16
16
import python
17
17
import semmle.python.dataflow.new.DataFlow
18
18
import semmle.python.dataflow.new.TaintTracking
19
- import DataFlow :: PathGraph
19
+ import TarSlipImprovFlow :: PathGraph
20
20
import semmle.python.ApiGraphs
21
21
import semmle.python.dataflow.new.internal.Attributes
22
22
import semmle.python.dataflow.new.BarrierGuards
@@ -54,12 +54,10 @@ class AllTarfileOpens extends API::CallNode {
54
54
/**
55
55
* A taint-tracking configuration for detecting more "TarSlip" vulnerabilities.
56
56
*/
57
- class Configuration extends TaintTracking :: Configuration {
58
- Configuration ( ) { this = "TarSlip" }
57
+ private module TarSlipImprovConfig implements DataFlow :: ConfigSig {
58
+ predicate isSource ( DataFlow :: Node source ) { source = tarfileOpen ( ) . getACall ( ) }
59
59
60
- override predicate isSource ( DataFlow:: Node source ) { source = tarfileOpen ( ) .getACall ( ) }
61
-
62
- override predicate isSink ( DataFlow:: Node sink ) {
60
+ predicate isSink ( DataFlow:: Node sink ) {
63
61
(
64
62
// A sink capturing method calls to `extractall` without `members` argument.
65
63
// For a call to `file.extractall` without `members` argument, `file` is considered a sink.
@@ -100,7 +98,7 @@ class Configuration extends TaintTracking::Configuration {
100
98
not sink .getScope ( ) .getLocation ( ) .getFile ( ) .inStdlib ( )
101
99
}
102
100
103
- override predicate isAdditionalTaintStep ( DataFlow:: Node nodeFrom , DataFlow:: Node nodeTo ) {
101
+ predicate isAdditionalFlowStep ( DataFlow:: Node nodeFrom , DataFlow:: Node nodeTo ) {
104
102
nodeTo .( MethodCallNode ) .calls ( nodeFrom , "getmembers" ) and
105
103
nodeFrom instanceof AllTarfileOpens
106
104
or
@@ -113,7 +111,10 @@ class Configuration extends TaintTracking::Configuration {
113
111
}
114
112
}
115
113
116
- from Configuration config , DataFlow:: PathNode source , DataFlow:: PathNode sink
117
- where config .hasFlowPath ( source , sink )
114
+ /** Global taint-tracking for detecting more "TarSlip" vulnerabilities. */
115
+ module TarSlipImprovFlow = TaintTracking:: Global< TarSlipImprovConfig > ;
116
+
117
+ from TarSlipImprovFlow:: PathNode source , TarSlipImprovFlow:: PathNode sink
118
+ where TarSlipImprovFlow:: flowPath ( source , sink )
118
119
select sink , source , sink , "Extraction of tarfile from $@ to a potentially untrusted source $@." ,
119
120
source .getNode ( ) , source .getNode ( ) .toString ( ) , sink .getNode ( ) , sink .getNode ( ) .toString ( )