Add shlex.quote as sanitizer

jorgectf · jorgectf · commit 55648ac4dec4 · 2023-07-20T15:34:54.000+02:00
diff --git a/python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
@@ -9,6 +9,7 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.TaintTracking
 private import CommandInjectionCustomizations::CommandInjection as CommandInjection
 private import semmle.python.Concepts as Concepts
+private import semmle.python.ApiGraphs
 
 /**
  * Module containing sources, sinks, and sanitizers for shell command constructed from library input.
@@ -17,6 +18,9 @@ module UnsafeShellCommandConstruction {
   /** A source for shell command constructed from library input vulnerabilities. */
   abstract class Source extends DataFlow::Node { }
 
+  /** A sanitizer for shell command constructed from library input vulnerabilities. */
+  abstract class Sanitizer extends DataFlow::Node { }
+
   private import semmle.python.frameworks.Setuptools
 
   /** An input parameter to a gem seen as a source. */
@@ -156,4 +160,13 @@ module UnsafeShellCommandConstruction {
 
     override DataFlow::Node getStringConstruction() { result = formatCall }
   }
+
+  /**
+   * A call to `shlex.quote`, considered as a sanitizer.
+   */
+  class ShlexQuoteAsSanitizer extends Sanitizer, DataFlow::Node {
+    ShlexQuoteAsSanitizer() {
+      this = API::moduleImport("shlex").getMember("quote").getACall().getArg(0)
+    }
+  }
 }
diff --git a/python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionQuery.qll
@@ -24,7 +24,8 @@ class Configuration extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   override predicate isSanitizer(DataFlow::Node node) {
-    node instanceof CommandInjection::Sanitizer // using all sanitizers from `rb/command-injection`
+    node instanceof Sanitizer or
+    node instanceof CommandInjection::Sanitizer // using all sanitizers from `py/command-injection`
   }
 
   // override to require the path doesn't have unmatched return steps
diff --git a/python/ql/test/query-tests/Security/CWE-078-UnsafeShellCommandConstruction/src/unsafe_shell_test.py b/python/ql/test/query-tests/Security/CWE-078-UnsafeShellCommandConstruction/src/unsafe_shell_test.py
@@ -1,9 +1,13 @@
 import os
 import subprocess
+import shlex
 
 def unsafe_shell_one(name):
     os.system("ping " + name) # $result=BAD
 
+    # shlex.quote sanitizer
+    os.system("ping " + shlex.quote(name)) # $result=OK
+
     # f-strings
     os.system(f"ping {name}") # $result=BAD
 

Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,8 @@ class Configuration extends TaintTracking::Configuration {`
`24`	`24`	`override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`25`	`25`
`26`	`26`	`override predicate isSanitizer(DataFlow::Node node) {`
`27`		- node instanceof CommandInjection::Sanitizer // using all sanitizers from `rb/command-injection`
	`27`	`+ node instanceof Sanitizer or`
	`28`	+ node instanceof CommandInjection::Sanitizer // using all sanitizers from `py/command-injection`
`28`	`29`	`}`
`29`	`30`
`30`	`31`	`// override to require the path doesn't have unmatched return steps`