Python: Don't record taint past sinks.

This commit is contained in:
Mark Shannon 2019-06-18 16:34:23 +01:00
Родитель 83ec5f1ae9
Коммит 918bdecba5
4 изменённых файлов: 5 добавлений и 11 удалений

Просмотреть файл

@ -3,16 +3,18 @@ import python
import semmle.python.security.TaintTracking import semmle.python.security.TaintTracking
query predicate edges(TaintedNode fromnode, TaintedNode tonode) { query predicate edges(TaintedNode fromnode, TaintedNode tonode) {
fromnode.getASuccessor() = tonode fromnode.getASuccessor() = tonode and
/* Don't record flow past sinks */
not fromnode.isVulnerableSink()
} }
private TaintedNode first_child(TaintedNode parent) { private TaintedNode first_child(TaintedNode parent) {
result.getContext().getCaller() = parent.getContext() and result.getContext().getCaller() = parent.getContext() and
parent.getASuccessor() = result edges(parent, result)
} }
private TaintedNode next_sibling(TaintedNode child) { private TaintedNode next_sibling(TaintedNode child) {
child.getASuccessor() = result and edges(child, result) and
child.getContext() = result.getContext() child.getContext() = result.getContext()
} }

Просмотреть файл

@ -1,7 +1,6 @@
edges edges
| command_injection.py:10:13:10:24 | dict of externally controlled string | command_injection.py:10:13:10:41 | externally controlled string | | command_injection.py:10:13:10:24 | dict of externally controlled string | command_injection.py:10:13:10:41 | externally controlled string |
| command_injection.py:10:13:10:41 | externally controlled string | command_injection.py:12:23:12:27 | externally controlled string | | command_injection.py:10:13:10:41 | externally controlled string | command_injection.py:12:23:12:27 | externally controlled string |
| command_injection.py:12:15:12:27 | externally controlled string | ../lib/os/__init__.py:1:12:1:14 | externally controlled string |
| command_injection.py:12:23:12:27 | externally controlled string | command_injection.py:12:15:12:27 | externally controlled string | | command_injection.py:12:23:12:27 | externally controlled string | command_injection.py:12:15:12:27 | externally controlled string |
| command_injection.py:17:13:17:24 | dict of externally controlled string | command_injection.py:17:13:17:41 | externally controlled string | | command_injection.py:17:13:17:24 | dict of externally controlled string | command_injection.py:17:13:17:41 | externally controlled string |
| command_injection.py:17:13:17:41 | externally controlled string | command_injection.py:19:29:19:33 | externally controlled string | | command_injection.py:17:13:17:41 | externally controlled string | command_injection.py:19:29:19:33 | externally controlled string |
@ -12,11 +11,8 @@ edges
| command_injection.py:25:23:25:25 | externally controlled string | command_injection.py:25:22:25:36 | sequence of externally controlled string | | command_injection.py:25:23:25:25 | externally controlled string | command_injection.py:25:22:25:36 | sequence of externally controlled string |
| command_injection.py:30:13:30:24 | dict of externally controlled string | command_injection.py:30:13:30:41 | externally controlled string | | command_injection.py:30:13:30:24 | dict of externally controlled string | command_injection.py:30:13:30:41 | externally controlled string |
| command_injection.py:30:13:30:41 | externally controlled string | command_injection.py:32:22:32:26 | externally controlled string | | command_injection.py:30:13:30:41 | externally controlled string | command_injection.py:32:22:32:26 | externally controlled string |
| command_injection.py:32:14:32:26 | externally controlled string | ../lib/os/__init__.py:4:11:4:13 | externally controlled string |
| command_injection.py:32:22:32:26 | externally controlled string | command_injection.py:32:14:32:26 | externally controlled string | | command_injection.py:32:22:32:26 | externally controlled string | command_injection.py:32:14:32:26 | externally controlled string |
parents parents
| ../lib/os/__init__.py:1:12:1:14 | externally controlled string | command_injection.py:12:15:12:27 | externally controlled string |
| ../lib/os/__init__.py:4:11:4:13 | externally controlled string | command_injection.py:32:14:32:26 | externally controlled string |
#select #select
| command_injection.py:12:15:12:27 | shell command | command_injection.py:10:13:10:24 | dict of externally controlled string | command_injection.py:12:15:12:27 | externally controlled string | This command depends on $@. | command_injection.py:10:13:10:24 | flask.request.args | a user-provided value | | command_injection.py:12:15:12:27 | shell command | command_injection.py:10:13:10:24 | dict of externally controlled string | command_injection.py:12:15:12:27 | externally controlled string | This command depends on $@. | command_injection.py:10:13:10:24 | flask.request.args | a user-provided value |
| command_injection.py:19:22:19:34 | shell command | command_injection.py:17:13:17:24 | dict of externally controlled string | command_injection.py:19:22:19:34 | sequence of externally controlled string | This command depends on $@. | command_injection.py:17:13:17:24 | flask.request.args | a user-provided value | | command_injection.py:19:22:19:34 | shell command | command_injection.py:17:13:17:24 | dict of externally controlled string | command_injection.py:19:22:19:34 | sequence of externally controlled string | This command depends on $@. | command_injection.py:17:13:17:24 | flask.request.args | a user-provided value |

