зеркало из https://github.com/github/codeql.git
Python: Don't record taint past sinks.
This commit is contained in:
Родитель
83ec5f1ae9
Коммит
918bdecba5
|
@ -3,16 +3,18 @@ import python
|
||||||
import semmle.python.security.TaintTracking
|
import semmle.python.security.TaintTracking
|
||||||
|
|
||||||
query predicate edges(TaintedNode fromnode, TaintedNode tonode) {
|
query predicate edges(TaintedNode fromnode, TaintedNode tonode) {
|
||||||
fromnode.getASuccessor() = tonode
|
fromnode.getASuccessor() = tonode and
|
||||||
|
/* Don't record flow past sinks */
|
||||||
|
not fromnode.isVulnerableSink()
|
||||||
}
|
}
|
||||||
|
|
||||||
private TaintedNode first_child(TaintedNode parent) {
|
private TaintedNode first_child(TaintedNode parent) {
|
||||||
result.getContext().getCaller() = parent.getContext() and
|
result.getContext().getCaller() = parent.getContext() and
|
||||||
parent.getASuccessor() = result
|
edges(parent, result)
|
||||||
}
|
}
|
||||||
|
|
||||||
private TaintedNode next_sibling(TaintedNode child) {
|
private TaintedNode next_sibling(TaintedNode child) {
|
||||||
child.getASuccessor() = result and
|
edges(child, result) and
|
||||||
child.getContext() = result.getContext()
|
child.getContext() = result.getContext()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,6 @@
|
||||||
edges
|
edges
|
||||||
| command_injection.py:10:13:10:24 | dict of externally controlled string | command_injection.py:10:13:10:41 | externally controlled string |
|
| command_injection.py:10:13:10:24 | dict of externally controlled string | command_injection.py:10:13:10:41 | externally controlled string |
|
||||||
| command_injection.py:10:13:10:41 | externally controlled string | command_injection.py:12:23:12:27 | externally controlled string |
|
| command_injection.py:10:13:10:41 | externally controlled string | command_injection.py:12:23:12:27 | externally controlled string |
|
||||||
| command_injection.py:12:15:12:27 | externally controlled string | ../lib/os/__init__.py:1:12:1:14 | externally controlled string |
|
|
||||||
| command_injection.py:12:23:12:27 | externally controlled string | command_injection.py:12:15:12:27 | externally controlled string |
|
| command_injection.py:12:23:12:27 | externally controlled string | command_injection.py:12:15:12:27 | externally controlled string |
|
||||||
| command_injection.py:17:13:17:24 | dict of externally controlled string | command_injection.py:17:13:17:41 | externally controlled string |
|
| command_injection.py:17:13:17:24 | dict of externally controlled string | command_injection.py:17:13:17:41 | externally controlled string |
|
||||||
| command_injection.py:17:13:17:41 | externally controlled string | command_injection.py:19:29:19:33 | externally controlled string |
|
| command_injection.py:17:13:17:41 | externally controlled string | command_injection.py:19:29:19:33 | externally controlled string |
|
||||||
|
@ -12,11 +11,8 @@ edges
|
||||||
| command_injection.py:25:23:25:25 | externally controlled string | command_injection.py:25:22:25:36 | sequence of externally controlled string |
|
| command_injection.py:25:23:25:25 | externally controlled string | command_injection.py:25:22:25:36 | sequence of externally controlled string |
|
||||||
| command_injection.py:30:13:30:24 | dict of externally controlled string | command_injection.py:30:13:30:41 | externally controlled string |
|
| command_injection.py:30:13:30:24 | dict of externally controlled string | command_injection.py:30:13:30:41 | externally controlled string |
|
||||||
| command_injection.py:30:13:30:41 | externally controlled string | command_injection.py:32:22:32:26 | externally controlled string |
|
| command_injection.py:30:13:30:41 | externally controlled string | command_injection.py:32:22:32:26 | externally controlled string |
|
||||||
| command_injection.py:32:14:32:26 | externally controlled string | ../lib/os/__init__.py:4:11:4:13 | externally controlled string |
|
|
||||||
| command_injection.py:32:22:32:26 | externally controlled string | command_injection.py:32:14:32:26 | externally controlled string |
|
| command_injection.py:32:22:32:26 | externally controlled string | command_injection.py:32:14:32:26 | externally controlled string |
|
||||||
parents
|
parents
|
||||||
| ../lib/os/__init__.py:1:12:1:14 | externally controlled string | command_injection.py:12:15:12:27 | externally controlled string |
|
|
||||||
| ../lib/os/__init__.py:4:11:4:13 | externally controlled string | command_injection.py:32:14:32:26 | externally controlled string |
|
|
||||||
#select
|
#select
|
||||||
| command_injection.py:12:15:12:27 | shell command | command_injection.py:10:13:10:24 | dict of externally controlled string | command_injection.py:12:15:12:27 | externally controlled string | This command depends on $@. | command_injection.py:10:13:10:24 | flask.request.args | a user-provided value |
