V2

Author: am0o0

python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/ConstantSecretKey.qhelp

@@ -15,11 +15,11 @@
     </p>
   </recommendation>
   <example>
-
-    <sample src="example_bad.py" />
-
-    <sample src="example_good.py" />
-
+    <sample src="examples/example_Django_safe.py" />
+    <sample src="examples/example_Django_snsafe.py" />
+    <sample src="examples/example_Flask_safe.py" />
+    <sample src="examples/example_Flask_unsafe.py" />
+    <sample src="examples/example_Flask_unsafe2.py" />
   </example>
   <references>
     <li>

python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/ConstantSecretKey.ql

@@ -0,0 +1,58 @@
+/**
+ * @name Initializing SECRET_KEY of Flask application with Constant value
+ * @description Initializing SECRET_KEY of Flask application with Constant value
+ * files can lead to Authentication bypass
+ * @kind path-problem
+ * @id py/flask-constant-secret-key
+ * @problem.severity error
+ * @security-severity 8.5
+ * @precision high
+ * @tags security
+ *       experimental
+ *       external/cwe/cwe-287
+ */
+
+import python
+import experimental.semmle.python.Concepts
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.ApiGraphs
+import semmle.python.dataflow.new.TaintTracking
+import WebAppConstantSecretKeyDjango
+import WebAppConstantSecretKeyFlask
+
+newtype TFrameWork =
+  Flask() or
+  Django()
+
+module WebAppConstantSecretKeyConfig implements DataFlow::StateConfigSig {
+  class FlowState = TFrameWork;
+
+  predicate isSource(DataFlow::Node source, FlowState state) {
+    state = Flask() and FlaskConstantSecretKeyConfig::isSource(source)
+    or
+    state = Django() and DjangoConstantSecretKeyConfig::isSource(source)
+  }
+
+  predicate isSink(DataFlow::Node sink, FlowState state) {
+    state = Flask() and FlaskConstantSecretKeyConfig::isSink(sink)
+    or
+    state = Django() and DjangoConstantSecretKeyConfig::isSink(sink)
+  }
+
+  predicate isBarrier(DataFlow::Node node, FlowState state) { none() }
+
+  predicate isAdditionalFlowStep(
+    DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2
+  ) {
+    none()
+  }
+}
+
+module WebAppConstantSecretKey = TaintTracking::GlobalWithState<WebAppConstantSecretKeyConfig>;
+
+import WebAppConstantSecretKey::PathGraph
+
+from WebAppConstantSecretKey::PathNode source, WebAppConstantSecretKey::PathNode sink
+where WebAppConstantSecretKey::flowPath(source, sink)
+select sink, source, sink, "The SECRET_KEY config variable is assigned by $@.", source,
+  " this constant String"

python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKey.ql

@@ -0,0 +1,95 @@
+import python
+import experimental.semmle.python.Concepts
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.ApiGraphs
+import semmle.python.dataflow.new.TaintTracking
+
+module DjangoConstantSecretKeyConfig {
+  /**
+   * Sources are Constants that without any Tainting reach the Sinks.
+   * Also Sources can be the default value of getenv or similar methods
+   * in a case that no value is assigned to Desired SECRET_KEY environment variable
+   */
+  predicate isSource(DataFlow::Node source) {
+    (
+      source.asExpr().isConstant()
+      or
+      exists(API::Node cn |
+        cn =
+          [
+            API::moduleImport("configparser")
+                .getMember(["ConfigParser", "RawConfigParser"])
+                .getReturn(),
+            // legacy API https://docs.python.org/3/library/configparser.html#legacy-api-examples
+            API::moduleImport("configparser")
+                .getMember(["ConfigParser", "RawConfigParser"])
+                .getReturn()
+                .getMember("get")
+                .getReturn()
+          ] and
+        source = cn.asSource()
+      )
+      or
+      exists(API::CallNode cn |
+        cn =
+          [
+            API::moduleImport("os").getMember("getenv").getACall(),
+            API::moduleImport("os").getMember("environ").getMember("get").getACall()
+          ] and
+        (
+          // this can be ideal if we assume that best security practice is that
+          // we don't get SECRET_KEY from env and we always assign a secure generated random string to it
+          cn.getNumArgument() = 1
+          or
+          cn.getNumArgument() = 2 and
+          DataFlow::localFlow(any(DataFlow::Node n | n.asExpr().isConstant()), cn.getArg(1))
+        ) and
+        source.asExpr() = cn.asExpr()
+      )
+      or
+      source.asExpr() =
+        API::moduleImport("os").getMember("environ").getASubscript().asSource().asExpr()
+    ) and
+    // followings will sanitize the get_random_secret_key of django.core.management.utils and similar random generators which we have their source code and some of them can be tracking by taint tracking because they are initilized by a constant!
+    exists(source.getScope().getLocation().getFile().getRelativePath()) and
+    // special case for get_random_secret_key
+    not source.getScope().getLocation().getFile().getBaseName() = "crypto.py"
+  }
+
+  /**
+   * A sink like following SECRET_KEY Assignments
+   * ```python
+   *from django.conf import settings
+   *settings.configure(
+   *    SECRET_KEY="constant",
+   *)
+   * # or
+   *settings.SECRET_KEY = "constant"
+   * ```
+   */
+  predicate isSink(DataFlow::Node sink) {
+    exists(API::moduleImport("django")) and
+    (
+      exists(AssignStmt e | e.getTarget(0).(Name).getId() = ["SECRET_KEY", "SECRET_KEY_FALLBACKS"] |
+        sink.asExpr() = e.getValue()
+      )
+      or
+      exists(API::Node settings |
+        settings =
+          API::moduleImport("django").getMember("conf").getMember(["global_settings", "settings"]) and
+        sink =
+          settings
+              .getMember("configure")
+              .getKeywordParameter(["SECRET_KEY_FALLBACKS", "SECRET_KEY"])
+              .asSink()
+      )
+      or
+      exists(API::Node n, DataFlow::AttrWrite attr |
+        attr.getObject().getALocalSource() = n.asSource() and
+        attr.getAttributeName() = ["SECRET_KEY_FALLBACKS", "SECRET_KEY"] and
+        sink = attr.getValue()
+      )
+    ) and
+    exists(sink.getScope().getLocation().getFile().getRelativePath())
+  }
+}