Skip to content

Commit 3edb9d1

Browse files
RasmusWLRasmusWL
committed
Python: Move experimental TokenBuiltFromUUID to new dataflow API
1 parent acde192 commit 3edb9d1

File tree

1 file changed

+11
-9
lines changed

1 file changed

+11
-9
lines changed

python/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql

Lines changed: 11 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,6 @@ import python
1616
import semmle.python.dataflow.new.DataFlow
1717
import semmle.python.ApiGraphs
1818
import semmle.python.dataflow.new.TaintTracking
19-
import DataFlow::PathGraph
2019

2120
class PredictableResultSource extends DataFlow::Node {
2221
PredictableResultSource() {
@@ -40,14 +39,12 @@ class TokenAssignmentValueSink extends DataFlow::Node {
4039
}
4140
}
4241

43-
class TokenBuiltFromUuidConfig extends TaintTracking::Configuration {
44-
TokenBuiltFromUuidConfig() { this = "TokenBuiltFromUuidConfig" }
42+
private module TokenBuiltFromUUIDConfig implements DataFlow::ConfigSig {
43+
predicate isSource(DataFlow::Node source) { source instanceof PredictableResultSource }
4544

46-
override predicate isSource(DataFlow::Node source) { source instanceof PredictableResultSource }
45+
predicate isSink(DataFlow::Node sink) { sink instanceof TokenAssignmentValueSink }
4746

48-
override predicate isSink(DataFlow::Node sink) { sink instanceof TokenAssignmentValueSink }
49-
50-
override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
47+
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
5148
exists(DataFlow::CallCfgNode call |
5249
call = API::builtin("str").getACall() and
5350
nodeFrom = call.getArg(0) and
@@ -56,6 +53,11 @@ class TokenBuiltFromUuidConfig extends TaintTracking::Configuration {
5653
}
5754
}
5855

59-
from DataFlow::PathNode source, DataFlow::PathNode sink, TokenBuiltFromUuidConfig config
60-
where config.hasFlowPath(source, sink)
56+
/** Global taint-tracking for detecting "TokenBuiltFromUUID" vulnerabilities. */
57+
module TokenBuiltFromUUIDFlow = TaintTracking::Global<TokenBuiltFromUUIDConfig>;
58+
59+
import TokenBuiltFromUUIDFlow::PathGraph
60+
61+
from TokenBuiltFromUUIDFlow::PathNode source, TokenBuiltFromUUIDFlow::PathNode sink
62+
where TokenBuiltFromUUIDFlow::flowPath(source, sink)
6163
select sink.getNode(), source, sink, "Token built from $@.", source.getNode(), "predictable value"

0 commit comments

Comments
 (0)