python: Rewrite path injection to use flow state

This removes the FP cause by chaining
This PR also removes `ChainedConfigs12.qll`,
as we hope to solve future problems via flow states.

Author: yoff

python/ql/lib/semmle/python/Concepts.qll

@@ -115,6 +115,8 @@ module Path {
     PathNormalization::Range range;
 
     PathNormalization() { this = range }
+
+    DataFlow::Node getPathArg() { result = range.getPathArg() }
   }
 
   /** Provides a class for modeling new path normalization APIs. */
@@ -123,7 +125,10 @@ module Path {
      * A data-flow node that performs path normalization. This is often needed in order
      * to safely access paths.
      */
-    abstract class Range extends DataFlow::Node { }
+    abstract class Range extends DataFlow::Node {
+      /** Gets an argument to this path normalization that is interpreted as a path. */
+      abstract DataFlow::Node getPathArg();
+    }
   }
 
   /** A data-flow node that checks that a path is safe to access. */

python/ql/lib/semmle/python/frameworks/Stdlib.qll

@@ -970,7 +970,7 @@ private module StdlibPrivate {
   private class OsPathNormpathCall extends Path::PathNormalization::Range, DataFlow::CallCfgNode {
     OsPathNormpathCall() { this = os::path().getMember("normpath").getACall() }
 
-    DataFlow::Node getPathArg() { result in [this.getArg(0), this.getArgByName("path")] }
+    override DataFlow::Node getPathArg() { result in [this.getArg(0), this.getArgByName("path")] }
   }
 
   /**
@@ -980,7 +980,7 @@ private module StdlibPrivate {
   private class OsPathAbspathCall extends Path::PathNormalization::Range, DataFlow::CallCfgNode {
     OsPathAbspathCall() { this = os::path().getMember("abspath").getACall() }
 
-    DataFlow::Node getPathArg() { result in [this.getArg(0), this.getArgByName("path")] }
+    override DataFlow::Node getPathArg() { result in [this.getArg(0), this.getArgByName("path")] }
   }
 
   /**
@@ -990,7 +990,7 @@ private module StdlibPrivate {
   private class OsPathRealpathCall extends Path::PathNormalization::Range, DataFlow::CallCfgNode {
     OsPathRealpathCall() { this = os::path().getMember("realpath").getACall() }
 
-    DataFlow::Node getPathArg() { result in [this.getArg(0), this.getArgByName("path")] }
+    override DataFlow::Node getPathArg() { result in [this.getArg(0), this.getArgByName("path")] }
   }
 
   /**

python/ql/lib/semmle/python/security/dataflow/ChainedConfigs12.qll

@@ -2,107 +2,81 @@
  * Provides taint-tracking configurations for detecting "path injection" vulnerabilities.
  *
  * Note, for performance reasons: only import this file if
- * the Configurations or the `pathInjection` predicate are needed, otherwise
+ * `PathInjection::Configuration` is needed, otherwise
  * `PathInjectionCustomizations` should be imported instead.
  */
 
 private import python
 private import semmle.python.Concepts
-private import semmle.python.dataflow.new.DataFlow
-private import semmle.python.dataflow.new.DataFlow2
-private import semmle.python.dataflow.new.TaintTracking
-private import semmle.python.dataflow.new.TaintTracking2
-import ChainedConfigs12
-import PathInjectionCustomizations::PathInjection
-
-// ---------------------------------------------------------------------------
-// Case 1. The path is never normalized.
-// ---------------------------------------------------------------------------
-/** Configuration to find paths from sources to sinks that contain no normalization. */
-class PathNotNormalizedConfiguration extends TaintTracking::Configuration {
-  PathNotNormalizedConfiguration() { this = "PathNotNormalizedConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    node instanceof Sanitizer
-    or
-    node instanceof Path::PathNormalization
-  }
-
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-    guard instanceof SanitizerGuard
-  }
-}
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
 
