Commit 0608d4d

python: fix alerts
Also, remove the `toLowerCase` again, as I do not know what effect it will have.
1 parent 40b61fa commit 0608d4d

1 file changed, +9 -3 lines changed

python/ql/lib/semmle/python/security/dataflow/TarSlipCustomizations.qll

Lines changed: 9 additions & 3 deletions
Original line number | Diff line number | Diff line change
@@ -51,6 +51,8 @@ module TarSlip {
5151
}
5252

5353
/**
54+
* A sanitizer based on file name. This beacuse we extract the standard library.
55+
*
5456
* For efficiency we don't want to track the flow of taint
5557
* around the tarfile module.
5658
*/
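Review bot: the new sentence in this doc comment has a typo and is a fragment: "This beacuse we extract the standard library." should read "This is because we extract the standard library." and, since the next line gives the efficiency rationale, the two read better joined, e.g. "This is because we extract the standard library, and for efficiency we don't want to track the flow of taint around the tarfile module."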
@@ -59,6 +61,8 @@ module TarSlip {
5961
}
6062

6163
/**
64+
* A sink capturing method calls to `extractall`.
65+
*
6266
* For a call to `file.extractall` without arguments, `file` is considered a sink.
6367
*/
6468
class ExtractAllSink extends Sink {
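Review bot: the `ExtractAllSink` doc comment now states the restriction (only a call to `file.extractall` with no arguments makes `file` a sink) but still not why calls with arguments are excluded; a one-line rationale next to "For a call to `file.extractall` without arguments, `file` is considered a sink." would save the next reader from re-deriving it.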
@@ -106,7 +110,9 @@ module TarSlip {
106110
}
107111

108112
/**
109-
* For a "check-like function name" (matching `"%path"`), `checkPath`,
113+
* A sanitizer guard heuristic.
114+
*
115+
* For a "check-like function-name" (matching `"%path"`), `checkPath`,
110116
* and a call `checkPath(info.name)`, the variable `info` is considered checked.
111117
*/
112118
class TarFileInfoSanitizer extends SanitizerGuard {
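Review bot: style nit in the rewritten doc comment: the removed line had "check-like function name" and the replacement has "check-like function-name"; the hyphen is not needed in that noun phrase, so keep the original spelling. The added summary line "A sanitizer guard heuristic." is fine.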
@@ -121,9 +127,9 @@ module TarSlip {
121127
attr.getObject() = tarInfo
122128
|
123129
// Assume that any test with "path" in it is a sanitizer
124-
call.getAChild*().(AttrNode).getName().toLowerCase().matches("%path")
130+
call.getAChild*().(AttrNode).getName().matches("%path")
125131
or
126-
call.getAChild*().(NameNode).getId().toLowerCase().matches("%path")
132+
call.getAChild*().(NameNode).getId().matches("%path")
127133
)
128134
}
129135
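Review bot: dropping `toLowerCase()` here makes the `"%path"` match case-sensitive if QL's `matches` respects case (which is what the removed `toLowerCase()` call was presumably there to handle), so a name ending in `Path`, such as the `checkPath` example cited in the doc comment above, would no longer be treated as a check. The commit message says the effect of the change is unknown; before merging, either confirm that `checkPath(info.name)` still matches, or keep the comparison case-insensitive as in the removed lines, e.g. `call.getAChild*().(AttrNode).getName().toLowerCase().matches("%path")`. The inline comment "Assume that any test with "path" in it is a sanitizer" should also say whether the match is case-sensitive.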
