Merge pull request github#7455 from haby0/py/add-shutil-module-path-injection-sinks

RasmusWL · web-flow · commit 301318020fa0 · 2022-01-24T20:06:36.000+01:00
Python: Add shutil module sinks for path injection query
diff --git a/python/ql/lib/semmle/python/frameworks/Stdlib.qll b/python/ql/lib/semmle/python/frameworks/Stdlib.qll
@@ -2942,6 +2942,90 @@ private module StdlibPrivate {
         ]
     }
   }
+
+  // ---------------------------------------------------------------------------
+  // shutil
+  // ---------------------------------------------------------------------------
+  /** Gets a reference to the `shutil` module. */
+  private API::Node shutil() { result = API::moduleImport("shutil") }
+
+  /**
+   * A call to the `shutil.rmtree` function.
+   *
+   * See https://docs.python.org/3/library/shutil.html#shutil.rmtree
+   */
+  private class ShutilRmtreeCall extends FileSystemAccess::Range, DataFlow::CallCfgNode {
+    ShutilRmtreeCall() { this = shutil().getMember("rmtree").getACall() }
+
+    override DataFlow::Node getAPathArgument() {
+      result in [this.getArg(0), this.getArgByName("path")]
+    }
+  }
+
+  /**
+   * The `shutil` module provides methods to copy, move files or copy file attributes.
+   * See:
+   * - https://docs.python.org/3/library/shutil.html#shutil.copyfile
+   * - https://docs.python.org/3/library/shutil.html#shutil.copymode
+   * - https://docs.python.org/3/library/shutil.html#shutil.copystat
+   * - https://docs.python.org/3/library/shutil.html#shutil.copy
+   * - https://docs.python.org/3/library/shutil.html#shutil.copy2
+   * - https://docs.python.org/3/library/shutil.html#shutil.copytree
+   * - https://docs.python.org/3/library/shutil.html#shutil.move
+   */
+  private class ShutilCopyCall extends FileSystemAccess::Range, DataFlow::CallCfgNode {
+    ShutilCopyCall() {
+      this =
+        shutil()
+            .getMember([
+                // these are used to copy files
+                "copyfile", "copy", "copy2", "copytree",
+                // these are used to move files
+                "move",
+                // these are used to copy some attributes of the file
+                "copymode", "copystat"
+              ])
+            .getACall()
+    }
+
+    override DataFlow::Node getAPathArgument() {
+      result in [this.getArg(0), this.getArgByName("src"), this.getArg(1), this.getArgByName("dst")]
+    }
+  }
+
+  // TODO: once we have flow summaries, model `shutil.copyfileobj` which copies the content between its' file-like arguments.
+  // See https://docs.python.org/3/library/shutil.html#shutil.copyfileobj
+  private class ShutilCopyfileobjCall extends FileSystemAccess::Range, DataFlow::CallCfgNode {
+    ShutilCopyfileobjCall() { this = shutil().getMember("copyfileobj").getACall() }
+
+    override DataFlow::Node getAPathArgument() { none() }
+  }
+
+  /**
+   * A call to the `shutil.disk_usage` function.
+   *
+   * See https://docs.python.org/3/library/shutil.html#shutil.disk_usage
+   */
+  private class ShutilDiskUsageCall extends FileSystemAccess::Range, DataFlow::CallCfgNode {
+    ShutilDiskUsageCall() { this = shutil().getMember("disk_usage").getACall() }
+
+    override DataFlow::Node getAPathArgument() {
+      result in [this.getArg(0), this.getArgByName("path")]
+    }
+  }
+
+  /**
+   * A call to the `shutil.chown` function.
+   *
+   * See https://docs.python.org/3/library/shutil.html#shutil.chown
+   */
+  private class ShutilChownCall extends FileSystemAccess::Range, DataFlow::CallCfgNode {
+    ShutilChownCall() { this = shutil().getMember("chown").getACall() }
+
+    override DataFlow::Node getAPathArgument() {
+      result in [this.getArg(0), this.getArgByName("path")]
+    }
+  }
 }
 
 // ---------------------------------------------------------------------------
diff --git a/python/ql/test/library-tests/frameworks/stdlib/FileSystemAccess.py b/python/ql/test/library-tests/frameworks/stdlib/FileSystemAccess.py
@@ -3,6 +3,7 @@
 import os
 import stat
 import tempfile
+import shutil
 
 open("file")  # $ getAPathArgument="file"
 open(file="file")  # $ getAPathArgument="file"
@@ -238,3 +239,34 @@ def test_fspath():
 
 tempfile.TemporaryDirectory("suffix", "prefix", "dir") # $ getAPathArgument="suffix" getAPathArgument="prefix" getAPathArgument="dir"
 tempfile.TemporaryDirectory(suffix="suffix", prefix="prefix", dir="dir") # $ getAPathArgument="suffix" getAPathArgument="prefix" getAPathArgument="dir"
+
+# ------------------------------------------------------------------------------
+# shutil
+# ------------------------------------------------------------------------------
+
+shutil.rmtree("path") # $ getAPathArgument="path"
+shutil.rmtree(path="path") # $ getAPathArgument="path"
+
+shutil.copyfile("src", "dst") # $ getAPathArgument="src" getAPathArgument="dst"
+shutil.copyfile(src="src", dst="dst") # $ getAPathArgument="src" getAPathArgument="dst"
+
+shutil.copy("src", "dst") # $ getAPathArgument="src" getAPathArgument="dst"
+shutil.copy(src="src", dst="dst") # $ getAPathArgument="src" getAPathArgument="dst"
+
+shutil.copy2("src", "dst") # $ getAPathArgument="src" getAPathArgument="dst"
+shutil.copy2(src="src", dst="dst") # $ getAPathArgument="src" getAPathArgument="dst"
+
+shutil.copytree("src", "dst") # $ getAPathArgument="src" getAPathArgument="dst"
+shutil.copytree(src="src", dst="dst") # $ getAPathArgument="src" getAPathArgument="dst"
+
+shutil.move("src", "dst") # $ getAPathArgument="src" getAPathArgument="dst"
+shutil.move(src="src", dst="dst") # $ getAPathArgument="src" getAPathArgument="dst"
+
+shutil.copymode("src", "dst") # $ getAPathArgument="src" getAPathArgument="dst"
+shutil.copymode(src="src", dst="dst") # $ getAPathArgument="src" getAPathArgument="dst"
+
+shutil.copystat("src", "dst") # $ getAPathArgument="src" getAPathArgument="dst"
+shutil.copystat(src="src", dst="dst") # $ getAPathArgument="src" getAPathArgument="dst"
+
+shutil.disk_usage("path") # $ getAPathArgument="path"
+shutil.disk_usage(path="path") # $ getAPathArgument="path"
