Move Sanitizer to ReEscapeCall
1 parent b5ea41f commit ce23db2

2 files changed

Lines changed: 17 additions & 6 deletions


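--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -32,7 +32,7 @@ private module Stdlib {
 * WARNING: Only holds for a few predefined attributes.
 */
 private DataFlow::Node re_attr(DataFlow::TypeTracker t, string attr_name) {
-attr_name in ["match", "fullmatch", "search", "split", "findall", "finditer", "sub", "subn", "compile"] and
+attr_name in ["match", "fullmatch", "search", "split", "findall", "finditer", "sub", "subn", "compile", "escape"] and
 (
 t.start() and
 result = DataFlow::importNode("re" + "." + attr_name)
@@ -181,6 +181,19 @@ private module Stdlib {
 override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
 }
 
+/**
+* A call to `re.escape`
+* See https://docs.python.org/3/library/re.html#re.escape
+*/
+private class ReEscapeCall extends RegexExecution::Range, DataFlow::CfgNode {
+override CallNode node;
+
+ReEscapeCall() { node.getFunction() = re_attr("escape").asCfgNode() }
+
+override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
+override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
+}
+
 /**
 * A call to `re.compile`
 * See https://docs.python.org/3/library/re.html#re.match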
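--- a/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
@@ -5,6 +5,7 @@
 
 import python
 import experimental.semmle.python.Concepts
+import experimental.semmle.python.frameworks.Stdlib
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.RemoteFlowSources
@@ -18,10 +19,7 @@ class RegexInjectionFlowConfig extends TaintTracking::Configuration {
 
 override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-override predicate isSink(DataFlow::Node sink) { sink = any(RegexExecution re).getRegexNode() }
+override predicate isSink(DataFlow::Node sink) { sink = any(RegexExecution re).getRegexNode() }
 
-override predicate isSanitizer(DataFlow::Node sanitizer) {
-sanitizer =
-API::moduleImport("re").getMember("escape").getACall().(DataFlow::CallCfgNode).getArg(0)
-}
+override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof ReEscapeCall }
 }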
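Review bot: The new `isSanitizer` refers to `ReEscapeCall` unqualified, but in the companion hunk of this commit that class is declared `private` inside `private module Stdlib`, so `import experimental.semmle.python.frameworks.Stdlib` will not bring it into scope unless a public alias exists outside what is shown here; either export the class from a non-private module or keep the sanitizer definition local to this file. Note also that the sanitizer has moved from the argument of `re.escape` (old line 25) to the call node itself, so it only cuts a path if a taint step carries taint from the argument into the call's result — presumably the intent, but worth pinning with a comment such as `// sanitize the escaped result, not the argument, so flow stops at re.escape(x)` so the next reader does not revert it.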
