Merge pull request github#13561 from amammad/amammad-python-WebAppsConstatntSecretKeys

Python: Flask & Django Constant Secret Key initialization

Author: RasmusWL

python/ql/lib/semmle/python/frameworks/Stdlib.qll

@@ -4372,6 +4372,30 @@ private module StdlibPrivate {
       preservesValue = false
     }
   }
+
+  /**
+   * A flow summary for `os.getenv` / `os.getenvb`
+   *
+   * See https://devdocs.io/python~3.11/library/os#os.getenv
+   */
+  class OsGetEnv extends SummarizedCallable {
+    OsGetEnv() { this = "os.getenv" }
+
+    override DataFlow::CallCfgNode getACall() {
+      result = API::moduleImport("os").getMember(["getenv", "getenvb"]).getACall()
+    }
+
+    override DataFlow::ArgumentNode getACallback() {
+      result =
+        API::moduleImport("os").getMember(["getenv", "getenvb"]).getAValueReachableFromSource()
+    }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input in ["Argument[1]", "Argument[default:]"] and
+      output = "ReturnValue" and
+      preservesValue = true
+    }
+  }
 }
 
 // ---------------------------------------------------------------------------

python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKey.qhelp

@@ -0,0 +1,57 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+  <overview>
+    <p>
+      Flask and Django require a Securely signed key for singing the session cookies. most of the time developers rely on load hardcoded secret keys from a config file or python code. this proves that the way of hardcoded secret can make problems when you forgot to change the constant secret keys.
+    </p>
+  </overview>
+  <recommendation>
+    <p>
+      In Flask Consider using a secure random generator with <a href="https://docs.python.org/3/library/secrets.html#secrets.token_hex">Python standard secrets library</a> 
+    </p>
+    <p>
+      In Django Consider using a secure random generator with "get_random_secret_key()"" method from "django.core.management.utils".
+    </p>
+  </recommendation>
+  <example>
+    <p>Safe Django SECRET_KEY</p>
+    <sample src="examples/example_Django_safe.py" />
+    <p>Unsafe Django SECRET_KEY Example:</p>
+    <sample src="examples/example_Django_unsafe.py" />
+    <p>Safe Flask SECRET_KEY Example:</p>
+    <sample src="examples/example_Flask_safe.py" />
+    <sample src="examples/example_Flask_unsafe.py" />
+    <p>Unsafe Flask SECRET_KEY Example:</p>
+    <sample src="examples/example_Flask_unsafe2.py" />
+    <p>config1.py</p>
+    <sample src="examples/config1.py" />
+    <p>config2.py</p>
+    <sample src="examples/config2.py" />
+    <p>config3.py</p>
+    <sample src="examples/config3.py" />
+    <p>__init__.py</p>
+    <sample src="examples/settings/__init__.py" />
+  </example>
+  <references>
+    <li>
+      <a href="https://flask.palletsprojects.com/en/2.3.x/config/#SECRET_KEY">Flask Documentation</a>
+    </li>
+    <li>
+      <a href="https://docs.djangoproject.com/en/4.2/ref/settings/#secret-key">Django Documentation</a>
+    </li>
+    <li>
+      <a href="https://flask-jwt-extended.readthedocs.io/en/stable/basic_usage.html#basic-usage">Flask-JWT-Extended Documentation</a>
+    </li>
+    <li>
+      <a href="https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/">CVE-2023-27524 - Apache Superset had multiple CVEs related to this kind of Vulnerability</a>
+    </li>
+    <li>
+      <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-17526">CVE-2020-17526 - Apache Airflow had multiple CVEs related to this kind of Vulnerability</a>
+    </li>
+    <li>
+      <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-41192">CVE-2021-41192 - Redash was assigning a environment variable with a default value which it was assigning the default secrect if the environment variable does not exists</a>
+    </li>
+
+  </references>
+</qhelp>

