diff --git a/python/ql/src/Security/CWE-022/PathInjection.ql b/python/ql/src/Security/CWE-022/PathInjection.ql index 5d5561e49c35..1b1eb33a5073 100644 --- a/python/ql/src/Security/CWE-022/PathInjection.ql +++ b/python/ql/src/Security/CWE-022/PathInjection.ql @@ -1,7 +1,7 @@ /** * @name Uncontrolled data used in path expression * @description Accessing paths influenced by users can allow an attacker to access unexpected resources. - * @kind problem + * @kind path-problem * @problem.severity error * @sub-severity high * @precision high @@ -17,6 +17,7 @@ */ import python +import semmle.python.security.Paths /* Sources */ import semmle.python.web.HttpRequest @@ -25,7 +26,6 @@ import semmle.python.web.HttpRequest import semmle.python.security.injection.Path -from TaintSource src, TaintSink sink -where src.flowsToSink(sink) - -select sink, "This path depends on $@.", src, "a user-provided value" +from TaintedPathSource src, TaintedPathSink sink +where src.flowsTo(sink) +select sink.getSink(), src, sink, "This path depends on $@.", src.getSource(), "a user-provided value" \ No newline at end of file diff --git a/python/ql/src/Security/CWE-078/CommandInjection.ql b/python/ql/src/Security/CWE-078/CommandInjection.ql index 44e9d56dda36..639aab3725fe 100755 --- a/python/ql/src/Security/CWE-078/CommandInjection.ql +++ b/python/ql/src/Security/CWE-078/CommandInjection.ql @@ -2,7 +2,7 @@ * @name Uncontrolled command line * @description Using externally controlled strings in a command line may allow a malicious * user to change the meaning of the command. - * @kind problem + * @kind path-problem * @problem.severity error * @sub-severity high * @precision high @@ -15,6 +15,7 @@ */ import python +import semmle.python.security.Paths /* Sources */ import semmle.python.web.HttpRequest @@ -22,7 +23,6 @@ import semmle.python.web.HttpRequest /* Sinks */ import semmle.python.security.injection.Command -from TaintSource src, TaintSink sink -where src.flowsToSink(sink) - -select sink, "This command depends on $@.", src, "a user-provided value" +from TaintedPathSource src, TaintedPathSink sink +where src.flowsTo(sink) +select sink.getSink(), src, sink, "This command depends on $@.", src.getSource(), "a user-provided value" diff --git a/python/ql/src/Security/CWE-079/ReflectedXss.ql b/python/ql/src/Security/CWE-079/ReflectedXss.ql index dff7657a7184..3a77e0559f63 100644 --- a/python/ql/src/Security/CWE-079/ReflectedXss.ql +++ b/python/ql/src/Security/CWE-079/ReflectedXss.ql @@ -2,7 +2,7 @@ * @name Reflected server-side cross-site scripting * @description Writing user input directly to a web page * allows for a cross-site scripting vulnerability. - * @kind problem + * @kind path-problem * @problem.severity error * @sub-severity high * @precision high @@ -13,6 +13,7 @@ */ import python +import semmle.python.security.Paths /* Sources */ import semmle.python.web.HttpRequest @@ -24,9 +25,6 @@ import semmle.python.web.HttpResponse /* Flow */ import semmle.python.security.strings.Untrusted -from TaintSource src, TaintSink sink -where src.flowsToSink(sink) - -select sink, "Cross-site scripting vulnerability due to $@.", - src, "user-provided value" - +from TaintedPathSource src, TaintedPathSink sink +where src.flowsTo(sink) +select sink.getSink(), src, sink, "Cross-site scripting vulnerability due to $@.", src.getSource(), "user-provided value" diff --git a/python/ql/src/Security/CWE-089/SqlInjection.ql b/python/ql/src/Security/CWE-089/SqlInjection.ql index 0513bb6ba1f3..35274729418d 100755 --- a/python/ql/src/Security/CWE-089/SqlInjection.ql +++ b/python/ql/src/Security/CWE-089/SqlInjection.ql @@ -2,7 +2,7 @@ * @name SQL query built from user-controlled sources * @description Building a SQL query from user-controlled sources is vulnerable to insertion of * malicious SQL code by the user. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id py/sql-injection @@ -12,6 +12,7 @@ */ import python +import semmle.python.security.Paths /* Sources */ import semmle.python.web.HttpRequest @@ -22,7 +23,6 @@ import semmle.python.web.django.Db import semmle.python.web.django.Model -from TaintSource src, TaintSink sink -where src.flowsToSink(sink) - -select sink, "This SQL query depends on $@.", src, "a user-provided value" +from TaintedPathSource src, TaintedPathSink sink +where src.flowsTo(sink) +select sink.getSink(), src, sink, "This SQL query depends on $@.", src.getSource(), "a user-provided value" diff --git a/python/ql/src/Security/CWE-094/CodeInjection.ql b/python/ql/src/Security/CWE-094/CodeInjection.ql index 12b816736eb3..2d511a5dae41 100644 --- a/python/ql/src/Security/CWE-094/CodeInjection.ql +++ b/python/ql/src/Security/CWE-094/CodeInjection.ql @@ -2,7 +2,7 @@ * @name Code injection * @description Interpreting unsanitized user input as code allows a malicious user arbitrary * code execution. - * @kind problem + * @kind path-problem * @problem.severity error * @sub-severity high * @precision high @@ -15,6 +15,7 @@ */ import python +import semmle.python.security.Paths /* Sources */ import semmle.python.web.HttpRequest @@ -23,7 +24,6 @@ import semmle.python.web.HttpRequest import semmle.python.security.injection.Exec -from TaintSource src, TaintSink sink -where src.flowsToSink(sink) - -select sink, "$@ flows to here and is interpreted as code.", src, "User-provided value" +from TaintedPathSource src, TaintedPathSink sink +where src.flowsTo(sink) +select sink.getSink(), src, sink, "$@ flows to here and is interpreted as code.", src.getSource(), "User-provided value" diff --git a/python/ql/src/Security/CWE-209/StackTraceExposure.ql b/python/ql/src/Security/CWE-209/StackTraceExposure.ql index f389cb6cc305..4a1452655ed9 100644 --- a/python/ql/src/Security/CWE-209/StackTraceExposure.ql +++ b/python/ql/src/Security/CWE-209/StackTraceExposure.ql @@ -3,7 +3,7 @@ * @description Leaking information about an exception, such as messages and stack traces, to an * external user can expose implementation details that are useful to an attacker for * developing a subsequent exploit. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id py/stack-trace-exposure @@ -13,10 +13,11 @@ */ import python +import semmle.python.security.Paths import semmle.python.security.Exceptions import semmle.python.web.HttpResponse -from TaintSource src, TaintSink sink -where src.flowsToSink(sink) -select sink, "$@ may be exposed to an external user", src, "Error information" +from TaintedPathSource src, TaintedPathSink sink +where src.flowsTo(sink) +select sink.getSink(), src, sink, "$@ may be exposed to an external user", src.getSource(), "Error information" diff --git a/python/ql/src/Security/CWE-502/UnsafeDeserialization.ql b/python/ql/src/Security/CWE-502/UnsafeDeserialization.ql index af7a906691db..fa48c63db9d8 100644 --- a/python/ql/src/Security/CWE-502/UnsafeDeserialization.ql +++ b/python/ql/src/Security/CWE-502/UnsafeDeserialization.ql @@ -1,7 +1,7 @@ /** * @name Deserializing untrusted input * @description Deserializing user-controlled data may allow attackers to execute arbitrary code. - * @kind problem + * @kind path-problem * @id py/unsafe-deserialization * @problem.severity error * @sub-severity high @@ -14,6 +14,7 @@ import python // Sources -- Any untrusted input import semmle.python.web.HttpRequest +import semmle.python.security.Paths // Flow -- untrusted string import semmle.python.security.strings.Untrusted @@ -23,8 +24,7 @@ import semmle.python.security.injection.Pickle import semmle.python.security.injection.Marshal import semmle.python.security.injection.Yaml -from TaintSource src, TaintSink sink -where src.flowsToSink(sink) - -select sink, "Deserializing of $@.", src, "untrusted input" +from TaintedPathSource src, TaintedPathSink sink +where src.flowsTo(sink) +select sink.getSink(), src, sink, "Deserializing of $@.", src.getSource(), "untrusted input" diff --git a/python/ql/src/Security/CWE-601/UrlRedirect.ql b/python/ql/src/Security/CWE-601/UrlRedirect.ql index 6a412813bc09..4734c540bc38 100644 --- a/python/ql/src/Security/CWE-601/UrlRedirect.ql +++ b/python/ql/src/Security/CWE-601/UrlRedirect.ql @@ -2,7 +2,7 @@ * @name URL redirection from remote source * @description URL redirection based on unvalidated user input * may cause redirection to malicious web sites. - * @kind problem + * @kind path-problem * @problem.severity error * @sub-severity low * @id py/url-redirection @@ -12,7 +12,7 @@ */ import python - +import semmle.python.security.Paths import semmle.python.web.HttpRedirect import semmle.python.web.HttpRequest @@ -28,8 +28,7 @@ class UntrustedPrefixStringKind extends UntrustedStringKind { } -from TaintSource src, TaintSink sink -where src.flowsToSink(sink) - -select sink, "Untrusted URL redirection due to $@.", src, "a user-provided value" +from TaintedPathSource src, TaintedPathSink sink +where src.flowsTo(sink) +select sink.getSink(), src, sink, "Untrusted URL redirection due to $@.", src.getSource(), "a user-provided value" diff --git a/python/ql/src/semmle/python/security/Exceptions.qll b/python/ql/src/semmle/python/security/Exceptions.qll index a321c9df839d..d0ecee350d58 100644 --- a/python/ql/src/semmle/python/security/Exceptions.qll +++ b/python/ql/src/semmle/python/security/Exceptions.qll @@ -24,6 +24,11 @@ class ExceptionInfo extends StringKind { ExceptionInfo() { this = "exception.info" } + + override string repr() { + result = "exception info" + } + } @@ -36,6 +41,10 @@ class ExceptionKind extends TaintKind { this = "exception.kind" } + override string repr() { + result = "exception" + } + override TaintKind getTaintOfAttribute(string name) { name = "args" and result instanceof ExceptionInfoSequence or diff --git a/python/ql/src/semmle/python/security/Paths.qll b/python/ql/src/semmle/python/security/Paths.qll new file mode 100644 index 000000000000..09f88ecf5f35 --- /dev/null +++ b/python/ql/src/semmle/python/security/Paths.qll @@ -0,0 +1,25 @@ +import python + +import semmle.python.security.TaintTracking + +query predicate edges(TaintedNode fromnode, TaintedNode tonode) { + fromnode.getASuccessor() = tonode +} + +private TaintedNode first_child(TaintedNode parent) { + result.getContext().getCaller() = parent.getContext() and + parent.getASuccessor() = result +} + +private TaintedNode next_sibling(TaintedNode child) { + child.getASuccessor() = result and + child.getContext() = result.getContext() +} + +query predicate parents(TaintedNode child, TaintedNode parent) { + child = first_child(parent) or + exists(TaintedNode prev | + parents(prev, parent) and + child = next_sibling(child) + ) +} diff --git a/python/ql/src/semmle/python/security/TaintTracking.qll b/python/ql/src/semmle/python/security/TaintTracking.qll index 90620ca14ba8..928806d7f822 100755 --- a/python/ql/src/semmle/python/security/TaintTracking.qll +++ b/python/ql/src/semmle/python/security/TaintTracking.qll @@ -148,6 +148,8 @@ abstract class TaintKind extends string { none() } + string repr() { result = this } + } /** Taint kinds representing collections of other taint kind. @@ -208,6 +210,10 @@ class SequenceKind extends CollectionKind { name = "pop" and result = this.getItem() } + override string repr() { + result = "sequence of " + itemKind + } + } /* Helper for getTaintForStep() */ @@ -281,6 +287,10 @@ class DictKind extends CollectionKind { name = "itervalues" and result.(SequenceKind).getItem() = valueKind } + override string repr() { + result = "dict of " + valueKind + } + } @@ -603,7 +613,9 @@ private predicate user_tainted_def(TaintedDefinition def, TaintFlowImplementatio */ class TaintedNode extends TTaintedNode { - string toString() { result = this.getTrackedValue().toString() + " at " + this.getLocation() } + string toString() { result = this.getTrackedValue().repr() } + + string debug() { result = this.getTrackedValue().toString() + " at " + this.getNode().getLocation() } TaintedNode getASuccessor() { exists(TaintFlowImplementation::TrackedValue tokind, CallContext tocontext, ControlFlowNode tonode | @@ -675,6 +687,35 @@ class TaintedNode extends TTaintedNode { } +class TaintedPathSource extends TaintedNode { + + TaintedPathSource() { + this.getNode().(TaintSource).isSourceOf(this.getTaintKind(), this.getContext()) + } + + /** Holds if taint can flow from this source to sink `sink` */ + final predicate flowsTo(TaintedPathSink sink) { + this.getASuccessor*() = sink + } + + TaintSource getSource() { + result = this.getNode() + } + +} + +class TaintedPathSink extends TaintedNode { + + TaintedPathSink() { + this.getNode().(TaintSink).sinks(this.getTaintKind()) + } + + TaintSink getSink() { + result = this.getNode() + } + +} + /** This module contains the implementation of taint-flow. * It is recommended that users use the `TaintedNode` class, rather than using this module directly * as the interface of this module may change without warning. @@ -718,12 +759,18 @@ library module TaintFlowImplementation { abstract string toString(); + abstract string repr(); + abstract TrackedValue toKind(TaintKind kind); } class TrackedTaint extends TrackedValue, TTrackedTaint { + override string repr() { + result = this.getKind().repr() + } + override string toString() { result = "Taint " + this.getKind() } @@ -740,6 +787,13 @@ library module TaintFlowImplementation { class TrackedAttribute extends TrackedValue, TTrackedAttribute { + override string repr() { + exists(string name, TaintKind kind | + this = TTrackedAttribute(name, kind) and + result = "." + name + "=" + kind.repr() + ) + } + override string toString() { exists(string name, TaintKind kind | this = TTrackedAttribute(name, kind) and diff --git a/python/ql/src/semmle/python/security/injection/Command.qll b/python/ql/src/semmle/python/security/injection/Command.qll index 11ff52a053a1..7bfdb987bfbe 100644 --- a/python/ql/src/semmle/python/security/injection/Command.qll +++ b/python/ql/src/semmle/python/security/injection/Command.qll @@ -36,6 +36,9 @@ class FirstElementKind extends TaintKind { this = "sequence[" + any(ExternalStringKind key) + "][0]" } + override string repr() { + result = "first item in sequence of " + this.getItem().repr() + } /** Gets the taint kind for item in this sequence. */ ExternalStringKind getItem() { diff --git a/python/ql/src/semmle/python/security/injection/Path.qll b/python/ql/src/semmle/python/security/injection/Path.qll index bd318c7f1e6a..cee8c12fc162 100644 --- a/python/ql/src/semmle/python/security/injection/Path.qll +++ b/python/ql/src/semmle/python/security/injection/Path.qll @@ -36,6 +36,10 @@ class NormalizedPath extends TaintKind { this = "normalized.path.injection" } + override string repr() { + result = "normalized path" + } + } private predicate abspath_call(CallNode call, ControlFlowNode arg) { diff --git a/python/ql/test/query-tests/Security/CWE-022/PathInjection.expected b/python/ql/test/query-tests/Security/CWE-022/PathInjection.expected