Python: Update all remaining taint-tracking queries to use configurations.

Author: markshannon

python/ql/src/Security/CWE-022/PathInjection.ql

@@ -25,7 +25,26 @@ import semmle.python.web.HttpRequest
 /* Sinks */
 import semmle.python.security.injection.Path
 
+class PathInjectionConfiguration extends TaintTracking::Configuration {
 
-from TaintedPathSource src, TaintedPathSink sink
-where src.flowsTo(sink)
+    PathInjectionConfiguration() { this = "Path injection configuration" }
+
+    override predicate isSource(TaintTracking::Source source) { source instanceof HttpRequestTaintSource }
+
+    override predicate isSink(TaintTracking::Sink sink) { sink instanceof OpenNode }
+
+    override predicate isSanitizer(Sanitizer sanitizer) {
+        sanitizer instanceof PathSanitizer or
+        sanitizer instanceof NormalizedPathSanitizer
+    }
+
+    override predicate isExtension(TaintTracking::Extension extension) {
+        extension instanceof AbsPath
+    }
+
+}
+
+
+from PathInjectionConfiguration config, TaintedPathSource src, TaintedPathSink sink
+where config.hasFlowPath(src, sink)
 select sink.getSink(), src, sink, "This path depends on $@.", src.getSource(), "a user-provided value"

python/ql/src/Security/CWE-078/CommandInjection.ql

@@ -23,6 +23,23 @@ import semmle.python.web.HttpRequest
 /* Sinks */
 import semmle.python.security.injection.Command
 
-from TaintedPathSource src, TaintedPathSink sink
-where src.flowsTo(sink)
+class CommandInjectionConfiguration extends TaintTracking::Configuration {
+
+    CommandInjectionConfiguration() { this = "Command injection configuration" }
+
+    override predicate isSource(TaintTracking::Source source) { source instanceof HttpRequestTaintSource }
+
+    override predicate isSink(TaintTracking::Sink sink) {
+        sink instanceof OsCommandFirstArgument or
+        sink instanceof ShellCommand
+    }
+
+    override predicate isExtension(TaintTracking::Extension extension) {
+        extension instanceof FirstElementFlow
+    }
+
+}
+
+from CommandInjectionConfiguration config, TaintedPathSource src, TaintedPathSink sink
+where config.hasFlowPath(src, sink)
 select sink.getSink(), src, sink, "This command depends on $@.", src.getSource(), "a user-provided value"

python/ql/src/Security/CWE-209/StackTraceExposure.ql

@@ -18,6 +18,18 @@ import semmle.python.security.Paths
 import semmle.python.security.Exceptions
 import semmle.python.web.HttpResponse
 
-from TaintedPathSource src, TaintedPathSink sink
-where src.flowsTo(sink) and src.getSource() instanceof ErrorInfoSource
+class StackTraceExposureConfiguration extends TaintTracking::Configuration {
+
+    StackTraceExposureConfiguration() { this = "Stack trace exposure configuration" }
+
+    override predicate isSource(TaintTracking::Source source) { source instanceof ErrorInfoSource }
+
+    override predicate isSink(TaintTracking::Sink sink) {
+        sink instanceof HttpResponseTaintSink
+    }
+
+}
+
+from StackTraceExposureConfiguration config, TaintedPathSource src, TaintedPathSink sink
+where config.hasFlowPath(src, sink)
 select sink.getSink(), src, sink, "$@ may be exposed to an external user", src.getSource(), "Error information"

python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql

@@ -12,7 +12,20 @@ import python
 import semmle.python.security.SensitiveData
 import semmle.python.security.Crypto
 
