Merge pull request github#5251 from tausbn/python-port-missing-host-key-validation-query

yoff · web-flow · commit c3d2001e8583 · 2021-02-24T08:43:52.000+01:00
Python: Port missing host key validation query
diff --git a/python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql b/python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql
@@ -10,25 +10,24 @@
  */
 
 import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.ApiGraphs
 
-private ModuleValue theParamikoClientModule() { result = Value::named("paramiko.client") }
-
-private ClassValue theParamikoSSHClientClass() {
-  result = theParamikoClientModule().attr("SSHClient")
+private API::Node unsafe_paramiko_policy(string name) {
+  name in ["AutoAddPolicy", "WarningPolicy"] and
+  result = API::moduleImport("paramiko").getMember("client").getMember(name)
 }
 
-private ClassValue unsafe_paramiko_policy(string name) {
-  (name = "AutoAddPolicy" or name = "WarningPolicy") and
-  result = theParamikoClientModule().attr(name)
+private API::Node paramikoSSHClientInstance() {
+  result = API::moduleImport("paramiko").getMember("client").getMember("SSHClient").getReturn()
 }
 
-from CallNode call, ControlFlowNode arg, string name
+from DataFlow::CallCfgNode call, DataFlow::Node arg, string name
 where
-  call =
-    theParamikoSSHClientClass().lookup("set_missing_host_key_policy").(FunctionValue).getACall() and
+  call = paramikoSSHClientInstance().getMember("set_missing_host_key_policy").getACall() and
   arg = call.getAnArg() and
   (
-    arg.pointsTo(unsafe_paramiko_policy(name)) or
-    arg.pointsTo().getClass() = unsafe_paramiko_policy(name)
+    arg = unsafe_paramiko_policy(name).getAUse() or
+    arg = unsafe_paramiko_policy(name).getReturn().getAUse()
   )
 select call, "Setting missing host key policy to " + name + " may be unsafe."
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
@@ -193,6 +193,13 @@ class CallCfgNode extends CfgNode {
 
   /** Gets the data-flow node corresponding to the named argument of the call corresponding to this data-flow node */
   Node getArgByName(string name) { result.asCfgNode() = node.getArgByName(name) }
+
+  /** Gets the data-flow node corresponding to an argument of the call corresponding to this data-flow node */
+  Node getAnArg() {
+    exists(int n | result = this.getArg(n))
+    or
+    exists(string name | result = this.getArgByName(name))
+  }
 }
 
 /**
