Added Sanitizer Guard

Author: haby0

python/ql/src/experimental/Security/CWE-1236/CsvInjection.qhelp

@@ -5,7 +5,7 @@
 <overview>
 <p>CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files.</p>
 <p>When a CSV format file is opened with a spreadsheet program such as Microsoft Excel or LibreOffice Calc. 
-this software interprets entries beginning with <code>=</code> as formulas. may attempt information exfiltration 
+this software interprets entries beginning with <code>=</code> as formulas, which may attempt information exfiltration  
 or other malicious activity when automatically executed by the spreadsheet software.</p>
 </overview>
 <recommendation>
@@ -18,7 +18,7 @@ Risky characters include <code>=</code>(equal), <code>+</code>(plus), <code>-</c
 
 <p>The following examples show the bad case and the good case respectively.
 In <code>bad1</code> method, the data provided by the user is directly stored in the CSV file, which may be attacked. 
-But in the <code>good1</code> method,, the program will check the data provided by the user, and process the data starting with <code>=</code>(equal), <code>+</code>(plus), <code>-</code>(minus), and <code>@</code>(at) characters safely.</p>
+But in the <code>good1</code> method, the program will check the data provided by the user, and process the data starting with <code>=</code>(equal), <code>+</code>(plus), <code>-</code>(minus), and <code>@</code>(at) characters safely.</p>
 
 <sample src="CsvInjection.py" />
 

python/ql/src/experimental/semmle/python/Concepts.qll

@@ -294,6 +294,9 @@ class CsvWriter extends DataFlow::Node {
 
   CsvWriter() { this = range }
 
+  /**
+   * Get the parameter value of the csv writer function.
+   */
   DataFlow::Node getAnInput() { result = range.getAnInput() }
 }
 

python/ql/src/experimental/semmle/python/security/injection/CsvInjection.qll

@@ -2,6 +2,7 @@ import python
 import experimental.semmle.python.Concepts
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
+import semmle.python.dataflow.new.BarrierGuards
 import semmle.python.dataflow.new.RemoteFlowSources
 
 /**
@@ -10,11 +11,21 @@ import semmle.python.dataflow.new.RemoteFlowSources
 class CsvInjectionFlowConfig extends TaintTracking::Configuration {
   CsvInjectionFlowConfig() { this = "CsvInjectionFlowConfig" }
 
-  override predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink = any(CsvWriter cw).getAnInput() }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof StartsWithCheck or
+    guard instanceof StringConstCompare
   }
+}
+
+class StartsWithCheck extends DataFlow::BarrierGuard {
+  StartsWithCheck() { this.(CallNode).getNode().getFunc().(Attribute).getName() = "startswith" }
 
-  override predicate isSink(DataFlow::Node sink) {
-    exists(CsvWriter csvwriter | sink = csvwriter.getAnInput())
+  override predicate checks(ControlFlowNode node, boolean branch) {
+    node = this.(CallNode).getNode().getFunc().(Attribute).getObject().getAFlowNode() and
+    branch = true
   }
 }