Commit 70ebc58

Sim4n6yoff
authored andcommitted
Refactor Unicode normalization code
1 parent 3d8868a commit 70ebc58

1 file changed

+18
-35
lines changed

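--- a/python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql
+++ b/python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql
@@ -23,41 +23,24 @@ class UnicodeCompatibilityNormalize extends API::CallNode {
 int argIdx;
 
 UnicodeCompatibilityNormalize() {
-exists(API::CallNode cn, DataFlow::Node form |
-cn = API::moduleImport("unicodedata").getMember("normalize").getACall() and
-form.asExpr().(StrConst).getS() in ["NFKC", "NFKD"] and
-TaintTracking::localTaint(form, cn.getArg(0)) and
-this = cn and
-argIdx = 1
-)
+(
+this = API::moduleImport("unicodedata").getMember("normalize").getACall() and
+this.getParameter(0).getAValueReachingSink().asExpr().(StrConst).getText() in ["NFKC", "NFKD"]
+or
+this = API::moduleImport("pyunormalize").getMember("normalize").getACall() and
+this.getParameter(0).getAValueReachingSink().asExpr().(StrConst).getText() in ["NFKC", "NFKD"]
+) and
+argIdx = 1
 or
-exists(API::CallNode cn |
-cn = API::moduleImport("unidecode").getMember("unidecode").getACall() and
-this = cn and
-argIdx = 0
-)
-or
-exists(API::CallNode cn |
-cn = API::moduleImport("pyunormalize").getMember(["NFKC", "NFKD"]).getACall() and
-this = cn and
-argIdx = 0
-)
-or
-exists(API::CallNode cn, DataFlow::Node form |
-cn = API::moduleImport("pyunormalize").getMember("normalize").getACall() and
-form.asExpr().(StrConst).getS() in ["NFKC", "NFKD"] and
-TaintTracking::localTaint(form, cn.getArg(0)) and
-this = cn and
-argIdx = 1
-)
-or
-exists(API::CallNode cn, DataFlow::Node form |
-cn = API::moduleImport("textnorm").getMember("normalize_unicode").getACall() and
-form.asExpr().(StrConst).getS() in ["NFKC", "NFKD"] and
-TaintTracking::localTaint(form, cn.getArg(1)) and
-this = cn and
-argIdx = 0
-)
+(
+this = API::moduleImport("textnorm").getMember("normalize_unicode").getACall() and
+this.getParameter(1).getAValueReachingSink().asExpr().(StrConst).getText() in ["NFKC", "NFKD"]
+or
+this = API::moduleImport("unidecode").getMember("unidecode").getACall()
+or
+this = API::moduleImport("pyunormalize").getMember(["NFKC", "NFKD"]).getACall()
+) and
+argIdx = 0
 }
 
 DataFlow::Node getPathArg() { result = this.getArg(argIdx) }
@@ -73,7 +56,7 @@ predicate underAValue(DataFlow::GuardNode g, ControlFlowNode node, boolean branc
 branch = true and
 cn.operands(n.asCfgNode(), op_lt, _)
 or
-// LIMIT >= arg OR LIMIT > arg
+// LIMIT >= arg OR LIMIT > arg
 (op_gt = any(GtE gte) or op_gt = any(Gt gt)) and
 branch = true and
 cn.operands(_, op_gt, n.asCfgNode())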
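Review bot: The form check in the rewritten constructor only looks at positional arguments, so a call that passes the normalization form by keyword is not modelled: `getParameter(0)` / `getParameter(1)` on new-side lines 28, 31 and 37 cover positional slots only, and `getPathArg()` likewise resolves the string through `this.getArg(argIdx)`. For a CWE-770 query that is a false negative rather than noise, so wherever a modelled function accepts keywords I would add the keyword form beside the positional one, e.g. `this.getKeywordParameter("<form-param-name>").getAValueReachingSink()`; the parameter names are not visible on this page and need checking against each library. Replacing `TaintTracking::localTaint` with `getAValueReachingSink()` may also change which form constants are found, so the query's tests should include a case where the form string is defined away from the call site and one where it is passed by keyword. The class body starts before this hunk and continues after it.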
