Python: Support the dill pickling library.

taus-semmle · taus-semmle · commit e8c092ad72a4 · 2019-01-16T14:53:42.000+01:00
diff --git a/python/ql/src/semmle/python/security/injection/Pickle.qll b/python/ql/src/semmle/python/security/injection/Pickle.qll
@@ -15,6 +15,8 @@ private ModuleObject pickleModule() {
     result.getName() = "pickle"
     or
     result.getName() = "cPickle"
+    or
+    result.getName() = "dill"
 }
 
 private FunctionObject pickleLoads() {
diff --git a/python/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.expected b/python/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.expected
@@ -3,10 +3,12 @@ edges
 | test.py:11:15:11:41 | externally controlled string | test.py:12:18:12:24 | externally controlled string |
 | test.py:11:15:11:41 | externally controlled string | test.py:13:15:13:21 | externally controlled string |
 | test.py:11:15:11:41 | externally controlled string | test.py:14:19:14:25 | externally controlled string |
+| test.py:11:15:11:41 | externally controlled string | test.py:16:16:16:22 | externally controlled string |
 | test.py:13:15:13:21 | externally controlled string | ../lib/yaml.py:1:10:1:10 | externally controlled string |
 parents
 | ../lib/yaml.py:1:10:1:10 | externally controlled string | test.py:13:15:13:21 | externally controlled string |
 #select
 | test.py:12:18:12:24 | unpickling untrusted data | test.py:11:15:11:26 | dict of externally controlled string | test.py:12:18:12:24 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input |
 | test.py:13:15:13:21 | yaml.load vulnerability | test.py:11:15:11:26 | dict of externally controlled string | test.py:13:15:13:21 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input |
 | test.py:14:19:14:25 | unmarshaling vulnerability | test.py:11:15:11:26 | dict of externally controlled string | test.py:14:19:14:25 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input |
+| test.py:16:16:16:22 | unpickling untrusted data | test.py:11:15:11:26 | dict of externally controlled string | test.py:16:16:16:22 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | flask.request.args | untrusted input |
diff --git a/python/ql/test/query-tests/Security/CWE-502/test.py b/python/ql/test/query-tests/Security/CWE-502/test.py
@@ -12,5 +12,7 @@ def hello():
     pickle.loads(payload)
     yaml.load(payload)
     marshal.loads(payload)
+    import dill
+    dill.loads(payload)
 
 
diff --git a/python/ql/test/query-tests/Security/lib/dill.py b/python/ql/test/query-tests/Security/lib/dill.py
@@ -0,0 +1,2 @@
+def loads(*args, **kwargs):
+    return None

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,8 @@ private ModuleObject pickleModule() {`
`15`	`15`	`result.getName() = "pickle"`
`16`	`16`	`or`
`17`	`17`	`result.getName() = "cPickle"`
	`18`	`+ or`
	`19`	`+ result.getName() = "dill"`
`18`	`20`	`}`
`19`	`21`
`20`	`22`	`private FunctionObject pickleLoads() {`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+def loads(args, *kwargs):`
	`2`	`+ return None`