python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKey.ql

@@ -0,0 +1,64 @@
+/**
+ * @name Initializing SECRET_KEY of Flask application with Constant value
+ * @description Initializing SECRET_KEY of Flask application with Constant value
+ * files can lead to Authentication bypass
+ * @kind path-problem
+ * @id py/flask-constant-secret-key
+ * @problem.severity error
+ * @security-severity 8.5
+ * @precision high
+ * @tags security
+ *       experimental
+ *       external/cwe/cwe-287
+ */
+
+import python
+import experimental.semmle.python.Concepts
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.ApiGraphs
+import semmle.python.dataflow.new.TaintTracking
+import WebAppConstantSecretKeyDjango
+import WebAppConstantSecretKeyFlask
+import semmle.python.filters.Tests
+
+newtype TFrameWork =
+  Flask() or
+  Django()
+
+module WebAppConstantSecretKeyConfig implements DataFlow::StateConfigSig {
+  class FlowState = TFrameWork;
+
+  predicate isSource(DataFlow::Node source, FlowState state) {
+    state = Flask() and FlaskConstantSecretKeyConfig::isSource(source)
+    or
+    state = Django() and DjangoConstantSecretKeyConfig::isSource(source)
+  }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node.getLocation().getFile().inStdlib()
+    or
+    // To reduce FP rate, the following was added
+    node.getLocation()
+        .getFile()
+        .getRelativePath()
+        .matches(["%test%", "%demo%", "%example%", "%sample%"]) and
+    // but that also meant all data-flow nodes in query tests were excluded... so we had
+    // to add this:
+    not node.getLocation().getFile().getRelativePath().matches("%query-tests/Security/CWE-287%")
+  }
+
+  predicate isSink(DataFlow::Node sink, FlowState state) {
+    state = Flask() and FlaskConstantSecretKeyConfig::isSink(sink)
+    or
+    state = Django() and DjangoConstantSecretKeyConfig::isSink(sink)
+  }
+}
+
+module WebAppConstantSecretKey = TaintTracking::GlobalWithState<WebAppConstantSecretKeyConfig>;
+
+import WebAppConstantSecretKey::PathGraph
+
+from WebAppConstantSecretKey::PathNode source, WebAppConstantSecretKey::PathNode sink
+where WebAppConstantSecretKey::flowPath(source, sink)
+select sink, source, sink, "The SECRET_KEY config variable is assigned by $@.", source,
+  " this constant String"

python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKeyDjango.qll

@@ -0,0 +1,52 @@
+import python
+import experimental.semmle.python.Concepts
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.ApiGraphs
+import semmle.python.dataflow.new.TaintTracking
+import WebAppConstantSecretKeySource
+
+module DjangoConstantSecretKeyConfig {
+  /**
+   * Sources are Constants that without any Tainting reach the Sinks.
+   * Also Sources can be the default value of getenv or similar methods
+   * in a case that no value is assigned to Desired SECRET_KEY environment variable
+   */
+  predicate isSource(DataFlow::Node source) { source instanceof WebAppConstantSecretKeySource }
+
+  /**
+   * Holds if There is a sink like following SECRET_KEY Assignments
+   * ```python
+   *from django.conf import settings
+   *settings.configure(
+   *    SECRET_KEY="constant",
+   *)
+   * # or
+   *settings.SECRET_KEY = "constant"
+   * ```
+   */
+  predicate isSink(DataFlow::Node sink) {
+    exists(API::moduleImport("django")) and
+    (
+      exists(AssignStmt e | e.getTarget(0).(Name).getId() = ["SECRET_KEY", "SECRET_KEY_FALLBACKS"] |
+        sink.asExpr() = e.getValue()
+      )
+      or
+      exists(API::Node settings |
+        settings =
+          API::moduleImport("django").getMember("conf").getMember(["global_settings", "settings"]) and
+        sink =
+          settings
+              .getMember("configure")
+              .getKeywordParameter(["SECRET_KEY_FALLBACKS", "SECRET_KEY"])
+              .asSink()
+      )
+      or
+      exists(DataFlow::AttrWrite attr |
+        attr.getAttributeName() = ["SECRET_KEY_FALLBACKS", "SECRET_KEY"] and
+        sink = attr.getValue()
+      )
+    ) and
+    exists(sink.getScope().getLocation().getFile().getRelativePath()) and
+    not sink.getScope().getLocation().getFile().inStdlib()
+  }
+}

