python: fix alerts

yoff · yoff · commit 0608d4d2f991 · 2022-06-15T14:18:29.000+02:00
Also, remove the `toLowerCase` again,
as I do not know what effect it will have.
diff --git a/python/ql/lib/semmle/python/security/dataflow/TarSlipCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/TarSlipCustomizations.qll
@@ -51,6 +51,8 @@ module TarSlip {
   }
 
   /**
+   * A sanitizer based on file name. This beacuse we extract the standard library.
+   *
    * For efficiency we don't want to track the flow of taint
    * around the tarfile module.
    */
@@ -59,6 +61,8 @@ module TarSlip {
   }
 
   /**
+   * A sink capturing method calls to `extractall`.
+   *
    * For a call to `file.extractall` without arguments, `file` is considered a sink.
    */
   class ExtractAllSink extends Sink {
@@ -106,7 +110,9 @@ module TarSlip {
   }
 
   /**
-   * For a "check-like function name" (matching `"%path"`), `checkPath`,
+   * A sanitizer guard heuristic.
+   *
+   * For a "check-like function-name" (matching `"%path"`), `checkPath`,
    * and a call `checkPath(info.name)`, the variable `info` is considered checked.
    */
   class TarFileInfoSanitizer extends SanitizerGuard {
@@ -121,9 +127,9 @@ module TarSlip {
         attr.getObject() = tarInfo
       |
         // Assume that any test with "path" in it is a sanitizer
-        call.getAChild*().(AttrNode).getName().toLowerCase().matches("%path")
+        call.getAChild*().(AttrNode).getName().matches("%path")
         or
-        call.getAChild*().(NameNode).getId().toLowerCase().matches("%path")
+        call.getAChild*().(NameNode).getId().matches("%path")
       )
     }
 

Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,8 @@ module TarSlip {`
`51`	`51`	`}`
`52`	`52`
`53`	`53`	`/**`
	`54`	`+ * A sanitizer based on file name. This beacuse we extract the standard library.`
	`55`	`+ *`
`54`	`56`	`* For efficiency we don't want to track the flow of taint`
`55`	`57`	`* around the tarfile module.`
`56`	`58`	`*/`
`@@ -59,6 +61,8 @@ module TarSlip {`
`59`	`61`	`}`
`60`	`62`
`61`	`63`	`/**`
	`64`	+ * A sink capturing method calls to `extractall`.
	`65`	`+ *`
`62`	`66`	* For a call to `file.extractall` without arguments, `file` is considered a sink.
`63`	`67`	`*/`
`64`	`68`	`class ExtractAllSink extends Sink {`
`@@ -106,7 +110,9 @@ module TarSlip {`
`106`	`110`	`}`
`107`	`111`
`108`	`112`	`/**`
`109`		- * For a "check-like function name" (matching `"%path"`), `checkPath`,
	`113`	`+ * A sanitizer guard heuristic.`
	`114`	`+ *`
	`115`	+ * For a "check-like function-name" (matching `"%path"`), `checkPath`,
`110`	`116`	* and a call `checkPath(info.name)`, the variable `info` is considered checked.
`111`	`117`	`*/`
`112`	`118`	`class TarFileInfoSanitizer extends SanitizerGuard {`
`@@ -121,9 +127,9 @@ module TarSlip {`
`121`	`127`	`attr.getObject() = tarInfo`
`122`	`128`	`\|`
`123`	`129`	`// Assume that any test with "path" in it is a sanitizer`
`124`		`- call.getAChild*().(AttrNode).getName().toLowerCase().matches("%path")`
	`130`	`+ call.getAChild*().(AttrNode).getName().matches("%path")`
`125`	`131`	`or`
`126`		`- call.getAChild*().(NameNode).getId().toLowerCase().matches("%path")`
	`132`	`+ call.getAChild*().(NameNode).getId().matches("%path")`
`127`	`133`	`)`
`128`	`134`	`}`
`129`	`135`