index 68979df27ed6..861c4d09ad12 100644 --- a/python/ql/test/query-tests/Security/CWE-022/PathInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-022/PathInjection.expected @@ -1,3 +1,34 @@ -| path_injection.py:10:14:10:44 | argument to open() | This path depends on $@. | path_injection.py:9:12:9:23 | flask.request.args | a user-provided value | -| path_injection.py:17:14:17:18 | argument to open() | This path depends on $@. | path_injection.py:15:12:15:23 | flask.request.args | a user-provided value | -| path_injection.py:28:14:28:18 | argument to open() | This path depends on $@. | path_injection.py:24:12:24:23 | flask.request.args | a user-provided value | +edges +| ../lib/os/path.py:4:14:4:14 | externally controlled string | ../lib/os/path.py:5:12:5:12 | externally controlled string | +| ../lib/os/path.py:4:14:4:14 | externally controlled string | ../lib/os/path.py:5:12:5:12 | externally controlled string | +| ../lib/os/path.py:4:14:4:14 | externally controlled string | ../lib/os/path.py:5:12:5:12 | externally controlled string | +| path_injection.py:9:12:9:23 | dict of externally controlled string | path_injection.py:9:12:9:39 | externally controlled string | +| path_injection.py:9:12:9:39 | externally controlled string | path_injection.py:10:40:10:43 | externally controlled string | +| path_injection.py:10:40:10:43 | externally controlled string | path_injection.py:10:14:10:44 | externally controlled string | +| path_injection.py:15:12:15:23 | dict of externally controlled string | path_injection.py:15:12:15:39 | externally controlled string | +| path_injection.py:15:12:15:39 | externally controlled string | path_injection.py:16:56:16:59 | externally controlled string | +| path_injection.py:16:13:16:61 | normalized path | path_injection.py:17:14:17:18 | normalized path | +| path_injection.py:16:30:16:60 | externally controlled string | ../lib/os/path.py:4:14:4:14 | externally controlled string | +| path_injection.py:16:30:16:60 | externally controlled string | path_injection.py:16:13:16:61 | normalized path | +| path_injection.py:16:56:16:59 | externally controlled string | path_injection.py:16:30:16:60 | externally controlled string | +| path_injection.py:24:12:24:23 | dict of externally controlled string | path_injection.py:24:12:24:39 | externally controlled string | +| path_injection.py:24:12:24:39 | externally controlled string | path_injection.py:25:56:25:59 | externally controlled string | +| path_injection.py:25:13:25:61 | normalized path | path_injection.py:26:8:26:12 | normalized path | +| path_injection.py:25:13:25:61 | normalized path | path_injection.py:28:14:28:18 | normalized path | +| path_injection.py:25:30:25:60 | externally controlled string | ../lib/os/path.py:4:14:4:14 | externally controlled string | +| path_injection.py:25:30:25:60 | externally controlled string | path_injection.py:25:13:25:61 | normalized path | +| path_injection.py:25:56:25:59 | externally controlled string | path_injection.py:25:30:25:60 | externally controlled string | +| path_injection.py:33:12:33:23 | dict of externally controlled string | path_injection.py:33:12:33:39 | externally controlled string | +| path_injection.py:33:12:33:39 | externally controlled string | path_injection.py:34:56:34:59 | externally controlled string | +| path_injection.py:34:13:34:61 | normalized path | path_injection.py:35:8:35:12 | normalized path | +| path_injection.py:34:30:34:60 | externally controlled string | ../lib/os/path.py:4:14:4:14 | externally controlled string | +| path_injection.py:34:30:34:60 | externally controlled string | path_injection.py:34:13:34:61 | normalized path | +| path_injection.py:34:56:34:59 | externally controlled string | path_injection.py:34:30:34:60 | externally controlled string | +parents +| ../lib/os/path.py:4:14:4:14 | externally controlled string | path_injection.py:16:30:16:60 | externally controlled string | +| ../lib/os/path.py:4:14:4:14 | externally controlled string | path_injection.py:25:30:25:60 | externally controlled string | +| ../lib/os/path.py:4:14:4:14 | externally controlled string | path_injection.py:34:30:34:60 | externally controlled string | +#select +| path_injection.py:10:14:10:44 | argument to open() | path_injection.py:9:12:9:23 | dict of externally controlled string | path_injection.py:10:14:10:44 | externally controlled string | This path depends on $@. | path_injection.py:9:12:9:23 | flask.request.args | a user-provided value | +| path_injection.py:17:14:17:18 | argument to open() | path_injection.py:15:12:15:23 | dict of externally controlled string | path_injection.py:17:14:17:18 | normalized path | This path depends on $@. | path_injection.py:15:12:15:23 | flask.request.args | a user-provided value | +| path_injection.py:28:14:28:18 | argument to open() | path_injection.py:24:12:24:23 | dict of externally controlled string | path_injection.py:28:14:28:18 | normalized