 /**
- * Holds if there is a path injection from source to sink, where the (python) path is
- * not normalized.
+ * Provides a taint-tracking configuration for detecting "path injection" vulnerabilities.
  */
-predicate pathNotNormalized(CustomPathNode source, CustomPathNode sink) {
-  any(PathNotNormalizedConfiguration config).hasFlowPath(source.asNode1(), sink.asNode1())
-}
-
-// ---------------------------------------------------------------------------
-// Case 2. The path is normalized at least once, but never checked afterwards.
-// ---------------------------------------------------------------------------
-/** Configuration to find paths from sources to normalizations that contain no prior normalizations. */
-class FirstNormalizationConfiguration extends TaintTracking::Configuration {
-  FirstNormalizationConfiguration() { this = "FirstNormalizationConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Path::PathNormalization }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
-  override predicate isSanitizerOut(DataFlow::Node node) { node instanceof Path::PathNormalization }
-
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-    guard instanceof SanitizerGuard
+module PathInjection {
+  import PathInjectionCustomizations::PathInjection
+
+  /**
+   * A taint-tracking configuration for detecting "path injection" vulnerabilities.
+   *
+   * This configuration uses two flow states, `NotNormalized` and `NormalizedUnchecked`,
+   * to track the requirement that a file path must be first normalized and then checked
+   * before it is safe to use.
+   *
+   * At sources, paths are assumed not normalized. At normalization points, they change
+   * state to `NormalizedUnchecked` after which they can be made safe by an appropriate
+   * check of the prefix.
+   *
+   * Such checks are ineffective in the `NotNormalized` state.
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "PathInjection" }
+
+    override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
+      source instanceof Source and state instanceof NotNormalized
+    }
+
+    override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
+      sink instanceof Sink and
+      (
+        state instanceof NotNormalized or
+        state instanceof NormalizedUnchecked
+      )
+    }
+
+    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+    override predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) {
+      // Block `NotNormalized` paths here, since they change state to `NormalizedUnchecked`
+      node instanceof Path::PathNormalization and
+      state instanceof NotNormalized
+      or
+      node = any(Path::SafeAccessCheck c).getAGuardedNode() and
+      state instanceof NormalizedUnchecked
+    }
+
+    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+      guard instanceof SanitizerGuard
+    }
+
+    override predicate isAdditionalFlowStep(
+      DataFlow::Node nodeFrom, DataFlow::FlowState stateFrom, DataFlow::Node nodeTo,
+      DataFlow::FlowState stateTo
+    ) {
+      nodeFrom = nodeTo.(Path::PathNormalization).getPathArg() and
+      stateFrom instanceof NotNormalized and
+      stateTo instanceof NormalizedUnchecked
+    }
   }
-}
-
-/** Configuration to find paths from normalizations to sinks that do not go through a check. */
-class NormalizedPathNotCheckedConfiguration extends TaintTracking2::Configuration {
-  NormalizedPathNotCheckedConfiguration() { this = "NormalizedPathNotCheckedConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Path::PathNormalization }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
 
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-    guard instanceof Path::SafeAccessCheck
-    or
-    guard instanceof SanitizerGuard
+  /** A state signifying that the file path has not been normalized. */
+  class NotNormalized extends DataFlow::FlowState {
+    NotNormalized() { this = "NotNormalized" }
   }
-}
-
-/**
- * Holds if there is a path injection from source to sink, where the (python) path is
- * normalized at least once, but never checked afterwards.
- */
-predicate pathNotCheckedAfterNormalization(CustomPathNode source, CustomPathNode sink) {
-  exists(
-    FirstNormalizationConfiguration config, DataFlow::PathNode mid1, DataFlow2::PathNode mid2,
-    NormalizedPathNotCheckedConfiguration config2
-  |
-    config.hasFlowPath(source.asNode1(), mid1) and
-    config2.hasFlowPath(mid2, sink.asNode2()) and
-    mid1.getNode().asCfgNode() = mid2.getNode().asCfgNode()
-  )
-}
 
-// ---------------------------------------------------------------------------
-// Query: Either case 1 or case 2.
-// ---------------------------------------------------------------------------
-/** Holds if there is a path injection from source to sink */
-predicate pathInjection(CustomPathNode source, CustomPathNode sink) {
-  pathNotNormalized(source, sink)
-  or
-  pathNotCheckedAfterNormalization(source, sink)
+  /** A state signifying that the file path has been normalized, but not checked. */
+  class NormalizedUnchecked extends DataFlow::FlowState {
+    NormalizedUnchecked() { this = "NormalizedUnchecked" }
+  }
 }

python/ql/lib/semmle/python/security/dataflow/PathInjection.qll

@@ -18,7 +18,9 @@
 
 import python
 import semmle.python.security.dataflow.PathInjection
+import DataFlow::PathGraph
 
-from CustomPathNode source, CustomPathNode sink
-where pathInjection(source, sink)
-select sink, source, sink, "This path depends on $@.", source, "a user-provided value"
+from PathInjection::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This path depends on $@.", source.getNode(),
+  "a user-provided value"