Merged
add test
haby0 committed Feb 28, 2022
commit be40b54b9fd02b674504a0e92f50c34d30ee60d0
7 changes: 3 additions & 4 deletions python/ql/lib/semmle/python/frameworks/Aiohttp.qll
@@ -644,7 +644,7 @@ module AiohttpWebModel {
* Provides models for the web server part (`aiohttp.client`) of the `aiohttp` PyPI package.
* See https://docs.aiohttp.org/en/stable/client.html
*/
module AiohttpClientModel {
private module AiohttpClientModel {
/**
* Provides models for the `aiohttp.ClientSession` class
*
@@ -668,7 +668,7 @@ module AiohttpClientModel {
this = instance().getMember(methodName).getACall()
}

DataFlow::Node getUrlArg() {
override DataFlow::Node getAUrlPart() {
result = this.getArgByName("url")
or
not methodName = "request" and
@@ -678,13 +678,12 @@ module AiohttpClientModel {
result = this.getArg(1)
}

override DataFlow::Node getAUrlPart() { result = this.getUrlArg() }

override string getFramework() { result = "aiohttp.ClientSession" }

override predicate disablesCertificateValidation(
DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
) {
// TODO: Look into disabling certificate validation
none()
Comment thread
RasmusWL marked this conversation as resolved.
}
}
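Review bot: `disablesCertificateValidation` still holds for nothing here, and the added `// TODO: Look into disabling certificate validation` does not say what is left unmodelled, so a request made through this client with TLS verification switched off would presumably not be reported by any query that relies on this predicate. I would make the comment name the gap, for example `// TODO: model the ssl argument (ssl=False); until then this predicate has no results`. The same stub and TODO are added in the Httpx, Libtaxii, Pycurl, Urllib, Urllib2 and Urllib3 sections, where the relevant switch differs per library (for httpx the `verify` argument). The enclosing class starts outside the visible hunks.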
10 changes: 4 additions & 6 deletions python/ql/lib/semmle/python/frameworks/Httpx.qll
@@ -20,7 +20,7 @@ module HttpxModel {
this = API::moduleImport("httpx").getMember(methodName).getACall()
}

DataFlow::Node getUrlArg() {
override DataFlow::Node getAUrlPart() {
result = this.getArgByName("url")
or
not methodName = "request" and
@@ -30,13 +30,12 @@ module HttpxModel {
result = this.getArg(1)
}

override DataFlow::Node getAUrlPart() { result = this.getUrlArg() }

override string getFramework() { result = "httpx" }

override predicate disablesCertificateValidation(
DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
) {
// TODO: Look into disabling certificate validation
none()
}
}
@@ -64,7 +63,7 @@ module HttpxModel {
this = instance().getMember(methodName).getACall()
}

DataFlow::Node getUrlArg() {
override DataFlow::Node getAUrlPart() {
result = this.getArgByName("url")
or
not methodName = "request" and
@@ -74,13 +73,12 @@ module HttpxModel {
result = this.getArg(1)
}

override DataFlow::Node getAUrlPart() { result = this.getUrlArg() }

override string getFramework() { result = "httpx.[Async]Client" }

override predicate disablesCertificateValidation(
DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
) {
// TODO: Look into disabling certificate validation
none()
}
}
5 changes: 2 additions & 3 deletions python/ql/lib/semmle/python/frameworks/Libtaxii.qll
@@ -22,15 +22,14 @@ module Libtaxii {
this.getArgByName("allow_url").asExpr().toString() = "True"
}

DataFlow::Node getUrlArg() { result in [this.getArg(0), this.getArgByName("s")] }

override DataFlow::Node getAUrlPart() { result = this.getUrlArg() }
override DataFlow::Node getAUrlPart() { result in [this.getArg(0), this.getArgByName("s")] }

override string getFramework() { result = "libtaxii.common.parse" }

override predicate disablesCertificateValidation(
DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
) {
// TODO: Look into disabling certificate validation
none()
}
}
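Review bot: The `allow_url` guard in the first context line of this hunk compares `this.getArgByName("allow_url").asExpr().toString()` with `"True"`, so only the keyword argument written as the literal `True` is recognised as a client request. A call where the flag comes from a variable or constant would not match, which gives a false negative for the URL-fetching case; resolving the value through data flow or a boolean-literal check would be sturdier than matching on the printed expression. At minimum I would document the limit above that line, e.g. `// Only the literal keyword form allow_url=True is recognised.`. The class and what appears to be its characteristic predicate begin outside the hunk.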
9 changes: 5 additions & 4 deletions python/ql/lib/semmle/python/frameworks/Pycurl.qll
@@ -25,7 +25,7 @@ module Pycurl {
private API::Node instance() { result = classRef().getReturn() }

/**
* When the first parameter value of the `setopt` function is set to `pycurl.URL`,
* When the first parameter value of the `setopt` function is set to `pycurl.URL`,
* the second parameter value is the request resource link.
*
* See https://pycurl.io/docs/latest/curl.html#set_option.
@@ -36,15 +36,16 @@ module Pycurl {
this.getArg(0).asCfgNode().(AttrNode).getName() = "URL"
}

DataFlow::Node getUrlArg() { result in [this.getArg(1), this.getArgByName("value")] }

override DataFlow::Node getAUrlPart() { result = this.getUrlArg() }
override DataFlow::Node getAUrlPart() {
result in [this.getArg(1), this.getArgByName("value")]
}

override string getFramework() { result = "pycurl.Curl" }

override predicate disablesCertificateValidation(
DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
) {
// TODO: Look into disabling certificate validation
none()
}
}
10 changes: 4 additions & 6 deletions python/ql/lib/semmle/python/frameworks/Urllib.qll
@@ -27,15 +27,14 @@ module Urllib {
this = API::moduleImport("urllib").getMember("request").getMember("Request").getACall()
}

DataFlow::Node getUrlArg() { result in [this.getArg(0), this.getArgByName("url")] }

override DataFlow::Node getAUrlPart() { result = this.getUrlArg() }
override DataFlow::Node getAUrlPart() { result in [this.getArg(0), this.getArgByName("url")] }

override string getFramework() { result = "urllib.request.Request" }

override predicate disablesCertificateValidation(
DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
) {
// TODO: Look into disabling certificate validation
none()
}
}
@@ -49,15 +48,14 @@ module Urllib {
this = API::moduleImport("urllib").getMember("request").getMember("urlopen").getACall()
}

DataFlow::Node getUrlArg() { result in [this.getArg(0), this.getArgByName("url")] }

override DataFlow::Node getAUrlPart() { result = this.getUrlArg() }
override DataFlow::Node getAUrlPart() { result in [this.getArg(0), this.getArgByName("url")] }

override string getFramework() { result = "urllib.request.urlopen" }

override predicate disablesCertificateValidation(
DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
) {
// TODO: Look into disabling certificate validation
none()
}
}
14 changes: 5 additions & 9 deletions python/ql/lib/semmle/python/frameworks/Urllib2.qll
@@ -17,19 +17,16 @@ module Urllib2 {
* - https://docs.python.org/2/library/urllib2.html#urllib2.Request
*/
private class RequestCall extends HTTP::Client::Request::Range, DataFlow::CallCfgNode {
RequestCall() {
this = API::moduleImport("urllib2").getMember("Request").getACall()
}

DataFlow::Node getUrlArg() { result in [this.getArg(0), this.getArgByName("url")] }
RequestCall() { this = API::moduleImport("urllib2").getMember("Request").getACall() }

override DataFlow::Node getAUrlPart() { result = this.getUrlArg() }
override DataFlow::Node getAUrlPart() { result in [this.getArg(0), this.getArgByName("url")] }

override string getFramework() { result = "urllib2.Request" }

override predicate disablesCertificateValidation(
DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
) {
// TODO: Look into disabling certificate validation
none()
}
}
@@ -41,15 +38,14 @@ module Urllib2 {
private class UrlOpenCall extends HTTP::Client::Request::Range, DataFlow::CallCfgNode {
UrlOpenCall() { this = API::moduleImport("urllib2").getMember("urlopen").getACall() }

DataFlow::Node getUrlArg() { result in [this.getArg(0), this.getArgByName("url")] }

override DataFlow::Node getAUrlPart() { result = this.getUrlArg() }
override DataFlow::Node getAUrlPart() { result in [this.getArg(0), this.getArgByName("url")] }

override string getFramework() { result = "urllib2.urlopen" }

override predicate disablesCertificateValidation(
DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
) {
// TODO: Look into disabling certificate validation
none()
}
}
10 changes: 4 additions & 6 deletions python/ql/lib/semmle/python/frameworks/Urllib3.qll
@@ -30,31 +30,29 @@ module Urllib3 {
instance().getMember(["request", "request_encode_url", "request_encode_body"]).getACall()
}

DataFlow::Node getUrlArg() { result in [this.getArg(1), this.getArgByName("url")] }

override DataFlow::Node getAUrlPart() { result = this.getUrlArg() }
override DataFlow::Node getAUrlPart() { result in [this.getArg(1), this.getArgByName("url")] }

override string getFramework() { result = "urllib3.PoolManager" }

override predicate disablesCertificateValidation(
DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
) {
// TODO: Look into disabling certificate validation
none()
}
}

private class UrlOpenCall extends HTTP::Client::Request::Range, DataFlow::CallCfgNode {
UrlOpenCall() { this = instance().getMember("urlopen").getACall() }

DataFlow::Node getUrlArg() { result in [this.getArg(1), this.getArgByName("url")] }

override DataFlow::Node getAUrlPart() { result = this.getUrlArg() }
override DataFlow::Node getAUrlPart() { result in [this.getArg(1), this.getArgByName("url")] }

override string getFramework() { result = "urllib3.PoolManager" }

override predicate disablesCertificateValidation(
DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
) {
// TODO: Look into disabling certificate validation
none()
}
}
@@ -0,0 +1,16 @@
import aiohttp
import asyncio

s = aiohttp.ClientSession()
resp = s.request("method", "url") # $ clientRequestUrlPart="url"
resp = s.request("method", url="url") # $ clientRequestUrlPart="url"

with aiohttp.ClientSession() as session:
resp = session.get("url") # $ clientRequestUrlPart="url"
resp = session.request(method="GET", url="url") # $ clientRequestUrlPart="url"

# other methods than GET
s = aiohttp.ClientSession()
resp = s.post("url") # $ clientRequestUrlPart="url"
resp = s.patch("url") # $ clientRequestUrlPart="url"
resp = s.options("url") # $ clientRequestUrlPart="url"
Empty file.
@@ -0,0 +1,2 @@
import python
import experimental.meta.ConceptsTest
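--- a/python/ql/test/library-tests/frameworks/httpx/test.py
+++ b/python/ql/test/library-tests/frameworks/httpx/test.py
@@ -0,0 +1,24 @@
+import httpx
+
+httpx.get("url") # $ clientRequestUrlPart="url"
+httpx.post("url") # $ clientRequestUrlPart="url"
+httpx.patch("url") # $ clientRequestUrlPart="url"
+httpx.options("url") # $ clientRequestUrlPart="url"
+httpx.request("method", url="url") # $ clientRequestUrlPart="url"
+httpx.stream("method", url="url") # $ clientRequestUrlPart="url"
+
+client = httpx.Client()
+response = client.get("url") # $ clientRequestUrlPart="url"
+response = client.post("url") # $ clientRequestUrlPart="url"
+response = client.patch("url") # $ clientRequestUrlPart="url"
+response = client.options("url") # $ clientRequestUrlPart="url"
+response = client.request("method", url="url") # $ clientRequestUrlPart="url"
+response = client.stream("method", url="url") # $ clientRequestUrlPart="url"
+
+client = httpx.AsyncClient()
+response = client.get("url") # $ clientRequestUrlPart="url"
+response = client.post("url") # $ clientRequestUrlPart="url"
+response = client.patch("url") # $ clientRequestUrlPart="url"
+response = client.options("url") # $ clientRequestUrlPart="url"
+response = client.request("method", url="url") # $ clientRequestUrlPart="url"
+response = client.stream("method", url="url") # $ clientRequestUrlPart="url"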
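Review bot: `request` and `stream` are only exercised with the keyword form `url="url"`, on the module, `Client` and `AsyncClient` alike, so the branch of the model that ends in `result = this.getArg(1)` in Httpx.qll has no test here. The aiohttp test in this commit does cover the positional form with `s.request("method", "url")`. I would add `httpx.request("method", "url") # $ clientRequestUrlPart="url"` and a matching `client.stream("method", "url")` line; the condition guarding that branch is outside the visible hunk, so which methods it applies to should be confirmed first.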
Empty file.
@@ -0,0 +1,2 @@
import python
import experimental.meta.ConceptsTest
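--- a/python/ql/test/library-tests/frameworks/libtaxii/test.py
+++ b/python/ql/test/library-tests/frameworks/libtaxii/test.py
@@ -0,0 +1,4 @@
+from libtaxii.common import parse
+
+result = parse("url", allow_url=True) # $ clientRequestUrlPart="url"
+result = parse(s="url", allow_url=True) # $ clientRequestUrlPart="url"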
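Review bot: Both lines pass `allow_url=True`, so nothing checks that the model stays silent when URL loading is not enabled. A line without an annotation, `result = parse("url")`, would pin that behaviour, assuming the inline-expectations test reports unexpected results as failures. The pycurl test has the same gap: only `pycurl.URL` is set, and a `setopt` call with another option such as `c.setopt(pycurl.USERAGENT, "ua")` would show that it is not treated as a URL.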
Empty file.
@@ -0,0 +1,2 @@
import python
import experimental.meta.ConceptsTest
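--- a/python/ql/test/library-tests/frameworks/pycurl/test.py
+++ b/python/ql/test/library-tests/frameworks/pycurl/test.py
@@ -0,0 +1,4 @@
+import pycurl
+
+c = pycurl.Curl()
+c.setopt(pycurl.URL, "url") # $ clientRequestUrlPart="url"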
Empty file.
@@ -0,0 +1,2 @@
import python
import experimental.meta.ConceptsTest
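--- a/python/ql/test/library-tests/frameworks/urllib/test.py
+++ b/python/ql/test/library-tests/frameworks/urllib/test.py
@@ -0,0 +1,7 @@
+from urllib.request import Request, urlopen
+
+Request("url") # $ clientRequestUrlPart="url"
+Request(url="url") # $ clientRequestUrlPart="url"
+
+urlopen("url") # $ clientRequestUrlPart="url"
+urlopen(url="url") # $ clientRequestUrlPart="url"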
Empty file.
@@ -0,0 +1,2 @@
import python
import experimental.meta.ConceptsTest
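--- a/python/ql/test/library-tests/frameworks/urllib2/test.py
+++ b/python/ql/test/library-tests/frameworks/urllib2/test.py
@@ -0,0 +1,7 @@
+import urllib2
+
+resp = urllib2.Request("url") # $ clientRequestUrlPart="url"
+resp = urllib2.Request(url="url") # $ clientRequestUrlPart="url"
+
+resp = urllib2.urlopen("url") # $ clientRequestUrlPart="url"
+resp = urllib2.urlopen(url="url") # $ clientRequestUrlPart="url"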
Empty file.
@@ -0,0 +1,2 @@
import python
import experimental.meta.ConceptsTest
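--- a/python/ql/test/library-tests/frameworks/urllib3/test.py
+++ b/python/ql/test/library-tests/frameworks/urllib3/test.py
@@ -0,0 +1,8 @@
+import urllib3
+
+http = urllib3.PoolManager()
+
+resp = http.request("method", "url") # $ clientRequestUrlPart="url"
+resp = http.request("method", url="url") # $ clientRequestUrlPart="url"
+resp = http.urlopen("method", "url") # $ clientRequestUrlPart="url"
+resp = http.urlopen("method", url="url") # $ clientRequestUrlPart="url"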