Merge pull request #1747 from markshannon/python-extend-taint-tracking-config

Python: Extend taint-tracking configuration to match API of Javascript implementation.

Author: taus-semmle

python/ql/src/Security/CWE-022/TarSlip.ql

@@ -187,6 +187,18 @@ class TarSlipConfiguration extends TaintTracking::Configuration {
         sanitizer instanceof ExcludeTarFilePy
     }
 
+    override predicate isBarrier(DataFlow::Node node) {
+        // Avoid flow into the tarfile module
+        exists(ParameterDefinition def |
+            node.asVariable().getDefinition() = def
+            or
+            node.asCfgNode() = def.getDefiningNode()
+            |
+            def.getScope() = Value::named("tarfile.open").(CallableValue).getScope()
+            or
+            def.isSelf() and def.getScope().getEnclosingModule().getName() = "tarfile"
+        )
+    }
 }
 
 

python/ql/src/Security/CWE-089/SqlInjection.ql

@@ -32,6 +32,18 @@ class SQLInjectionConfiguration extends TaintTracking::Configuration {
 
 }
 
+/* Additional configuration to support tracking of DB objects. Connections, cursors, etc. */
+class DbConfiguration extends TaintTracking::Configuration {
+
+    DbConfiguration() { this = "DB configuration" }
+
+    override predicate isSource(TaintTracking::Source source) {
+        source instanceof DjangoModelObjects or
+        source instanceof DbConnectionSource
+    }
+
+}
+
 from SQLInjectionConfiguration config, TaintedPathSource src, TaintedPathSink sink
 where config.hasFlowPath(src, sink)
 select sink.getSink(), src, sink, "This SQL query depends on $@.", src.getSource(), "a user-provided value"

python/ql/src/Variables/Undefined.qll

@@ -9,44 +9,6 @@ class Uninitialized extends TaintKind {
 
 }
 
-/** A source of an uninitialized variable.
- * Either the start of the scope or a deletion. 
- */
-class UninitializedSource extends TaintedDefinition {
-
-    UninitializedSource() {
-        exists(FastLocalVariable var |
-            this.getSourceVariable() = var and
-            not var.escapes() |
-            this instanceof ScopeEntryDefinition
-            or
-            this instanceof DeletionDefinition
-        )
-    }
-
-    override predicate isSourceOf(TaintKind kind) {
-        kind instanceof Uninitialized
-    }
-
-}
-
-/** A loop where we are guaranteed (or is at least likely) to execute the body at least once. 
- */
-class AtLeastOnceLoop extends DataFlowExtension::DataFlowVariable {
-
-    AtLeastOnceLoop() {
-        loop_entry_variables(this, _)
-    }
-
-    /* If we are guaranteed to iterate over a loop at least once, then we can prune any edges that
-     * don't pass through the body.
-     */
-    override predicate prunedSuccessor(EssaVariable succ) {
-        loop_entry_variables(this, succ)
-    }
-
-}
-
 private predicate loop_entry_variables(EssaVariable pred, EssaVariable succ) {
     exists(PhiFunction phi, BasicBlock pb |
         loop_entry_edge(pb, phi.getBasicBlock()) and
@@ -64,43 +26,6 @@ private predicate loop_entry_edge(BasicBlock pred, BasicBlock loop) {
     )
 }
 
-class UnitializedSanitizer extends Sanitizer {
-
-    UnitializedSanitizer() { this = "use of variable" }
-
-    override
-    predicate sanitizingDefinition(TaintKind taint, EssaDefinition def) {
-        // An assignment cannot leave a variable uninitialized
-        taint instanceof Uninitialized and
-        (
-            def instanceof AssignmentDefinition
-            or
-            def instanceof ExceptionCapture
-            or
-            def instanceof ParameterDefinition
-            or
-            /* A use is a "sanitizer" of "uninitialized", as any use of an undefined
-             * variable will raise, making the subsequent code unreacahable.
-             */
-            exists(def.(EssaNodeRefinement).getInput().getASourceUse())
-            or
-            exists(def.(PhiFunction).getAnInput().getASourceUse())
-            or
-            exists(def.(EssaEdgeRefinement).getInput().getASourceUse())
-        )
-    }
-
-    override
-    predicate sanitizingNode(TaintKind taint, ControlFlowNode node) {
-        taint instanceof Uninitialized and
-        exists(EssaVariable v |
-            v.getASourceUse() = node and
-            not first_use(node, v)
-        )
-    }
-
-}
-
 /** Since any use of a local will raise if it is uninitialized, then
  * any use dominated by another use of the same variable must be defined, or is unreachable.
  */
@@ -124,15 +49,75 @@ private predicate maybe_call_to_exiting_function(CallNode call) {
     )
 }
 
