Merge pull request github#6155 from RasmusWL/port-cleartext-queries

Python: Port cleartext queries

Author: yoff

python/change-notes/2021-06-24-add-CookieWrite-concept.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added `HTTP::Server::CookieWrite` concept for statements that sets a cookie in an HTTP response, along with modeling of this in supported web frameworks (aiohttp/flask/django/tornado/twisted).

python/ql/src/Security/CWE-312/CleartextLogging.ql

@@ -14,25 +14,13 @@
  */
 
 import python
-import semmle.python.security.Paths
-import semmle.python.dataflow.TaintTracking
-import semmle.python.security.SensitiveData
-import semmle.python.security.ClearText
+private import semmle.python.dataflow.new.DataFlow
+import DataFlow::PathGraph
+import semmle.python.security.dataflow.CleartextLogging::CleartextLogging
 
-class CleartextLoggingConfiguration extends TaintTracking::Configuration {
-  CleartextLoggingConfiguration() { this = "ClearTextLogging" }
-
-  override predicate isSource(DataFlow::Node src, TaintKind kind) {
-    src.asCfgNode().(SensitiveData::Source).isSourceOf(kind)
-  }
-
-  override predicate isSink(DataFlow::Node sink, TaintKind kind) {
-    sink.asCfgNode() instanceof ClearTextLogging::Sink and
-    kind instanceof SensitiveData
-  }
-}
-
-from CleartextLoggingConfiguration config, TaintedPathSource source, TaintedPathSink sink
-where config.hasFlowPath(source, sink)
-select sink.getSink(), source, sink, "Sensitive data returned by $@ is logged here.",
-  source.getSource(), source.getCfgNode().(SensitiveData::Source).repr()
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, string classification
+where
+  config.hasFlowPath(source, sink) and
+  classification = source.getNode().(Source).getClassification()
+select sink.getNode(), source, sink, "$@ is logged here.", source.getNode(),
+  "Sensitive data (" + classification + ")"

python/ql/src/Security/CWE-312/CleartextStorage.ql

@@ -14,25 +14,13 @@
  */
 
 import python
-import semmle.python.security.Paths
-import semmle.python.dataflow.TaintTracking
-import semmle.python.security.SensitiveData
-import semmle.python.security.ClearText
+private import semmle.python.dataflow.new.DataFlow
+import DataFlow::PathGraph
+import semmle.python.security.dataflow.CleartextStorage::CleartextStorage
 
-class CleartextStorageConfiguration extends TaintTracking::Configuration {
-  CleartextStorageConfiguration() { this = "ClearTextStorage" }
-
-  override predicate isSource(DataFlow::Node src, TaintKind kind) {
-    src.asCfgNode().(SensitiveData::Source).isSourceOf(kind)
-  }
-
-  override predicate isSink(DataFlow::Node sink, TaintKind kind) {
-    sink.asCfgNode() instanceof ClearTextStorage::Sink and
-    kind instanceof SensitiveData
-  }
-}
-
-from CleartextStorageConfiguration config, TaintedPathSource source, TaintedPathSink sink
-where config.hasFlowPath(source, sink)
-select sink.getSink(), source, sink, "Sensitive data from $@ is stored here.", source.getSource(),
-  source.getCfgNode().(SensitiveData::Source).repr()
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, string classification
+where
+  config.hasFlowPath(source, sink) and
+  classification = source.getNode().(Source).getClassification()
+select sink.getNode(), source, sink, "$@ is stored here.", source.getNode(),
+  "Sensitive data (" + classification + ")"

python/ql/src/experimental/Security-old-dataflow/CWE-312/CleartextLogging.ql

@@ -0,0 +1,33 @@
+/**
+ * @name Clear-text logging of sensitive information
+ * @description OLD QUERY: Logging sensitive information without encryption or hashing can
+ *              expose it to an attacker.
+ * @kind path-problem
+ * @problem.severity error
+ * @id py/old/clear-text-logging-sensitive-data
+ * @deprecated
+ */
+
+import python
+import semmle.python.security.Paths
+import semmle.python.dataflow.TaintTracking
+import semmle.python.security.SensitiveData
+import semmle.python.security.ClearText
+
+class CleartextLoggingConfiguration extends TaintTracking::Configuration {
+  CleartextLoggingConfiguration() { this = "ClearTextLogging" }
+
+  override predicate isSource(DataFlow::Node src, TaintKind kind) {
+    src.asCfgNode().(SensitiveData::Source).isSourceOf(kind)
+  }
+
+  override predicate isSink(DataFlow::Node sink, TaintKind kind) {
+    sink.asCfgNode() instanceof ClearTextLogging::Sink and
+    kind instanceof SensitiveData
+  }
+}
+
+from CleartextLoggingConfiguration config, TaintedPathSource source, TaintedPathSink sink
+where config.hasFlowPath(source, sink)
+select sink.getSink(), source, sink, "Sensitive data returned by $@ is logged here.",
+  source.getSource(), source.getCfgNode().(SensitiveData::Source).repr()

