Python: make sure unsafe deserialization query is using correct sources and that pickle is included in sinks.

markshannon · markshannon · commit 8b01bac9005d · 2019-04-04T10:56:45.000+01:00
diff --git a/python/ql/src/Security/CWE-502/UnsafeDeserialization.ql b/python/ql/src/Security/CWE-502/UnsafeDeserialization.ql
@@ -28,7 +28,7 @@ class UnsafeDeserializationConfiguration  extends TaintTracking::Configuration {
 
     UnsafeDeserializationConfiguration() { this = "Unsafe deserialization configuration" }
 
-    override predicate isSource(TaintTracking::Source source) { source.isSourceOf(any(UntrustedStringKind u)) }
+    override predicate isSource(TaintTracking::Source source) { source instanceof HttpRequestTaintSource }
 
     override predicate isSink(TaintTracking::Sink sink) { sink instanceof DeserializationSink }
 
diff --git a/python/ql/src/semmle/python/security/injection/Pickle.qll b/python/ql/src/semmle/python/security/injection/Pickle.qll
@@ -25,7 +25,7 @@ private FunctionObject pickleLoads() {
 }
 
 /** `pickle.loads(untrusted)` vulnerability. */
-class UnpicklingNode extends TaintSink {
+class UnpicklingNode extends DeserializationSink {
 
     override string toString() { result = "unpickling untrusted data" }
 

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ private FunctionObject pickleLoads() {`
`25`	`25`	`}`
`26`	`26`
`27`	`27`	/** `pickle.loads(untrusted)` vulnerability. */
`28`		`-class UnpicklingNode extends TaintSink {`
	`28`	`+class UnpicklingNode extends DeserializationSink {`
`29`	`29`
`30`	`30`	`override string toString() { result = "unpickling untrusted data" }`
`31`	`31`