Python path queries#516
Conversation
| * @kind problem | ||
| * @problem.severity error | ||
| * @precision medium | ||
| * @precision high |
There was a problem hiding this comment.
This is going to change the behaviour of this query on LGTM. Please add a change note.
| * @name Uncontrolled data used in path expression | ||
| * @description Accessing paths influenced by users can allow an attacker to access unexpected resources. | ||
| * @kind problem | ||
| * @kind path-problem |
There was a problem hiding this comment.
We should probably have a change note about the conversion of some queries to path queries.
4bf5c7c to
c01db23
Compare
taus-semmle
left a comment
There was a problem hiding this comment.
Generally LGTM. I have a few comments/questions, but nothing that must be addressed before merging.
| | command_injection.py:12:15:12:27 | shell command | command_injection.py:10:13:10:24 | Taint {externally controlled string} at command_injection.py:10 | command_injection.py:12:15:12:27 | Taint externally controlled string at command_injection.py:12 | This command depends on $@. | command_injection.py:10:13:10:24 | flask.request.args | a user-provided value | | ||
| | command_injection.py:19:22:19:34 | shell command | command_injection.py:17:13:17:24 | Taint {externally controlled string} at command_injection.py:17 | command_injection.py:19:22:19:34 | Taint [externally controlled string] at command_injection.py:19 | This command depends on $@. | command_injection.py:17:13:17:24 | flask.request.args | a user-provided value | | ||
| | command_injection.py:25:22:25:36 | OS command first argument | command_injection.py:24:11:24:22 | Taint {externally controlled string} at command_injection.py:24 | command_injection.py:25:22:25:36 | Taint [externally controlled string] at command_injection.py:25 | This command depends on $@. | command_injection.py:24:11:24:22 | flask.request.args | a user-provided value | | ||
| | command_injection.py:25:22:25:36 | OS command first argument | command_injection.py:24:11:24:22 | Taint {externally controlled string} at command_injection.py:24 | command_injection.py:25:22:25:36 | Taint sequence[externally controlled string][0] at command_injection.py:25 | This command depends on $@. | command_injection.py:24:11:24:22 | flask.request.args | a user-provided value | |
There was a problem hiding this comment.
I wonder why this final result was duplicated.
There was a problem hiding this comment.
Ah, I see the difference. One has [0] appended to the taint.
|
|
||
| select sink, "This path depends on $@.", src, "a user-provided value" | ||
| from TaintedNode srcnode, TaintedNode sinknode, TaintSource src, TaintSink sink | ||
| where src.flowsToSink(sink) and srcnode.getNode() = src and sinknode.getNode() = sink |
There was a problem hiding this comment.
I feel like the srcnode.getNode() = src and sinknode.getNode() = sink construction is a bit clunky. Could we make this into a method (.getSource()) on TaintedNodes, etc. and then simply use srcnode.getSource() in the select statement?
There was a problem hiding this comment.
That makes sense. I've changed the general form from
from TaintedNode srcnode, TaintedNode sinknode, TaintSource src, TaintSink sink
where src.flowsToSink(sink) and srcnode.getNode() = src and sinknode.getNode() = sink
select sink, srcnode, sinknode, ..., src, ...
to
from TaintedPathSource src, TaintedPathSink sink
where src.flowsTo(sink)
select sink.getSink(), src, sink,..., src.getSource(), ...
…e queries and tests accordingly.
6ca032d to
61bd868
Compare
| child = first_child(parent) or | ||
| exists(TaintedNode prev | | ||
| parents(prev, parent) and | ||
| child = next_sibling(child) |
There was a problem hiding this comment.
Post-merge drive-by comment: This looks wrong.
…review-workflow Actions: Remove docs-review workflow
No description provided.