|
| 1 | +/** |
| 2 | + * @name Remote flow sources reach |
| 3 | + * @description Nodes that can be reached with taint tracking from sources of |
| 4 | + * remote user input. |
| 5 | + * @kind problem |
| 6 | + * @problem.severity recommendation |
| 7 | + * @id py/meta/alerts/remote-flow-sources-reach |
| 8 | + * @tags meta |
| 9 | + * @precision very-low |
| 10 | + */ |
| 11 | + |
| 12 | +private import python |
| 13 | +private import semmle.python.dataflow.new.DataFlow |
| 14 | +private import semmle.python.dataflow.new.TaintTracking |
| 15 | +private import semmle.python.dataflow.new.RemoteFlowSources |
| 16 | +private import meta.MetaMetrics |
| 17 | + |
| 18 | +class RemoteFlowSourceReach extends TaintTracking::Configuration { |
| 19 | + RemoteFlowSourceReach() { this = "RemoteFlowSourceReach" } |
| 20 | + |
| 21 | + override predicate isSource(DataFlow::Node node) { |
| 22 | + node instanceof RemoteFlowSource and |
| 23 | + not node.getLocation().getFile() instanceof IgnoredFile |
| 24 | + } |
| 25 | + |
| 26 | + override predicate isSink(DataFlow::Node node) { |
| 27 | + not node.getLocation().getFile() instanceof IgnoredFile and |
| 28 | + ( |
| 29 | + node instanceof RemoteFlowSource |
| 30 | + or |
| 31 | + this.isAdditionalFlowStep(_, node) |
| 32 | + ) and |
| 33 | + // we used to do `obj -> obj.meth` and `obj.meth -> obj.meth()` in two separate |
| 34 | + // steps, and now do them in one `obj -> obj.meth()`. So we're going to ignore the |
| 35 | + // fact that we no longer taint the node in the middle. |
| 36 | + not exists(DataFlow::MethodCallNode c | |
| 37 | + node = c.getFunction() and |
| 38 | + this.isAdditionalFlowStep(c.getObject(), node) and |
| 39 | + this.isAdditionalFlowStep(node, c) |
| 40 | + ) |
| 41 | + } |
| 42 | +} |
| 43 | + |
| 44 | +from RemoteFlowSourceReach cfg, DataFlow::Node reachable |
| 45 | +where cfg.hasFlow(_, reachable) |
| 46 | +select reachable, "reachable with taint-tracking from RemoteFlowSource" |
0 commit comments