Merge pull request #775 from taus-semmle/python-dill-pickle-support

markshannon · web-flow · commit 4398670ecc4e · 2019-01-18T10:01:22.000Z
Python: dill pickle support.
diff --git a/change-notes/1.20/analysis-python.md b/change-notes/1.20/analysis-python.md
@@ -23,4 +23,4 @@
 
  ## Changes to QL libraries
 
- * *Series of bullet points*
+ * Added support for the `dill` pickle library.
diff --git a/python/ql/src/semmle/python/security/injection/Pickle.qll b/python/ql/src/semmle/python/security/injection/Pickle.qll
@@ -15,6 +15,8 @@ private ModuleObject pickleModule() {
     result.getName() = "pickle"
     or
     result.getName() = "cPickle"
+    or
+    result.getName() = "dill"
 }
 
 private FunctionObject pickleLoads() {
diff --git a/python/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.expected b/python/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.expected
@@ -3,10 +3,12 @@ edges
 | test.py:11:15:11:41 | externally controlled string | test.py:12:18:12:24 | externally controlled string |
 | test.py:11:15:11:41 | externally controlled string | test.py:13:15:13:21 | externally controlled string |
 | test.py:11:15:11:41 | externally controlled string | test.py:14:19:14:25 | externally controlled string |
+| test.py:11:15:11:41 | externally controlled string | test.py:16:16:16:22 | externally controlled string |
 | test.py:13:15:13:21 | externally controlled string | ../lib/yaml.py:1:10:1:10 | externally controlled string |
 parents
 | ../lib/yaml.py:1:10:1:10 | externally controlled string | test.py:13:15:13:21 | externally controlled string |
 #select
 | test.py:12:18:12:24 | unpickling untrusted data | test.py:11:15:11:26 | dict of externally controlled string | test.py:12:18:12:24 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input |
 | test.py:13:15:13:21 | yaml.load vulnerability | test.py:11:15:11:26 | dict of externally controlled string | test.py:13:15:13:21 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input |
 | test.py:14:19:14:25 | unmarshaling vulnerability | test.py:11:15:11:26 | dict of externally controlled string | test.py:14:19:14:25 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input |
+| test.py:16:16:16:22 | unpickling untrusted data | test.py:11:15:11:26 | dict of externally controlled string | test.py:16:16:16:22 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input |
diff --git a/python/ql/test/query-tests/Security/CWE-502/test.py b/python/ql/test/query-tests/Security/CWE-502/test.py
@@ -12,5 +12,7 @@ def hello():
     pickle.loads(payload)
     yaml.load(payload)
     marshal.loads(payload)
+    import dill
+    dill.loads(payload)
 
 
diff --git a/python/ql/test/query-tests/Security/lib/dill.py b/python/ql/test/query-tests/Security/lib/dill.py
@@ -0,0 +1,2 @@
+def loads(*args, **kwargs):
+    return None

Original file line number	Diff line number	Diff line change
`@@ -23,4 +23,4 @@`
`23`	`23`
`24`	`24`	`## Changes to QL libraries`
`25`	`25`
`26`		`- * Series of bullet points`
	`26`	+ * Added support for the `dill` pickle library.
Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,8 @@ private ModuleObject pickleModule() {`
`15`	`15`	`result.getName() = "pickle"`
`16`	`16`	`or`
`17`	`17`	`result.getName() = "cPickle"`
	`18`	`+ or`
	`19`	`+ result.getName() = "dill"`
`18`	`20`	`}`
`19`	`21`
`20`	`22`	`private FunctionObject pickleLoads() {`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+def loads(args, *kwargs):`
	`2`	`+ return None`