Merge pull request #1203 from markshannon/python-taint-tracking-configuration-2

Python: Use taint tracking configuration for queries.

Author: taus-semmle

python/ql/src/Security/CWE-079/ReflectedXss.ql

@@ -25,6 +25,17 @@ import semmle.python.web.HttpResponse
 /* Flow */
 import semmle.python.security.strings.Untrusted
 
-from TaintedPathSource src, TaintedPathSink sink
-where src.flowsTo(sink)
+
+class ReflectedXssConfiguration extends TaintTracking::Configuration {
+
+    ReflectedXssConfiguration() { this = "Reflected XSS configuration" }
+
+    override predicate isSource(TaintTracking::Source source) { source instanceof HttpRequestTaintSource }
+
+    override predicate isSink(TaintTracking::Sink sink) { sink instanceof HttpResponseTaintSink }
+
+}
+
+from ReflectedXssConfiguration config, TaintedPathSource src, TaintedPathSink sink
+where config.hasFlowPath(src, sink)
 select sink.getSink(), src, sink, "Cross-site scripting vulnerability due to $@.", src.getSource(), "user-provided value"

python/ql/src/Security/CWE-089/SqlInjection.ql

@@ -22,7 +22,16 @@ import semmle.python.security.injection.Sql
 import semmle.python.web.django.Db
 import semmle.python.web.django.Model
 
+class SQLInjectionConfiguration extends TaintTracking::Configuration {
 
-from TaintedPathSource src, TaintedPathSink sink
-where src.flowsTo(sink)
+    SQLInjectionConfiguration() { this = "SQL injection configuration" }
+
+    override predicate isSource(TaintTracking::Source source) { source instanceof HttpRequestTaintSource }
+
+    override predicate isSink(TaintTracking::Sink sink) { sink instanceof SqlInjectionSink }
+
+}
+
+from SQLInjectionConfiguration config, TaintedPathSource src, TaintedPathSink sink
+where config.hasFlowPath(src, sink)
 select sink.getSink(), src, sink, "This SQL query depends on $@.", src.getSource(), "a user-provided value"

python/ql/src/Security/CWE-094/CodeInjection.ql

@@ -23,7 +23,17 @@ import semmle.python.web.HttpRequest
 /* Sinks */
 import semmle.python.security.injection.Exec
 
+class CodeInjectionConfiguration extends TaintTracking::Configuration {
 
-from TaintedPathSource src, TaintedPathSink sink
-where src.flowsTo(sink)
+    CodeInjectionConfiguration() { this = "Code injection configuration" }
+
+    override predicate isSource(TaintTracking::Source source) { source instanceof HttpRequestTaintSource }
+
+    override predicate isSink(TaintTracking::Sink sink) { sink instanceof StringEvaluationNode }
+
+}
+
+
+from CodeInjectionConfiguration config, TaintedPathSource src, TaintedPathSink sink
+where config.hasFlowPath(src, sink)
 select sink.getSink(), src, sink, "$@ flows to here and is interpreted as code.", src.getSource(), "User-provided value"

python/ql/src/Security/CWE-502/UnsafeDeserialization.ql

@@ -24,7 +24,16 @@ import semmle.python.security.injection.Pickle
 import semmle.python.security.injection.Marshal
 import semmle.python.security.injection.Yaml
 
+class UnsafeDeserializationConfiguration  extends TaintTracking::Configuration {
 
-from TaintedPathSource src, TaintedPathSink sink
-where src.flowsTo(sink)
+    UnsafeDeserializationConfiguration() { this = "Unsafe deserialization configuration" }
+
+    override predicate isSource(TaintTracking::Source source) { source instanceof HttpRequestTaintSource }
+
+    override predicate isSink(TaintTracking::Sink sink) { sink instanceof DeserializationSink }
+
+}
+
+from UnsafeDeserializationConfiguration config, TaintedPathSource src, TaintedPathSink sink
+where config.hasFlowPath(src, sink)
 select sink.getSink(), src, sink, "Deserializing of $@.", src.getSource(), "untrusted input"

python/ql/src/semmle/python/security/SQL.qll

@@ -0,0 +1,4 @@
+import python
+import semmle.python.security.TaintTracking
+
+abstract class SqlInjectionSink extends TaintSink {}

python/ql/src/semmle/python/security/TaintTracking.qll

@@ -1668,3 +1668,4 @@ private predicate sequence_call(ControlFlowNode fromnode, CallNode tonode) {
         cls.refersTo(theSetType())
     )
 }
+

python/ql/src/semmle/python/security/injection/Deserialization.qll

@@ -0,0 +1,14 @@
+
+import python
+import semmle.python.security.TaintTracking
+
+
+/** `pickle.loads(untrusted)` vulnerability. */
+abstract class DeserializationSink extends TaintSink {
+
+    bindingset[this]
+    DeserializationSink() {
+        this = this
+    }
+
+}

python/ql/src/semmle/python/security/injection/Marshal.qll

@@ -9,6 +9,7 @@ import python
 
 import semmle.python.security.TaintTracking
 import semmle.python.security.strings.Untrusted
+import semmle.python.security.injection.Deserialization
 
 
 private FunctionObject marshalLoads() {
@@ -18,7 +19,7 @@ private FunctionObject marshalLoads() {
 
 /** A taint sink that is potentially vulnerable to malicious marshaled objects.
  * The `vuln` in `marshal.loads(vuln)`. */
-class UnmarshalingNode extends TaintSink {
+class UnmarshalingNode extends DeserializationSink {
 
     override string toString() { result = "unmarshaling vulnerability" }
 

python/ql/src/semmle/python/security/injection/Pickle.qll

@@ -9,6 +9,7 @@ import python
 
 import semmle.python.security.TaintTracking
 import semmle.python.security.strings.Untrusted
+import semmle.python.security.injection.Deserialization
 
 
 private ModuleObject pickleModule() {
@@ -24,7 +25,7 @@ private FunctionObject pickleLoads() {
 }
 
 /** `pickle.loads(untrusted)` vulnerability. */
-class UnpicklingNode extends TaintSink {
+class UnpicklingNode extends DeserializationSink {
 
     override string toString() { result = "unpickling untrusted data" }
 

python/ql/src/semmle/python/security/injection/Sql.qll

@@ -9,6 +9,7 @@ import python
 
 import semmle.python.security.TaintTracking
 import semmle.python.security.strings.Untrusted
+import semmle.python.security.SQL
 
 
 private StringObject first_part(ControlFlowNode command) {
@@ -48,11 +49,10 @@ abstract class DbCursor extends TaintKind {
 
 }
 
-
 /** A part of a string that appears to be a SQL command and is thus
  * vulnerable to malicious input.
  */
-class SimpleSqlStringInjection extends TaintSink {
+class SimpleSqlStringInjection extends SqlInjectionSink {
 
     override string toString() { result = "simple SQL string injection" }
 
@@ -76,7 +76,7 @@ abstract class DbConnectionSource extends TaintSource {
 /** A taint sink that is vulnerable to malicious SQL queries.
  * The `vuln` in `db.connection.execute(vuln)` and similar.
  */
-class DbConnectionExecuteArgument extends TaintSink {
+class DbConnectionExecuteArgument extends SqlInjectionSink {
 
     override string toString() { result = "db.connection.execute" }