Skip to content

Commit 0c3bce1

Browse files
yoffyoff
committed
python: deprecation
I am slightly concerned that the test now generates many more intermediate results. I suppose that maes the analysis heavy. Should the new library get a new name instead, so the old code does not get evaluated?
1 parent 9aa4c4a commit 0c3bce1

3 files changed

Lines changed: 284 additions & 5 deletions

File tree

python/ql/lib/semmle/python/security/dataflow/ChainedConfigs12.qll

Lines changed: 15 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -30,9 +30,11 @@ private newtype TCustomPathNode =
3030
CrossoverNode(DataFlow::Node node) { crossoverNode(node) }
3131

3232
/**
33+
* DEPRECATED: Use flow state instead
34+
*
3335
* A class representing the set of all the path nodes in either config.
3436
*/
35-
class CustomPathNode extends TCustomPathNode {
37+
deprecated class CustomPathNode extends TCustomPathNode {
3638
/** Gets the PathNode if it is in Config1. */
3739
DataFlow::PathNode asNode1() {
3840
this = Config1Node(result) or this = CrossoverNode(result.getNode())
@@ -66,17 +68,25 @@ class CustomPathNode extends TCustomPathNode {
6668
}
6769
}
6870

69-
/** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
70-
query predicate edges(CustomPathNode a, CustomPathNode b) {
71+
/**
72+
* DEPRECATED: Use flow state instead
73+
*
74+
* Holds if `(a,b)` is an edge in the graph of data flow path explanations.
75+
*/
76+
deprecated query predicate edges(CustomPathNode a, CustomPathNode b) {
7177
// Edge is in Config1 graph
7278
DataFlow::PathGraph::edges(a.asNode1(), b.asNode1())
7379
or
7480
// Edge is in Config2 graph
7581
DataFlow2::PathGraph::edges(a.asNode2(), b.asNode2())
7682
}
7783

78-
/** Holds if `n` is a node in the graph of data flow path explanations. */
79-
query predicate nodes(CustomPathNode n, string key, string val) {
84+
/**
85+
* DEPRECATED: Use flow state instead
86+
*
87+
* Holds if `n` is a node in the graph of data flow path explanations.
88+
*/
89+
deprecated query predicate nodes(CustomPathNode n, string key, string val) {
8090
// Node is in Config1 graph
8191
DataFlow::PathGraph::nodes(n.asNode1(), key, val)
8292
or

python/ql/lib/semmle/python/security/dataflow/PathInjection.qll

Lines changed: 120 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -80,3 +80,123 @@ module PathInjection {
8080
NormalizedUnchecked() { this = "NormalizedUnchecked" }
8181
}
8282
}
83+
84+
// ---------------------------------------------------------------------------
85+
// Old, deprecated code
86+
// ---------------------------------------------------------------------------
87+
private import semmle.python.dataflow.new.DataFlow2
88+
private import semmle.python.dataflow.new.TaintTracking2
89+
private import ChainedConfigs12
90+
import PathInjectionCustomizations::PathInjection
91+
92+
// ---------------------------------------------------------------------------
93+
// Case 1. The path is never normalized.
94+
// ---------------------------------------------------------------------------
95+
/**
96+
* DEPRECATED: Use `PathInjection::Configuration` instead
97+
*
98+
* Configuration to find paths from sources to sinks that contain no normalization.
99+
*/
100+
deprecated class PathNotNormalizedConfiguration extends TaintTracking::Configuration {
101+
PathNotNormalizedConfiguration() { this = "PathNotNormalizedConfiguration" }
102+
103+
override predicate isSource(DataFlow::Node source) { source instanceof Source }
104+
105+
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
106+
107+
override predicate isSanitizer(DataFlow::Node node) {
108+
node instanceof Sanitizer
109+
or
110+
node instanceof Path::PathNormalization
111+
}
112+
113+
override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
114+
guard instanceof SanitizerGuard
115+
}
116+
}
117+
118+
/**
119+
* DEPRECATED: Use `PathInjection::Configuration` instead
120+
*
121+
* Holds if there is a path injection from source to sink, where the (python) path is
122+
* not normalized.
123+
*/
124+
deprecated predicate pathNotNormalized(CustomPathNode source, CustomPathNode sink) {
125+
any(PathNotNormalizedConfiguration config).hasFlowPath(source.asNode1(), sink.asNode1())
126+
}
127+
128+
// ---------------------------------------------------------------------------
129+
// Case 2. The path is normalized at least once, but never checked afterwards.
130+
// ---------------------------------------------------------------------------
131+
/**
132+
* DEPRECATED: Use `PathInjection::Configuration` instead
133+
*
134+
* Configuration to find paths from sources to normalizations that contain no prior normalizations.
135+
*/
136+
deprecated class FirstNormalizationConfiguration extends TaintTracking::Configuration {
137+
FirstNormalizationConfiguration() { this = "FirstNormalizationConfiguration" }
138+
139+
override predicate isSource(DataFlow::Node source) { source instanceof Source }
140+
141+
override predicate isSink(DataFlow::Node sink) { sink instanceof Path::PathNormalization }
142+
143+
override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
144+
145+
override predicate isSanitizerOut(DataFlow::Node node) { node instanceof Path::PathNormalization }
146+
147+
override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
148+
guard instanceof SanitizerGuard
149+
}
150+
}
151+
152+
/**
153+
* DEPRECATED: Use `PathInjection::Configuration` instead
154+
*
155+
* Configuration to find paths from normalizations to sinks that do not go through a check.
156+
*/
157+
deprecated class NormalizedPathNotCheckedConfiguration extends TaintTracking2::Configuration {
158+
NormalizedPathNotCheckedConfiguration() { this = "NormalizedPathNotCheckedConfiguration" }
159+
160+
override predicate isSource(DataFlow::Node source) { source instanceof Path::PathNormalization }
161+
162+
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
163+
164+
override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
165+
166+
override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
167+
guard instanceof Path::SafeAccessCheck
168+
or
169+
guard instanceof SanitizerGuard
170+
}
171+
}
172+
173+
/**
174+
* DEPRECATED: Use `PathInjection::Configuration` instead
175+
*
176+
* Holds if there is a path injection from source to sink, where the (python) path is
177+
* normalized at least once, but never checked afterwards.
178+
*/
179+
deprecated predicate pathNotCheckedAfterNormalization(CustomPathNode source, CustomPathNode sink) {
180+
exists(
181+
FirstNormalizationConfiguration config, DataFlow::PathNode mid1, DataFlow2::PathNode mid2,
182+
NormalizedPathNotCheckedConfiguration config2
183+
|
184+
config.hasFlowPath(source.asNode1(), mid1) and
185+
config2.hasFlowPath(mid2, sink.asNode2()) and
186+
mid1.getNode().asCfgNode() = mid2.getNode().asCfgNode()
187+
)
188+
}
189+
190+
// ---------------------------------------------------------------------------
191+
// Query: Either case 1 or case 2.
192+
// ---------------------------------------------------------------------------
193+
/**
194+
* DEPRECATED: Use `PathInjection::Configuration` instead
195+
*
196+
* Holds if there is a path injection from source to sink
197+
*/
198+
deprecated predicate pathInjection(CustomPathNode source, CustomPathNode sink) {
199+
pathNotNormalized(source, sink)
200+
or
201+
pathNotCheckedAfterNormalization(source, sink)
202+
}

0 commit comments

Comments
 (0)