Python: Port py/clear-text-storage-sensitive-data

Author: RasmusWL

python/ql/src/Security/CWE-312/CleartextStorage.ql

@@ -14,25 +14,13 @@
  */
 
 import python
-import semmle.python.security.Paths
-import semmle.python.dataflow.TaintTracking
-import semmle.python.security.SensitiveData
-import semmle.python.security.ClearText
+private import semmle.python.dataflow.new.DataFlow
+import DataFlow::PathGraph
+import semmle.python.security.dataflow.CleartextStorage::CleartextStorage
 
-class CleartextStorageConfiguration extends TaintTracking::Configuration {
-  CleartextStorageConfiguration() { this = "ClearTextStorage" }
-
-  override predicate isSource(DataFlow::Node src, TaintKind kind) {
-    src.asCfgNode().(SensitiveData::Source).isSourceOf(kind)
-  }
-
-  override predicate isSink(DataFlow::Node sink, TaintKind kind) {
-    sink.asCfgNode() instanceof ClearTextStorage::Sink and
-    kind instanceof SensitiveData
-  }
-}
-
-from CleartextStorageConfiguration config, TaintedPathSource source, TaintedPathSink sink
-where config.hasFlowPath(source, sink)
-select sink.getSink(), source, sink, "Sensitive data from $@ is stored here.", source.getSource(),
-  source.getCfgNode().(SensitiveData::Source).repr()
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, string classification
+where
+  config.hasFlowPath(source, sink) and
+  classification = source.getNode().(Source).getClassification()
+select sink.getNode(), source, sink, "$@ is stored here.", source.getNode(),
+  "Sensitive data (" + classification + ")"

python/ql/src/experimental/Security-old-dataflow/CWE-312/CleartextLogging.ql

@@ -0,0 +1,33 @@
+/**
+ * @name Clear-text logging of sensitive information
+ * @description OLD QUERY: Logging sensitive information without encryption or hashing can
+ *              expose it to an attacker.
+ * @kind path-problem
+ * @problem.severity error
+ * @id py/old/clear-text-logging-sensitive-data
+ * @deprecated
+ */
+
+import python
+import semmle.python.security.Paths
+import semmle.python.dataflow.TaintTracking
+import semmle.python.security.SensitiveData
+import semmle.python.security.ClearText
+
+class CleartextLoggingConfiguration extends TaintTracking::Configuration {
+  CleartextLoggingConfiguration() { this = "ClearTextLogging" }
+
+  override predicate isSource(DataFlow::Node src, TaintKind kind) {
+    src.asCfgNode().(SensitiveData::Source).isSourceOf(kind)
+  }
+
+  override predicate isSink(DataFlow::Node sink, TaintKind kind) {
+    sink.asCfgNode() instanceof ClearTextLogging::Sink and
+    kind instanceof SensitiveData
+  }
+}
+
+from CleartextLoggingConfiguration config, TaintedPathSource source, TaintedPathSink sink
+where config.hasFlowPath(source, sink)
+select sink.getSink(), source, sink, "Sensitive data returned by $@ is logged here.",
+  source.getSource(), source.getCfgNode().(SensitiveData::Source).repr()

python/ql/src/experimental/Security-old-dataflow/CWE-312/CleartextStorage.ql

@@ -0,0 +1,33 @@
+/**
+ * @name Clear-text storage of sensitive information
+ * @description OLD QUERY: Sensitive information stored without encryption or hashing can expose it to an
+ *              attacker.
+ * @kind path-problem
+ * @problem.severity error
+ * @id py/old/clear-text-storage-sensitive-data
+ * @deprecated
+ */
+
+import python
+import semmle.python.security.Paths
+import semmle.python.dataflow.TaintTracking
+import semmle.python.security.SensitiveData
+import semmle.python.security.ClearText
+
+class CleartextStorageConfiguration extends TaintTracking::Configuration {
+  CleartextStorageConfiguration() { this = "ClearTextStorage" }
+
+  override predicate isSource(DataFlow::Node src, TaintKind kind) {
+    src.asCfgNode().(SensitiveData::Source).isSourceOf(kind)
+  }
+
+  override predicate isSink(DataFlow::Node sink, TaintKind kind) {
+    sink.asCfgNode() instanceof ClearTextStorage::Sink and
+    kind instanceof SensitiveData
+  }
+}
+
+from CleartextStorageConfiguration config, TaintedPathSource source, TaintedPathSink sink
+where config.hasFlowPath(source, sink)
+select sink.getSink(), source, sink, "Sensitive data from $@ is stored here.", source.getSource(),
+  source.getCfgNode().(SensitiveData::Source).repr()

