
Commit 3c1a5bb

committed
Python: Use new taint-tracking query in code-injection query.
1 parent 64e8be6 commit 3c1a5bb


1 file changed

+12
-2
lines changed

1 file changed

+12
-2
lines changed

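--- a/python/ql/src/Security/CWE-094/CodeInjection.ql
+++ b/python/ql/src/Security/CWE-094/CodeInjection.ql
@@ -23,7 +23,17 @@ import semmle.python.web.HttpRequest
 /* Sinks */
 import semmle.python.security.injection.Exec
 
+class CodeInjectionConfiguration extends TaintTracking::Configuration {
 
-from TaintedPathSource src, TaintedPathSink sink
-where src.flowsTo(sink)
+CodeInjectionConfiguration() { this = "Code injection configuration" }
+
+override predicate isSource(TaintTracking::Source source) { source.isSourceOf(any(UntrustedStringKind u)) }
+
+override predicate isSink(TaintTracking::Sink sink) { sink instanceof StringEvaluationNode }
+
+}
+
+
+from CodeInjectionConfiguration config, TaintedPathSource src, TaintedPathSink sink
+where config.hasFlowPath(src, sink)
 select sink.getSink(), src, sink, "$@ flows to here and is interpreted as code.", src.getSource(), "User-provided value"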
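Review bot: The new `CodeInjectionConfiguration` class has no QLDoc comment, so nothing records that the query is now deliberately limited to `UntrustedStringKind` sources and `StringEvaluationNode` sinks. A line such as `/** Taint-tracking configuration for untrusted strings that reach a sink where the string is evaluated as code. */` above the class would state that. The class overrides only `isSource` and `isSink`, so any sanitizer or validation handling comes from library defaults that are not visible in this hunk. It is worth confirming against the query's expected-results tests that the alerts match what `src.flowsTo(sink)` reported before. In the `from` clause, `TaintedPathSource` and `TaintedPathSink` read like path-traversal types although they are presumably the path-graph node classes that `hasFlowPath` expects, which a comment like `// path-graph nodes, not file-path taint` would make clear.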
