Merge pull request #516 from markshannon/python-path-queries

Python path queries

Author: taus-semmle

python/ql/src/Security/CWE-022/PathInjection.ql

@@ -1,7 +1,7 @@
 /**
  * @name Uncontrolled data used in path expression
  * @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @sub-severity high
  * @precision high
@@ -17,6 +17,7 @@
  */
 
 import python
+import semmle.python.security.Paths
 
 /* Sources */
 import semmle.python.web.HttpRequest
@@ -25,7 +26,6 @@ import semmle.python.web.HttpRequest
 import semmle.python.security.injection.Path
 
 
-from TaintSource src, TaintSink sink
-where src.flowsToSink(sink)
-
-select sink, "This path depends on $@.", src, "a user-provided value"
+from TaintedPathSource src, TaintedPathSink sink
+where src.flowsTo(sink)
+select sink.getSink(), src, sink, "This path depends on $@.", src.getSource(), "a user-provided value"

python/ql/src/Security/CWE-078/CommandInjection.ql

@@ -2,7 +2,7 @@
  * @name Uncontrolled command line
  * @description Using externally controlled strings in a command line may allow a malicious
  *              user to change the meaning of the command.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @sub-severity high
  * @precision high
@@ -15,14 +15,14 @@
  */
 
 import python
+import semmle.python.security.Paths
 
 /* Sources */
 import semmle.python.web.HttpRequest
 
 /* Sinks */
 import semmle.python.security.injection.Command
 
-from TaintSource src, TaintSink sink
-where src.flowsToSink(sink)
-
-select sink, "This command depends on $@.", src, "a user-provided value"
+from TaintedPathSource src, TaintedPathSink sink
+where src.flowsTo(sink)
+select sink.getSink(), src, sink, "This command depends on $@.", src.getSource(), "a user-provided value"

python/ql/src/Security/CWE-079/ReflectedXss.ql

@@ -2,7 +2,7 @@
  * @name Reflected server-side cross-site scripting
  * @description Writing user input directly to a web page
  *              allows for a cross-site scripting vulnerability.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @sub-severity high
  * @precision high
@@ -13,6 +13,7 @@
  */
 
 import python
+import semmle.python.security.Paths
 
 /* Sources */
 import semmle.python.web.HttpRequest
@@ -24,9 +25,6 @@ import semmle.python.web.HttpResponse
 /* Flow */
 import semmle.python.security.strings.Untrusted
 
-from TaintSource src, TaintSink sink
-where src.flowsToSink(sink)
-
-select sink, "Cross-site scripting vulnerability due to $@.",
-       src, "user-provided value"
-
+from TaintedPathSource src, TaintedPathSink sink
+where src.flowsTo(sink)
+select sink.getSink(), src, sink, "Cross-site scripting vulnerability due to $@.", src.getSource(), "user-provided value"

python/ql/src/Security/CWE-089/SqlInjection.ql

@@ -2,7 +2,7 @@
  * @name SQL query built from user-controlled sources
  * @description Building a SQL query from user-controlled sources is vulnerable to insertion of
  *              malicious SQL code by the user.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision high
  * @id py/sql-injection
@@ -12,6 +12,7 @@
  */
 
 import python
+import semmle.python.security.Paths
 
 /* Sources */
 import semmle.python.web.HttpRequest
@@ -22,7 +23,6 @@ import semmle.python.web.django.Db
 import semmle.python.web.django.Model
 
 
-from TaintSource src, TaintSink sink
-where src.flowsToSink(sink)
-
-select sink, "This SQL query depends on $@.", src, "a user-provided value"
+from TaintedPathSource src, TaintedPathSink sink
+where src.flowsTo(sink)
+select sink.getSink(), src, sink, "This SQL query depends on $@.", src.getSource(), "a user-provided value"

python/ql/src/Security/CWE-094/CodeInjection.ql

@@ -2,7 +2,7 @@
  * @name Code injection
  * @description Interpreting unsanitized user input as code allows a malicious user arbitrary
  *              code execution.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @sub-severity high
  * @precision high
@@ -15,6 +15,7 @@
  */
 
 import python
+import semmle.python.security.Paths
 
 /* Sources */
 import semmle.python.web.HttpRequest
@@ -23,7 +24,6 @@ import semmle.python.web.HttpRequest
 import semmle.python.security.injection.Exec
 
