthorizationQuery.qll b/python/ql/lib/semmle/python/security/dataflow/PamAuthorizationQuery.qll
@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import PamAuthorizationCustomizations::PamAuthorizationCustomizations
 
 /**
+ * DEPRECATED: Use `PamAuthorizationFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "PAM Authorization" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "PamAuthorization" }
 
   override predicate isSource(DataFlow::Node node) { node instanceof Source }
@@ -37,3 +39,28 @@ class Configuration extends TaintTracking::Configuration {
     exists(VulnPamAuthCall c | c.getArg(0) = node1 | node2 = c)
   }
 }
+
+private module PamAuthorizationConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    // Models flow from a remotely supplied username field to a PAM `handle`.
+    // `retval = pam_start(service, username, byref(conv), byref(handle))`
+    exists(API::CallNode pamStart, DataFlow::Node handle, API::CallNode pointer |
+      pointer = API::moduleImport("ctypes").getMember(["pointer", "byref"]).getACall() and
+      pamStart = libPam().getMember("pam_start").getACall() and
+      pointer = pamStart.getArg(3) and
+      handle = pointer.getArg(0) and
+      pamStart.getArg(1) = node1 and
+      handle = node2
+    )
+    or
+    // Flow from handle to the authenticate call in the final step
+    exists(VulnPamAuthCall c | c.getArg(0) = node1 | node2 = c)
+  }
+}
+
+/** Global taint-tracking for detecting "PAM Authorization" vulnerabilities. */
+module PamAuthorizationFlow = TaintTracking::Global<PamAuthorizationConfig>;
diff --git a/python/ql/src/Security/CWE-285/PamAuthorization.ql b/python/ql/src/Security/CWE-285/PamAuthorization.ql
@@ -11,12 +11,12 @@
  */
 
 import python
-import DataFlow::PathGraph
+import PamAuthorizationFlow::PathGraph
 import semmle.python.ApiGraphs
 import semmle.python.security.dataflow.PamAuthorizationQuery
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from PamAuthorizationFlow::PathNode source, PamAuthorizationFlow::PathNode sink
+where PamAuthorizationFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
   "This PAM authentication depends on a $@, and 'pam_acct_mgmt' is not called afterwards.",
   source.getNode(), "user-provided value"
diff --git a/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.expected b/python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.expected
@@ -1,18 +1,24 @@
 edges
 | pam_test.py:4:26:4:32 | ControlFlowNode for ImportMember | pam_test.py:4:26:4:32 | GSSA Variable request |
 | pam_test.py:4:26:4:32 | GSSA Variable request | pam_test.py:71:16:71:22 | ControlFlowNode for request |
-| pam_test.py:71:5:71:12 | SSA variable username | pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() |
+| pam_test.py:71:5:71:12 | SSA variable username | pam_test.py:74:33:74:40 | ControlFlowNode for username |
 | pam_test.py:71:16:71:22 | ControlFlowNode for request | pam_test.py:71:16:71:27 | ControlFlowNode for Attribute |
 | pam_test.py:71:16:71:27 | ControlFlowNode for Attribute | pam_test.py:71:16:71:47 | ControlFlowNode for Attribute() |
 | pam_test.py:71:16:71:47 | ControlFlowNode for Attribute() | pam_test.py:71:5:71:12 | SSA variable username |
+| pam_test.py:74:33:74:40 | ControlFlowNode for username | pam_test.py:74:62:74:67 | ControlFlowNode for handle |
+| pam_test.py:74:62:74:67 | ControlFlowNode for handle | pam_test.py:76:31:76:36 | ControlFlowNode for handle |
+| pam_test.py:76:31:76:36 | ControlFlowNode for handle | pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() |
 nodes
 | pam_test.py:4:26:4:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
 | pam_test.py:4:26:4:32 | GSSA Variable request | semmle.label | GSSA Variable request |
 | pam_test.py:71:5:71:12 | SSA variable username | semmle.label | SSA variable username |
 | pam_test.py:71:16:71:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | pam_test.py:71:16:71:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | pam_test.py:71:16:71:47 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| pam_test.py:74:33:74:40 | ControlFlowNode for username | semmle.label | ControlFlowNode for username |
+| pam_test.py:74:62:74:67 | ControlFlowNode for handle | semmle.label | ControlFlowNode for handle |
 | pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() | semmle.label | ControlFlowNode for pam_authenticate() |
+| pam_test.py:76:31:76:36 | ControlFlowNode for handle | semmle.label | ControlFlowNode for handle |
 subpaths
 #select
 | pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() | pam_test.py:4:26:4:32 | ControlFlowNode for ImportMember | pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() | This PAM authentication depends on a $@, and 'pam_acct_mgmt' is not called afterwards. | pam_test.py:4:26:4:32 | ControlFlowNode for ImportMember | user-provided value |
