Merge pull request github#11555 from pwntester/new_python_cmdi_sinks

yoff · web-flow · commit 557a5b469fdb · 2022-12-13T09:00:34.000+01:00
Added two new CMDi sinks for python's stdlib
diff --git a/python/ql/lib/change-notes/2022-12-03-new-stdlib-cmdi-sinks.md b/python/ql/lib/change-notes/2022-12-03-new-stdlib-cmdi-sinks.md
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+- Added `subprocess.getoutput` and `subprocess.getoutputstatus` as new command injection sinks for the StdLib.
+
diff --git a/python/ql/lib/semmle/python/frameworks/Stdlib.qll b/python/ql/lib/semmle/python/frameworks/Stdlib.qll
@@ -1163,13 +1163,16 @@ private module StdlibPrivate {
   API::Node subprocess() { result = API::moduleImport("subprocess") }
 
   /**
-   * A call to `subprocess.Popen` or helper functions (call, check_call, check_output, run)
+   * A call to `subprocess.Popen` or helper functions (call, check_call, check_output, run, getoutput, getstatusoutput)
    * See https://docs.python.org/3.8/library/subprocess.html#subprocess.Popen
+   * ref: https://docs.python.org/3/library/subprocess.html#legacy-shell-invocation-functions
    */
   private class SubprocessPopenCall extends SystemCommandExecution::Range, DataFlow::CallCfgNode {
     SubprocessPopenCall() {
       exists(string name |
-        name in ["Popen", "call", "check_call", "check_output", "run"] and
+        name in [
+            "Popen", "call", "check_call", "check_output", "run", "getoutput", "getstatusoutput"
+          ] and
         this = subprocess().getMember(name).getACall()
       )
     }

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +category: minorAnalysis
 +---
 +- Added `subprocess.getoutput` and `subprocess.getoutputstatus` as new command injection sinks for the StdLib.
++