 
-from TaintSource src, TaintSink sink
-where src.flowsToSink(sink)
-
-select sink, "$@ flows to here and is interpreted as code.", src, "User-provided value"
+from TaintedPathSource src, TaintedPathSink sink
+where src.flowsTo(sink)
+select sink.getSink(), src, sink, "$@ flows to here and is interpreted as code.", src.getSource(), "User-provided value"

python/ql/src/Security/CWE-209/StackTraceExposure.ql

@@ -3,7 +3,7 @@
  * @description Leaking information about an exception, such as messages and stack traces, to an
  *              external user can expose implementation details that are useful to an attacker for
  *              developing a subsequent exploit. 
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision high
  * @id py/stack-trace-exposure
@@ -13,10 +13,11 @@
  */
 
 import python
+import semmle.python.security.Paths
 
 import semmle.python.security.Exceptions
 import semmle.python.web.HttpResponse
 
-from TaintSource src, TaintSink sink
-where src.flowsToSink(sink)
-select sink, "$@ may be exposed to an external user", src, "Error information"
+from TaintedPathSource src, TaintedPathSink sink
+where src.flowsTo(sink)
+select sink.getSink(), src, sink, "$@ may be exposed to an external user", src.getSource(), "Error information"

python/ql/src/Security/CWE-502/UnsafeDeserialization.ql

@@ -1,7 +1,7 @@
 /**
  * @name Deserializing untrusted input
  * @description Deserializing user-controlled data may allow attackers to execute arbitrary code.
- * @kind problem
+ * @kind path-problem
  * @id py/unsafe-deserialization
  * @problem.severity error
  * @sub-severity high
@@ -14,6 +14,7 @@ import python
 
 // Sources -- Any untrusted input
 import semmle.python.web.HttpRequest
+import semmle.python.security.Paths
 
 // Flow -- untrusted string
 import semmle.python.security.strings.Untrusted
@@ -23,8 +24,7 @@ import semmle.python.security.injection.Pickle
 import semmle.python.security.injection.Marshal
 import semmle.python.security.injection.Yaml
 
-from TaintSource src, TaintSink sink
 
-where src.flowsToSink(sink)
-
-select sink, "Deserializing of $@.", src, "untrusted input"
+from TaintedPathSource src, TaintedPathSink sink
+where src.flowsTo(sink)
+select sink.getSink(), src, sink, "Deserializing of $@.", src.getSource(), "untrusted input"

python/ql/src/Security/CWE-601/UrlRedirect.ql

@@ -2,7 +2,7 @@
  * @name URL redirection from remote source
  * @description URL redirection based on unvalidated user input
  *              may cause redirection to malicious web sites.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @sub-severity low
  * @id py/url-redirection
@@ -12,7 +12,7 @@
  */
 
 import python
-
+import semmle.python.security.Paths
 
 import semmle.python.web.HttpRedirect
 import semmle.python.web.HttpRequest
@@ -28,8 +28,7 @@ class UntrustedPrefixStringKind extends UntrustedStringKind {
 
 }
 
-from TaintSource src, TaintSink sink
-where src.flowsToSink(sink)
-
-select sink, "Untrusted URL redirection due to $@.", src, "a user-provided value"
+from TaintedPathSource src, TaintedPathSink sink
+where src.flowsTo(sink)
+select sink.getSink(), src, sink, "Untrusted URL redirection due to $@.", src.getSource(), "a user-provided value"
 

python/ql/src/semmle/python/security/Exceptions.qll

@@ -24,6 +24,11 @@ class ExceptionInfo extends StringKind {
     ExceptionInfo() {
         this = "exception.info"
     }
+
+    override string repr() {
+        result = "exception info"
+    }
+
 }
 
 
@@ -36,6 +41,10 @@ class ExceptionKind extends TaintKind {
         this = "exception.kind"
     }
 
+    override string repr() {
+        result = "exception"
+    }
+
     override TaintKind getTaintOfAttribute(string name) {
         name = "args" and result instanceof ExceptionInfoSequence
         or

python/ql/src/semmle/python/security/Paths.qll

@@ -0,0 +1,25 @@
+import python
+
+import semmle.python.security.TaintTracking
+
+query predicate edges(TaintedNode fromnode, TaintedNode tonode) {
+    fromnode.getASuccessor() = tonode
+}
+
+private TaintedNode first_child(TaintedNode parent) {
+    result.getContext().getCaller() = parent.getContext() and
+    parent.getASuccessor() = result
+}
+
+private TaintedNode next_sibling(TaintedNode child) {
+    child.getASuccessor() = result and
+    child.getContext() = result.getContext()
+}
+
+query predicate parents(TaintedNode child, TaintedNode parent) {
+    child = first_child(parent) or
+    exists(TaintedNode prev |
+        parents(prev, parent) and
+        child = next_sibling(child)
+    )
+}