Просмотреть файл

@ -4,9 +4,7 @@ edges
| test.py:11:15:11:41 | externally controlled string | test.py:13:15:13:21 | externally controlled string | | test.py:11:15:11:41 | externally controlled string | test.py:13:15:13:21 | externally controlled string |
| test.py:11:15:11:41 | externally controlled string | test.py:14:19:14:25 | externally controlled string | | test.py:11:15:11:41 | externally controlled string | test.py:14:19:14:25 | externally controlled string |
| test.py:11:15:11:41 | externally controlled string | test.py:16:16:16:22 | externally controlled string | | test.py:11:15:11:41 | externally controlled string | test.py:16:16:16:22 | externally controlled string |
| test.py:13:15:13:21 | externally controlled string | ../lib/yaml.py:1:10:1:10 | externally controlled string |
parents parents
| ../lib/yaml.py:1:10:1:10 | externally controlled string | test.py:13:15:13:21 | externally controlled string |
#select #select
| test.py:12:18:12:24 | unpickling untrusted data | test.py:11:15:11:26 | dict of externally controlled string | test.py:12:18:12:24 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input | | test.py:12:18:12:24 | unpickling untrusted data | test.py:11:15:11:26 | dict of externally controlled string | test.py:12:18:12:24 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input |
| test.py:13:15:13:21 | yaml.load vulnerability | test.py:11:15:11:26 | dict of externally controlled string | test.py:13:15:13:21 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input | | test.py:13:15:13:21 | yaml.load vulnerability | test.py:11:15:11:26 | dict of externally controlled string | test.py:13:15:13:21 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input |

Просмотреть файл

@ -1,10 +1,8 @@
edges edges
| test.py:7:22:7:33 | dict of externally controlled string | test.py:7:22:7:51 | externally controlled string | | test.py:7:22:7:33 | dict of externally controlled string | test.py:7:22:7:51 | externally controlled string |
| test.py:7:22:7:51 | externally controlled string | test.py:8:21:8:26 | externally controlled string | | test.py:7:22:7:51 | externally controlled string | test.py:8:21:8:26 | externally controlled string |
| test.py:8:21:8:26 | externally controlled string | ../lib/flask/__init__.py:11:14:11:21 | externally controlled string |
| test.py:15:17:15:28 | dict of externally controlled string | test.py:15:17:15:42 | externally controlled string | | test.py:15:17:15:28 | dict of externally controlled string | test.py:15:17:15:42 | externally controlled string |
| test.py:15:17:15:42 | externally controlled string | test.py:17:13:17:21 | externally controlled string | | test.py:15:17:15:42 | externally controlled string | test.py:17:13:17:21 | externally controlled string |
parents parents
| ../lib/flask/__init__.py:11:14:11:21 | externally controlled string | test.py:8:21:8:26 | externally controlled string |
#select #select
| test.py:8:21:8:26 | flask.redirect | test.py:7:22:7:33 | dict of externally controlled string | test.py:8:21:8:26 | externally controlled string | Untrusted URL redirection due to $@. | test.py:7:22:7:33 | flask.request.args | a user-provided value | | test.py:8:21:8:26 | flask.redirect | test.py:7:22:7:33 | dict of externally controlled string | test.py:8:21:8:26 | externally controlled string | Untrusted URL redirection due to $@. | test.py:7:22:7:33 | flask.request.args | a user-provided value |