Merge pull request github#6264 from RasmusWL/customization-files-for-path-problems

Python: Provide proper source/sink customization for most path queries

Author: tausbn

python/change-notes/2021-07-13-path-problem-customization.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Changed the way to provide extra sources/sinks for `@kind path-problem` queries, to avoid a potential performance problem due to re-evaluation of data-flow configurations. Please use the new `<query>Customization.qll` files and extend their classes instead (such as extending the `Sink` class from `python/ql/src/semmle/python/security/dataflow/SqlInjectionCustomizations.qll`). This is relevant for the queries: `py/sql-injection`, `py/code-injection`, `py/command-line-injection`, `py/reflective-xss`, `py/url-redirection`, `py/unsafe-deserialization`, `py/stack-trace-exposure`, `py/path-injection`.

python/ql/src/Security/CWE-078/CommandInjection.ql

@@ -19,7 +19,7 @@ import python
 import semmle.python.security.dataflow.CommandInjection
 import DataFlow::PathGraph
 
-from CommandInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
+from CommandInjection::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "This command depends on $@.", source.getNode(),
   "a user-provided value"

python/ql/src/Security/CWE-079/ReflectedXss.ql

@@ -17,7 +17,7 @@ import python
 import semmle.python.security.dataflow.ReflectedXSS
 import DataFlow::PathGraph
 
-from ReflectedXssConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
+from ReflectedXSS::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
   source.getNode(), "a user-provided value"

python/ql/src/Security/CWE-089/SqlInjection.ql

@@ -16,7 +16,7 @@ import python
 import semmle.python.security.dataflow.SqlInjection
 import DataFlow::PathGraph
 
-from SQLInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
+from SqlInjection::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "This SQL query depends on $@.", source.getNode(),
   "a user-provided value"

python/ql/src/Security/CWE-094/CodeInjection.ql

@@ -19,7 +19,7 @@ import python
 import semmle.python.security.dataflow.CodeInjection
 import DataFlow::PathGraph
 
-from CodeInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
+from CodeInjection::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "$@ flows to here and is interpreted as code.",
   source.getNode(), "A user-provided value"

python/ql/src/Security/CWE-209/StackTraceExposure.ql

@@ -17,7 +17,7 @@ import python
 import semmle.python.security.dataflow.StackTraceExposure
 import DataFlow::PathGraph
 
-from StackTraceExposureConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
+from StackTraceExposure::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "$@ may be exposed to an external user", source.getNode(),
   "Error information"

python/ql/src/Security/CWE-502/UnsafeDeserialization.ql

@@ -16,6 +16,6 @@ import python
 import semmle.python.security.dataflow.UnsafeDeserialization
 import DataFlow::PathGraph
 
-from UnsafeDeserializationConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
+from UnsafeDeserialization::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Deserializing of $@.", source.getNode(), "untrusted input"

python/ql/src/Security/CWE-601/UrlRedirect.ql

@@ -16,7 +16,7 @@ import python
 import semmle.python.security.dataflow.UrlRedirect
 import DataFlow::PathGraph
 
-from UrlRedirectConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
+from UrlRedirect::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Untrusted URL redirection due to $@.", source.getNode(),
   "A user-provided value"

python/ql/src/Security/CWE-730/PolynomialReDoS.ql

@@ -17,8 +17,8 @@ import semmle.python.security.dataflow.PolynomialReDoS
 import DataFlow::PathGraph
 
 from
-  PolynomialReDoSConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink,
-  PolynomialReDoSSink sinkNode, PolynomialBackTrackingTerm regexp
+  PolynomialReDoS::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink,
+  PolynomialReDoS::Sink sinkNode, PolynomialBackTrackingTerm regexp
 where
   config.hasFlowPath(source, sink) and
   sinkNode = sink.getNode() and

python/ql/src/semmle/python/security/dataflow/CodeInjection.qll

@@ -1,26 +1,42 @@
 /**
- * Provides a taint-tracking configuration for detecting code injection
- * vulnerabilities.
+ * Provides a taint-tracking configuration for detecting "code injection" vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `CodeInjection::Configuration` is needed, otherwise
+ * `CodeInjectionCustomizations` should be imported instead.
  */
 
-import python
+private import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
-import semmle.python.Concepts
-import semmle.python.dataflow.new.RemoteFlowSources
-import semmle.python.dataflow.new.BarrierGuards
 
 /**
- * A taint-tracking configuration for detecting code injection vulnerabilities.
+ * Provides a taint-tracking configuration for detecting "code injection" vulnerabilities.
  */
-class CodeInjectionConfiguration extends TaintTracking::Configuration {
-  CodeInjectionConfiguration() { this = "CodeInjectionConfiguration" }
+module CodeInjection {
+  import CodeInjectionCustomizations::CodeInjection
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  /**
+   * A taint-tracking configuration for detecting "code injection" vulnerabilities.
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "CodeInjection" }
 
-  override predicate isSink(DataFlow::Node sink) { sink = any(CodeExecution e).getCode() }
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
 
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-    guard instanceof StringConstCompare
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+      guard instanceof SanitizerGuard
+    }
   }
 }
+
+/**
+ * DEPRECATED: Don't extend this class for customization, since this will lead to bad
+ * performance, instead use the new `CodeInjectionCustomizations.qll` file, and extend
+ * its' classes.
+ */
+deprecated class CodeInjectionConfiguration = CodeInjection::Configuration;