Python: Use new taint-tracking query in unsafe deserialization query.

Author: markshannon

python/ql/src/Security/CWE-502/UnsafeDeserialization.ql

@@ -24,7 +24,16 @@ import semmle.python.security.injection.Pickle
 import semmle.python.security.injection.Marshal
 import semmle.python.security.injection.Yaml
 
+class UnsafeDeserializationConfiguration  extends TaintTracking::Configuration {
 
-from TaintedPathSource src, TaintedPathSink sink
-where src.flowsTo(sink)
+    UnsafeDeserializationConfiguration() { this = "Unsafe deserialization configuration" }
+
+    override predicate isSource(TaintTracking::Source source) { source.isSourceOf(any(UntrustedStringKind u)) }
+
+    override predicate isSink(TaintTracking::Sink sink) { sink instanceof DeserializationSink }
+
+}
+
+from UnsafeDeserializationConfiguration config, TaintedPathSource src, TaintedPathSink sink
+where config.hasFlowPath(src, sink)
 select sink.getSink(), src, sink, "Deserializing of $@.", src.getSource(), "untrusted input"

python/ql/src/semmle/python/security/injection/Deserialization.qll

@@ -0,0 +1,14 @@
+
+import python
+import semmle.python.security.TaintTracking
+
+
+/** `pickle.loads(untrusted)` vulnerability. */
+abstract class DeserializationSink extends TaintSink {
+
+    bindingset[this]
+    DeserializationSink() {
+        this = this
+    }
+
+}

python/ql/src/semmle/python/security/injection/Marshal.qll

@@ -9,6 +9,7 @@ import python
 
 import semmle.python.security.TaintTracking
 import semmle.python.security.strings.Untrusted
+import semmle.python.security.injection.Deserialization
 
 
 private FunctionObject marshalLoads() {
@@ -18,7 +19,7 @@ private FunctionObject marshalLoads() {
 
 /** A taint sink that is potentially vulnerable to malicious marshaled objects.
  * The `vuln` in `marshal.loads(vuln)`. */
-class UnmarshalingNode extends TaintSink {
+class UnmarshalingNode extends DeserializationSink {
 
     override string toString() { result = "unmarshaling vulnerability" }
 

python/ql/src/semmle/python/security/injection/Pickle.qll

@@ -9,6 +9,7 @@ import python
 
 import semmle.python.security.TaintTracking
 import semmle.python.security.strings.Untrusted
+import semmle.python.security.injection.Deserialization
 
 
 private ModuleObject pickleModule() {

python/ql/src/semmle/python/security/injection/Xml.qll

@@ -8,6 +8,7 @@ import python
 
 import semmle.python.security.TaintTracking
 import semmle.python.security.strings.Untrusted
+import semmle.python.security.injection.Deserialization
 
 
 private ModuleObject xmlElementTreeModule() {
@@ -73,7 +74,7 @@ class ExternalXmlString extends ExternalStringKind {
 /** A call to an XML library function that is potentially vulnerable to a
  * specially crafted XML string.
  */
-class XmlLoadNode extends TaintSink {
+class XmlLoadNode extends DeserializationSink {
 
     override string toString() { result = "xml.load vulnerability" }
 

python/ql/src/semmle/python/security/injection/Yaml.qll

@@ -10,14 +10,15 @@ import python
 
 import semmle.python.security.TaintTracking
 import semmle.python.security.strings.Untrusted
+import semmle.python.security.injection.Deserialization
 
 
 private FunctionObject yamlLoad() {
     result = ModuleObject::named("yaml").attr("load")
 }
 
 /** `yaml.load(untrusted)` vulnerability. */
-class YamlLoadNode extends TaintSink {
+class YamlLoadNode extends DeserializationSink {
 
     override string toString() { result = "yaml.load vulnerability" }