python/ql/src/experimental/Security-old-dataflow/CWE-312/CleartextStorage.ql

@@ -0,0 +1,33 @@
+/**
+ * @name Clear-text storage of sensitive information
+ * @description OLD QUERY: Sensitive information stored without encryption or hashing can expose it to an
+ *              attacker.
+ * @kind path-problem
+ * @problem.severity error
+ * @id py/old/clear-text-storage-sensitive-data
+ * @deprecated
+ */
+
+import python
+import semmle.python.security.Paths
+import semmle.python.dataflow.TaintTracking
+import semmle.python.security.SensitiveData
+import semmle.python.security.ClearText
+
+class CleartextStorageConfiguration extends TaintTracking::Configuration {
+  CleartextStorageConfiguration() { this = "ClearTextStorage" }
+
+  override predicate isSource(DataFlow::Node src, TaintKind kind) {
+    src.asCfgNode().(SensitiveData::Source).isSourceOf(kind)
+  }
+
+  override predicate isSink(DataFlow::Node sink, TaintKind kind) {
+    sink.asCfgNode() instanceof ClearTextStorage::Sink and
+    kind instanceof SensitiveData
+  }
+}
+
+from CleartextStorageConfiguration config, TaintedPathSource source, TaintedPathSink sink
+where config.hasFlowPath(source, sink)
+select sink.getSink(), source, sink, "Sensitive data from $@ is stored here.", source.getSource(),
+  source.getCfgNode().(SensitiveData::Source).repr()

python/ql/src/semmle/python/Concepts.qll

@@ -72,6 +72,39 @@ module FileSystemAccess {
   }
 }
 
+/**
+ * A data flow node that writes data to the file system access.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `FileSystemWriteAccess::Range` instead.
+ */
+class FileSystemWriteAccess extends FileSystemAccess {
+  override FileSystemWriteAccess::Range range;
+
+  /**
+   * Gets a node that represents data to be written to the file system (possibly with
+   * some transformation happening before it is written, like JSON encoding).
+   */
+  DataFlow::Node getADataNode() { result = range.getADataNode() }
+}
+
+/** Provides a class for modeling new file system writes. */
+module FileSystemWriteAccess {
+  /**
+   * A data flow node that writes data to the file system access.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `FileSystemWriteAccess` instead.
+   */
+  abstract class Range extends FileSystemAccess::Range {
+    /**
+     * Gets a node that represents data to be written to the file system (possibly with
+     * some transformation happening before it is written, like JSON encoding).
+     */
+    abstract DataFlow::Node getADataNode();
+  }
+}
+
 /** Provides classes for modeling path-related APIs. */
 module Path {
   /**
@@ -235,6 +268,35 @@ private class EncodingAdditionalTaintStep extends TaintTracking::AdditionalTaint
   }
 }
 
+/**
+ * A data-flow node that logs data.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `Logging::Range` instead.
+ */
+class Logging extends DataFlow::Node {
+  Logging::Range range;
+
+  Logging() { this = range }
+
+  /** Gets an input that is logged. */
+  DataFlow::Node getAnInput() { result = range.getAnInput() }
+}
+
+/** Provides a class for modeling new logging mechanisms. */
+module Logging {
+  /**
+   * A data-flow node that logs data.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `Logging` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /** Gets an input that is logged. */
+    abstract DataFlow::Node getAnInput();
+  }
+}
+
 /**
  * A data-flow node that dynamically executes Python code.
  *
@@ -594,6 +656,62 @@ module HTTP {
         abstract DataFlow::Node getRedirectLocation();
       }
     }
+
+    /**
+     * A data-flow node that sets a cookie in an HTTP response.
+     *
+     * Extend this class to refine existing API models. If you want to model new APIs,
+     * extend `HTTP::CookieWrite::Range` instead.
+     */
+    class CookieWrite extends DataFlow::Node {
+      CookieWrite::Range range;
+
+      CookieWrite() { this = range }
+
+      /**
+       * Gets the argument, if any, specifying the raw cookie header.
+       */
+      DataFlow::Node getHeaderArg() { result = range.getHeaderArg() }
+
+      /**
+       * Gets the argument, if any, specifying the cookie name.
+       */
+      DataFlow::Node getNameArg() { result = range.getNameArg() }
+
+      /**
+       * Gets the argument, if any, specifying the cookie value.
+       */
+      DataFlow::Node getValueArg() { result = range.getValueArg() }
+    }
+
+    /** Provides a class for modeling new cookie writes on HTTP responses. */
+    module CookieWrite {
+      /**
+       * A data-flow node that sets a cookie in an HTTP response.
+       *
+       * Note: we don't require that this redirect must be sent to a client (a kind of
+       * "if a tree falls in a forest and nobody hears it" situation).
+       *
+       * Extend this class to model new APIs. If you want to refine existing API models,
+       * extend `HttpResponse` instead.
+       */
+      abstract class Range extends DataFlow::Node {
+        /**
+         * Gets the argument, if any, specifying the raw cookie header.
+         */
+        abstract DataFlow::Node getHeaderArg();
+
+        /**
+         * Gets the argument, if any, specifying the cookie name.
+         */
+        abstract DataFlow::Node getNameArg();
+
+        /**
+         * Gets the argument, if any, specifying the cookie value.
+         */
+        abstract DataFlow::Node getValueArg();
+      }
+    }
   }
 }