Python: Avoid cross-talk between unrelated sources in py/stack-trace-exposure query.

This commit is contained in:
Mark Shannon 2019-03-05 16:34:52 +00:00
Родитель b3d935063f
Коммит 38a5fb715a
3 изменённых файлов: 14 добавлений и 5 удалений


@ -19,5 +19,5 @@ import semmle.python.security.Exceptions
import semmle.python.web.HttpResponse
from TaintedPathSource src, TaintedPathSink sink
where src.flowsTo(sink)
where src.flowsTo(sink) and src.getSource() instanceof ErrorInfoSource
select sink.getSink(), src, sink, "$@ may be exposed to an external user", src.getSource(), "Error information"
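Review bot: The new restriction `src.getSource() instanceof ErrorInfoSource` sits in the query's `where` clause rather than in the source class it narrows, so any other query built on `TaintedPathSource` (its definition is not in the hunk) would still see the unrelated sources this commit filters out. If `TaintedPathSource` is specific to this query, moving the `instanceof ErrorInfoSource` test into its characteristic predicate keeps the source set and the query in agreement in one place; if it is shared, the filter belongs here but deserves a comment. A line above the `where` such as `// Report only flows whose source is error information (exceptions, traceback output), not arbitrary tainted strings` would record why the extra conjunct exists.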


@ -31,6 +31,10 @@ class ExceptionInfo extends StringKind {
}
/** A class representing sources of information about
* execution state exposed in tracebacks and the like.
*/
abstract class ErrorInfoSource extends TaintSource {}
/**
* This kind represents exceptions themselves.
@ -56,7 +60,7 @@ class ExceptionKind extends TaintKind {
* A source of exception objects, either explicitly created, or captured by an
* `except` statement.
*/
class ExceptionSource extends TaintSource {
class ExceptionSource extends ErrorInfoSource {
ExceptionSource() {
exists(ClassObject cls |
@ -91,7 +95,7 @@ class ExceptionInfoSequence extends SequenceKind {
* Represents calls to functions in the `traceback` module that return
* sequences of exception information.
*/
class CallToTracebackFunction extends TaintSource {
class CallToTracebackFunction extends ErrorInfoSource {
CallToTracebackFunction() {
exists(string name |
@ -120,7 +124,7 @@ class CallToTracebackFunction extends TaintSource {
* Represents calls to functions in the `traceback` module that return a single
* string of information about an exception.
*/
class FormattedTracebackSource extends TaintSource {
class FormattedTracebackSource extends ErrorInfoSource {
FormattedTracebackSource() {
this = traceback_function("format_exc").getACall()
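Review bot: `ErrorInfoSource` is declared with an empty body and a QLDoc describing what it models, but nothing states that it is the marker class the exposure query filters on; a future source of exception or traceback data written as a plain `TaintSource` would compile cleanly and silently vanish from the results. Extend the QLDoc in the first hunk with a sentence such as `Queries that report exposure of error information select only sources extending this class, so every new source of exception or traceback data must extend it rather than TaintSource directly.` The three subclass changes in the later hunks follow from this and look correct; the characteristic predicates of those classes continue past the hunks, so their bodies were not reviewed here.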


@ -1,4 +1,4 @@
from flask import Flask
from flask import Flask, request, make_response
app = Flask(__name__)
@ -35,3 +35,8 @@ def server_bad_flow():
def format_error(msg):
return "[ERROR] " + msg
#Unrelated error
@app.route('/maybe_xss')
def maybe_xss():
return make_response(request.args.get('name', ''))
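Review bot: The comment `#Unrelated error` above the new `/maybe_xss` route does not say what the fixture is checking: the route reflects `request.args.get('name', '')` into a response, a tainted-string flow whose source is not error information and which, given the commit's intent, the stack-trace-exposure query must now leave unreported. Replace it with `# Negative test: user-controlled input reflected into the response is not error information and must not be reported by py/stack-trace-exposure`. The hunk header announces five added lines but only four are visible in this rendering, so a line (probably blank) appears to have been dropped; worth confirming against the raw diff.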