Upgrade taint-tracking security queries to path-problem queries.

Author: Mark Shannon

python/ql/src/Security/CWE-022/PathInjection.ql

@@ -1,7 +1,7 @@
 /**
  * @name Uncontrolled data used in path expression
  * @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @sub-severity high
  * @precision high
@@ -17,6 +17,7 @@
  */
 
 import python
+import semmle.python.security.Paths
 
 /* Sources */
 import semmle.python.web.HttpRequest
@@ -25,7 +26,8 @@ import semmle.python.web.HttpRequest
 import semmle.python.security.injection.Path
 
 
-from TaintSource src, TaintSink sink
-where src.flowsToSink(sink)
 
-select sink, "This path depends on $@.", src, "a user-provided value"
+from TaintedNode srcnode, TaintedNode sinknode, TaintSource src, TaintSink sink
+where src.flowsToSink(sink) and srcnode.getNode() = src and sinknode.getNode() = sink
+
+select sink, srcnode, sinknode, "This path depends on $@.", src, "a user-provided value"

python/ql/src/Security/CWE-078/CommandInjection.ql

@@ -2,7 +2,7 @@
  * @name Uncontrolled command line
  * @description Using externally controlled strings in a command line may allow a malicious
  *              user to change the meaning of the command.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @sub-severity high
  * @precision high
@@ -15,14 +15,15 @@
  */
 
 import python
+import semmle.python.security.Paths
 
 /* Sources */
 import semmle.python.web.HttpRequest
 
 /* Sinks */
 import semmle.python.security.injection.Command
 
-from TaintSource src, TaintSink sink
-where src.flowsToSink(sink)
+from TaintedNode srcnode, TaintedNode sinknode, TaintSource src, TaintSink sink
+where src.flowsToSink(sink) and srcnode.getNode() = src and sinknode.getNode() = sink
 
-select sink, "This command depends on $@.", src, "a user-provided value"
+select sink, srcnode, sinknode, "This command depends on $@.", src, "a user-provided value"

python/ql/src/Security/CWE-079/ReflectedXss.ql

@@ -2,7 +2,7 @@
  * @name Reflected server-side cross-site scripting
  * @description Writing user input directly to a web page
  *              allows for a cross-site scripting vulnerability.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @sub-severity high
  * @precision high
@@ -13,6 +13,7 @@
  */
 
 import python
+import semmle.python.security.Paths
 
 /* Sources */
 import semmle.python.web.HttpRequest
@@ -24,9 +25,9 @@ import semmle.python.web.HttpResponse
 /* Flow */
 import semmle.python.security.strings.Untrusted
 
-from TaintSource src, TaintSink sink
-where src.flowsToSink(sink)
+from TaintedNode srcnode, TaintedNode sinknode, TaintSource src, TaintSink sink
+where src.flowsToSink(sink) and srcnode.getNode() = src and sinknode.getNode() = sink
 
-select sink, "Cross-site scripting vulnerability due to $@.",
+select sink, srcnode, sinknode, "Cross-site scripting vulnerability due to $@.",
        src, "user-provided value"
 

python/ql/src/Security/CWE-089/SqlInjection.ql

@@ -2,7 +2,7 @@
  * @name SQL query built from user-controlled sources
  * @description Building a SQL query from user-controlled sources is vulnerable to insertion of
  *              malicious SQL code by the user.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision high
  * @id py/sql-injection
@@ -12,6 +12,7 @@
  */
 
 import python
+import semmle.python.security.Paths
 
 /* Sources */
 import semmle.python.web.HttpRequest
@@ -22,7 +23,7 @@ import semmle.python.web.django.Db
 import semmle.python.web.django.Model
 
 
-from TaintSource src, TaintSink sink
-where src.flowsToSink(sink)
+from TaintedNode srcnode, TaintedNode sinknode, TaintSource src, TaintSink sink
+where src.flowsToSink(sink) and srcnode.getNode() = src and sinknode.getNode() = sink
 
-select sink, "This SQL query depends on $@.", src, "a user-provided value"
+select sink, srcnode, sinknode, "This SQL query depends on $@.", src, "a user-provided value"

python/ql/src/Security/CWE-094/CodeInjection.ql

@@ -2,7 +2,7 @@
  * @name Code injection
  * @description Interpreting unsanitized user input as code allows a malicious user arbitrary
  *              code execution.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @sub-severity high
  * @precision high
@@ -15,6 +15,7 @@
  */
 
 import python
+import semmle.python.security.Paths
 
 /* Sources */
 import semmle.python.web.HttpRequest
@@ -23,7 +24,7 @@ import semmle.python.web.HttpRequest
 import semmle.python.security.injection.Exec
 
 
-from TaintSource src, TaintSink sink
-where src.flowsToSink(sink)
+from TaintedNode srcnode, TaintedNode sinknode, TaintSource src, TaintSink sink
+where src.flowsToSink(sink) and srcnode.getNode() = src and sinknode.getNode() = sink
 