python/ql/src/semmle/python/security/dataflow/CleartextStorage.qll

@@ -0,0 +1,40 @@
+/**
+ * Provides a taint-tracking configuration for "Clear-text storage of sensitive information".
+ *
+ * Note, for performance reasons: only import this file if
+ * `CleartextStorage::Configuration` is needed, otherwise
+ * `CleartextStorageCustomizations` should be imported instead.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.dataflow.new.BarrierGuards
+private import semmle.python.dataflow.new.SensitiveDataSources
+
+/**
+ * Provides a taint-tracking configuration for detecting "Clear-text storage of sensitive information".
+ */
+module CleartextStorage {
+  import CleartextStorageCustomizations::CleartextStorage
+
+  /**
+   * A taint-tracking configuration for detecting use of a broken or weak
+   * cryptographic hashing algorithm on sensitive data.
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "CleartextStorage" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isSanitizer(DataFlow::Node node) {
+      super.isSanitizer(node)
+      or
+      node instanceof Sanitizer
+    }
+  }
+}

python/ql/src/semmle/python/security/dataflow/CleartextStorageCustomizations.qll

@@ -0,0 +1,62 @@
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "Clear-text storage of sensitive information"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.SensitiveDataSources
+private import semmle.python.dataflow.new.BarrierGuards
+
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "Clear-text storage of sensitive information"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+module CleartextStorage {
+  /**
+   * A data flow source for "Clear-text storage of sensitive information" vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node {
+    /** Gets the classification of the sensitive data. */
+    abstract string getClassification();
+  }
+
+  /**
+   * A data flow sink for "Clear-text storage of sensitive information" vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for "Clear-text storage of sensitive information" vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A source of sensitive data, considered as a flow source.
+   */
+  class SensitiveDataSourceAsSource extends Source, SensitiveDataSource {
+    override SensitiveDataClassification getClassification() {
+      result = SensitiveDataSource.super.getClassification()
+    }
+  }
+
+  /** The data written to a file, considered as a flow sink. */
+  class FileWriteDataAsSink extends Sink {
+    FileWriteDataAsSink() { this = any(FileSystemWriteAccess write).getADataNode() }
+  }
+
+  /** The data written to a cookie on a HTTP response, considered as a flow sink. */
+  class CookieWriteAsSink extends Sink {
+    CookieWriteAsSink() {
+      exists(HTTP::Server::CookieWrite write |
+        this = write.getValueArg()
+        or
+        this = write.getHeaderArg()
+      )
+    }
+  }
+}

python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.expected

@@ -1,2 +1,13 @@
 edges
+| test.py:9:12:9:21 | ControlFlowNode for get_cert() | test.py:12:21:12:24 | ControlFlowNode for cert |
+| test.py:9:12:9:21 | ControlFlowNode for get_cert() | test.py:13:22:13:41 | ControlFlowNode for Attribute() |
+| test.py:9:12:9:21 | ControlFlowNode for get_cert() | test.py:15:26:15:29 | ControlFlowNode for cert |
+nodes
+| test.py:9:12:9:21 | ControlFlowNode for get_cert() | semmle.label | ControlFlowNode for get_cert() |
+| test.py:12:21:12:24 | ControlFlowNode for cert | semmle.label | ControlFlowNode for cert |
+| test.py:13:22:13:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| test.py:15:26:15:29 | ControlFlowNode for cert | semmle.label | ControlFlowNode for cert |
 #select
+| test.py:12:21:12:24 | ControlFlowNode for cert | test.py:9:12:9:21 | ControlFlowNode for get_cert() | test.py:12:21:12:24 | ControlFlowNode for cert | $@ is stored here. | test.py:9:12:9:21 | ControlFlowNode for get_cert() | Sensitive data (certificate) |
+| test.py:13:22:13:41 | ControlFlowNode for Attribute() | test.py:9:12:9:21 | ControlFlowNode for get_cert() | test.py:13:22:13:41 | ControlFlowNode for Attribute() | $@ is stored here. | test.py:9:12:9:21 | ControlFlowNode for get_cert() | Sensitive data (certificate) |
+| test.py:15:26:15:29 | ControlFlowNode for cert | test.py:9:12:9:21 | ControlFlowNode for get_cert() | test.py:15:26:15:29 | ControlFlowNode for cert | $@ is stored here. | test.py:9:12:9:21 | ControlFlowNode for get_cert() | Sensitive data (certificate) |

