Merge pull request github#12220 from amammad/amammad-python-paramiko

add some python sinks for paramiko ssh clients

Author: yoff

python/ql/src/experimental/Security/CWE-074/paramiko/paramiko.qhelp

@@ -0,0 +1,17 @@
+<!DOCTYPE qhelp SYSTEM "qhelp.dtd">
+<qhelp>
+    <overview>
+        <p>
+            Processing an unvalidated user input can allow an attacker to inject arbitrary command in your local and remote servers when creating a ssh connection.
+        </p>
+    </overview>
+    <recommendation>
+        <p>
+            This vulnerability can be prevented by not allowing untrusted user input to be passed as ProxyCommand or exec_command.
+        </p>
+    </recommendation>
+    <example>
+        <p>In the example below, the ProxyCommand and exec_command are controlled by the user and hence leads to a vulnerability.</p>
+        <sample src="paramikoBad.py" />
+    </example>
+</qhelp>

python/ql/src/experimental/Security/CWE-074/paramiko/paramiko.ql

@@ -0,0 +1,57 @@
+/**
+ * @name RCE with user provided command with paramiko ssh client
+ * @description user provided command can lead to execute code on a external server that can be belong to other users or admins
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.3
+ * @precision high
+ * @id py/command-injection
+ * @tags security
+ *       experimental
+ *       external/cwe/cwe-074
+ */
+
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import semmle.python.dataflow.new.RemoteFlowSources
+import semmle.python.ApiGraphs
+import DataFlow::PathGraph
+
+private API::Node paramikoClient() {
+  result = API::moduleImport("paramiko").getMember("SSHClient").getReturn()
+}
+
+class ParamikoCmdInjectionConfiguration extends TaintTracking::Configuration {
+  ParamikoCmdInjectionConfiguration() { this = "ParamikoCMDInjectionConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  /**
+   * exec_command of `paramiko.SSHClient` class execute command on ssh target server
+   * the `paramiko.ProxyCommand` is equivalent of `ssh -o ProxyCommand="CMD"`
+   *  and it run CMD on current system that running the ssh command
+   * the Sink related to proxy command is the `connect` method of `paramiko.SSHClient` class
+   */
+  override predicate isSink(DataFlow::Node sink) {
+    sink = paramikoClient().getMember("exec_command").getACall().getParameter(0, "command").asSink()
+    or
+    sink = paramikoClient().getMember("connect").getACall().getParameter(11, "sock").asSink()
+  }
+
+  /**
+   * this additional taint step help taint tracking to find the vulnerable `connect` method of `paramiko.SSHClient` class
+   */
+  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    exists(API::CallNode call |
+      call = API::moduleImport("paramiko").getMember("ProxyCommand").getACall() and
+      nodeFrom = call.getParameter(0, "command_line").asSink() and
+      nodeTo = call
+    )
+  }
+}
+
+from ParamikoCmdInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This code execution depends on a $@.", source.getNode(),
+  "a user-provided value"

python/ql/src/experimental/Security/CWE-074/paramiko/paramikoBad.py

@@ -0,0 +1,36 @@
+#!/usr/bin/env python
+
+from flask import request, Flask
+import paramiko
+from paramiko import SSHClient
+
+app = Flask(__name__)
+paramiko_ssh_client = SSHClient()
+paramiko_ssh_client.load_system_host_keys()
+paramiko_ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+paramiko_ssh_client.connect(hostname="127.0.0.1", port="22", username="ssh_user_name", pkey="k", timeout=11, banner_timeout=200)
+
+
+@app.route('/external_exec_command_1')
+def bad1():
+    user_cmd = request.args.get('command')
+    stdin, stdout, stderr = paramiko_ssh_client.exec_command(user_cmd)
+    return stdout
+
+@app.route('/external_exec_command_2')
+def bad2():
+    user_cmd = request.args.get('command')
+    stdin, stdout, stderr = paramiko_ssh_client.exec_command(command=user_cmd)
+    return stdout
+
+
+@app.route('/proxycommand')
+def bad2():
+    user_cmd = request.args.get('command')
+    stdin, stdout, stderr = paramiko_ssh_client.connect('hostname', username='user',password='yourpassword',sock=paramiko.ProxyCommand(user_cmd))
+    return stdout
+
+if __name__ == '__main__':
+    app.debug = False
+    app.run()
+

python/ql/test/experimental/query-tests/Security/CWE-074/paramiko/paramiko.expected