-select sink, "$@ flows to here and is interpreted as code.", src, "User-provided value"
+select sink, srcnode, sinknode, "$@ flows to here and is interpreted as code.", src, "User-provided value"

python/ql/src/Security/CWE-209/StackTraceExposure.ql

@@ -3,7 +3,7 @@
  * @description Leaking information about an exception, such as messages and stack traces, to an
  *              external user can expose implementation details that are useful to an attacker for
  *              developing a subsequent exploit. 
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision high
  * @id py/stack-trace-exposure
@@ -13,10 +13,11 @@
  */
 
 import python
+import semmle.python.security.Paths
 
 import semmle.python.security.Exceptions
 import semmle.python.web.HttpResponse
 
-from TaintSource src, TaintSink sink
-where src.flowsToSink(sink)
-select sink, "$@ may be exposed to an external user", src, "Error information"
+from TaintedNode srcnode, TaintedNode sinknode, TaintSource src, TaintSink sink
+where src.flowsToSink(sink) and srcnode.getNode() = src and sinknode.getNode() = sink
+select sink, srcnode, sinknode, "$@ may be exposed to an external user", src, "Error information"

python/ql/src/Security/CWE-502/UnsafeDeserialization.ql

@@ -1,7 +1,7 @@
 /**
  * @name Deserializing untrusted input
  * @description Deserializing user-controlled data may allow attackers to execute arbitrary code.
- * @kind problem
+ * @kind path-problem
  * @id py/unsafe-deserialization
  * @problem.severity error
  * @sub-severity high
@@ -14,6 +14,7 @@ import python
 
 // Sources -- Any untrusted input
 import semmle.python.web.HttpRequest
+import semmle.python.security.Paths
 
 // Flow -- untrusted string
 import semmle.python.security.strings.Untrusted
@@ -23,8 +24,8 @@ import semmle.python.security.injection.Pickle
 import semmle.python.security.injection.Marshal
 import semmle.python.security.injection.Yaml
 
-from TaintSource src, TaintSink sink
 
-where src.flowsToSink(sink)
+from TaintedNode srcnode, TaintedNode sinknode, TaintSource src, TaintSink sink
+where src.flowsToSink(sink) and srcnode.getNode() = src and sinknode.getNode() = sink
 
-select sink, "Deserializing of $@.", src, "untrusted input"
+select sink, srcnode, sinknode, "Deserializing of $@.", src, "untrusted input"

python/ql/src/Security/CWE-601/UrlRedirect.ql

@@ -2,7 +2,7 @@
  * @name URL redirection from remote source
  * @description URL redirection based on unvalidated user input
  *              may cause redirection to malicious web sites.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @sub-severity low
  * @id py/url-redirection
@@ -12,7 +12,7 @@
  */
 
 import python
-
+import semmle.python.security.Paths
 
 import semmle.python.web.HttpRedirect
 import semmle.python.web.HttpRequest
@@ -28,8 +28,8 @@ class UntrustedPrefixStringKind extends UntrustedStringKind {
 
 }
 
-from TaintSource src, TaintSink sink
-where src.flowsToSink(sink)
+from TaintedNode srcnode, TaintedNode sinknode, TaintSource src, TaintSink sink
+where src.flowsToSink(sink) and srcnode.getNode() = src and sinknode.getNode() = sink
 
-select sink, "Untrusted URL redirection due to $@.", src, "a user-provided value"
+select sink, srcnode, sinknode, "Untrusted URL redirection due to $@.", src, "a user-provided value"
 

python/ql/src/semmle/python/security/TaintTracking.qll

@@ -675,6 +675,27 @@ class TaintedNode extends TTaintedNode {
 
 }
 
+class TaintedNodeSource extends TaintedNode {
+
+    TaintedNodeSource() {
+        this.getNode().(TaintSource).isSourceOf(this.getTaintKind(), this.getContext())
+    }
+
+    /** Holds if taint can flow from this source to sink `sink` */
+    final predicate flowsTo(TaintedNodeSink sink) {
+        this.getASuccessor*() = sink
+    }
+
+}
+
+class TaintedNodeSink extends TaintedNode {
+
+    TaintedNodeSink() {
+        this.getNode().(TaintSink).sinks(this.getTaintKind())
+    }
+
+}
+
 /** This module contains the implementation of taint-flow.
  * It is recommended that users use the `TaintedNode` class, rather than using this module directly
  * as the interface of this module may change without warning.

semmlecode-python-queries/semmle/python/security/Paths.qll

@@ -0,0 +1,25 @@
+import python
+
+import semmle.python.security.TaintTracking
+
+query predicate edges(TaintedNode fromnode, TaintedNode tonode) {
+    fromnode.getASuccessor() = tonode
+}
+
+private TaintedNode first_child(TaintedNode parent) {
+    result.getContext().getCaller() = parent.getContext() and
+    parent.getASuccessor() = result
+}
+
+private TaintedNode next_sibling(TaintedNode child) {
+    child.getASuccessor() = result and
+    child.getContext() = result.getContext()
+}
+
+query predicate parents(TaintedNode child, TaintedNode parent) {
+    child = first_child(parent) or
+    exists(TaintedNode prev |
+        parents(prev, parent) and
+        child = next_sibling(child)
+    )
+}