python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/options

@@ -1,11 +1,20 @@
 edges
-| password_in_cookie.py:7:16:7:43 | a password | password_in_cookie.py:9:33:9:40 | a password |
-| password_in_cookie.py:7:16:7:43 | a password | password_in_cookie.py:9:33:9:40 | a password |
-| password_in_cookie.py:14:16:14:43 | a password | password_in_cookie.py:16:33:16:40 | a password |
-| password_in_cookie.py:14:16:14:43 | a password | password_in_cookie.py:16:33:16:40 | a password |
-| test.py:6:12:6:21 | a certificate or key | test.py:8:20:8:23 | a certificate or key |
-| test.py:6:12:6:21 | a certificate or key | test.py:8:20:8:23 | a certificate or key |
+| password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | password_in_cookie.py:9:33:9:40 | ControlFlowNode for password |
+| password_in_cookie.py:14:16:14:43 | ControlFlowNode for Attribute() | password_in_cookie.py:16:33:16:40 | ControlFlowNode for password |
+| test.py:6:12:6:21 | ControlFlowNode for get_cert() | test.py:8:20:8:23 | ControlFlowNode for cert |
+| test.py:6:12:6:21 | ControlFlowNode for get_cert() | test.py:9:17:9:29 | ControlFlowNode for List |
+| test.py:9:17:9:29 | ControlFlowNode for List | test.py:10:25:10:29 | ControlFlowNode for lines |
+nodes
+| password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| password_in_cookie.py:9:33:9:40 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
+| password_in_cookie.py:14:16:14:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| password_in_cookie.py:16:33:16:40 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
+| test.py:6:12:6:21 | ControlFlowNode for get_cert() | semmle.label | ControlFlowNode for get_cert() |
+| test.py:8:20:8:23 | ControlFlowNode for cert | semmle.label | ControlFlowNode for cert |
+| test.py:9:17:9:29 | ControlFlowNode for List | semmle.label | ControlFlowNode for List |
+| test.py:10:25:10:29 | ControlFlowNode for lines | semmle.label | ControlFlowNode for lines |
 #select
-| password_in_cookie.py:9:33:9:40 | password | password_in_cookie.py:7:16:7:43 | a password | password_in_cookie.py:9:33:9:40 | a password | Sensitive data from $@ is stored here. | password_in_cookie.py:7:16:7:43 | Attribute() | a request parameter containing a password |
-| password_in_cookie.py:16:33:16:40 | password | password_in_cookie.py:14:16:14:43 | a password | password_in_cookie.py:16:33:16:40 | a password | Sensitive data from $@ is stored here. | password_in_cookie.py:14:16:14:43 | Attribute() | a request parameter containing a password |
-| test.py:8:20:8:23 | cert | test.py:6:12:6:21 | a certificate or key | test.py:8:20:8:23 | a certificate or key | Sensitive data from $@ is stored here. | test.py:6:12:6:21 | get_cert() | a call returning a certificate or key |
+| password_in_cookie.py:9:33:9:40 | ControlFlowNode for password | password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | password_in_cookie.py:9:33:9:40 | ControlFlowNode for password | $@ is stored here. | password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | Sensitive data (password) |
+| password_in_cookie.py:16:33:16:40 | ControlFlowNode for password | password_in_cookie.py:14:16:14:43 | ControlFlowNode for Attribute() | password_in_cookie.py:16:33:16:40 | ControlFlowNode for password | $@ is stored here. | password_in_cookie.py:14:16:14:43 | ControlFlowNode for Attribute() | Sensitive data (password) |
+| test.py:8:20:8:23 | ControlFlowNode for cert | test.py:6:12:6:21 | ControlFlowNode for get_cert() | test.py:8:20:8:23 | ControlFlowNode for cert | $@ is stored here. | test.py:6:12:6:21 | ControlFlowNode for get_cert() | Sensitive data (certificate) |
+| test.py:10:25:10:29 | ControlFlowNode for lines | test.py:6:12:6:21 | ControlFlowNode for get_cert() | test.py:10:25:10:29 | ControlFlowNode for lines | $@ is stored here. | test.py:6:12:6:21 | ControlFlowNode for get_cert() | Sensitive data (certificate) |

python/ql/test/query-tests/Security/CWE-312-CleartextStorage/CleartextStorage.expected

@@ -6,12 +6,12 @@
 def index():
     password = request.args.get("password")
     resp = make_response(render_template(...))
-    resp.set_cookie("password", password)
+    resp.set_cookie("password", password) # NOT OK
     return resp
 
 @app.route('/')
 def index2():
     password = request.args.get("password")
     resp = Response(...)
-    resp.set_cookie("password", password)
+    resp.set_cookie("password", password) # NOT OK
     return resp