Python: Model exec and eval calls as CodeExecution

RasmusWL · RasmusWL · commit c69a61bac544 · 2020-10-07T21:14:19.000+02:00
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -327,6 +327,98 @@ private module Stdlib {
       )
     }
   }
+
+  // ---------------------------------------------------------------------------
+  // builtins
+  // ---------------------------------------------------------------------------
+  /** Gets a reference to the `builtins` module (called `__builtin__` in Python 2). */
+  private DataFlow::Node builtins(DataFlow::TypeTracker t) {
+    t.start() and
+    result = DataFlow::importModule(["builtins", "__builtin__"])
+    or
+    exists(DataFlow::TypeTracker t2 | result = builtins(t2).track(t2, t))
+  }
+
+  /** Gets a reference to the `builtins` module. */
+  DataFlow::Node builtins() { result = builtins(DataFlow::TypeTracker::end()) }
+
+  /**
+   * Gets a reference to the attribute `attr_name` of the `builtins` module.
+   * WARNING: Only holds for a few predefined attributes.
+   */
+  private DataFlow::Node builtins_attr(DataFlow::TypeTracker t, string attr_name) {
+    attr_name in ["exec", "eval"] and
+    (
+      t.start() and
+      result = DataFlow::importMember(["builtins", "__builtin__"], attr_name)
+      or
+      t.startInAttr(attr_name) and
+      result = DataFlow::importModule(["builtins", "__builtin__"])
+      or
+      // special handling of builtins, that are in scope without any imports
+      // TODO: Take care of overrides, either `def eval: ...`, `eval = ...`, or `builtins.eval = ...`
+      t.start() and
+      exists(NameNode ref | result.asCfgNode() = ref |
+        ref.isGlobal() and
+        ref.getId() = attr_name and
+        ref.isLoad()
+      )
+    )
+    or
+    // Due to bad performance when using normal setup with `builtins_attr(t2, attr_name).track(t2, t)`
+    // we have inlined that code and forced a join
+    exists(DataFlow::TypeTracker t2 |
+      exists(DataFlow::StepSummary summary |
+        builtins_attr_first_join(t2, attr_name, result, summary) and
+        t = t2.append(summary)
+      )
+    )
+  }
+
+  pragma[nomagic]
+  private predicate builtins_attr_first_join(
+    DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
+  ) {
+    DataFlow::StepSummary::step(builtins_attr(t2, attr_name), res, summary)
+  }
+
+  /**
+   * Gets a reference to the attribute `attr_name` of the `builtins` module.
+   * WARNING: Only holds for a few predefined attributes.
+   */
+  private DataFlow::Node builtins_attr(string attr_name) {
+    result = builtins_attr(DataFlow::TypeTracker::end(), attr_name)
+  }
+
+  /**
+   * A call to the builtin `exec` function.
+   * See https://docs.python.org/3/library/functions.html#exec
+   */
+  private class BuiltinsExecCall extends CodeExecution::Range {
+    CallNode call;
+
+    BuiltinsExecCall() {
+      this.asCfgNode() = call and
+      call.getFunction() = builtins_attr("exec").asCfgNode()
+    }
+
+    override DataFlow::Node getCode() { result.asCfgNode() = call.getArg(0) }
+  }
+
+  /**
+   * A call to the builtin `eval` function.
+   * See https://docs.python.org/3/library/functions.html#eval
+   */
+  private class BuiltinsEvalCall extends CodeExecution::Range {
+    CallNode call;
+
+    BuiltinsEvalCall() {
+      this.asCfgNode() = call and
+      call.getFunction() = builtins_attr("eval").asCfgNode()
+    }
+
+    override DataFlow::Node getCode() { result.asCfgNode() = call.getArg(0) }
+  }
 }
 
 /**
diff --git a/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/ConceptsTest.expected b/python/ql/test/experimental/library-tests/frameworks/stdlib-py3/ConceptsTest.expected
@@ -1 +0,0 @@
-| CodeExecution.py:4:29:4:50 | Comment # $getCode="print(42)" | Missing result:getCode="print(42)" |
diff --git a/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecutionPossibleFP1.py b/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecutionPossibleFP1.py
@@ -8,4 +8,4 @@ def eval(*args, **kwargs):
 
 
 # This function call might be marked as a code execution, but it actually isn't.
-eval("print(42)")
+eval("print(42)")  # $f+:getCode="print(42)"
diff --git a/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecutionPossibleFP2.py b/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecutionPossibleFP2.py
@@ -10,4 +10,4 @@ def foo(*args, **kwargs):
 eval = foo
 
 # This function call might be marked as a code execution, but it actually isn't.
-eval("print(42)")
+eval("print(42)")  # $f+:getCode="print(42)"
diff --git a/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecutionPossibleFP3.py b/python/ql/test/experimental/library-tests/frameworks/stdlib/CodeExecutionPossibleFP3.py
@@ -16,4 +16,4 @@ def foo(*args, **kwargs):
 builtins.eval = foo
 
 # This function call might be marked as a code execution, but it actually isn't.
-eval("print(42)")
+eval("print(42)")  # $f+:getCode="print(42)"
diff --git a/python/ql/test/experimental/library-tests/frameworks/stdlib/ConceptsTest.expected b/python/ql/test/experimental/library-tests/frameworks/stdlib/ConceptsTest.expected
@@ -1,5 +0,0 @@
-| CodeExecution.py:12:20:12:41 | Comment # $getCode="print(42)" | Missing result:getCode="print(42)" |
-| CodeExecution.py:13:20:13:41 | Comment # $getCode="print(42)" | Missing result:getCode="print(42)" |
-| CodeExecution.py:15:29:15:50 | Comment # $getCode="print(42)" | Missing result:getCode="print(42)" |
-| CodeExecution.py:18:12:18:25 | Comment # $getCode=cmd | Missing result:getCode=cmd |
-| CodeExecution.py:21:12:21:25 | Comment # $getCode=cmd | Missing result:getCode=cmd |
diff --git a/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-094/CodeInjection.expected b/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-094/CodeInjection.expected
@@ -1,3 +1,10 @@
 edges
+| code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | code_injection.py:7:10:7:13 | ControlFlowNode for code |
+| code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | code_injection.py:8:10:8:13 | ControlFlowNode for code |
 nodes
+| code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| code_injection.py:7:10:7:13 | ControlFlowNode for code | semmle.label | ControlFlowNode for code |
+| code_injection.py:8:10:8:13 | ControlFlowNode for code | semmle.label | ControlFlowNode for code |
 #select
+| code_injection.py:7:10:7:13 | ControlFlowNode for code | code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | code_injection.py:7:10:7:13 | ControlFlowNode for code | $@ flows to here and is interpreted as code. | code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | A user-provided value |
+| code_injection.py:8:10:8:13 | ControlFlowNode for code | code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | code_injection.py:8:10:8:13 | ControlFlowNode for code | $@ flows to here and is interpreted as code. | code_injection.py:6:12:6:23 | ControlFlowNode for Attribute | A user-provided value |

Original file line number	Diff line number	Diff line change
`@@ -1 +0,0 @@`
`1`		`-\| CodeExecution.py:4:29:4:50 \| Comment # $getCode="print(42)" \| Missing result:getCode="print(42)" \|`
Original file line number	Diff line number	Diff line change
`@@ -8,4 +8,4 @@ def eval(args, *kwargs):`
`8`	`8`
`9`	`9`
`10`	`10`	`# This function call might be marked as a code execution, but it actually isn't.`
`11`		`-eval("print(42)")`
	`11`	`+eval("print(42)") # $f+:getCode="print(42)"`