Add Unicode DoS (CWE-770)

Sim4n6 · yoff · commit 342465057c34 · 2024-03-15T14:17:23.000+01:00
diff --git a/python/ql/src/experimental/Security/CWE-770/UnicodeDoS.qhelp b/python/ql/src/experimental/Security/CWE-770/UnicodeDoS.qhelp
@@ -0,0 +1,38 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>When a remote user-controlled data can reach a costly Unicode normalization with either form, NFKC or NFKD, an attack such as the One Million Unicode Characters, could lead to a denial of service on Windows OS.</p> 
+
+<p>And, with the use of special Unicode characters, like U+2100 (℀) or U+2105 (℅), the payload size could be tripled after the compatibility normalization.
+
+</overview>
+<recommendation>
+
+<p>Ensure limiting the size of any incoming data that would go through a costly operations, including a Windows Unicode normalization with NFKC or NFKD. Such a recommandation would avoid a potential denial of service.</p>
+
+</recommendation>
+
+<example>
+<p>
+In this example a simple user-controlled data reaches a Unicode normalization with the form "NFKC".
+</p>
+
+<sample src="bad.py" />
+
+<p>To fix this vulnerability, we need restrain the size of the user input.</p> 
+
+<p>For example, we can use the <code>len()</code> builtin function to limit the size of the user input.</p> 
+
+<sample src="good.py" />
+
+</example>
+<references>
+
+<li>
+  <a href="https://hackerone.com/reports/2258758">CVE-2023-46695: Potential denial of service vulnerability in Django UsernameField on Windows.</a>
+  </li>
+</references>
+</qhelp>
diff --git a/python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql b/python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql
@@ -0,0 +1,104 @@
+/**
+ * @name Denial of Service using Unicode Characters
+ * @description A remote user-controlled data can reach a costly Unicode normalization with either form NFKC or NFKD. On Windows OS, with an attack such as the One Million Unicode Characters, this could lead to a denial of service. And, with the use of special Unicode characters, like U+2100 (℀) or U+2105 (℅), the payload size could be tripled.
+ * @kind path-problem
+ * @id py/unicode-dos
+ * @precision high
+ * @problem.severity error
+ * @tags security
+ *       experimental
+ *       external/cwe/cwe-770
+ */
+
+import python
+import semmle.python.ApiGraphs
+import semmle.python.Concepts
+import semmle.python.dataflow.new.TaintTracking
+import semmle.python.dataflow.new.internal.DataFlowPublic
+import semmle.python.dataflow.new.RemoteFlowSources
+
+class UnicodeCompatibilityNormalize extends API::CallNode {
+  int argIdx;
+
+  UnicodeCompatibilityNormalize() {
+    exists(API::CallNode cn, DataFlow::Node form |
+      cn = API::moduleImport("unicodedata").getMember("normalize").getACall() and
+      form.asExpr().(StrConst).getS() in ["NFKC", "NFKD"] and
+      TaintTracking::localTaint(form, cn.getArg(0)) and
+      this = cn and
+      argIdx = 1
+    )
+    or
+    exists(API::CallNode cn |
+      cn = API::moduleImport("unidecode").getMember("unidecode").getACall() and
+      this = cn and
+      argIdx = 0
+    )
+    or
+    exists(API::CallNode cn |
+      cn = API::moduleImport("pyunormalize").getMember(["NFKC", "NFKD"]).getACall() and
+      this = cn and
+      argIdx = 0
+    )
+    or
+    exists(API::CallNode cn, DataFlow::Node form |
+      cn = API::moduleImport("pyunormalize").getMember("normalize").getACall() and
+      form.asExpr().(StrConst).getS() in ["NFKC", "NFKD"] and
+      TaintTracking::localTaint(form, cn.getArg(0)) and
+      this = cn and
+      argIdx = 1
+    )
+    or
+    exists(API::CallNode cn, DataFlow::Node form |
+      cn = API::moduleImport("textnorm").getMember("normalize_unicode").getACall() and
+      form.asExpr().(StrConst).getS() in ["NFKC", "NFKD"] and
