Python: Exclude only command injection sinks in os and subprocess

This commit is contained in:
Rasmus Wriedt Larsen 2020-10-02 14:11:07 +02:00
Parent 68eacef23c
Commit eb67986916
1 changed file: 10 additions and 9 deletions


@ -35,25 +35,26 @@ class CommandInjectionConfiguration extends TaintTracking::Configuration {
// proc = subprocess.Popen(cmd, ...)
// ```
// any time we would report flow to the `os.popen` sink, we can ALSO report the flow
// from the `cmd` parameter to the `subprocess.Popen` sink -- obviously we don't want
// that.
// from the `cmd` parameter to the `subprocess.Popen` sink -- obviously we don't
// want that.
//
// However, simply removing taint edges out of a sink is not a good enough solution,
// since we would only flag one of the `os.system` calls in the following example due
// to use-use flow
// since we would only flag one of the `os.system` calls in the following example
// due to use-use flow
// ```py
// os.system(cmd)
// os.system(cmd)
// ```
//
// Best solution I could come up with is to exclude all sinks inside the standard
// library -- this does have a downside: If we have overlooked a function in the
// standard library that internally runs a command, we no longer give an alert :|
// Best solution I could come up with is to exclude all sinks inside the `os` and
// `subprocess` modules. This does have a downside: If we have overlooked a function
// in any of these, that internally runs a command, we no longer give an alert :|
//
// This does not only affect `os.popen`, but also the helper functions in `subprocess`. See
// This does not only affect `os.popen`, but also the helper functions in
// `subprocess`. See:
// https://github.com/python/cpython/blob/fa7ce080175f65d678a7d5756c94f82887fc9803/Lib/os.py#L974
// https://github.com/python/cpython/blob/fa7ce080175f65d678a7d5756c94f82887fc9803/Lib/subprocess.py#L341
not sink.getLocation().getFile().inStdlib()
not sink.getScope().getEnclosingModule().getName() in ["os", "subprocess"]
}
}
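Review bot: The replacement condition `not sink.getScope().getEnclosingModule().getName() in ["os", "subprocess"]` matches on the bare module name alone, so it also drops sinks inside any non-stdlib module that happens to be called `os` or `subprocess` (for example a project-local shim or a vendored copy), whereas the removed `not sink.getLocation().getFile().inStdlib()` was location-based and could not be fooled that way. Consider keeping both constraints together so that only the genuine standard-library modules are excluded: `not (sink.getLocation().getFile().inStdlib() and sink.getScope().getEnclosingModule().getName() in ["os", "subprocess"])`. The reworded comment block explains the narrowed exclusion well; it would be worth adding one sentence there stating that the exclusion is intentionally limited to the stdlib copies of those two modules, since that is the reasoning behind the two links that follow.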