Update ZipSlip.qll

ahmed-farid-dev · web-flow · commit ddba3b7784f6 · 2022-03-28T00:59:56.000Z
diff --git a/python/ql/src/experimental/semmle/python/security/ZipSlip.qll b/python/ql/src/experimental/semmle/python/security/ZipSlip.qll
@@ -8,7 +8,8 @@ class ZipSlipConfig extends TaintTracking::Configuration {
   ZipSlipConfig() { this = "ZipSlipConfig" }
 
   override predicate isSource(DataFlow::Node source) { 
-    source = API::moduleImport("zipfile").getMember("ZipFile").getACall() or 
+    source.asCfgNode().(CallNode).getFunction().(AttrNode).getObject("open").pointsTo().getClass() = Module::named("zipfile").attr("ZipFile") or 
+    source.asCfgNode().(CallNode).getFunction().(AttrNode).getObject("namelist").pointsTo().getClass() = Module::named("zipfile").attr("ZipFile") or
     source = API::moduleImport("tarfile").getMember("open").getACall() or 
     source = API::moduleImport("tarfile").getMember("TarFile").getACall() or  
     source = API::moduleImport("bz2").getMember("open").getACall() or
@@ -20,6 +21,7 @@ class ZipSlipConfig extends TaintTracking::Configuration {
   }
   
   override predicate isSink(DataFlow::Node sink) { 
-     sink = any(CopyFile copyfile).getAPathArgument()
+     sink = any(CopyFile copyfile).getAPathArgument() or
+     sink = any(CopyFile copyfile).getfsrcArgument()
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,8 @@ class ZipSlipConfig extends TaintTracking::Configuration {`
`8`	`8`	`ZipSlipConfig() { this = "ZipSlipConfig" }`
`9`	`9`
`10`	`10`	`override predicate isSource(DataFlow::Node source) {`
`11`		`- source = API::moduleImport("zipfile").getMember("ZipFile").getACall() or`
	`11`	`+ source.asCfgNode().(CallNode).getFunction().(AttrNode).getObject("open").pointsTo().getClass() = Module::named("zipfile").attr("ZipFile") or`
	`12`	`+ source.asCfgNode().(CallNode).getFunction().(AttrNode).getObject("namelist").pointsTo().getClass() = Module::named("zipfile").attr("ZipFile") or`
`12`	`13`	`source = API::moduleImport("tarfile").getMember("open").getACall() or`
`13`	`14`	`source = API::moduleImport("tarfile").getMember("TarFile").getACall() or`
`14`	`15`	`source = API::moduleImport("bz2").getMember("open").getACall() or`
`@@ -20,6 +21,7 @@ class ZipSlipConfig extends TaintTracking::Configuration {`
`20`	`21`	`}`
`21`	`22`
`22`	`23`	`override predicate isSink(DataFlow::Node sink) {`
`23`		`- sink = any(CopyFile copyfile).getAPathArgument()`
	`24`	`+ sink = any(CopyFile copyfile).getAPathArgument() or`
	`25`	`+ sink = any(CopyFile copyfile).getfsrcArgument()`
`24`	`26`	`}`
`25`	`27`	`}`