
Commit 9e63aa9

committed
Update query
1 parent e8d0827 commit 9e63aa9


2 files changed

+11
-6
lines changed


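--- a/python/ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
+++ b/python/ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
@@ -13,6 +13,7 @@
 import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
+import semmle.python.ApiGraphs
 import ClientSuppliedIpUsedInSecurityCheckLib
 import DataFlow::PathGraph
 
@@ -30,6 +31,14 @@ class ClientSuppliedIpUsedInSecurityCheckConfig extends TaintTracking::Configura
 sink instanceof ClientSuppliedIpUsedInSecurityCheckSink
 }
 
+override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+exists(DataFlow::CallCfgNode ccn |
+ccn = API::moduleImport("netaddr").getMember("IPAddress").getACall() and
+ccn.getArg(0) = pred and
+ccn = succ
+)
+}
+
 override predicate isSanitizer(DataFlow::Node node) {
 exists(Subscript ss |
 not ss.getIndex().(IntegerLiteral).getText() = "0" and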
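Review bot: The added `isAdditionalTaintStep` propagates taint only through the first positional argument (`ccn.getArg(0) = pred`), so a call written as `IPAddress(addr=value)` would drop the taint and the query would miss that flow into a security check. Consider `pred in [ccn.getArg(0), ccn.getArgByName("addr")]` in place of the positional-only line. The predicate also has no QLDoc; a short comment stating that wrapping a client-supplied header value in `netaddr.IPAddress` parses it but does not make it trustworthy would explain why the step exists. The enclosing configuration class begins above the hunk and `isSanitizer` continues below it.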

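--- a/python/ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheckLib.qll
+++ b/python/ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheckLib.qll
@@ -123,14 +123,10 @@ private class CompareSink extends ClientSuppliedIpUsedInSecurityCheckSink {
 (
 compare.getLeft() = this.asExpr()
 or
-compare.getComparator(0) = this.asExpr()
+compare.getComparator(0) = this.asExpr() and
+not compare.getLeft().(StrConst).getText() in ["%", ","]
 )
 )
-or
-exists(Call call |
-call.getFunc().(Attribute).getName() = "add" and
-call.getArg(0) = this.asExpr()
-)
 }
 }
 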
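Review bot: The new exclusion `not compare.getLeft().(StrConst).getText() in ["%", ","]` is keyed on the literal's text only, not on the comparison operator, so within the visible lines any comparison with `","` or `"%"` on the left is dropped from the sinks, not just membership tests such as `"," in ip`. If the part of the predicate above the hunk does not already restrict the operator, adding `compare.getOp(0) instanceof In` would keep the filter limited to format checks and avoid silently losing results. A one-line comment naming what the two literals stand for (presumably the separator of a multi-value forwarded header and an IPv6 zone marker) would help the next reader judge whether other separators belong in the list. The `CompareSink` characteristic predicate starts outside the hunk.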
