feat(python): add new sinks and utils for enhanced data flow analysis

GeekMasher · GeekMasher · commit ca43d0abe762 · 2025-04-18T09:59:10.000+01:00
diff --git a/python/lib/ghsl.qll b/python/lib/ghsl.qll
@@ -0,0 +1,3 @@
+// Utils
+import ghsl.Utils
+import ghsl.Sinks
diff --git a/python/lib/ghsl/Helpers.qll b/python/lib/ghsl/Helpers.qll
diff --git a/python/lib/ghsl/Sinks.qll b/python/lib/ghsl/Sinks.qll
@@ -0,0 +1,72 @@
+private import python
+private import semmle.python.ApiGraphs
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.DataFlow
+
+private import semmle.python.security.dataflow.SqlInjectionCustomizations
+private import semmle.python.security.dataflow.CodeInjectionCustomizations
+private import semmle.python.security.dataflow.CommandInjectionCustomizations
+private import semmle.python.security.dataflow.LdapInjectionCustomizations
+private import semmle.python.security.dataflow.NoSqlInjectionCustomizations
+private import semmle.python.security.dataflow.ReflectedXSSCustomizations
+private import semmle.python.security.dataflow.UnsafeDeserializationCustomizations
+private import semmle.python.security.dataflow.XpathInjectionCustomizations
+private import semmle.python.security.dataflow.XxeCustomizations
+// Fields Sinks
+private import ghsl.HardcodedSecretSinks
+private import ghsl.MassAssignment
+
+
+/**
+ * List of all the sinks that we want to check.
+ */
+class AllSinks extends DataFlow::Node {
+  private string sink;
+
+  AllSinks() {
+    this instanceof MassAssignment::Sinks and
+    sink = "mass-assignment"
+    or
+    this instanceof CredentialSink and
+    sink = "credential"
+    or
+    this instanceof SqlInjection::Sink and
+    sink = "sql-injection"
+    or
+    this instanceof CodeInjection::Sink and
+    sink = "code-injection"
+    or
+    this instanceof CommandInjection::Sink and
+    sink = "command-injection"
+    or
+    (
+      this instanceof LdapInjection::DnSink
+      or
+      this instanceof LdapInjection::FilterSink
+    ) and
+    sink = "ldap-injection"
+    or
+    (
+      this instanceof NoSqlInjection::NoSqlExecutionAsDictSink and
+      this instanceof NoSqlInjection::NoSqlExecutionAsStringSink
+    ) and
+    sink = "nosql-injection"
+    or
+    this instanceof ReflectedXss::Sink and
+    sink = "reflected-xss"
+    or
+    this instanceof UnsafeDeserialization::Sink and
+    sink = "unsafe-deserialization"
+    or
+    this instanceof XpathInjection::Sink and
+    sink = "xpath-injection"
+    or
+    this instanceof Xxe::Sink and
+    sink = "xxe"
+  }
+
+  /**
+   * Gets the sink sink type.
+   */
+  string sinkType() { result = sink }
+}
diff --git a/python/lib/ghsl/Utils.qll b/python/lib/ghsl/Utils.qll
@@ -1,8 +1,59 @@
-import python
+private import python
 private import semmle.python.ApiGraphs
 private import semmle.python.Concepts
 private import semmle.python.dataflow.new.DataFlow
-private import semmle.python.dataflow.new.internal.TaintTrackingPrivate
+private import ghsl.LocalSources
+/**
+ * Find Node at Location
+ */
+predicate filterByLocation(DataFlow::Node node, string relative_path, int linenumber) {
+  node.getLocation().getFile().getRelativePath() = relative_path and
+  node.getLocation().getStartLine() = linenumber
+}
+
+/**
+ * Check if the source node is a method parameter
+ */
+predicate functionParameters(DataFlow::Node node) {
+  (
+    // // Function Call Parameters
+    node instanceof DataFlow::ParameterNode
+    or
+    // Function Call Arguments
+    node instanceof DataFlow::ArgumentNode
+  ) and
+  not dangerousSinks(node) and
+  node.getScope().inSource()
+}
+
+
+/**
+ * List of all the souces
+ */
+class AllSources extends DataFlow::Node {
+  private string threatmodel;
+
+  AllSources() {
+    exists(ThreatModelSource tms |
+      threatmodel = tms.getThreatModel() and
+      this = tms
+    )
+    or
+    this instanceof LocalSources::Range and
+    threatmodel = "local"
+  }
+
+  /**
+   * Gets the source threat model.
+   */
+  string getThreatModel() { result = threatmodel }
+}
+
+/**
+ * Local sources
+ */
+class LocalSources = LocalSources::Range;
+
 
 // List of all the format strings
 // - python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll
@@ -23,11 +74,11 @@ class DynamicStrings extends DataFlow::Node {
       exists(BinaryExpr expr |
         (
           // q = "WHERE name = %s" % username
-          expr.getOp() instanceof Mod or
+          expr.getOp() instanceof Mod
+          or
           // q = "WHERE name = " + username
           expr.getOp() instanceof Add
-        )
-        and
+        ) and
         expr.getLeft().getParent() = this.asExpr()
       )
     ) and

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+// Utils`
	`2`	`+import ghsl.Utils`
	`3`	`+import ghsl.Sinks`