python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKeyFlask.qll

@@ -0,0 +1,139 @@
+import python
+import experimental.semmle.python.Concepts
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.ApiGraphs
+import semmle.python.dataflow.new.TaintTracking
+import WebAppConstantSecretKeySource
+
+/**
+ * with using flask-session package, there is no jwt exists in cookies in user side
+ * ```python
+ *import os
+ *from flask import Flask, session
+ *app = Flask(__name__)
+ * ```
+ */
+module FlaskConstantSecretKeyConfig {
+  /**
+   * `flask.Flask()`
+   */
+  API::Node flaskInstance() {
+    result = API::moduleImport("flask").getMember("Flask").getASubclass*()
+  }
+
+  /**
+   * Sources are Constants that without any Tainting reach the Sinks.
+   * Also Sources can be the default value of getenv or similar methods
+   * in a case that no value is assigned to Desired SECRET_KEY environment variable
+   */
+  predicate isSource(DataFlow::Node source) { source instanceof WebAppConstantSecretKeySource }
+
+  /**
+   * Sinks are one of the following kinds, some of them are directly connected to a flask Instance like
+   * ```python
+   *    app.config['SECRET_KEY'] = 'CHANGEME1'
+   *    app.secret_key = 'CHANGEME2'
+   *    app.config.update(SECRET_KEY="CHANGEME3")
+   *    app.config.from_mapping(SECRET_KEY="CHANGEME4")
+   * ```
+   * other Sinks are SECRET_KEY Constants Variables that are defined in separate files or a class in those files like:
+   * ```python
+   *    app.config.from_pyfile("config.py")
+   *    app.config.from_object('config.Config')
+   *```
+   * we find these files with `FromObjectFileName` DataFlow Configuration
+   * note that "JWT_SECRET_KEY" is same as "SECRET_KEY" but it is belong to popular flask-jwt-extended library
+   */
+  predicate isSink(DataFlow::Node sink) {
+    (
+      exists(API::Node n | n = flaskInstance().getReturn() |
+        sink =
+          [
+            n.getMember("config").getSubscript(["SECRET_KEY", "JWT_SECRET_KEY"]).asSink(),
+            n.getMember("config")
+                .getMember(["update", "from_mapping"])
+                .getACall()
+                .getArgByName(["SECRET_KEY", "JWT_SECRET_KEY"])
+          ]
+      )
+      or
+      exists(DataFlow::AttrWrite attr |
+        attr.getObject().getALocalSource() = flaskInstance().getACall() and
+        attr.getAttributeName() = ["secret_key", "jwt_secret_key"] and
+        sink = attr.getValue()
+      )
+      or
+      exists(SecretKeyAssignStmt e | sink.asExpr() = e.getValue())
+    ) and
+    exists(sink.getScope().getLocation().getFile().getRelativePath()) and
+    not sink.getScope().getLocation().getFile().inStdlib()
+  }
+
+  /**
+   * An Assignments like `SECRET_KEY = ConstantValue`
+   * and `SECRET_KEY` file must be the Location that is specified in argument of `from_object` or `from_pyfile` methods
+   */
+  class SecretKeyAssignStmt extends AssignStmt {
+    SecretKeyAssignStmt() {
+      exists(string configFileName, string fileNamehelper, DataFlow::Node n1, File file |
+        fileNamehelper = [flaskConfiFileName(n1), flaskConfiFileName2(n1)] and
+        // because of `from_object` we want first part of `Config.AClassName` which `Config` is a python file name
+        configFileName = fileNamehelper.splitAt(".") and
+        file = this.getLocation().getFile()
+      |
+        (
+          if fileNamehelper = "__name__"
+          then
+            file.getShortName() = flaskInstance().asSource().getLocation().getFile().getShortName()
+          else (
+            fileNamehelper.matches("%.py") and
+            file.getShortName().matches("%" + configFileName + "%") and
+            // after spliting, don't look at %py% pattern
+            configFileName != ".py"
+            or
+            // in case of referencing to a directory which then we must look for __init__.py file
+            not fileNamehelper.matches("%.py") and
+            file.getRelativePath()
+                .matches("%" + fileNamehelper.replaceAll(".", "/") + "/__init__.py")
+          )
+        ) and
+        this.getTarget(0).(Name).getId() = ["SECRET_KEY", "JWT_SECRET_KEY"]
+      ) and
+      exists(this.getScope().getLocation().getFile().getRelativePath()) and
+      not this.getScope().getLocation().getFile().inStdlib()
+    }
+  }
+
+  /**
+   * Holds if there is a helper predicate that specify where the Flask `SECRET_KEY` variable location is defined.
+   * In Flask we have config files that specify the location of `SECRET_KEY` variable initialization
+   * and the name of these files are determined by
+   * `app.config.from_pyfile("configFileName.py")`
+   * or
+   * `app.config.from_object("configFileName.ClassName")`
+   */
+  string flaskConfiFileName(API::CallNode cn) {
+    cn =
+      flaskInstance()
+          .getReturn()
+          .getMember("config")
+          .getMember(["from_object", "from_pyfile"])
+          .getACall() and
+    result =
+      [
+        cn.getParameter(0).getAValueReachingSink().asExpr().(StrConst).getText(),
+        cn.getParameter(0).asSink().asExpr().(Name).getId()
+      ]
+  }
+
+  string flaskConfiFileName2(API::CallNode cn) {
+    cn =
+      API::moduleImport("flask")
+          .getMember("Flask")
+          .getASubclass*()
+          .getASuccessor*()
+          .getMember("from_object")
+          .getACall() and
+    result = cn.getParameter(0).asSink().asExpr().(StrConst).getText()
+  }
+}

