Incorporate Sink & Source as steps from TarSlipQry

Sim4n6 · Sim4n6 · commit 1a8c9abee232 · 2023-02-02T21:09:40.000+01:00
diff --git a/python/ql/src/experimental/Security/UnsafeUnpackQuery.qll b/python/ql/src/experimental/Security/UnsafeUnpackQuery.qll
@@ -10,6 +10,35 @@ import semmle.python.dataflow.new.TaintTracking
 import semmle.python.frameworks.Stdlib
 import semmle.python.dataflow.new.RemoteFlowSources
 
+/**
+ * Handle those three cases of Tarfile opens:
+ *  - `tarfile.open()`
+ *  - `tarfile.TarFile()`
+ *  - `MKtarfile.Tarfile.open()`
+ */
+API::Node tarfileOpen() {
+  result in [
+      API::moduleImport("tarfile").getMember(["open", "TarFile"]),
+      API::moduleImport("tarfile").getMember("TarFile").getASubclass().getMember("open")
+    ]
+}
+
+/**
+ * Handle the previous three cases, plus the use of `closing` in the previous cases
+ */
+class AllTarfileOpens extends API::CallNode {
+  AllTarfileOpens() {
+    this = tarfileOpen().getACall()
+    or
+    exists(API::Node closing, Node arg |
+      closing = API::moduleImport("contextlib").getMember("closing") and
+      this = closing.getACall() and
+      arg = this.getArg(0) and
+      arg = tarfileOpen().getACall()
+    )
+  }
+}
+
 class UnsafeUnpackingConfig extends TaintTracking::Configuration {
   UnsafeUnpackingConfig() { this = "UnsafeUnpackingConfig" }
 
@@ -68,8 +97,47 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
   }
 
   override predicate isSink(DataFlow::Node sink) {
-    // A sink capturing method calls to `unpack_archive`.
-    sink = API::moduleImport("shutil").getMember("unpack_archive").getACall().getArg(0)
+    (
+      // A sink capturing method calls to `unpack_archive`.
+      sink = API::moduleImport("shutil").getMember("unpack_archive").getACall().getArg(0)
+      or
+      // A sink capturing method calls to `extractall` without `members` argument.
+      // For a call to `file.extractall` without `members` argument, `file` is considered a sink.
+      exists(MethodCallNode call, AllTarfileOpens atfo |
+        call = atfo.getReturn().getMember("extractall").getACall() and
+        not exists(Node arg | arg = call.getArgByName("members")) and
+        sink = call.getObject()
+      )
+      or
+      // A sink capturing method calls to `extractall` with `members` argument.
+      // For a call to `file.extractall` with `members` argument, `file` is considered a sink if not
+      // a the `members` argument contains a NameConstant as None, a List or call to the method `getmembers`.
+      // Otherwise, the argument of `members` is considered a sink.
+      exists(MethodCallNode call, Node arg, AllTarfileOpens atfo |
+        call = atfo.getReturn().getMember("extractall").getACall() and
+        arg = call.getArgByName("members") and
+        if
+          arg.asCfgNode() instanceof NameConstantNode or
+          arg.asCfgNode() instanceof ListNode
+        then sink = call.getObject()
+        else
+          if arg.(MethodCallNode).getMethodName() = "getmembers"
+          then sink = arg.(MethodCallNode).getObject()
+          else sink = call.getArgByName("members")
+      )
+      or
+      // An argument to `extract` is considered a sink.
+      exists(AllTarfileOpens atfo |
+        sink = atfo.getReturn().getMember("extract").getACall().getArg(0)
+      )
+      or
+      //An argument to `_extract_member` is considered a sink.
+      exists(MethodCallNode call, AllTarfileOpens atfo |
+        call = atfo.getReturn().getMember("_extract_member").getACall() and
+        call.getArg(1).(AttrRead).accesses(sink, "name")
+      )
+    ) and
+    not sink.getScope().getLocation().getFile().inStdlib()
   }
 
