Merge pull request #22 from GitHubSecurityLab/py-weak-prng

Python - Update Weak PRNG query

Author: GeekMasher

python/lib/ghsl/cryptography/RandomNumberGenerator.qll

@@ -0,0 +1,40 @@
+private import semmle.python.ApiGraphs
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.DataFlow
+
+module RandomNumberGenerator {
+  abstract class Sinks extends DataFlow::Node { }
+
+  class OsRandom extends Sinks {
+    OsRandom() {
+      exists(DataFlow::Node call |
+        // https://docs.python.org/3/library/os.html#os.getrandom
+        call = API::moduleImport("os").getMember("getrandom").getACall() and
+        this = call
+      )
+    }
+  }
+
+  class PyRandom extends Sinks {
+    PyRandom() {
+      exists(DataFlow::Node call |
+        // TODO: does `random.seed(_)` need to be static?
+        // https://docs.python.org/3/library/random.html#random.random
+        call =
+          API::moduleImport("random")
+              .getMember(["random", "randrange", "randint", "randbytes"])
+              .getACall() and
+        this = call
+      )
+    }
+  }
+
+  class PyUuid extends Sinks {
+    PyUuid() {
+      exists(DataFlow::Node call |
+        call = API::moduleImport("uuid").getMember(["uuid1", "uuid3"]).getACall() and
+        this = call
+      )
+    }
+  }
+}

python/src/security/CWE-338/WeakPRNG.ql

@@ -12,34 +12,7 @@
  */
 
 import python
-import semmle.python.ApiGraphs
+import ghsl.cryptography.RandomNumberGenerator
 
-abstract class RandomNumberGeneratorSinks extends DataFlow::Node { }
-
-class OSRandom extends RandomNumberGeneratorSinks {
-  OSRandom() {
-    exists(DataFlow::Node call |
-      // https://docs.python.org/3/library/os.html#os.getrandom
-      call = API::moduleImport("os").getMember("getrandom").getACall() and
-      this = call
-    )
-  }
-}
-
-class PyRandom extends RandomNumberGeneratorSinks {
-  PyRandom() {
-    exists(DataFlow::Node call |
-      (
-        // https://docs.python.org/3/library/random.html#random.random
-        call = API::moduleImport("random").getMember("random").getACall()
-        or
-        // https://docs.python.org/3/library/random.html#random.randbytes
-        call = API::moduleImport("random").getMember("randbytes").getACall()
-      ) and
-      this = call
-    )
-  }
-}
-
-from RandomNumberGeneratorSinks rngs
-select rngs.asExpr(), "Using weak PRNG"
+from RandomNumberGenerator::Sinks rngs
+select rngs, "Using weak PRNG"

python/test/security/CWE-338/WeakPRNG.expected

@@ -0,0 +1,7 @@
+| app.py:6:1:6:16 | ControlFlowNode for Attribute() | Using weak PRNG |
+| app.py:11:1:11:15 | ControlFlowNode for Attribute() | Using weak PRNG |
+| app.py:12:1:12:23 | ControlFlowNode for Attribute() | Using weak PRNG |
+| app.py:13:1:13:21 | ControlFlowNode for Attribute() | Using weak PRNG |
+| app.py:15:1:15:20 | ControlFlowNode for Attribute() | Using weak PRNG |
+| app.py:18:1:18:12 | ControlFlowNode for Attribute() | Using weak PRNG |
+| app.py:19:1:19:44 | ControlFlowNode for Attribute() | Using weak PRNG |

python/test/security/CWE-338/WeakPRNG.qlref

@@ -0,0 +1 @@
+security/CWE-338/WeakPRNG.ql

python/test/security/CWE-338/app.py

@@ -0,0 +1,21 @@
+import os
+import random
+import uuid
+
+# os module
+os.getrandom(10)
+
+# random module
+random.seed("8")
+
+random.random()
+random.randrange(0, 10)
+random.randint(0, 10)
+
+random.randbytes(10)
+
+# uuid module
+uuid.uuid1()
+uuid.uuid3(uuid.NAMESPACE_DNS, 'python.org')
+uuid.uuid4()
+uuid.uuid5(uuid.NAMESPACE_DNS, 'python.org')

python/test/security/CWE-338/options

@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=0