+      TaintTracking::localTaint(form, cn.getArg(1)) and
+      this = cn and
+      argIdx = 0
+    )
+  }
+
+  DataFlow::Node getPathArg() { result = this.getArg(argIdx) }
+}
+
+predicate underAValue(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
+  exists(CompareNode cn | cn = g |
+    exists(API::CallNode lenCall, Cmpop op_gt, Cmpop op_lt, Node n |
+      lenCall = n.getALocalSource() and
+      (
+        (op_lt = any(LtE lte) or op_lt = any(Lt lt)) and
+        branch = true and
+        cn.operands(n.asCfgNode(), op_lt, _)
+        or
+        (op_gt = any(GtE gte) or op_gt = any(Gt gt)) and
+        branch = true and
+        cn.operands(_, op_gt, n.asCfgNode())
+      )
+    |
+      lenCall = API::builtin("len").getACall() and
+      node = lenCall.getArg(0).asCfgNode()
+    ) //and
+    //not cn.getLocation().getFile().inStdlib()
+  )
+}
+
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "RemoteSourcesReachUnicodeCharacters" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer = DataFlow::BarrierGuard<underAValue/3>::getABarrierNode()
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink = any(UnicodeCompatibilityNormalize ucn).getPathArg()
+  }
+}
+
+import DataFlow::PathGraph
+
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This $@ can reach a $@.", source.getNode(),
+  "user-provided value", sink.getNode(), "costly Unicode normalization operation"
diff --git a/python/ql/src/experimental/Security/CWE-770/bad.py b/python/ql/src/experimental/Security/CWE-770/bad.py
@@ -0,0 +1,17 @@
+from flask import Flask, jsonify, request
+import unicodedata
+
+app = Flask(__name__)
+
+
+@app.route("/bad_1")
+def bad_1():
+    # User controlled data
+    file_path = request.args.get("file_path", "")
+
+    # Normalize the file path using NFKC Unicode normalization
+    return (
+        unicodedata.normalize("NFKC", file_path),
+        200,
+        {"Content-Type": "application/octet-stream"},
+    )
diff --git a/python/ql/src/experimental/Security/CWE-770/good.py b/python/ql/src/experimental/Security/CWE-770/good.py
@@ -0,0 +1,16 @@
+from flask import Flask, jsonify, request
+import unicodedata
+
+app = Flask(__name__)
+
+
+@app.route("/good_1")
+def good_1():
+    r = request.args.get("r", "")
+
+    if len(r) <= 1_000:
+        # Normalize the r using NFKD Unicode normalization
+        r = unicodedata.normalize("NFKD", r)
+        return r, 200, {"Content-Type": "application/octet-stream"}
+    else:
+        return jsonify({"error": "File not found"}), 404
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-770/UnicodeDoS.expected b/python/ql/test/experimental/query-tests/Security/CWE-770/UnicodeDoS.expected
@@ -0,0 +1,55 @@
+WARNING: Module PathGraph has been deprecated and may be removed in future (C:/Users/ab/Desktop/GhSec/Pull-Requests/codeql-PUN/python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql:99,8-27)
+WARNING: Type Configuration has been deprecated and may be removed in future (C:/Users/ab/Desktop/GhSec/Pull-Requests/codeql-PUN/python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql:85,29-57)
+WARNING: Type PathNode has been deprecated and may be removed in future (C:/Users/ab/Desktop/GhSec/Pull-Requests/codeql-PUN/python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql:101,28-46)
+WARNING: Type PathNode has been deprecated and may be removed in future (C:/Users/ab/Desktop/GhSec/Pull-Requests/codeql-PUN/python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql:101,55-73)
+edges
+| tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:1:35:1:41 | ControlFlowNode for request |
+| tests.py:1:35:1:41 | ControlFlowNode for request | tests.py:12:17:12:23 | ControlFlowNode for request |
+| tests.py:1:35:1:41 | ControlFlowNode for request | tests.py:24:9:24:15 | ControlFlowNode for request |
