Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Python: enable diff-informed data flow queries #18341

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
asgerf merged 7 commits into from
Feb 11, 2025
Merged

Python: enable diff-informed data flow queries #18341

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
e4a1847
Python: mass enable diff-informed data flow
asgerf Jan 23, 2025
9dfd1cc
Python: Fixup broken patch
asgerf Jan 23, 2025
15c2ccb
Python: ignore experimental for now
asgerf Jan 23, 2025
975ce06
Python: implement for polynomial redos
asgerf Jan 23, 2025
d3ee658
Python: resolve remaining TODOs
asgerf Dec 20, 2024
7d6abb4
JS: Disable diff-informedness for full SSRF
asgerf Feb 6, 2025
d3b9d1d
JS: Partial SSRF does not select the sink location
asgerf Feb 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Python: implement for polynomial redos
  • Loading branch information
@asgerf
asgerf committed Feb 6, 2025
commit 975ce064fc30b83667e96ef9bc023479e05ebe23
5 changes: 5 additions & 0 deletions python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSCustomizations.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,11 @@ module PolynomialReDoS {
/** Gets the regex that is being executed by this node. */
abstract RegExpTerm getRegExp();

/** Gets a term within the regexp that may perform polynomial back-tracking. */
final PolynomialBackTrackingTerm getABacktrackingTerm() {
result.getRootTerm() = this.getRegExp()
}

/**
* Gets the node to highlight in the alert message.
*/
Expand Down
11 changes: 6 additions & 5 deletions python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,11 +18,12 @@ private module PolynomialReDoSConfig implements DataFlow::ConfigSig {

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() {
// TODO(diff-informed): Manually verify if config can be diff-informed.
// ql/src/Security/CWE-730/PolynomialReDoS.ql:31: Column 1 selects sink.getHighlight
// ql/src/Security/CWE-730/PolynomialReDoS.ql:33: Column 5 does not select a source or sink originating from the flow call on line 24
none()
predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.(Sink).getHighlight().getLocation()
or
result = sink.(Sink).getABacktrackingTerm().getLocation()
}
}

Expand Down
2 changes: 1 addition & 1 deletion python/ql/src/Security/CWE-730/PolynomialReDoS.ql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ from
where
PolynomialReDoSFlow::flowPath(source, sink) and
sinkNode = sink.getNode() and
regexp.getRootTerm() = sinkNode.getRegExp()
regexp = sinkNode.getABacktrackingTerm()
// not (
// source.getNode().(Source).getKind() = "url" and
// regexp.isAtEndLine()
Expand Down