   override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
@@ -119,5 +187,19 @@ class UnsafeUnpackingConfig extends TaintTracking::Configuration {
     // Join the base_dir to the filename
     nodeTo = API::moduleImport("os").getMember("path").getMember("join").getACall() and
     nodeFrom = nodeTo.(API::CallNode).getArg(1)
+    or
+    // Go through an Open for a Tarfile
+    nodeTo = tarfileOpen().getACall() and nodeFrom = nodeTo.(MethodCallNode).getArg(0)
+    or 
+    // Handle the case where the getmembers is used.
+    nodeTo.(MethodCallNode).calls(nodeFrom, "getmembers") and
+    nodeFrom instanceof AllTarfileOpens
+    or
+    // To handle the case of `with closing(tarfile.open()) as file:`
+    // we add a step from the first argument of `closing` to the call to `closing`,
+    // whenever that first argument is a return of `tarfile.open()`.
+    nodeTo = API::moduleImport("contextlib").getMember("closing").getACall() and
+    nodeFrom = nodeTo.(API::CallNode).getArg(0) and
+    nodeFrom = tarfileOpen().getReturn().getAValueReachableFromSource()
   }
 }
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022/UnsafeUnpack.py b/python/ql/test/experimental/query-tests/Security/CWE-022/UnsafeUnpack.py
@@ -122,4 +122,80 @@ def simple_upload(request):
             return render(request, 'simple_upload.html')
 
       elif request.method == 'GET':
-            return render(request, 'simple_upload.html')
+            return render(request, 'simple_upload.html')
+
+
+import shutil
+import os 
+import tarfile
+import tempfile
+import argparse
+
+parser = argparse.ArgumentParser(description='Process some integers.')
+parser.add_argument('integers', metavar='N', type=int, nargs='+',
+                    help='an integer for the accumulator')
+parser.add_argument('filename', help='filename to be provided')
+
+args = parser.parse_args()
+unsafe_filename_tar = args.filename
+with tarfile.TarFile(unsafe_filename_tar, mode="r") as tar:
+    tar.extractall(path="/tmp/unpack/", members=tar) # $result=BAD
+tar = tarfile.open(unsafe_filename_tar)   
+
+
+from django.shortcuts import render
+from django.core.files.storage import FileSystemStorage
+import shutil
+
+def simple_upload(request):
+
+      base_dir = "/tmp/baase_dir"
+      if request.method == 'POST':
+            # Read uploaded files by chunks of data
+            # see chunks(): https://docs.djangoproject.com/en/4.1/ref/files/uploads/#django.core.files.uploadedfile.UploadedFile.chunks 
+            savepath = os.path.join(base_dir, "tarball_compressed.tar.gz")
+            with open(savepath, 'wb+') as wfile:
+                  for chunk in request.FILES["ufile1"].chunks():
+                        wfile.write(chunk)
+
+                  tar = tarfile.open(savepath)
+                  result = []
+                  for member in tar:      
+                      if member.issym():  
+                          raise ValueError("But it is a symlink")       
+                      result.append(member)     
+                  tar.extractall(path=tempfile.mkdtemp(), members=result) # $result=BAD   
+                  tar.close()
+
+
+response = requests.get(url_filename, stream=True)
+tarpath = "/tmp/tmp456/tarball.tar.gz"
+with open(tarpath, "wb") as f:
+      f.write(response.raw.read())
+target_dir = "/tmp/unpack"
+tarfile.TarFile(tarpath, mode="r").extractall(path=target_dir) # $result=BAD
+
+
+from pathlib import Path
+import tempfile
+import boto3
+
+def default_session() -> boto3.Session:
+    _SESSION = None
+    if _SESSION is None:
+        _SESSION = boto3.Session() 
+    return _SESSION
+
+cache = False
+cache_dir = "/tmp/artifacts"
+object_path = "/objects/obj1"
+s3 = default_session().client("s3")
+with tempfile.NamedTemporaryFile(suffix=".tar.gz") as tmp:
+      s3.download_fileobj(bucket_name, object_path, tmp)
+      tmp.seek(0)
+      if cache:
+          cache_dir.mkdir(exist_ok=True, parents=True)
+          target = cache_dir
+      else:
+          target = Path(tempfile.mkdtemp())
+      shutil.unpack_archive(tmp.name, target) # $result=BAD