-from SensitiveDataSource src, WeakCryptoSink sink
-where src.flowsToSink(sink)
+class BrokenCryptoConfiguration extends TaintTracking::Configuration {
+
+    BrokenCryptoConfiguration() { this = "Broken crypto configuration" }
+
+    override predicate isSource(TaintTracking::Source source) { source instanceof SensitiveDataSource }
+
+    override predicate isSink(TaintTracking::Sink sink) {
+        sink instanceof WeakCryptoSink
+    }
+
+}
+
+
+from BrokenCryptoConfiguration config, SensitiveDataSource src, WeakCryptoSink sink
+where config.hasFlow(src, sink)
 
 select sink, "Sensitive data from $@ is used in a broken or weak cryptographic algorithm.", src , src.toString()

python/ql/src/Security/CWE-601/UrlRedirect.ql

@@ -28,7 +28,19 @@ class UntrustedPrefixStringKind extends UntrustedStringKind {
 
 }
 
-from TaintedPathSource src, TaintedPathSink sink
-where src.flowsTo(sink)
+class UrlRedirectConfiguration extends TaintTracking::Configuration {
+
+    UrlRedirectConfiguration() { this = "URL redirect configuration" }
+
+    override predicate isSource(TaintTracking::Source source) { source instanceof HttpRequestTaintSource }
+
+    override predicate isSink(TaintTracking::Sink sink) {
+        sink instanceof HttpRedirectTaintSink
+    }
+
+}
+
+from UrlRedirectConfiguration config, TaintedPathSource src, TaintedPathSink sink
+where config.hasFlowPath(src, sink)
 select sink.getSink(), src, sink, "Untrusted URL redirection due to $@.", src.getSource(), "a user-provided value"
 

python/ql/src/Security/CWE-798/HardcodedCredentials.ql

@@ -140,9 +140,23 @@ private string getACredentialRegex() {
   result = "(?i).*(cert)(?!.*(format|name)).*"
 }
 
-from TaintSource src, TaintSink sink
+class HardcodedCredentialsConfiguration extends TaintTracking::Configuration {
 
-where src.flowsToSink(sink) and
+    HardcodedCredentialsConfiguration() { this = "Hardcoded coredentials configuration" }
+
+    override predicate isSource(TaintTracking::Source source) { source instanceof HardcodedValueSource }
+
+    override predicate isSink(TaintTracking::Sink sink) {
+        sink instanceof CredentialSink
+    }
+
+}
+
+
+
+from HardcodedCredentialsConfiguration config, TaintSource src, TaintSink sink
+
+where config.hasFlow(src, sink) and
 not any(TestScope test).contains(src.(ControlFlowNode).getNode())
 
 select sink, "Use of hardcoded credentials from $@.", src, src.toString()

python/ql/src/semmle/python/security/injection/Path.qll

@@ -6,7 +6,7 @@ import semmle.python.security.strings.Untrusted
 /** Prevents taint flowing through ntpath.normpath()
  * NormalizedPath below handles that case.
  */
-private class PathSanitizer extends Sanitizer {
+class PathSanitizer extends Sanitizer {
 
     PathSanitizer() {
         this = "path.sanitizer"

python/ql/src/semmle/python/web/Http.qll

@@ -81,3 +81,12 @@ abstract class HttpResponseTaintSink extends TaintSink {
     }
 
 }
+
+abstract class HttpRedirectTaintSink extends TaintSink {
+
+    override predicate sinks(TaintKind kind) { 
+        kind instanceof ExternalStringKind
+    }
+
+}
+

python/ql/src/semmle/python/web/django/Redirect.qll

@@ -7,12 +7,13 @@ import python
 import semmle.python.security.TaintTracking
 import semmle.python.security.strings.Basic
 private import semmle.python.web.django.Shared
+private import semmle.python.web.Http
 
 
 /**
  * Represents an argument to the `django.redirect` function.
  */
-class DjangoRedirect extends TaintSink {
+class DjangoRedirect extends HttpRedirectTaintSink {
 
     override string toString() {
         result = "django.redirect"
@@ -25,8 +26,4 @@ class DjangoRedirect extends TaintSink {
         )
     }
 
-    override predicate sinks(TaintKind kind) {
-        kind instanceof StringKind
-    }
-
 }

python/ql/src/semmle/python/web/flask/Redirect.qll

@@ -15,7 +15,7 @@ FunctionObject flask_redirect() {
 /**
  * Represents an argument to the `flask.redirect` function.
  */
-class FlaskRedirect extends TaintSink {
+class FlaskRedirect extends HttpRedirectTaintSink {
 
     override string toString() {
         result = "flask.redirect"
@@ -28,8 +28,4 @@ class FlaskRedirect extends TaintSink {
         )
     }
 
-    override predicate sinks(TaintKind kind) {
-        kind instanceof StringKind
-    }
-
 }