|
| command_injection.py:12:15:12:27 | shell command | command_injection.py:10:13:10:24 | dict of externally controlled string | command_injection.py:12:15:12:27 | externally controlled string | This command depends on $@. | command_injection.py:10:13:10:24 | flask.request.args | a user-provided value |
|
||||||
| command_injection.py:19:22:19:34 | shell command | command_injection.py:17:13:17:24 | dict of externally controlled string | command_injection.py:19:22:19:34 | sequence of externally controlled string | This command depends on $@. | command_injection.py:17:13:17:24 | flask.request.args | a user-provided value |
|
| command_injection.py:19:22:19:34 | shell command | command_injection.py:17:13:17:24 | dict of externally controlled string | command_injection.py:19:22:19:34 | sequence of externally controlled string | This command depends on $@. | command_injection.py:17:13:17:24 | flask.request.args | a user-provided value |
|
||||||
|
|
|
@ -4,9 +4,7 @@ edges
|
||||||
| test.py:11:15:11:41 | externally controlled string | test.py:13:15:13:21 | externally controlled string |
|
| test.py:11:15:11:41 | externally controlled string | test.py:13:15:13:21 | externally controlled string |
|
||||||
| test.py:11:15:11:41 | externally controlled string | test.py:14:19:14:25 | externally controlled string |
|
| test.py:11:15:11:41 | externally controlled string | test.py:14:19:14:25 | externally controlled string |
|
||||||
| test.py:11:15:11:41 | externally controlled string | test.py:16:16:16:22 | externally controlled string |
|
| test.py:11:15:11:41 | externally controlled string | test.py:16:16:16:22 | externally controlled string |
|
||||||
| test.py:13:15:13:21 | externally controlled string | ../lib/yaml.py:1:10:1:10 | externally controlled string |
|
|
||||||
parents
|
parents
|
||||||
| ../lib/yaml.py:1:10:1:10 | externally controlled string | test.py:13:15:13:21 | externally controlled string |
|
|
||||||
#select
|
#select
|
||||||
| test.py:12:18:12:24 | unpickling untrusted data | test.py:11:15:11:26 | dict of externally controlled string | test.py:12:18:12:24 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input |
|
| test.py:12:18:12:24 | unpickling untrusted data | test.py:11:15:11:26 | dict of externally controlled string | test.py:12:18:12:24 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input |
|
||||||
| test.py:13:15:13:21 | yaml.load vulnerability | test.py:11:15:11:26 | dict of externally controlled string | test.py:13:15:13:21 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input |
|
| test.py:13:15:13:21 | yaml.load vulnerability | test.py:11:15:11:26 | dict of externally controlled string | test.py:13:15:13:21 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input |
|
||||||
|
|
|
@ -1,10 +1,8 @@
|
||||||
edges
|
edges
|
||||||
| test.py:7:22:7:33 | dict of externally controlled string | test.py:7:22:7:51 | externally controlled string |
|
| test.py:7:22:7:33 | dict of externally controlled string | test.py:7:22:7:51 | externally controlled string |
|
||||||
| test.py:7:22:7:51 | externally controlled string | test.py:8:21:8:26 | externally controlled string |
|
| test.py:7:22:7:51 | externally controlled string | test.py:8:21:8:26 | externally controlled string |
|
||||||
| test.py:8:21:8:26 | externally controlled string | ../lib/flask/__init__.py:11:14:11:21 | externally controlled string |
|
|
||||||
| test.py:15:17:15:28 | dict of externally controlled string | test.py:15:17:15:42 | externally controlled string |
|
| test.py:15:17:15:28 | dict of externally controlled string | test.py:15:17:15:42 | externally controlled string |
|
||||||
| test.py:15:17:15:42 | externally controlled string | test.py:17:13:17:21 | externally controlled string |
|
| test.py:15:17:15:42 | externally controlled string | test.py:17:13:17:21 | externally controlled string |
|
||||||
parents
|
parents
|
||||||
| ../lib/flask/__init__.py:11:14:11:21 | externally controlled string | test.py:8:21:8:26 | externally controlled string |
|
|
||||||
#select
|
#select
|
||||||
| test.py:8:21:8:26 | flask.redirect | test.py:7:22:7:33 | dict of externally controlled string | test.py:8:21:8:26 | externally controlled string | Untrusted URL redirection due to $@. | test.py:7:22:7:33 | flask.request.args | a user-provided value |
|
| test.py:8:21:8:26 | flask.redirect | test.py:7:22:7:33 | dict of externally controlled string | test.py:8:21:8:26 | externally controlled string | Untrusted URL redirection due to $@. | test.py:7:22:7:33 | flask.request.args | a user-provided value |
|
||||||
|
|
Загрузка…
Ссылка в новой задаче