
Commit 46ec7fb

committed
Python: Make builtin compile function additional taint step
1 parent c69a61b commit 46ec7fb


3 files changed

+22
-4
lines changed


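--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -347,7 +347,7 @@ private module Stdlib {
 * WARNING: Only holds for a few predefined attributes.
 */
 private DataFlow::Node builtins_attr(DataFlow::TypeTracker t, string attr_name) {
-attr_name in ["exec", "eval"] and
+attr_name in ["exec", "eval", "compile"] and
 (
 t.start() and
 result = DataFlow::importMember(["builtins", "__builtin__"], attr_name)
@@ -419,6 +419,21 @@ private module Stdlib {
 
 override DataFlow::Node getCode() { result.asCfgNode() = call.getArg(0) }
 }
+
+/** An additional taint step for calls to the builtin function `compile` */
+private class BuiltinsCompileCallAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
+override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+exists(CallNode call |
+nodeTo.asCfgNode() = call and
+call.getFunction() = builtins_attr("compile").asCfgNode() and
+(
+call.getArg(0) = nodeFrom.asCfgNode()
+or
+call.getArgByName("source") = nodeFrom.asCfgNode()
+)
+)
+}
+}
 }
 
 /**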
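Review bot: The one-line comment on `BuiltinsCompileCallAdditionalTaintStep` says the step exists but not why it is a taint step rather than a code-execution sink, which matters because `compile` itself only builds a code object and the dangerous call is the later `exec`/`eval` of that object. Suggest expanding it to `/** An additional taint step for calls to the builtin function `compile`: the returned code object is treated as tainted whenever its `source` argument (first positional or by keyword) is, so that a later `exec`/`eval` of that object is reported as code execution. */`. The call `builtins_attr("compile")` presumably resolves to a one-argument overload wrapping the two-argument predicate in the first hunk; that overload is outside this hunk, so the doc cannot be checked against it here. The class sits inside `private module Stdlib`, whose closing brace is the final context line of the hunk.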
Lines changed: 3 additions & 3 deletions
@@ -1,4 +1,4 @@
11
| CodeExecution.py:35 | ok | test_additional_taint | src |
2-
| CodeExecution.py:36 | fail | test_additional_taint | cmd1 |
3-
| CodeExecution.py:37 | fail | test_additional_taint | cmd2 |
4-
| CodeExecution.py:38 | fail | test_additional_taint | cmd3 |
2+
| CodeExecution.py:36 | ok | test_additional_taint | cmd1 |
3+
| CodeExecution.py:37 | ok | test_additional_taint | cmd2 |
4+
| CodeExecution.py:38 | ok | test_additional_taint | cmd3 |
Lines changed: 3 additions & 0 deletions
@@ -1,10 +1,13 @@
11
edges
22
| code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | code_injection.py:7:10:7:13 | ControlFlowNode for code |
33
| code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | code_injection.py:8:10:8:13 | ControlFlowNode for code |
4+
| code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | code_injection.py:10:10:10:12 | ControlFlowNode for cmd |
45
nodes
56
| code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
67
| code_injection.py:7:10:7:13 | ControlFlowNode for code | semmle.label | ControlFlowNode for code |
78
| code_injection.py:8:10:8:13 | ControlFlowNode for code | semmle.label | ControlFlowNode for code |
9+
| code_injection.py:10:10:10:12 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
810
#select
911
| code_injection.py:7:10:7:13 | ControlFlowNode for code | code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | code_injection.py:7:10:7:13 | ControlFlowNode for code | $@ flows to here and is interpreted as code. | code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | A user-provided value |
1012
| code_injection.py:8:10:8:13 | ControlFlowNode for code | code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | code_injection.py:8:10:8:13 | ControlFlowNode for code | $@ flows to here and is interpreted as code. | code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | A user-provided value |
13+
| code_injection.py:10:10:10:12 | ControlFlowNode for cmd | code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | code_injection.py:10:10:10:12 | ControlFlowNode for cmd | $@ flows to here and is interpreted as code. | code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | A user-provided value |
