Python: Fix modelling in ZipSlip.qll

tausbn · web-flow · commit ab81247b7c4c · 2022-04-08T23:19:41.000+02:00
- Remove use of points-to.
- Exclude sources and sinks in the standard library (to prevent test brittleness).
diff --git a/python/ql/src/experimental/semmle/python/security/ZipSlip.qll b/python/ql/src/experimental/semmle/python/security/ZipSlip.qll
@@ -7,21 +7,33 @@ import semmle.python.dataflow.new.TaintTracking
 class ZipSlipConfig extends TaintTracking::Configuration {
   ZipSlipConfig() { this = "ZipSlipConfig" }
 
-  override predicate isSource(DataFlow::Node source) { 
-    source.asCfgNode().(CallNode).getFunction().(AttrNode).getObject("open").pointsTo().getClass() = Module::named("zipfile").attr("ZipFile") or 
-    source.asCfgNode().(CallNode).getFunction().(AttrNode).getObject("namelist").pointsTo().getClass() = Module::named("zipfile").attr("ZipFile") or
-    source = API::moduleImport("tarfile").getMember("open").getACall() or 
-    source = API::moduleImport("tarfile").getMember("TarFile").getACall() or  
-    source = API::moduleImport("bz2").getMember("open").getACall() or
-    source = API::moduleImport("bz2").getMember("BZ2File").getACall() or 
-    source = API::moduleImport("gzip").getMember("GzipFile").getACall() or
-    source = API::moduleImport("gzip").getMember("open").getACall() or
-    source = API::moduleImport("lzma").getMember("open").getACall() or
-    source = API::moduleImport("lzma").getMember("LZMAFile").getACall()
+  override predicate isSource(DataFlow::Node source) {
+    (
+      source =
+        API::moduleImport("zipfile").getMember("ZipFile").getReturn().getMember("open").getACall() or
+      source =
+        API::moduleImport("zipfile")
+            .getMember("ZipFile")
+            .getReturn()
+            .getMember("namelist")
+            .getACall() or
+      source = API::moduleImport("tarfile").getMember("open").getACall() or
+      source = API::moduleImport("tarfile").getMember("TarFile").getACall() or
+      source = API::moduleImport("bz2").getMember("open").getACall() or
+      source = API::moduleImport("bz2").getMember("BZ2File").getACall() or
+      source = API::moduleImport("gzip").getMember("GzipFile").getACall() or
+      source = API::moduleImport("gzip").getMember("open").getACall() or
+      source = API::moduleImport("lzma").getMember("open").getACall() or
+      source = API::moduleImport("lzma").getMember("LZMAFile").getACall()
+    ) and
+    not source.getScope().getLocation().getFile().inStdlib()
   }
-  
-  override predicate isSink(DataFlow::Node sink) { 
-     sink = any(CopyFile copyfile).getAPathArgument() or
-     sink = any(CopyFile copyfile).getfsrcArgument()
+
+  override predicate isSink(DataFlow::Node sink) {
+    (
+      sink = any(CopyFile copyfile).getAPathArgument() or
+      sink = any(CopyFile copyfile).getfsrcArgument()
+    ) and
+    not sink.getScope().getLocation().getFile().inStdlib()
   }
 }