path | This path depends on $@. | path_injection.py:24:12:24:23 | flask.request.args | a user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-078/CommandInjection.expected b/python/ql/test/query-tests/Security/CWE-078/CommandInjection.expected index e48b14ad0aad..8bdfeac00027 100644 --- a/python/ql/test/query-tests/Security/CWE-078/CommandInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-078/CommandInjection.expected @@ -1,3 +1,18 @@ -| command_injection.py:12:15:12:27 | shell command | This command depends on $@. | command_injection.py:10:13:10:24 | flask.request.args | a user-provided value | -| command_injection.py:19:22:19:34 | shell command | This command depends on $@. | command_injection.py:17:13:17:24 | flask.request.args | a user-provided value | -| command_injection.py:25:22:25:36 | OS command first argument | This command depends on $@. | command_injection.py:24:11:24:22 | flask.request.args | a user-provided value | +edges +| command_injection.py:10:13:10:24 | dict of externally controlled string | command_injection.py:10:13:10:41 | externally controlled string | +| command_injection.py:10:13:10:41 | externally controlled string | command_injection.py:12:23:12:27 | externally controlled string | +| command_injection.py:12:15:12:27 | externally controlled string | ../lib/os/__init__.py:1:12:1:14 | externally controlled string | +| command_injection.py:12:23:12:27 | externally controlled string | command_injection.py:12:15:12:27 | externally controlled string | +| command_injection.py:17:13:17:24 | dict of externally controlled string | command_injection.py:17:13:17:41 | externally controlled string | +| command_injection.py:17:13:17:41 | externally controlled string | command_injection.py:19:29:19:33 | externally controlled string | +| command_injection.py:19:29:19:33 | externally controlled string | command_injection.py:19:22:19:34 | sequence of externally controlled string | +| command_injection.py:24:11:24:22 | dict of externally controlled string | command_injection.py:24:11:24:37 | externally controlled string | +| command_injection.py:24:11:24:37 | externally controlled string | command_injection.py:25:23:25:25 | externally controlled string | +| command_injection.py:25:23:25:25 | externally controlled string | command_injection.py:25:22:25:36 | first item in sequence of externally controlled string | +| command_injection.py:25:23:25:25 | externally controlled string | command_injection.py:25:22:25:36 | sequence of externally controlled string | +parents +| ../lib/os/__init__.py:1:12:1:14 | externally controlled string | command_injection.py:12:15:12:27 | externally controlled string | +#select +| command_injection.py:12:15:12:27 | shell command | command_injection.py:10:13:10:24 | dict of externally controlled string | command_injection.py:12:15:12:27 | externally controlled string | This command depends on $@. | command_injection.py:10:13:10:24 | flask.request.args | a user-provided value | +| command_injection.py:19:22:19:34 | shell command | command_injection.py:17:13:17:24 | dict of externally controlled string | command_injection.py:19:22:19:34 | sequence of externally controlled string | This command depends on $@. | command_injection.py:17:13:17:24 | flask.request.args | a user-provided value | +| command_injection.py:25:22:25:36 | OS command first argument | command_injection.py:24:11:24:22 | dict of externally controlled string | command_injection.py:25:22:25:36 | first item in sequence of externally controlled string | This command depends on $@. | command_injection.py:24:11:24:22 | flask.request.args | a user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected b/python/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected index d9d226b62482..f53b054990a5 100644 --- a/python/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected +++ b/python/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected @@ -1 +1,13 @@ -| ../lib/flask/__init__.py:16:25:16:26 | flask.response.argument | Cross-site scripting vulnerability due to $@. | reflected_xss.py:7:18:7:29 | flask.request.args | user-provided value | +edges +| ../lib/flask/__init__.py:14:19:14:20 | externally controlled string | ../lib/flask/__init__.py:15:19:15:20 | externally controlled string | +| ../lib/flask/__init__.py:14:19:14:20 | externally controlled string | ../lib/flask/__init__.py:16:25:16:26 | externally controlled string | +| reflected_xss.py:7:18:7:29 | dict of externally controlled string | reflected_xss.py:7:18:7:45 | externally controlled string | +| reflected_xss.py:7:18:7:45 | externally controlled string | reflected_xss.py:8:44:8:53 | externally controlled string | +| reflected_xss.py:8:26:8:53 | externally controlled string | ../lib/flask/__init__.py:14:19:14:20 | externally controlled string | +| reflected_xss.py:8:44:8:53 | externally controlled string | reflected_xss.py:8:26:8:53 | externally controlled string | +| reflected_xss.py:12:18:12:29 | dict of externally controlled string | reflected_xss.py:12:18:12:45 | externally controlled string | +| reflected_xss.py:12:18:12:45 | externally controlled string | reflected_xss.py:13:51:13:60 | externally controlled string | +parents +| ../lib/flask/__init__.py:14:19:14:20 | externally controlled string | reflected_xss.py:8:26:8:53 | externally controlled string | +#select +| ../lib/flask/__init__.py:16:25:16:26 | flask.response.argument | reflected_xss.py:7:18:7:29 | dict of externally controlled string | ../lib/flask/__init__.py:16:25:16:26 | externally controlled string | Cross-site scripting vulnerability due to $@. | reflected_xss.py:7:18:7:29 | flask.request.args | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-089/SqlInjection.expected b/python/ql/test/query-tests/Security/CWE-089/SqlInjection.expected index 01a1f6f0b43f..1555b7cd7793 100644 --- a/python/ql/test/query-tests/Security/CWE-089/SqlInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-089/SqlInjection.expected @@ -1,4 +1,25 @@ -| sql_injection.py:19:13:19:66 | db.connection.execute | This SQL query depends on $@. | sql_injection.py:9:15:9:21 | Django request source | a user-provided value | -| sql_injection.py:22:38:22:91 | django.db.models.expressions.RawSQL(sink,...) | This SQL query depends on $@. | sql_injection.py:9:15:9:21 | Django request source | a user-provided value | -| sql_injection.py:23:26:23:79 | django.models.QuerySet.raw(sink,...) | This SQL query depends on $@. | sql_injection.py:9:15:9:21 | Django request source | a user-provided value | -| sql_injection.py:24:28:24:81 | django.models.QuerySet.extra(sink,...) | This SQL query depends on $@. | sql_injection.py:9:15:9:21 | Django request source | a user-provided value | +edges +| sql_injection.py:9:15:9:21 | django.request.HttpRequest | sql_injection.py:11:8:11:14 | django.request.HttpRequest | +| sql_injection.py:9:15:9:21 | django.request.HttpRequest | sql_injection.py:12:16:12:22 | django.request.HttpRequest | +| sql_injection.py:12:16:12:22 | django.request.HttpRequest | sql_injection.py:12:16:12:27 | django.http.request.QueryDict | +| sql_injection.py:12:16:12:27 | django.http.request.QueryDict | sql_injection.py:12:16:12:39 | externally controlled string | +| sql_injection.py:12:16:12:39 | externally controlled string | sql_injection.py:16:62:16:65 | externally controlled string | +| sql_injection.py:12:16:12:39 | externally controlled string | sql_injection.py:19:63:19:66 | externally controlled string | +| sql_injection.py:12:16:12:39 | externally controlled string | sql_injection.py:22:88:22:91 | externally controlled string | +| sql_injection.py:12:16:12:39 | externally controlled string | sql_injection.py:23:76:23:79 | externally controlled string | +| sql_injection.py:12:16:12:39 | externally controlled string | sql_injection.py:24:78:24:81 | externally controlled string | +| sql_injection.py:13:16:13:34 | django.db.connection.cursor | sql_injection.py:15:9:15:12 | django.db.connection.cursor | +| sql_injection.py:13:16:13:34 | django.db.connection.cursor | sql_injection.py:18:9:18:12 | django.db.connection.cursor | +| sql_injection.py:19:63:19:66 | externally controlled string | sql_injection.py:19:13:19:66 | externally controlled string | +| sql_injection.py:22:9:22:20 | django.db.models.Model.objects | sql_injection.py:22:9:22:93 | django.db.models.Model.objects | +| sql_injection.py:22:88:22:91 | externally controlled string | sql_injection.py:22:38:22:91 | externally controlled string | +| sql_injection.py:23:9:23:20 | django.db.models.Model.objects | sql_injection.py:23:9:23:80 | django.db.models.Model.objects | +| sql_injection.py:23:76:23:79 | externally controlled string | sql_injection.py:23:26:23:79 | externally controlled string | +| sql_injection.py:24:9:24:20 | django.db.models.Model.objects | sql_injection.py:24:9:24:82 | django.db.models.Model.objects | +| sql_injection.py:24:78:24:81 | externally controlled string | sql_injection.py:24:28:24:81 | externally controlled string | +parents +#select +| sql_injection.py:19:13:19:66 | db.connection.execute | sql_injection.py:9:15:9:21 | django.request.HttpRequest | sql_injection.py:19:13:19:66 | externally controlled string | This SQL query depends on $@. | sql_injection.py:9:15:9:21 | Django request source | a user-provided value | +| sql_injection.py:22:38:22:91 | django.db.models.expressions.RawSQL(sink,...) | sql_injection.py:9:15:9:21 | django.request.HttpRequest | sql_injection.py:22:38:22:91 | externally controlled string | This SQL query depends on $@. | sql_injection.py:9:15:9:21 | Django request source | a user-provided value | +| sql_injection.py:23:26:23:79 | django.models.QuerySet.raw(sink,...) | sql_injection.py:9:15:9:21 | django.request.HttpRequest | sql_injection.py:23:26:23:79 | externally controlled string | This SQL query depends on $@. | sql_injection.py:9:15:9:21 | Django request