-/** Prune edges where the predecessor block looks like it might contain a call to an exit function. */
-class ExitFunctionGuardedEdge extends DataFlowExtension::DataFlowVariable {
 
-    override predicate prunedSuccessor(EssaVariable succ) {
-        exists(CallNode exit_call |
-            succ.(PhiFunction).getInput(exit_call.getBasicBlock()) = this and
-            maybe_call_to_exiting_function(exit_call)
+predicate exitFunctionGuardedEdge(EssaVariable pred, EssaVariable succ) {
+    exists(CallNode exit_call |
+        succ.(PhiFunction).getInput(exit_call.getBasicBlock()) = pred and
+        maybe_call_to_exiting_function(exit_call)
+    )
+}
+
+class UninitializedConfig extends TaintTracking::Configuration {
+
+    UninitializedConfig() {
+        this = "Unitialized local config"
+    }
+
+    override predicate isSource(DataFlow::Node source, TaintKind kind) {
+        kind instanceof Uninitialized and
+        exists(EssaVariable var |
+            source.asVariable() = var and
+            var.getSourceVariable() instanceof FastLocalVariable and
+            not var.getSourceVariable().(Variable).escapes() |
+            var instanceof ScopeEntryDefinition
+            or
+            var instanceof DeletionDefinition
         )
     }
 
+    override predicate isBarrier(DataFlow::Node node, TaintKind kind) {
+        kind instanceof Uninitialized and
+        (
+            definition(node.asVariable())
+            or
+            use(node.asVariable())
+            or
+            sanitizingNode(node.asCfgNode())
+        )
+    }
+
+    private predicate definition(EssaDefinition def) {
+        def instanceof AssignmentDefinition
+        or
+        def instanceof ExceptionCapture
+        or
+        def instanceof ParameterDefinition
+    }
+
+    private predicate use(EssaDefinition def) {
+        exists(def.(EssaNodeRefinement).getInput().getASourceUse())
+        or
+        exists(def.(PhiFunction).getAnInput().getASourceUse())
+        or
+        exists(def.(EssaEdgeRefinement).getInput().getASourceUse())
+    }
+
+    private predicate sanitizingNode(ControlFlowNode node) {
+        exists(EssaVariable v |
+            v.getASourceUse() = node and
+            not first_use(node, v)
+        )
+    }
+
+    override predicate isBarrierEdge(DataFlow::Node src, DataFlow::Node dest) {
+        /* If we are guaranteed to iterate over a loop at least once, then we can prune any edges that
+         * don't pass through the body.
+         */
+        loop_entry_variables(src.asVariable(), dest.asVariable())
+        or
+        exitFunctionGuardedEdge(src.asVariable(), dest.asVariable())
+    }
+
 }
 