+| tests.py:1:35:1:41 | ControlFlowNode for request | tests.py:36:9:36:15 | ControlFlowNode for request |
+| tests.py:1:35:1:41 | ControlFlowNode for request | tests.py:48:9:48:15 | ControlFlowNode for request |
+| tests.py:12:5:12:13 | ControlFlowNode for file_path | tests.py:16:39:16:47 | ControlFlowNode for file_path |
+| tests.py:12:17:12:23 | ControlFlowNode for request | tests.py:12:17:12:28 | ControlFlowNode for Attribute |
+| tests.py:12:17:12:28 | ControlFlowNode for Attribute | tests.py:12:17:12:49 | ControlFlowNode for Attribute() |
+| tests.py:12:17:12:49 | ControlFlowNode for Attribute() | tests.py:12:5:12:13 | ControlFlowNode for file_path |
+| tests.py:24:5:24:5 | ControlFlowNode for r | tests.py:28:43:28:43 | ControlFlowNode for r |
+| tests.py:24:9:24:15 | ControlFlowNode for request | tests.py:24:9:24:20 | ControlFlowNode for Attribute |
+| tests.py:24:9:24:20 | ControlFlowNode for Attribute | tests.py:24:9:24:33 | ControlFlowNode for Attribute() |
+| tests.py:24:9:24:33 | ControlFlowNode for Attribute() | tests.py:24:5:24:5 | ControlFlowNode for r |
+| tests.py:36:5:36:5 | ControlFlowNode for r | tests.py:40:43:40:43 | ControlFlowNode for r |
+| tests.py:36:9:36:15 | ControlFlowNode for request | tests.py:36:9:36:20 | ControlFlowNode for Attribute |
+| tests.py:36:9:36:20 | ControlFlowNode for Attribute | tests.py:36:9:36:33 | ControlFlowNode for Attribute() |
+| tests.py:36:9:36:33 | ControlFlowNode for Attribute() | tests.py:36:5:36:5 | ControlFlowNode for r |
+| tests.py:48:5:48:5 | ControlFlowNode for r | tests.py:52:43:52:43 | ControlFlowNode for r |
+| tests.py:48:9:48:15 | ControlFlowNode for request | tests.py:48:9:48:20 | ControlFlowNode for Attribute |
+| tests.py:48:9:48:20 | ControlFlowNode for Attribute | tests.py:48:9:48:33 | ControlFlowNode for Attribute() |
+| tests.py:48:9:48:33 | ControlFlowNode for Attribute() | tests.py:48:5:48:5 | ControlFlowNode for r |
+nodes
+| tests.py:1:35:1:41 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
+| tests.py:1:35:1:41 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| tests.py:12:5:12:13 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path |
+| tests.py:12:17:12:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| tests.py:12:17:12:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| tests.py:12:17:12:49 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| tests.py:16:39:16:47 | ControlFlowNode for file_path | semmle.label | ControlFlowNode for file_path |
+| tests.py:24:5:24:5 | ControlFlowNode for r | semmle.label | ControlFlowNode for r |
+| tests.py:24:9:24:15 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| tests.py:24:9:24:20 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| tests.py:24:9:24:33 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| tests.py:28:43:28:43 | ControlFlowNode for r | semmle.label | ControlFlowNode for r |
+| tests.py:36:5:36:5 | ControlFlowNode for r | semmle.label | ControlFlowNode for r |
+| tests.py:36:9:36:15 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| tests.py:36:9:36:20 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| tests.py:36:9:36:33 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| tests.py:40:43:40:43 | ControlFlowNode for r | semmle.label | ControlFlowNode for r |
+| tests.py:48:5:48:5 | ControlFlowNode for r | semmle.label | ControlFlowNode for r |
+| tests.py:48:9:48:15 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| tests.py:48:9:48:20 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| tests.py:48:9:48:33 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| tests.py:52:43:52:43 | ControlFlowNode for r | semmle.label | ControlFlowNode for r |
+subpaths
+#select