@@ -0,0 +1,16 @@
+edges
+| paramiko.py:15:21:15:23 | ControlFlowNode for cmd | paramiko.py:16:62:16:64 | ControlFlowNode for cmd |
+| paramiko.py:20:21:20:23 | ControlFlowNode for cmd | paramiko.py:21:70:21:72 | ControlFlowNode for cmd |
+| paramiko.py:25:21:25:23 | ControlFlowNode for cmd | paramiko.py:26:114:26:139 | ControlFlowNode for Attribute() |
+nodes
+| paramiko.py:15:21:15:23 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| paramiko.py:16:62:16:64 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| paramiko.py:20:21:20:23 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| paramiko.py:21:70:21:72 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| paramiko.py:25:21:25:23 | ControlFlowNode for cmd | semmle.label | ControlFlowNode for cmd |
+| paramiko.py:26:114:26:139 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+subpaths
+#select
+| paramiko.py:16:62:16:64 | ControlFlowNode for cmd | paramiko.py:15:21:15:23 | ControlFlowNode for cmd | paramiko.py:16:62:16:64 | ControlFlowNode for cmd | This code execution depends on a $@. | paramiko.py:15:21:15:23 | ControlFlowNode for cmd | a user-provided value |
+| paramiko.py:21:70:21:72 | ControlFlowNode for cmd | paramiko.py:20:21:20:23 | ControlFlowNode for cmd | paramiko.py:21:70:21:72 | ControlFlowNode for cmd | This code execution depends on a $@. | paramiko.py:20:21:20:23 | ControlFlowNode for cmd | a user-provided value |
+| paramiko.py:26:114:26:139 | ControlFlowNode for Attribute() | paramiko.py:25:21:25:23 | ControlFlowNode for cmd | paramiko.py:26:114:26:139 | ControlFlowNode for Attribute() | This code execution depends on a $@. | paramiko.py:25:21:25:23 | ControlFlowNode for cmd | a user-provided value |

python/ql/test/experimental/query-tests/Security/CWE-074/paramiko/paramiko.py

@@ -0,0 +1,27 @@
+#!/usr/bin/env python
+
+from fastapi import FastAPI
+import paramiko
+from paramiko import SSHClient
+paramiko_ssh_client = SSHClient()
+paramiko_ssh_client.load_system_host_keys()
+paramiko_ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+paramiko_ssh_client.connect(hostname="127.0.0.1", port="22", username="ssh_user_name", pkey="k", timeout=11, banner_timeout=200)
+
+app = FastAPI()
+
+
+@app.get("/bad1")
+async def read_item(cmd: str):
+    stdin, stdout, stderr = paramiko_ssh_client.exec_command(cmd)
+    return {"success": stdout}
+
+@app.get("/bad2")
+async def read_item(cmd: str):
+    stdin, stdout, stderr = paramiko_ssh_client.exec_command(command=cmd)
+    return {"success": "OK"}
+
+@app.get("/bad3")
+async def read_item(cmd: str):
+    stdin, stdout, stderr = paramiko_ssh_client.connect('hostname', username='user',password='yourpassword',sock=paramiko.ProxyCommand(cmd))
+    return {"success": "OK"}

python/ql/test/experimental/query-tests/Security/CWE-074/paramiko/paramiko.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE-074/paramiko/paramiko.ql