Python: Move StackTraceExposure to new dataflow API

RasmusWL · RasmusWL · commit dcd96083e8d4 · 2023-08-28T15:27:50.000+02:00
diff --git a/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureQuery.qll b/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureQuery.qll
@@ -12,9 +12,11 @@ import semmle.python.dataflow.new.TaintTracking
 import StackTraceExposureCustomizations::StackTraceExposure
 
 /**
+ * DEPRECATED: Use `StackTraceExposureFlow` module instead.
+ *
  * A taint-tracking configuration for detecting "stack trace exposure" vulnerabilities.
  */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "StackTraceExposure" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -36,3 +38,23 @@ class Configuration extends TaintTracking::Configuration {
     )
   }
 }
+
+private module StackTraceExposureConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  // A stack trace is accessible as the `__traceback__` attribute of a caught exception.
+  //  see https://docs.python.org/3/reference/datamodel.html#traceback-objects
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    exists(DataFlow::AttrRead attr | attr.getAttributeName() = "__traceback__" |
+      nodeFrom = attr.getObject() and
+      nodeTo = attr
+    )
+  }
+}
+
+/** Global taint-tracking for detecting "stack trace exposure" vulnerabilities. */
+module StackTraceExposureFlow = TaintTracking::Global<StackTraceExposureConfig>;
diff --git a/python/ql/src/Security/CWE-209/StackTraceExposure.ql b/python/ql/src/Security/CWE-209/StackTraceExposure.ql
@@ -15,10 +15,10 @@
 
 import python
 import semmle.python.security.dataflow.StackTraceExposureQuery
-import DataFlow::PathGraph
+import StackTraceExposureFlow::PathGraph
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from StackTraceExposureFlow::PathNode source, StackTraceExposureFlow::PathNode sink
+where StackTraceExposureFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
   "$@ flows to this location and may be exposed to an external user.", source.getNode(),
   "Stack trace information"
diff --git a/python/ql/test/query-tests/Security/CWE-209-StackTraceExposure/StackTraceExposure.expected b/python/ql/test/query-tests/Security/CWE-209-StackTraceExposure/StackTraceExposure.expected
@@ -1,6 +1,7 @@
 edges
 | test.py:23:25:23:25 | SSA variable e | test.py:24:16:24:16 | ControlFlowNode for e |
-| test.py:31:25:31:25 | SSA variable e | test.py:32:16:32:30 | ControlFlowNode for Attribute |
+| test.py:31:25:31:25 | SSA variable e | test.py:32:16:32:16 | ControlFlowNode for e |
+| test.py:32:16:32:16 | ControlFlowNode for e | test.py:32:16:32:30 | ControlFlowNode for Attribute |
 | test.py:49:9:49:11 | SSA variable err | test.py:50:29:50:31 | ControlFlowNode for err |
 | test.py:49:15:49:36 | ControlFlowNode for Attribute() | test.py:49:9:49:11 | SSA variable err |
 | test.py:50:29:50:31 | ControlFlowNode for err | test.py:50:16:50:32 | ControlFlowNode for format_error() |
@@ -12,6 +13,7 @@ nodes
 | test.py:23:25:23:25 | SSA variable e | semmle.label | SSA variable e |
 | test.py:24:16:24:16 | ControlFlowNode for e | semmle.label | ControlFlowNode for e |
 | test.py:31:25:31:25 | SSA variable e | semmle.label | SSA variable e |
+| test.py:32:16:32:16 | ControlFlowNode for e | semmle.label | ControlFlowNode for e |
 | test.py:32:16:32:30 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | test.py:49:9:49:11 | SSA variable err | semmle.label | SSA variable err |
 | test.py:49:15:49:36 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
