@@ -18,6 +18,7 @@ import semmle.python.ApiGraphs
18
18
import semmle.python.dataflow.new.RemoteFlowSources
19
19
import semmle.python.dataflow.new.internal.DataFlowPublic
20
20
import experimental.semmle.python.security.DecompressionBomb
21
+ import FileAndFormRemoteFlowSource:: FileAndFormRemoteFlowSource
21
22
22
23
/**
23
24
* `io.TextIOWrapper(ip, encoding='utf-8')` like following:
@@ -39,59 +40,12 @@ predicate isAdditionalTaintStepTextIOWrapper(DataFlow::Node nodeFrom, DataFlow::
39
40
)
40
41
}
41
42
42
- module FileAndFormRemoteFlowSource {
43
- class FastAPI extends RemoteFlowSource:: Range {
44
- FastAPI ( ) {
45
- exists ( API:: Node fastApiParam , Expr fastApiUploadFile |
46
- fastApiParam =
47
- API:: moduleImport ( "fastapi" )
48
- .getMember ( "FastAPI" )
49
- .getReturn ( )
50
- .getMember ( "post" )
51
- .getReturn ( )
52
- .getParameter ( 0 )
53
- .getKeywordParameter ( _) and
54
- fastApiUploadFile =
55
- API:: moduleImport ( "fastapi" )
56
- .getMember ( "UploadFile" )
57
- .getASubclass * ( )
58
- .getAValueReachableFromSource ( )
59
- .asExpr ( )
60
- |
61
- fastApiUploadFile =
62
- fastApiParam .asSource ( ) .asExpr ( ) .( Parameter ) .getAnnotation ( ) .getASubExpression * ( ) and
63
- // Multiple Uploaded files as list of fastapi.UploadFile
64
- exists ( For f , Attribute attr |
65
- fastApiParam .getAValueReachableFromSource ( ) .asExpr ( ) = f .getIter ( ) .getASubExpression * ( )
66
- |
67
- TaintTracking:: localExprTaint ( f .getIter ( ) , attr .getObject ( ) ) and
68
- attr .getName ( ) = [ "filename" , "content_type" , "headers" , "file" , "read" ] and
69
- this .asExpr ( ) = attr
70
- )
71
- or
72
- // one Uploaded file as fastapi.UploadFile
73
- this =
74
- [
75
- fastApiParam .getMember ( [ "filename" , "content_type" , "headers" ] ) .asSource ( ) ,
76
- fastApiParam
77
- .getMember ( "file" )
78
- .getMember ( [ "readlines" , "readline" , "read" ] )
79
- .getReturn ( )
80
- .asSource ( ) , fastApiParam .getMember ( "read" ) .getReturn ( ) .asSource ( )
81
- ]
82
- )
83
- }
84
-
85
- override string getSourceType ( ) { result = "fastapi HTTP FORM files" }
86
- }
87
- }
88
-
89
43
module BombsConfig implements DataFlow:: ConfigSig {
90
44
predicate isSource ( DataFlow:: Node source ) {
91
45
(
92
46
source instanceof RemoteFlowSource
93
47
or
94
- source instanceof FileAndFormRemoteFlowSource :: FastAPI
48
+ source instanceof FastAPI
95
49
) and
96
50
not source .getLocation ( ) .getFile ( ) .inStdlib ( ) and
97
51
not source .getLocation ( ) .getFile ( ) .getRelativePath ( ) .matches ( "%venv%" )
@@ -113,11 +67,11 @@ module BombsConfig implements DataFlow::ConfigSig {
113
67
}
114
68
}
115
69
116
- module Bombs = TaintTracking:: Global< BombsConfig > ;
70
+ module BombsFlow = TaintTracking:: Global< BombsConfig > ;
117
71
118
- import Bombs :: PathGraph
72
+ import BombsFlow :: PathGraph
119
73
120
- from Bombs :: PathNode source , Bombs :: PathNode sink
121
- where Bombs :: flowPath ( source , sink )
74
+ from BombsFlow :: PathNode source , BombsFlow :: PathNode sink
75
+ where BombsFlow :: flowPath ( source , sink )
122
76
select sink .getNode ( ) , source , sink , "This uncontrolled file extraction is $@." , source .getNode ( ) ,
123
77
"depends on this user controlled data"
0 commit comments