+| tests.py:16:39:16:47 | ControlFlowNode for file_path | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:16:39:16:47 | ControlFlowNode for file_path | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:16:39:16:47 | ControlFlowNode for file_path | costly Unicode normalization operation |
+| tests.py:28:43:28:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:28:43:28:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:28:43:28:43 | ControlFlowNode for r | costly Unicode normalization operation |
+| tests.py:40:43:40:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:40:43:40:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:40:43:40:43 | ControlFlowNode for r | costly Unicode normalization operation |
+| tests.py:52:43:52:43 | ControlFlowNode for r | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | tests.py:52:43:52:43 | ControlFlowNode for r | This $@ can reach a $@. | tests.py:1:35:1:41 | ControlFlowNode for ImportMember | user-provided value | tests.py:52:43:52:43 | ControlFlowNode for r | costly Unicode normalization operation |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-770/UnicodeDoS.qlref b/python/ql/test/experimental/query-tests/Security/CWE-770/UnicodeDoS.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-770/UnicodeDoS.ql
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-770/tests.py b/python/ql/test/experimental/query-tests/Security/CWE-770/tests.py
@@ -0,0 +1,80 @@
+from flask import Flask, jsonify, request
+import unicodedata
+
+app = Flask(__name__)
+
+STATIC_DIR = "/home/unknown/"
+
+
+@app.route("/bad_1")
+def bad_1():
+    # User controlled data
+    file_path = request.args.get("file_path", "")
+
+    # Normalize the file path using NFKC Unicode normalization
+    return (
+        unicodedata.normalize("NFKC", file_path),
+        200,
+        {"Content-Type": "application/octet-stream"},
+    )
+
+
+@app.route("/bad_2")
+def bad_2():
+    r = request.args.get("r", "")
+
+    if len(r) >= 10:
+        # Normalize the r using NFKD Unicode normalization
+        r = unicodedata.normalize("NFKD", r)
+        return r, 200, {"Content-Type": "application/octet-stream"}
+    else:
+        return jsonify({"error": "File not found"}), 404
+
+
+@app.route("/bad_3")
+def bad_3():
+    r = request.args.get("r", "")
+    length = len(r)
+    if length >= 1_000:
+        # Normalize the r using NFKD Unicode normalization
+        r = unicodedata.normalize("NFKD", r)
+        return r, 200, {"Content-Type": "application/octet-stream"}
+    else:
+        return jsonify({"error": "File not found"}), 404
+
+
+@app.route("/bad_4")
+def bad_4():
+    r = request.args.get("r", "")
+    length = len(r)
+    if 1_000 <= length:
+        # Normalize the r using NFKD Unicode normalization
+        r = unicodedata.normalize("NFKD", r)
+        return r, 200, {"Content-Type": "application/octet-stream"}
+    else:
+        return jsonify({"error": "File not found"}), 404
+
+
+@app.route("/good_1")
+def good_1():
+    r = request.args.get("r", "")
+
+    if len(r) <= 1_000:
+        # Normalize the r using NFKD Unicode normalization
+        r = unicodedata.normalize("NFKD", r)
+        return r, 200, {"Content-Type": "application/octet-stream"}
+    else:
+        return jsonify({"error": "File not found"}), 404
+
+
+@app.route("/good_2")
+def good_2():
+    r = request.args.get("r", "")
+    MAX_LENGTH = 1_000
+    length = len(r)
+    if length <= MAX_LENGTH:
+        # Normalize the r using NFKD Unicode normalization
+        r = unicodedata.normalize("NFKD", r)
+        return r, 200, {"Content-Type": "application/octet-stream"}
+    else:
+        return jsonify({"error": "File not found"}), 404

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+experimental/Security/CWE-770/UnicodeDoS.ql`