
Commit 39b7a69

committed
Python: Tarslip query: Fix up sanitizers.
1 parent a15a892 commit 39b7a69


3 files changed

+5
-5
lines changed


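--- a/python/ql/src/Security/CWE-022/TarSlip.ql
+++ b/python/ql/src/Security/CWE-022/TarSlip.ql
@@ -90,6 +90,8 @@ class ExcludeTarFilePy extends Sanitizer {
 taint instanceof OpenTarFile
 or
 taint instanceof TarFileInfo
+or
+taint.(SequenceKind).getItem() instanceof TarFileInfo
 )
 }
 
@@ -162,9 +164,9 @@ class TarFileInfoSanitizer extends Sanitizer {
 
 private predicate path_sanitizing_test(ControlFlowNode test) {
 /* Assume that any test with "path" in it is a sanitizer */
-test.getAChild+().(AttrNode).getName() = "path"
+test.getAChild+().(AttrNode).getName().matches("%path")
 or
-test.getAChild+().(NameNode).getId() = "path"
+test.getAChild+().(NameNode).getId().matches("%path")
 }
 
 class TarSlipConfiguration extends TaintTracking::Configuration {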
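Review bot: In the second hunk, the comment in `path_sanitizing_test` still says any test with "path" in it is a sanitizer, but `matches("%path")` only accepts names that end in `path` (so `safe_path` qualifies while `path_ok` or `pathname` do not). Either reword the comment to `/* Assume that any test on a name ending in "path" is a sanitizer */` or, if substring matching was intended, use `"%path%"` in both disjuncts. Widening the name match also means more guards are accepted as sanitizers regardless of what they actually check, which trades false positives for possible missed tar-slip results. A test case in `tarslip.py` with a guard on a `*path` name that does not validate the member name would record that accepted limitation.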

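--- a/python/ql/src/semmle/python/security/Paths.qll
+++ b/python/ql/src/semmle/python/security/Paths.qll
@@ -5,7 +5,7 @@ import semmle.python.security.TaintTracking
 query predicate edges(TaintedNode fromnode, TaintedNode tonode) {
 fromnode.getASuccessor() = tonode and
 /* Don't record flow past sinks */
-not fromnode.isVulnerableSink()
+not fromnode.isSink()
 }
 
 private TaintedNode first_child(TaintedNode parent) {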
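Review bot: `edges` lives in the shared `semmle/python/security/Paths.qll`, so changing the cut-off from `isVulnerableSink()` to `isSink()` presumably alters the path graph of every query that imports this file, yet the only expected-output file updated in this commit is TarSlip's. The other security query tests should be re-run to confirm that none of them lose edges a reader needs to follow a reported path. The comment could also state which sinks are meant, for example `/* Don't record flow past any sink, not only those vulnerable to the taint kind */`, if that is the distinction between the two predicates.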

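--- a/python/ql/test/query-tests/Security/CWE-022/TarSlip.expected
+++ b/python/ql/test/query-tests/Security/CWE-022/TarSlip.expected
@@ -20,7 +20,6 @@ edges
 | tarslip.py:40:7:40:39 | tarfile.open | tarslip.py:41:24:41:26 | tarfile.open |
 | tarslip.py:45:17:45:23 | tarfile.open | tarslip.py:46:17:46:23 | tarfile.open |
 | tarslip.py:46:9:46:12 | tarfile.entry | tarslip.py:47:20:47:23 | tarfile.entry |
-| tarslip.py:46:9:46:12 | tarfile.entry | tarslip.py:49:15:49:18 | tarfile.entry |
 | tarslip.py:46:17:46:23 | tarfile.open | tarslip.py:46:9:46:12 | tarfile.entry |
 | tarslip.py:51:7:51:39 | tarfile.open | tarslip.py:52:1:52:3 | tarfile.open |
 | tarslip.py:51:7:51:39 | tarfile.open | tarslip.py:52:36:52:38 | tarfile.open |
@@ -30,7 +29,6 @@ parents
 | tarslip.py:46:9:46:12 | tarfile.entry | tarslip.py:52:36:52:38 | tarfile.open |
 | tarslip.py:46:17:46:23 | tarfile.open | tarslip.py:52:36:52:38 | tarfile.open |
 | tarslip.py:47:20:47:23 | tarfile.entry | tarslip.py:52:36:52:38 | tarfile.open |
-| tarslip.py:49:15:49:18 | tarfile.entry | tarslip.py:52:36:52:38 | tarfile.open |
 #select
 | tarslip.py:13:1:13:3 | Taint sink | tarslip.py:12:7:12:39 | tarfile.open | tarslip.py:13:1:13:3 | tarfile.open | Extraction of tarfile from $@ | tarslip.py:12:7:12:39 | Taint source | a potentially untrusted source |
 | tarslip.py:18:17:18:21 | Taint sink | tarslip.py:16:7:16:39 | tarfile.open | tarslip.py:18:17:18:21 | tarfile.entry | Extraction of tarfile from $@ | tarslip.py:16:7:16:39 | Taint source | a potentially untrusted source |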