python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKeySource.qll

@@ -0,0 +1,38 @@
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.ApiGraphs
+
+/** A bad source for secret key in web app configurations. */
+class WebAppConstantSecretKeySource extends DataFlow::Node {
+  WebAppConstantSecretKeySource() {
+    (
+      // we should check whether there is a default value or not
+      exists(API::Node env |
+        env = API::moduleImport("environ").getMember("Env") and
+        // has default value
+        exists(API::Node param | param = env.getKeywordParameter("SECRET_KEY") |
+          param.asSink().asExpr().getASubExpression*() instanceof StrConst
+        ) and
+        this = env.getReturn().getReturn().asSource()
+      )
+      or
+      this.asExpr() instanceof StrConst
+      or
+      exists(API::CallNode cn |
+        cn =
+          [
+            API::moduleImport("os").getMember("getenv").getACall(),
+            API::moduleImport("os").getMember("environ").getMember("get").getACall()
+          ] and
+        cn.getNumArgument() = 2 and
+        DataFlow::localFlow(any(DataFlow::Node n | n.asExpr() instanceof StrConst), cn.getArg(1)) and
+        this.asExpr() = cn.asExpr()
+      )
+    ) and
+    // followings will sanitize the get_random_secret_key of django.core.management.utils and similar random generators which we have their source code and some of them can be tracking by taint tracking because they are initilized by a constant!
+    exists(this.getScope().getLocation().getFile().getRelativePath()) and
+    not this.getScope().getLocation().getFile().inStdlib() and
+    // special sanitize case for get_random_secret_key and django-environ
+    not this.getScope().getLocation().getFile().getBaseName() = ["environ.py", "crypto.py"]
+  }
+}