Python: Add abstract class CommandSink

RasmusWL · RasmusWL · commit d475bb998e41 · 2020-03-23T17:04:08.000+01:00
I'm going to add more in a sec, and listing *all* of them in CommandInjection.ql
started to be silly
diff --git a/python/ql/src/Security/CWE-078/CommandInjection.ql b/python/ql/src/Security/CWE-078/CommandInjection.ql
@@ -29,8 +29,7 @@ class CommandInjectionConfiguration extends TaintTracking::Configuration {
     }
 
     override predicate isSink(TaintTracking::Sink sink) {
-        sink instanceof OsCommandFirstArgument or
-        sink instanceof ShellCommand
+        sink instanceof CommandSink
     }
 
     override predicate isExtension(TaintTracking::Extension extension) {
diff --git a/python/ql/src/semmle/python/security/injection/Command.qll b/python/ql/src/semmle/python/security/injection/Command.qll
@@ -10,6 +10,8 @@ import python
 import semmle.python.security.TaintTracking
 import semmle.python.security.strings.Untrusted
 
+/** Abstract taint sink that is potentially vulnerable to malicious shell commands. */
+abstract class CommandSink extends TaintSink { }
 
 private ModuleObject osOrPopenModule() {
     result.getName() = "os" or
@@ -20,7 +22,7 @@ private Object makeOsCall() {
     exists(string name |
         result = ModuleObject::named("subprocess").attr(name) |
         name = "Popen" or
-        name = "call" or 
+        name = "call" or
         name = "check_call" or
         name = "check_output" or
         name = "run"
@@ -61,7 +63,7 @@ class FirstElementFlow extends DataFlowExtension::DataFlowNode {
 /** A taint sink that is potentially vulnerable to malicious shell commands.
  * The `vuln` in `subprocess.call(shell=vuln)` and similar calls.
  */
-class ShellCommand extends TaintSink {
+class ShellCommand extends CommandSink {
 
     override string toString() { result = "shell command" }
 
@@ -100,7 +102,7 @@ class ShellCommand extends TaintSink {
 /** A taint sink that is potentially vulnerable to malicious shell commands.
  * The `vuln` in `subprocess.call(vuln, ...)` and similar calls.
  */
-class OsCommandFirstArgument extends TaintSink {
+class OsCommandFirstArgument extends CommandSink {
 
     override string toString() { result = "OS command first argument" }
 

Original file line number	Diff line number	Diff line change
`@@ -29,8 +29,7 @@ class CommandInjectionConfiguration extends TaintTracking::Configuration {`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	`override predicate isSink(TaintTracking::Sink sink) {`
`32`		`- sink instanceof OsCommandFirstArgument or`
`33`		`- sink instanceof ShellCommand`
	`32`	`+ sink instanceof CommandSink`
`34`	`33`	`}`
`35`	`34`
`36`	`35`	`override predicate isExtension(TaintTracking::Extension extension) {`