+

python/ql/src/semmle/python/dataflow/Configuration.qll

@@ -0,0 +1,145 @@
+import python
+import semmle.python.security.TaintTracking
+private import semmle.python.objects.ObjectInternal
+private import semmle.python.dataflow.Implementation
+
+module TaintTracking {
+
+    class Source = TaintSource;
+
+    class Sink = TaintSink;
+
+    class Extension = DataFlowExtension::DataFlowNode;
+
+    class PathSource = TaintTrackingNode;
+
+    class PathSink = TaintTrackingNode;
+
+    abstract class Configuration extends string {
+
+        /* Required to prevent compiler warning */
+        bindingset[this]
+        Configuration() { this = this }
+
+        /* Old implementation API */
+
+        predicate isSource(Source source) { none() }
+
+        predicate isSink(Sink sink) { none() }
+
+        predicate isSanitizer(Sanitizer sanitizer) { none() }
+
+        predicate isExtension(Extension extension) { none() }
+
+        /* New implementation API */
+
+        /**
+         * Holds if `source` is a source of taint of `kind` that is relevant
+         * for this configuration.
+         */
+        predicate isSource(DataFlow::Node node, TaintKind kind) {
+            exists(TaintSource source |
+                this.isSource(source) and
+                node.asCfgNode() = source and
+                source.isSourceOf(kind)
+            )
+        }
+
+        /**
+         * Holds if `sink` is a sink of taint of `kind` that is relevant
+         * for this configuration.
+         */
+        predicate isSink(DataFlow::Node node, TaintKind kind) {
+            exists(TaintSink sink |
+                node.asCfgNode() = sink and
+                sink.sinks(kind)
+            )
+        }
+
+        /**
+         * Holds if `src -> dest` should be considered as a flow edge
+         * in addition to standard data flow edges.
+         */
+        predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node dest) { none() }
+
+        /**
+         * Holds if `src -> dest` is a flow edge converting taint from `srckind` to `destkind`.
+         */
+        predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node dest, TaintKind srckind, TaintKind destkind) {
+            none()
+        }
+
+        /**
+         * Holds if `node` should be considered as a barrier to flow of any kind.
+         */
+        predicate isBarrier(DataFlow::Node node) { none() }
+
+        /**
+         * Holds if `node` should be considered as a barrier to flow of `kind`.
+         */
+        predicate isBarrier(DataFlow::Node node, TaintKind kind) {
+            exists(Sanitizer sanitizer |
+                this.isSanitizer(sanitizer)
+                |
+                sanitizer.sanitizingNode(kind, node.asCfgNode())
+                or
+                sanitizer.sanitizingEdge(kind, node.asVariable())
+                or
+                sanitizer.sanitizingSingleEdge(kind, node.asVariable())
+                or
+                sanitizer.sanitizingDefinition(kind, node.asVariable())
+                or
+                exists(MethodCallsiteRefinement call, FunctionObject callee |
+                    call = node.asVariable().getDefinition() and
+                    callee.getACall() = call.getCall() and
+                    sanitizer.sanitizingCall(kind, callee)
+                )
+            )
+        }
+
+        /**
+         * Holds if flow from `src` to `dest` is prohibited.
+         */
+        predicate isBarrierEdge(DataFlow::Node src, DataFlow::Node dest) { none() }
+
+        /**
+         * Holds if control flow from `test` along the `isTrue` edge is prohibited.
+         */
+        predicate isBarrierTest(ControlFlowNode test, boolean isTrue) { none() }
+
+        /**
+         * Holds if flow from `src` to `dest` is prohibited when the incoming taint is `srckind` and the outgoing taint is `destkind`.
+         * Note that `srckind` and `destkind` can be the same.
+         */
+        predicate isBarrierEdge(DataFlow::Node src, DataFlow::Node dest, TaintKind srckind, TaintKind destkind) { none() }
+
+        /* Common query API */
+
+        predicate hasFlowPath(PathSource source, PathSink sink) {
+            this.(TaintTrackingImplementation).hasFlowPath(source, sink)
+        }
+
+        /* Old query API */
+
+        /* deprecated */
+        predicate hasFlow(Source source, Sink sink) {
+            exists(PathSource psource, PathSink psink |
+                this.hasFlowPath(psource, psink) and
+                source = psource.getNode().asCfgNode() and
+                sink = psink.getNode().asCfgNode()
+            )
+        }
+
+        /* New query API */
+
+        predicate hasSimpleFlow(DataFlow::Node source, DataFlow::Node sink) {
+            exists(PathSource psource, PathSink psink |
+                this.hasFlowPath(psource, psink) and
+                source = psource.getNode() and
+                sink = psink.getNode()
+            )
+        }
+
+    }
+
+}