Rasmus Lerchedahl Petersen 2023-09-28 13:35:29 +02:00
Родитель eb1be08bce
Коммит 2a7b593285
2 изменённых файлов: 24 добавлений и 22 удалений


@ -7,7 +7,7 @@ private import semmle.python.dataflow.new.DataFlow
private import semmle.python.Concepts private import semmle.python.Concepts
private import semmle.python.ApiGraphs private import semmle.python.ApiGraphs
module BSon { private module BSon {
/** /**
* ObjectId returns a string representing an id. * ObjectId returns a string representing an id.
* If at any time ObjectId can't parse it's input (like when a tainted dict in passed in), * If at any time ObjectId can't parse it's input (like when a tainted dict in passed in),
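Review bot: The module is made private in this hunk but still carries no QLDoc of its own above `private module BSon {`; a one-line QLDoc stating what the module models would help readers, since private modules in this file otherwise go undocumented. The class QLDoc directly below it also reads "it's input" and "in passed in", which should be `its input` and `is passed in`. The module body continues outside the hunk.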


@ -144,7 +144,7 @@ private module PyMongo {
private class MongoMapReduceQuery extends API::CallNode, NoSqlExecution::Range { private class MongoMapReduceQuery extends API::CallNode, NoSqlExecution::Range {
MongoMapReduceQuery() { this = mongoCollection().getMember("map_reduce").getACall() } MongoMapReduceQuery() { this = mongoCollection().getMember("map_reduce").getACall() }
override DataFlow::Node getQuery() { result in [this.getArgByName("query")] } override DataFlow::Node getQuery() { result = this.getArgByName("query") }
override predicate interpretsDict() { any() } override predicate interpretsDict() { any() }
@ -178,19 +178,20 @@ private module PyMongo {
* See https://www.mongodb.com/docs/manual/reference/operator/aggregation/function/#mongodb-expression-exp.-function * See https://www.mongodb.com/docs/manual/reference/operator/aggregation/function/#mongodb-expression-exp.-function
*/ */
private class FunctionQueryOperator extends DataFlow::Node, Decoding::Range { private class FunctionQueryOperator extends DataFlow::Node, Decoding::Range {
API::Node dictionary;
DataFlow::Node query; DataFlow::Node query;
FunctionQueryOperator() { FunctionQueryOperator() {
dictionary = exists(API::Node dictionary |
mongoCollection() dictionary =
.getMember(mongoCollectionMethodName()) mongoCollection()
.getACall() .getMember(mongoCollectionMethodName())
.getParameter(0) .getACall()
.getASubscript*() .getParameter(0)
.getSubscript("$function") and .getASubscript*()
query = dictionary.getSubscript("body").asSink() and .getSubscript("$function") and
this = dictionary.asSink() query = dictionary.getSubscript("body").asSink() and
this = dictionary.asSink()
)
} }
override DataFlow::Node getAnInput() { result = query } override DataFlow::Node getAnInput() { result = query }
@ -208,19 +209,20 @@ private module PyMongo {
* See https://www.mongodb.com/docs/manual/reference/operator/aggregation/accumulator/#mongodb-group-grp.-accumulator * See https://www.mongodb.com/docs/manual/reference/operator/aggregation/accumulator/#mongodb-group-grp.-accumulator
*/ */
private class AccumulatorQueryOperator extends DataFlow::Node, Decoding::Range { private class AccumulatorQueryOperator extends DataFlow::Node, Decoding::Range {
API::Node dictionary;
DataFlow::Node query; DataFlow::Node query;
AccumulatorQueryOperator() { AccumulatorQueryOperator() {
dictionary = exists(API::Node dictionary |
mongoCollection() dictionary =
.getMember("aggregate") mongoCollection()
.getACall() .getMember("aggregate")
.getParameter(0) .getACall()
.getASubscript*() .getParameter(0)
.getSubscript("$accumulator") and .getASubscript*()
query = dictionary.getSubscript(["init", "accumulate", "merge", "finalize"]).asSink() and .getSubscript("$accumulator") and
this = dictionary.asSink() query = dictionary.getSubscript(["init", "accumulate", "merge", "finalize"]).asSink() and
this = dictionary.asSink()
)
} }
override DataFlow::Node getAnInput() { result = query } override DataFlow::Node getAnInput() { result = query }
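Review bot: The two constructors rewritten in the `@ -178` and `@ -208` hunks are now line-for-line duplicates apart from the collection method name and the `$function`/`$accumulator` key, so the `getMember(...).getACall().getParameter(0).getASubscript*().getSubscript(...)` chain would be better factored into one private predicate that both `exists` bodies call. That also gives the chain a single QLDoc explaining that it matches the operator dictionary at any nesting depth inside the first argument, which is currently stated nowhere. The `result in [...]` to `result = ...` simplification in the `@ -144` hunk needs no change. Both classes continue outside their hunks, so their remaining members are not visible here.
```ql
  /**
   * Gets the API node for the `operator` sub-dictionary found at any nesting depth
   * inside the first argument of a call to the `methodName` method of a collection.
   */
  private API::Node queryOperatorDict(string methodName, string operator) {
    result =
      mongoCollection()
          .getMember(methodName)
          .getACall()
          .getParameter(0)
          .getASubscript*()
          .getSubscript(operator)
  }

  // … unchanged: QLDoc and `query` field of FunctionQueryOperator …
    FunctionQueryOperator() {
      exists(API::Node dictionary |
        dictionary = queryOperatorDict(mongoCollectionMethodName(), "$function") and
        query = dictionary.getSubscript("body").asSink() and
        this = dictionary.asSink()
      )
    }

  // … unchanged: remaining members of FunctionQueryOperator, QLDoc and `query` field of AccumulatorQueryOperator …
    AccumulatorQueryOperator() {
      exists(API::Node dictionary |
        dictionary = queryOperatorDict("aggregate", "$accumulator") and
        query = dictionary.getSubscript(["init", "accumulate", "merge", "finalize"]).asSink() and
        this = dictionary.asSink()
      )
    }
```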