Python: Port py/unsafe-deserialization to use proper source/sink customization

Author: RasmusWL

python/ql/src/Security/CWE-502/UnsafeDeserialization.ql

@@ -16,6 +16,6 @@ import python
 import semmle.python.security.dataflow.UnsafeDeserialization
 import DataFlow::PathGraph
 
-from UnsafeDeserializationConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
+from UnsafeDeserialization::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Deserializing of $@.", source.getNode(), "untrusted input"

python/ql/src/semmle/python/security/dataflow/UnsafeDeserialization.qll

@@ -1,32 +1,42 @@
 /**
- * Provides a taint-tracking configuration for detecting arbitrary code execution
- * vulnerabilities due to deserializing user-controlled data.
+ * Provides a taint-tracking configuration for detecting "code execution from deserialization" vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `UnsafeDeserialization::Configuration` is needed, otherwise
+ * `UnsafeDeserializationCustomizations` should be imported instead.
  */
 
-import python
+private import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
-import semmle.python.Concepts
-import semmle.python.dataflow.new.RemoteFlowSources
-import semmle.python.dataflow.new.BarrierGuards
 
 /**
- * A taint-tracking configuration for detecting arbitrary code execution
- * vulnerabilities due to deserializing user-controlled data.
+ * Provides a taint-tracking configuration for detecting "code execution from deserialization" vulnerabilities.
  */
-class UnsafeDeserializationConfiguration extends TaintTracking::Configuration {
-  UnsafeDeserializationConfiguration() { this = "UnsafeDeserializationConfiguration" }
+module UnsafeDeserialization {
+  import UnsafeDeserializationCustomizations::UnsafeDeserialization
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  /**
+   * A taint-tracking configuration for detecting "code execution from deserialization" vulnerabilities.
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "UnsafeDeserialization" }
 
-  override predicate isSink(DataFlow::Node sink) {
-    exists(Decoding d |
-      d.mayExecuteInput() and
-      sink = d.getAnInput()
-    )
-  }
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
 
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-    guard instanceof StringConstCompare
+    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+      guard instanceof SanitizerGuard
+    }
   }
 }
+
+/**
+ * DEPRECATED: Don't extend this class for customization, since this will lead to bad
+ * performance, instead use the new `UnsafeDeserializationCustomizations.qll` file, and extend
+ * its' classes.
+ */
+deprecated class UnsafeDeserializationConfiguration = UnsafeDeserialization::Configuration;

python/ql/src/semmle/python/security/dataflow/UnsafeDeserializationCustomizations.qll

@@ -0,0 +1,60 @@
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "code execution from deserialization"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.dataflow.new.BarrierGuards
+
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "code execution from deserialization"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+module UnsafeDeserialization {
+  /**
+   * A data flow source for "code execution from deserialization" vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for "code execution from deserialization" vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for "code execution from deserialization" vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A sanitizer guard for "code execution from deserialization" vulnerabilities.
+   */
+  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+
+  /**
+   * A source of remote user input, considered as a flow source.
+   */
+  class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
+
+  /**
+   * An insecure decoding, considered as a flow sink.
+   */
+  class InsecureDecodingAsSink extends Sink {
+    InsecureDecodingAsSink() {
+      exists(Decoding d |
+        d.mayExecuteInput() and
+        this = d.getAnInput()
+      )
+    }
+  }
+
+  /**
+   * A comparison with a constant string, considered as a sanitizer-guard.
+   */
+  class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
+}