Skip to content

Commit a0d2674

Browse files
RasmusWLRasmusWL
committed
Python: Move experimental TarSlipImprov to new dataflow API
1 parent 3cdd875 commit a0d2674

2 files changed

Lines changed: 13 additions & 10 deletions

File tree

python/ql/src/experimental/Security/CWE-022bis/TarSlipImprov.ql

Lines changed: 10 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,7 @@
1616
import python
1717
import semmle.python.dataflow.new.DataFlow
1818
import semmle.python.dataflow.new.TaintTracking
19-
import DataFlow::PathGraph
19+
import TarSlipImprovFlow::PathGraph
2020
import semmle.python.ApiGraphs
2121
import semmle.python.dataflow.new.internal.Attributes
2222
import semmle.python.dataflow.new.BarrierGuards
@@ -54,12 +54,10 @@ class AllTarfileOpens extends API::CallNode {
5454
/**
5555
* A taint-tracking configuration for detecting more "TarSlip" vulnerabilities.
5656
*/
57-
class Configuration extends TaintTracking::Configuration {
58-
Configuration() { this = "TarSlip" }
57+
private module TarSlipImprovConfig implements DataFlow::ConfigSig {
58+
predicate isSource(DataFlow::Node source) { source = tarfileOpen().getACall() }
5959

60-
override predicate isSource(DataFlow::Node source) { source = tarfileOpen().getACall() }
61-
62-
override predicate isSink(DataFlow::Node sink) {
60+
predicate isSink(DataFlow::Node sink) {
6361
(
6462
// A sink capturing method calls to `extractall` without `members` argument.
6563
// For a call to `file.extractall` without `members` argument, `file` is considered a sink.
@@ -100,7 +98,7 @@ class Configuration extends TaintTracking::Configuration {
10098
not sink.getScope().getLocation().getFile().inStdlib()
10199
}
102100

103-
override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
101+
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
104102
nodeTo.(MethodCallNode).calls(nodeFrom, "getmembers") and
105103
nodeFrom instanceof AllTarfileOpens
106104
or
@@ -113,7 +111,10 @@ class Configuration extends TaintTracking::Configuration {
113111
}
114112
}
115113

116-
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
117-
where config.hasFlowPath(source, sink)
114+
/** Global taint-tracking for detecting more "TarSlip" vulnerabilities. */
115+
module TarSlipImprovFlow = TaintTracking::Global<TarSlipImprovConfig>;
116+
117+
from TarSlipImprovFlow::PathNode source, TarSlipImprovFlow::PathNode sink
118+
where TarSlipImprovFlow::flowPath(source, sink)
118119
select sink, source, sink, "Extraction of tarfile from $@ to a potentially untrusted source $@.",
119120
source.getNode(), source.getNode().toString(), sink.getNode(), sink.getNode().toString()

python/ql/test/experimental/query-tests/Security/CWE-022-TarSlip/TarSlip.expected

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -33,7 +33,8 @@ edges
3333
| TarSlipImprov.py:141:34:141:36 | GSSA Variable tar | TarSlipImprov.py:142:9:142:13 | GSSA Variable entry |
3434
| TarSlipImprov.py:142:9:142:13 | GSSA Variable entry | TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry |
3535
| TarSlipImprov.py:159:9:159:14 | SSA variable tar_cm | TarSlipImprov.py:162:20:162:23 | SSA variable tarc |
36-
| TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:159:9:159:14 | SSA variable tar_cm |
36+
| TarSlipImprov.py:159:18:159:52 | ControlFlowNode for closing() | TarSlipImprov.py:159:9:159:14 | SSA variable tar_cm |
37+
| TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:159:18:159:52 | ControlFlowNode for closing() |
3738
| TarSlipImprov.py:162:20:162:23 | SSA variable tarc | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc |
3839
| TarSlipImprov.py:176:6:176:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:176:36:176:38 | GSSA Variable tar |
3940
| TarSlipImprov.py:176:36:176:38 | GSSA Variable tar | TarSlipImprov.py:177:9:177:13 | GSSA Variable entry |
@@ -122,6 +123,7 @@ nodes
122123
| TarSlipImprov.py:142:9:142:13 | GSSA Variable entry | semmle.label | GSSA Variable entry |
123124
| TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry |
124125
| TarSlipImprov.py:159:9:159:14 | SSA variable tar_cm | semmle.label | SSA variable tar_cm |
126+
| TarSlipImprov.py:159:18:159:52 | ControlFlowNode for closing() | semmle.label | ControlFlowNode for closing() |
125127
| TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
126128
| TarSlipImprov.py:162:20:162:23 | SSA variable tarc | semmle.label | SSA variable tarc |
127129
| TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | semmle.label | ControlFlowNode for tarc |

0 commit comments

Comments
 (0)