move path-injection MaD to PathInjectionCustomizations.qll

erik-krogh · erik-krogh · commit efe306733e68 · 2022-05-05T16:51:39.000+02:00
diff --git a/python/ql/lib/semmle/python/Concepts.qll b/python/ql/lib/semmle/python/Concepts.qll
@@ -62,14 +62,6 @@ module FileSystemAccess {
     /** Gets an argument to this file system access that is interpreted as a path. */
     abstract DataFlow::Node getAPathArgument();
   }
-
-  private import semmle.python.frameworks.data.ModelsAsData
-
-  private class DataAsFileAccess extends Range {
-    DataAsFileAccess() { this = ModelOutput::getASinkNode("file-access").getARhs() }
-
-    override DataFlow::Node getAPathArgument() { result = this }
-  }
 }
 
 /**
diff --git a/python/ql/lib/semmle/python/frameworks/Asyncpg.qll b/python/ql/lib/semmle/python/frameworks/Asyncpg.qll
@@ -38,8 +38,8 @@ private module Asyncpg {
           "asyncpg;~Connection;Member[copy_from_query,execute,fetch,fetchrow,fetchval].Argument[0,query:];sql-injection",
           "asyncpg;~Connection;Member[executemany].Argument[0,command:];sql-injection",
           // A model of `Connection` and `ConnectionPool`, which provide some methods that access the file system.
-          "asyncpg;~Connection;Member[copy_from_query,copy_from_table].Argument[output:];file-access",
-          "asyncpg;~Connection;Member[copy_to_table].Argument[source:];file-access",
+          "asyncpg;~Connection;Member[copy_from_query,copy_from_table].Argument[output:];path-injection",
+          "asyncpg;~Connection;Member[copy_to_table].Argument[source:];path-injection",
           // the `PreparedStatement` class in `asyncpg`.
           "asyncpg;Connection;Member[prepare].Argument[0,query:];sql-injection",
         ]
diff --git a/python/ql/lib/semmle/python/security/dataflow/PathInjectionCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/PathInjectionCustomizations.qll
@@ -59,6 +59,12 @@ module PathInjection {
     FileSystemAccessAsSink() { this = any(FileSystemAccess e).getAPathArgument() }
   }
 
+  private import semmle.python.frameworks.data.ModelsAsData
+
+  private class DataAsFileSink extends Sink {
+    DataAsFileSink() { this = ModelOutput::getASinkNode("path-injection").getARhs() }
+  }
+
   /**
    * A comparison with a constant string, considered as a sanitizer-guard.
    */
diff --git a/python/ql/test/library-tests/frameworks/asyncpg/test.py b/python/ql/test/library-tests/frameworks/asyncpg/test.py
@@ -7,11 +7,11 @@ async def test_connection():
     try:
         # The file-like object is passed in as a keyword-only argument.
         # See https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.connection.Connection.copy_from_query
-        await conn.copy_from_query("sql", output="filepath")  # $ mad-sink__sql-injection="sql" mad-sink__file-access="filepath" getAPathArgument="filepath"
-        await conn.copy_from_query("sql", "arg1", "arg2", output="filepath")  # $ mad-sink__sql-injection="sql" mad-sink__file-access="filepath" getAPathArgument="filepath"
+        await conn.copy_from_query("sql", output="filepath")  # $ mad-sink__sql-injection="sql" mad-sink__path-injection="filepath"
+        await conn.copy_from_query("sql", "arg1", "arg2", output="filepath")  # $ mad-sink__sql-injection="sql" mad-sink__path-injection="filepath"
 
-        await conn.copy_from_table("table", output="filepath")  # $ mad-sink__file-access="filepath" getAPathArgument="filepath"
-        await conn.copy_to_table("table", source="filepath")  # $ mad-sink__file-access="filepath" getAPathArgument="filepath"
+        await conn.copy_from_table("table", output="filepath")  # $ mad-sink__path-injection="filepath"
+        await conn.copy_to_table("table", source="filepath")  # $ mad-sink__path-injection="filepath"
 
         await conn.execute("sql")  # $ mad-sink__sql-injection="sql"
         await conn.executemany("sql")  # $ mad-sink__sql-injection="sql"
@@ -69,10 +69,10 @@ async def test_connection_pool():
     pool = await asyncpg.create_pool()
 
     try:
-        await pool.copy_from_query("sql", output="filepath")  # $ mad-sink__sql-injection="sql" mad-sink__file-access="filepath" getAPathArgument="filepath"
-        await pool.copy_from_query("sql", "arg1", "arg2", output="filepath")  # $ mad-sink__sql-injection="sql" mad-sink__file-access="filepath" getAPathArgument="filepath"
-        await pool.copy_from_table("table", output="filepath")  # $ mad-sink__file-access="filepath" getAPathArgument="filepath"
-        await pool.copy_to_table("table", source="filepath")  # $ mad-sink__file-access="filepath" getAPathArgument="filepath"
+        await pool.copy_from_query("sql", output="filepath")  # $ mad-sink__sql-injection="sql" mad-sink__path-injection="filepath"
+        await pool.copy_from_query("sql", "arg1", "arg2", output="filepath")  # $ mad-sink__sql-injection="sql" mad-sink__path-injection="filepath"
+        await pool.copy_from_table("table", output="filepath")  # $ mad-sink__path-injection="filepath"
+        await pool.copy_to_table("table", source="filepath")  # $ mad-sink__path-injection="filepath"
 
         await pool.execute("sql")  # $ mad-sink__sql-injection="sql"
         await pool.executemany("sql")  # $ mad-sink__sql-injection="sql"

Original file line number	Diff line number	Diff line change
`@@ -62,14 +62,6 @@ module FileSystemAccess {`
`62`	`62`	`/** Gets an argument to this file system access that is interpreted as a path. */`
`63`	`63`	`abstract DataFlow::Node getAPathArgument();`
`64`	`64`	`}`
`65`		`-`
`66`		`- private import semmle.python.frameworks.data.ModelsAsData`
`67`		`-`
`68`		`- private class DataAsFileAccess extends Range {`
`69`		`- DataAsFileAccess() { this = ModelOutput::getASinkNode("file-access").getARhs() }`
`70`		`-`
`71`		`- override DataFlow::Node getAPathArgument() { result = this }`
`72`		`- }`
`73`	`65`	`}`
`74`	`66`
`75`	`67`	`/**`