source | a user-provided value | +| sql_injection.py:24:28:24:81 | django.models.QuerySet.extra(sink,...) | sql_injection.py:9:15:9:21 | django.request.HttpRequest | sql_injection.py:24:28:24:81 | externally controlled string | This SQL query depends on $@. | sql_injection.py:9:15:9:21 | Django request source | a user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/python/ql/test/query-tests/Security/CWE-094/CodeInjection.expected index 02a6bc6255d8..8c621808c14d 100644 --- a/python/ql/test/query-tests/Security/CWE-094/CodeInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-094/CodeInjection.expected @@ -1 +1,12 @@ -| code_injection.py:7:14:7:44 | exec or eval | $@ flows to here and is interpreted as code. | code_injection.py:4:20:4:26 | Django request source | User-provided value | +edges +| code_injection.py:4:20:4:26 | django.request.HttpRequest | code_injection.py:5:8:5:14 | django.request.HttpRequest | +| code_injection.py:4:20:4:26 | django.request.HttpRequest | code_injection.py:6:22:6:28 | django.request.HttpRequest | +| code_injection.py:6:22:6:28 | django.request.HttpRequest | code_injection.py:6:22:6:33 | django.http.request.QueryDict | +| code_injection.py:6:22:6:33 | django.http.request.QueryDict | code_injection.py:6:22:6:55 | externally controlled string | +| code_injection.py:6:22:6:55 | externally controlled string | code_injection.py:7:34:7:43 | externally controlled string | +| code_injection.py:7:34:7:43 | externally controlled string | ../lib/base64.py:1:18:1:18 | externally controlled string | +| code_injection.py:7:34:7:43 | externally controlled string | code_injection.py:7:14:7:44 | externally controlled string | +parents +| ../lib/base64.py:1:18:1:18 | externally controlled string | code_injection.py:7:34:7:43 | externally controlled string | +#select +| code_injection.py:7:14:7:44 | exec or eval | code_injection.py:4:20:4:26 | django.request.HttpRequest | code_injection.py:7:14:7:44 | externally controlled string | $@ flows to here and is interpreted as code. | code_injection.py:4:20:4:26 | Django request source | User-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-209/StackTraceExposure.expected b/python/ql/test/query-tests/Security/CWE-209/StackTraceExposure.expected index 7c16a2d95f81..8a4074a332cb 100644 --- a/python/ql/test/query-tests/Security/CWE-209/StackTraceExposure.expected +++ b/python/ql/test/query-tests/Security/CWE-209/StackTraceExposure.expected @@ -1 +1,11 @@ -| test.py:16:16:16:37 | flask.routed.response | $@ may be exposed to an external user | test.py:16:16:16:37 | exception.info.source | Error information | +edges +| test.py:33:15:33:36 | exception info | test.py:34:29:34:31 | exception info | +| test.py:34:29:34:31 | exception info | test.py:36:18:36:20 | exception info | +| test.py:36:18:36:20 | exception info | test.py:37:25:37:27 | exception info | +| test.py:37:12:37:27 | exception info | test.py:34:16:34:32 | exception info | +| test.py:37:25:37:27 | exception info | test.py:37:12:37:27 | exception info | +parents +| test.py:36:18:36:20 | exception info | test.py:34:29:34:31 | exception info | +#select +| test.py:16:16:16:37 | flask.routed.response | test.py:16:16:16:37 | exception info | test.py:16:16:16:37 | exception info | $@ may be exposed to an external user | test.py:16:16:16:37 | exception.info.source | Error information | +| test.py:34:16:34:32 | flask.routed.response | test.py:33:15:33:36 | exception info | test.py:34:16:34:32 | exception info | $@ may be exposed to an external user | test.py:33:15:33:36 | exception.info.source | Error information | diff --git a/python/ql/test/query-tests/Security/CWE-209/test.py b/python/ql/test/query-tests/Security/CWE-209/test.py index 169dc091dddd..6e96cba15c57 100644 --- a/python/ql/test/query-tests/Security/CWE-209/test.py +++ b/python/ql/test/query-tests/Security/CWE-209/test.py @@ -23,3 +23,15 @@ def server_good(): except Exception as e: log(traceback.format_exc()) return "An internal error has occurred!" + +#BAD +@app.route('/bad/with-flow') +def server_bad_flow(): + try: + do_computation() + except Exception as e: + err = traceback.format_exc() + return format_error(err) + +def format_error(msg): + return "[ERROR] " + msg diff --git a/python/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.expected b/python/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.expected index a0d1a9f8b4e9..79dee42edb4e 100644 --- a/python/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.expected +++ b/python/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.expected @@ -1,3 +1,12 @@ -| test.py:12:18:12:24 | unpickling untrusted data | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input | -| test.py:13:15:13:21 | yaml.load vulnerability | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input | -| test.py:14:19:14:25 | unmarshaling vulnerability | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input | +edges +| test.py:11:15:11:26 | dict of externally controlled string | test.py:11:15:11:41 | externally controlled string | +| test.py:11:15:11:41 | externally controlled string | test.py:12:18:12:24 | externally controlled string | +| test.py:11:15:11:41 | externally controlled string | test.py:13:15:13:21 | externally controlled string | +| test.py:11:15:11:41 | externally controlled string | test.py:14:19:14:25 | externally controlled string | +| test.py:13:15:13:21 | externally controlled string | ../lib/yaml.py:1:10:1:10 | externally controlled string | +parents +| ../lib/yaml.py:1:10:1:10 | externally controlled string | test.py:13:15:13:21 | externally controlled string | +#select +| test.py:12:18:12:24 | unpickling untrusted data | test.py:11:15:11:26 | dict of externally controlled string | test.py:12:18:12:24 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input | +| test.py:13:15:13:21 | yaml.load vulnerability | test.py:11:15:11:26 | dict of externally controlled string | test.py:13:15:13:21 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input | +| test.py:14:19:14:25 | unmarshaling vulnerability | test.py:11:15:11:26 | dict of externally controlled string | test.py:14:19:14:25 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input | diff --git a/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected b/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected index a62664e2918c..5de71ec5ee56 100644 --- a/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected +++ b/python/ql/test/query-tests/Security/CWE-601/UrlRedirect.expected @@ -1 +1,10 @@ -| test.py:8:21:8:26 | flask.redirect | Untrusted URL redirection due to $@. | test.py:7:22:7:33 | flask.request.args | a user-provided value | +edges +| test.py:7:22:7:33 | dict of externally controlled string | test.py:7:22:7:51 | externally controlled string | +| test.py:7:22:7:51 | externally controlled string | test.py:8:21:8:26 | externally controlled string | +| test.py:8:21:8:26 | externally controlled string | ../lib/flask/__init__.py:11:14:11:21 | externally controlled string | +| test.py:15:17:15:28 | dict of externally controlled string | test.py:15:17:15:42 | externally controlled string | +| test.py:15:17:15:42 | externally controlled string | test.py:17:13:17:21 | externally controlled string | +parents +| ../lib/flask/__init__.py:11:14:11:21 | externally controlled string | test.py:8:21:8:26 | externally controlled string | +#select +| test.py:8:21:8:26 | flask.redirect | test.py:7:22:7:33 | dict of externally controlled string | test.py:8:21:8:26 | externally controlled string | Untrusted URL redirection due to $@. | test.py:7:22:7:33 | flask.request.args | a user-provided value | diff --git a/python/ql/test/query-tests/Security/lib/base64.py b/python/ql/test/query-tests/Security/lib/base64.py new file mode 100644 index 000000000000..a2b97ca63acc --- /dev/null +++ b/python/ql/test/query-tests/Security/lib/base64.py @@ -0,0 +1,2 @@ +def decodestring(s): + return None diff --git a/python/ql/test/query-tests/Security/lib/marshall.py b/python/ql/test/query-tests/Security/lib/marshall.py new file mode 100644 index 000000000000..410fa21087e5 --- /dev/null +++ b/python/ql/test/query-tests/Security/lib/marshall.py @@ -0,0 +1,2 @@ +def loads(*args, **kwargs): + return None diff --git a/python/ql/test/query-tests/Security/lib/os/__init__.py b/python/ql/test/query-tests/Security/lib/os/__init__.py new file mode 100644 index 000000000000..84286e873b58 --- /dev/null +++ b/python/ql/test/query-tests/Security/lib/os/__init__.py @@ -0,0 +1,2 @@ +def system(cmd, *args, **kwargs): + return None \ No newline at end of file diff --git a/python/ql/test/query-tests/Security/lib/os/path.py b/python/ql/test/query-tests/Security/lib/os/path.py new file mode 100644 index 000000000000..d54092e80b0d --- /dev/null +++ b/python/ql/test/query-tests/Security/lib/os/path.py @@ -0,0 +1,5 @@ +def join(a, *b): + return a + "/" + "/".join(b) + +def normpath(x): + return x diff --git a/python/ql/test/query-tests/Security/lib/pickle.py b/python/ql/test/query-tests/Security/lib/pickle.py new file mode 100644 index 000000000000..410fa21087e5 --- /dev/null +++ b/python/ql/test/query-tests/Security/lib/pickle.py @@ -0,0 +1,2 @@ +def loads(*args, **kwargs): + return None diff --git a/python/ql/test/query-tests/Security/lib/subprocess.py b/python/ql/test/query-tests/Security/lib/subprocess.py new file mode 100644 index 000000000000..efb2ba183f09 --- /dev/null +++ b/python/ql/test/query-tests/Security/lib/subprocess.py @@ -0,0 +1,2 @@ +def Popen(*args, **kwargs): + return None \ No newline at end of file diff --git a/python/ql/test/query-tests/Security/lib/traceback.py b/python/ql/test/query-tests/Security/lib/traceback.py new file mode 100644 index 000000000000..2a7c5e58847a --- /dev/null +++ b/python/ql/test/query-tests/Security/lib/traceback.py @@ -0,0 +1,2 @@ +def format_exc(): + return None \ No newline at end of file